CASL compliance in email marketing is one of those subjects most Canadian small business owners know they should understand but never quite get to. The law has been in force since July 1, 2014, and the penalties for non-compliance are real: up to $1 million per violation for individuals and up to $10 million for corporations. Despite that, a surprising number of Ottawa and Toronto businesses still send marketing emails without consent records, use pre-checked opt-in boxes, or assume that having a customer’s email address from a past purchase gives them unlimited permission to email forever. None of those assumptions hold up under CASL.
The good news is that the rules are straightforward once you see them laid out in plain language. This checklist covers everything a small business needs to know: the two types of consent, what every email must include, how your opt-in forms need to be built, how to handle unsubscribes, and what records you need to keep. If you get these four areas right, you are running a legally compliant email marketing program. If your current setup has gaps, this is the guide to closing them.
What CASL Actually Covers — and Why It Applies to Your Ottawa or Toronto Business
Canada’s Anti-Spam Legislation, known as CASL, governs the sending of commercial electronic messages, which the law defines as any electronic message that encourages participation in a commercial activity. That definition is intentionally broad. A promotional email announcing a sale is a commercial electronic message. A newsletter that links to products on your website is a commercial electronic message. A follow-up email after a quote is a commercial electronic message. The test is not whether the primary purpose is commercial, but whether the message encourages commercial activity at all.
CASL applies to messages sent from Canada, sent to Canada, and sent through computer systems located in Canada. If your business is in Ottawa or Toronto and you send marketing emails to a list, CASL applies regardless of where your subscribers are located. If you are a business outside Canada that sends marketing emails to Canadian recipients, CASL also applies to you. The CRTC, which is the regulatory body responsible for enforcing CASL, treats it as one of the toughest anti-spam laws in the world, and enforcement history confirms that description.
CASL does not apply to every electronic message your business sends. Transactional messages, such as order confirmations, appointment reminders, and password resets, are not commercial electronic messages under the law, though they must still include identification information and an unsubscribe mechanism. Internal communications between employees, messages sent to people in response to a specific request, and messages sent between businesses with a direct relationship that is not primarily commercial are also generally outside CASL’s scope. When in doubt, treat the message as a commercial electronic message and apply the full requirements.
The Two Types of Consent Under CASL: Express and Implied
Every commercial electronic message you send requires consent from the recipient. CASL recognizes two types: express consent and implied consent. They have different requirements, different time limits, and different levels of legal risk.
Express Consent: The Safer, Permanent Option
Express consent means the recipient took a positive, proactive step to indicate they want to receive commercial electronic messages from you. They checked an unchecked box on your website. They signed a paper form. They verbally told you they want your emails and you recorded that. Express consent is the gold standard under CASL for several reasons.
First, express consent does not expire. Once someone gives it, you can continue emailing them until they withdraw it, which they have the right to do at any time. Second, the burden of proving express consent lies entirely with the sender. If the CRTC ever questions whether you had permission to send a message, you need to be able to produce records showing exactly when and how the consent was given. This means your email platform needs to log the date, time, source, and method of every opt-in. Third, a checkbox used to collect express consent must be unchecked by default. Pre-ticking a box to suggest the person has agreed violates CASL explicitly. The person must check it themselves.
The consent request itself must include your business name, a mailing address, and at least one of a phone number, email address, or website URL. It must also describe the type of messages the person is consenting to receive. A generic ‘subscribe to our list’ does not meet the standard. Something like ‘I agree to receive weekly email updates, promotions, and news from [Business Name] at [Address]’ does.
Implied Consent: The Time-Limited Option
Implied consent covers situations where the law considers it reasonable to conclude you have permission to send a message, even without an explicit opt-in. The two most relevant situations for small businesses are an existing business relationship and an inquiry.
An existing business relationship gives you two years of implied consent. If someone purchased a product or service from you, accepted a business offer, or entered into a written contract with you, you may send them commercial electronic messages for two years from the date of that transaction. After two years, the implied consent expires and you need express consent to continue.
An inquiry gives you six months of implied consent. If someone fills out a contact form asking about your services, requests a quote, or sends you an email asking a question about your business, you may send them commercial electronic messages for six months from the date of that inquiry. After six months, you need express consent to continue. This is where most small businesses make mistakes: a lead who inquired six months ago and never converted is no longer under implied consent, and emailing them without express consent is a CASL violation.
