Canadian Anti-Spam Legislation (CASL)

The Canadian Anti-Spam Legislation was passed in 2014. Contrary to the name, it does not just affect spam, but all commercial electronic messages (CEMs). It applies to all businesses sending CEMs to a recipient in Canada. The penalty for a business that violates CASL can be as high as $10 million CAD, in addition to possible private civil action.

Image Description
Customers expect more out of your company than unsolicited, spam promotional messaging. Stay on their good side through proactive CASL compliance.


What is CASL?

What is CASL?

CASL establishes rules for commercial electronic messages (CEMs) and regulates a broad range of activities:

  • Unsolicited commercial messages sent via email, text, or social posts such as tweets
  • Hacking, malware and spyware
  • “Phishing” and other fraudulent or misleading practices
  • Invading privacy through a computer
  • Collecting emails without consent

CASL defines a CEM as having a purpose of encouraging participation in a commercial activity, and it sent from or received by a computer in Canada. This definition is quite broad, and “commercial activity” means a transaction or act of a commercial nature, regardless of whether it’s done with an expectation of profit. This means that messages sent by charities and non-profits are also regarded as CEMs.

CASL places particular emphasis on the presence of an unsubscribe mechanism. Every CEM a business sends must provide a way for recipients to opt out of future messages. It must be clearly stated and should be simple, quick, and easy for the consumer to use. The unsubscribe option must also be free to the recipient, and an opt-out must be honored by the business within 10 business days.

What gets you into TCPA hot water?

Watch Video


What about consent to communicate?

CASL requires consent to communicate via CEMs, whether it is express or implied.

    Express consent means the recipient has voluntarily agreed to receive the CEM, and the consent is documented. A request for express consent must include:

  • The purpose of the request
  • The name or business of the person requesting it, or on whose behalf it’s being requested
  • The name of the person giving consent, or on whose behalf it’s being given
  • A mailing address, phone number, email address, or web address for identification
  • A statement that the consent can be revoked at any time via a provided unsubscribe option
  • Express consent can also be given verbally, if an independent third-party can verify it, or the consent is recorded.

    Express consent does not expire but can be revoked by the recipient at any time.

    Consent can be implied in a few circumstances:

  • When there is an existing business or non-business relationship
  • When the contact’s email address is clearly and obviously published without saying they do not want to receive CEMs
  • When a contact has disclosed an email address and the message has to do with their business, role, functions, or duties in an official capacity
    • An example: a person who receives a CEM after handing out their business card

    Implied consent lasts for two years, although each transaction with a business renews the two-year timeline of implied consent.

Learn how to mitigate TCPA compliance risk

Learn How


Risks and penalties of violating CASL

Companies can suffer penalties for CASL non-compliance in a variety of ways.

Companies can suffer penalties for CASL non-compliance in a variety of ways.

  • Administrative Monetary Penalties (AMPs) consist of fines up to $10 million CAD for businesses, or $1 million for individuals found in violation
  • Vicarious liability, when a corporate director can be found liable for the wrongful acts of a corporation, or a corporation can be found liable for the acts of its employees
  • Private rights of action – As of July 2017, individuals can sue another individual or business for damages after receiving unsolicited CEMs, although an individual cannot take action against a business if the CRTC has already taken action.

How to communicate during a pandemic

Learn More


Datablocks and Sunlight Media

Datablocks and Sunlight Media, both in the business of distributing online advertisements, were fined $250,000 in 2018 for sending malware via fraudulent online advertisements (referred to as “malvertising”), including accepting unverified anonymous contacts who used their services to distribute the malware, and supplying the necessary infrastructure and software for the placement of the messages and ads.


Fine Amount


Fined For


Year Fined


How PossibleNOW can help

PossibleNOW’s platform, DNCSolution, helps companies comply with CASL in crucial ways. DNCSolution handles direct marketing compliance with relevant legislation across all channels of communication including calls, texts, emails, faxes, and direct mail.

    DNEmail and DNText

  • High-volume contact list scrubbing – handle single emails, thousands or even millions of email addresses
  • Provides a one-click opt-out solution for compliance
  • Provides scrub receipts for a record of compliance efforts
  • Exceptional customer support and application training for your team
  • Seamless integration with existing systems
  • Maintains a historical archive of all opt-out requests
  • Staying in compliance with regulations like CASL is an essential part of doing business in Canada today. Work with a compliance partner like PossibleNOW that helps you avoid upsetting your customers, violations, and falling behind on regulatory changes. You’ll be able to focus your company's resources on other important projects with confidence, rather than spending all of your time working on CASL compliance and management risk.