Skip to main content

What Is CASL

Canada’s Anti-Spam Legislation (CASL) is a federal law that took effect on July 1, 2014. It regulates commercial electronic messages (CEMs) sent to or from Canadian computer systems. CASL is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada. CASL is widely considered one of the strictest anti-spam laws in the world. Unlike the US CAN-SPAM Act, which follows an opt-out model, CASL requires prior consent before you can send a commercial electronic message.
CASL applies to any commercial electronic message sent to a Canadian recipient or routed through a Canadian computer system, regardless of where the sender is located. If you have Canadian recipients on your list, CASL applies to you.

Who Must Comply

CASL applies to any person or organization that sends a commercial electronic message (CEM) — any electronic message that encourages participation in a commercial activity. This includes:
  • Marketing and promotional emails
  • Newsletters that promote products or services
  • Emails containing offers, discounts, or upsells
  • Messages that direct recipients to a website with commercial content
CASL also covers SMS, social media messages, and other electronic messages — not just email. However, for the purpose of email sending through Lettr, this article focuses on email-specific requirements.
CASL recognizes two types of consent: express and implied. You must have one or the other before sending a commercial email to a Canadian recipient. Express consent is an affirmative opt-in where the recipient explicitly agrees to receive your messages. It does not expire and remains valid until the recipient withdraws it. To obtain valid express consent, you must clearly disclose:
  1. Who is requesting consent (your name or organization name)
  2. Why you are requesting consent (the purpose for sending messages)
  3. Contact information — a mailing address and either a phone number, email address, or web address
  4. How to withdraw — a statement that the recipient can unsubscribe at any time
<!-- Example: Compliant express consent form -->
<form>
  <label>
    <input type="checkbox" name="consent" />
    I agree to receive marketing emails from Your Company about product
    updates and promotions. You can unsubscribe at any time using the
    link in our emails.
  </label>
  <p style="font-size: 12px; color: #666;">
    Your Company Inc. — 456 Bay Street, Toronto, ON M5J 2T3<br />
    Contact: marketing@yourcompany.com
  </p>
</form>
Pre-checked boxes do not constitute express consent under CASL. The recipient must take an affirmative action to opt in.
Implied consent exists in certain business relationships without an explicit opt-in, but it is time-limited. The two most common forms are:
TypeDurationExample
Existing business relationship2 years from last purchase, contract, or transactionA customer who bought from you 18 months ago
Existing non-business relationship6 months from the inquiry or applicationA prospect who submitted a contact form 4 months ago
Conspicuous publicationNo fixed expiry, but message must be relevant to the recipient’s roleAn email address listed on a business website or directory
Implied consent is temporary. Use it as a window to convert the recipient to express consent. Include a clear opt-in mechanism in every email you send under implied consent.

The Three Requirements for Every CEM

Every commercial electronic message sent under CASL must meet three requirements:
1

Obtain consent (express or implied)

You must have valid consent before sending. Unlike CAN-SPAM, you cannot send first and offer an opt-out later.
2

Identify yourself

Every message must clearly identify the sender, including your name (or the name of the person on whose behalf the message is sent), your mailing address, and a way to contact you (phone, email, or web URL).
3

Provide an unsubscribe mechanism

Every message must include a functional unsubscribe mechanism that is free, easy to use, and works for at least 60 days after the message is sent. Unsubscribe requests must be processed within 10 business days.

Implementation in Lettr

Maintain records of how and when consent was obtained. For express consent, store:
  • The date and time of consent
  • The method (signup form, checkbox, etc.)
  • The exact text or disclosure presented
  • The source (URL of the form, event name, etc.)
// Example: Storing consent data alongside a Lettr API call
const response = await fetch("https://app.lettr.com/api/emails", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    from: "updates@yourcompany.com",
    to: "recipient@example.ca",
    subject: "Your weekly product update",
    template_id: "weekly-update",
    metadata: {
      consent_type: "express",
      consent_date: "2025-06-15T10:30:00Z",
      consent_source: "signup_form_v3",
    },
  }),
});
Use Lettr’s built-in unsubscribe tracking to comply with the unsubscribe requirement: 
<a href="https://yourcompany.com/unsubscribe?email={{email}}"
   data-msys-unsubscribe="1">
  Unsubscribe
</a>
Lettr processes unsubscribes immediately when using data-msys-unsubscribe="1", which is well within CASL’s 10-business-day requirement.

Sender Identification

Include your organization name, mailing address, and contact information in every commercial email footer: 
<footer style="text-align: center; padding: 20px; font-size: 12px; color: #666;">
  <p>Your Company Inc.</p>
  <p>456 Bay Street, Toronto, ON M5J 2T3</p>
  <p>Contact: marketing@yourcompany.com</p>
  <p>
    <a href="https://yourcompany.com/unsubscribe?email={{email}}"
       data-msys-unsubscribe="1"
       style="color: #0066cc;">
      Unsubscribe
    </a>
  </p>
</footer>

Penalties

CASL penalties are among the highest in the world for anti-spam violations:
  • Up to $1 million per violation for individuals
  • Up to $10 million per violation for organizations
  • Directors and officers can be held personally liable
The CRTC has levied multi-million-dollar fines against companies of all sizes.

CASL vs CAN-SPAM vs GDPR

AspectCASL (Canada)CAN-SPAM (US)GDPR (EU)
Consent modelOpt-in required (express or implied)Opt-out — you can send until they unsubscribeOpt-in required (explicit consent)
Pre-checked boxesNot valid consentNot addressed (no consent required)Not valid consent
Implied consentYes, time-limited (2 years / 6 months)N/A — no consent requiredNo — consent must be explicit
Unsubscribe processingWithin 10 business daysWithin 10 business daysWithout undue delay
Physical address requiredYesYesNot explicitly, but data controller must be identifiable
Maximum penalties$10M per violation (organizations)~$50,120 per email4% of global revenue or €20M
Transactional email exemptLargely exemptLargely exemptRequires lawful basis (contractual necessity)
If you send email to recipients in Canada, the US, and the EU, the simplest compliance strategy is to obtain express consent from all recipients and honor all unsubscribe requests immediately. This satisfies the strictest requirements across all three frameworks.

Common Mistakes

CAN-SPAM is an opt-out law; CASL is an opt-in law. Complying with CAN-SPAM does not mean you comply with CASL. If you have Canadian recipients, you need express or implied consent before sending.
Purchased lists almost never include valid CASL consent. Sending commercial email to purchased Canadian addresses without consent is a direct violation.
Every CEM must include your name, mailing address, and contact information. Missing any of these is a separate violation, even if you have valid consent and include an unsubscribe link.

CAN-SPAM Requirements

US commercial email law and how it compares to CASL.

GDPR and Email Sending

EU data protection requirements for email communications.

Email Consent Best Practices

Practical guidance for obtaining, recording, and managing email consent.

Unsubscribe Best Practices

Implement effective unsubscribe mechanisms across all jurisdictions.