One additional scenario worth knowing: if someone publishes their email address publicly on a website, a LinkedIn profile, or a business directory, without a statement saying they do not want to receive commercial messages, you may have implied consent to send a message, provided it relates to their business role or responsibilities. This narrow exception is most relevant for B2B outreach, and the safest approach is still to seek express consent before adding anyone to a regular marketing list.
The CASL Compliance Checklist for Small Businesses
This checklist is organized by the four areas of your email marketing operation that need to be configured correctly: your opt-in process, the emails themselves, your unsubscribe process, and your record-keeping. Working through it systematically is the most efficient way to assess and close any compliance gaps.
Part 1 — Your Opt-In Forms and Signup Process
Your website’s email signup form is where most CASL compliance is either built or broken. A form that is missing consent language, uses a pre-checked box, or fails to identify your business clearly is a liability every time someone submits it.
Start by auditing every form on your website where someone can submit an email address: newsletter signup, contact forms, quote request forms, checkout pages if you run an e-commerce store, event registration pages, and lead magnet download forms. Each one needs to be evaluated against the following requirements.
The consent language on the form must clearly describe what the person is agreeing to receive. It must include your business name, your mailing address, and one of a phone number, email address, or website URL. The opt-in checkbox must be unchecked by default. The person must actively check it. If the form is a contact form or quote request that does not include a marketing consent checkbox, it does not constitute express consent for future marketing emails, even if the person fills it out and gives you their address.
For e-commerce businesses, the checkout page deserves particular attention. A customer completing a purchase triggers two-year implied consent for marketing messages, but it does not constitute express consent. The CRTC’s guidance recommends collecting express consent at the point of purchase by including a clearly worded, unchecked checkbox on the checkout page. This is the cleaner, lower-risk approach, because implied consent periods expire and need to be tracked, while express consent does not.
Part 2 — Every Email You Send
Every commercial electronic message you send must contain three things, regardless of whether the recipient gave express or implied consent: identification of the sender, contact information, and an unsubscribe mechanism.
Identification means your name or your business name, whichever is clearer and more recognizable to recipients. If you are sending on behalf of another business, that business also needs to be identified. Contact information means a valid mailing address (a post office box is acceptable) plus one of a phone number, email address, or website URL. This information is most commonly included in the footer of every email. It must be present in the message itself, not just in the email header metadata.
The unsubscribe mechanism must be clear, easy to find, and easy to use. A single click to unsubscribe, without requiring the person to log in or provide additional information, is the standard. The unsubscribe mechanism must remain functional for at least 60 days after the email was sent. This means that if someone receives an email from you in January and tries to unsubscribe from it in February, the link must still work.
Part 3 — Your Unsubscribe Process
When someone unsubscribes, you have 10 business days to stop sending them commercial electronic messages. That deadline is firm. A backlog in your email platform, a delay in processing list changes, or a segmentation error that sends a message after someone has unsubscribed are all CASL violations.
Most email marketing platforms handle this automatically. Mailchimp, HubSpot, ActiveCampaign, and Klaviyo all process unsubscribes immediately and suppress future sends to unsubscribed contacts. The risk for small businesses is when email marketing is done manually through Gmail or Outlook rather than through a dedicated platform, or when a business maintains multiple lists in different systems that are not synchronized. If someone unsubscribes from one list but remains on another, any subsequent email is still a violation.
The 10-business-day window also applies if someone unsubscribes through a method other than the link in your email. If a customer calls you and asks to be removed from your list, if someone emails you directly asking to stop receiving messages, or if someone tells you in person, the same 10-business-day requirement applies. You cannot require someone to use only the email link to unsubscribe. Any unsubscribe request through any channel is valid.
Part 4 — Your Consent Records
CASL places the burden of proving consent entirely on the sender. If the CRTC investigates a complaint about your email marketing, you need to produce documentation showing exactly when each subscriber gave consent, what method they used, what the consent request said at that time, and what type of messages they agreed to receive.
Most reputable email marketing platforms capture this automatically. When someone submits a form and checks the opt-in box, the platform logs the date, time, IP address, and form source. That log is your consent record. You need to retain consent records for a minimum of three years after the business relationship with that subscriber ends. If you ever purge your email list, export and archive the consent records for those contacts before removing them from your platform.
For consent given by phone or in person, create a written record at the time. Note the date, who gave consent, what they agreed to receive, and who at your business recorded it. Store that record in the same system where you manage your marketing lists so it can be retrieved quickly if needed.
The Five Mistakes Small Businesses Most Often Make With CASL
After more than a decade of CASL enforcement, the violations that show up repeatedly in complaints and investigations are not obscure technicalities. They are straightforward errors that stem from misunderstanding the basics.
The first is relying on implied consent after it has expired. A customer who bought from you two years and one day ago is no longer covered by implied consent. Their address is still in your CRM, your email platform still shows them as subscribed, and nothing in your system flags the expiry. The only way to manage this correctly is to record the transaction date for implied consent contacts and either convert them to express consent before the window closes or suppress them from marketing lists when it does. This is where email platform setup and list hygiene intersect with legal compliance.
The second is using pre-checked consent boxes. This is explicitly prohibited under CASL and is also a common default in website themes and e-commerce plugins. Many WordPress and Shopify themes include newsletter opt-in checkboxes that are checked by default. If your website was built from a template and you have not specifically configured the consent checkbox behaviour, there is a reasonable chance it is pre-checked and non-compliant.
The third is sending to purchased or rented lists. Lists of email addresses acquired from a third-party provider do not carry consent for your business. The person on that list may have consented to receive messages from the company that sold their data, but they did not consent to receive messages from you. Sending commercial electronic messages to a purchased list without independent consent from each recipient is a CASL violation.
The fourth is assuming that a business card or LinkedIn connection equals consent. Receiving someone’s business card at a networking event creates a specific, narrow window of implied consent for a single relevant message. It does not constitute permission to add them to your regular marketing list. The same applies to LinkedIn connections. The fact that two people are connected on a professional platform does not give either one permission to send commercial electronic messages to the other outside that platform.
The fifth is having no audit trail. Small businesses that manage their email marketing manually, use spreadsheets to track subscribers, or have never configured their email platform’s consent logging are carrying significant risk even if they obtained consent correctly at the time. Without records, there is no way to defend against a complaint. The CRTC does not accept good intentions as evidence of compliance.
How Your Website and Email Platform Work Together for CASL Compliance
CASL compliance is not just a policy question. It is also a technical implementation question. The way your opt-in forms are built, how they connect to your email platform, what data they capture and store, and how your unsubscribe mechanism is configured all determine whether your day-to-day email marketing operation is compliant or not. Getting those systems set up correctly from the start is significantly less expensive than retrofitting compliance into a non-compliant setup after a complaint.
The forms on your website need to be built with unchecked opt-in checkboxes, accurate consent language, and your full contact information visible at the point of signup. They need to feed consent data into your email platform in a format that stores the opt-in timestamp, the form source URL, and the IP address of the submission. Most major email platforms support this out of the box when the form integration is configured correctly. When it is not configured correctly, the platform may process the signup without capturing any of the compliance data.
iWEBAPP builds CASL-compliant email marketing setups for Ottawa and Toronto businesses. This includes building or auditing the opt-in forms on your website, configuring Mailchimp, HubSpot, or ActiveCampaign to capture and store the consent data CASL requires, building landing pages with compliant consent language for lead magnets and email campaigns, and reviewing existing subscriber lists to identify implied consent contacts that need to be converted or suppressed. If you are launching email marketing for the first time, we set it up right from the start. If you have an existing list and you are not confident about your compliance status, we can audit your current setup and close the gaps.
For businesses in Ottawa and Toronto, the conversation starts with a free consultation. Reach us at +1 613-879-5266 (Ottawa), +1 905-872-5266 (Toronto), or info@iwebapp.ca. We will assess your current email marketing setup, identify any CASL compliance gaps, and recommend the specific technical steps to close them.
Frequently Asked Questions
We would love the opportunity to work with you, but we understand that you may have some additional questions. This quick Q&A covers a lot of the basics. If you have any additional questions, don’t hesitate to reach out.
What is CASL and when did it come into force?
Canada’s Anti-Spam Legislation, known as CASL, is a federal law that governs the sending of commercial electronic messages in, from, and to Canada. The anti-spam provisions came into force on July 1, 2014. The law is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC) and applies to all businesses and organizations that send commercial electronic messages, regardless of size.
What are the CASL penalties for non-compliance?
Penalties under CASL can reach up to $1 million per violation for individuals and up to $10 million per violation for corporations. Penalties are assessed per violation, not per campaign, which means a single email sent to a list without proper consent could constitute multiple violations. CASL enforcement actions have resulted in penalties in the hundreds of thousands of dollars against both large corporations and smaller businesses.
Does CASL apply to B2B email marketing?
Yes. CASL applies to commercial electronic messages sent to business email addresses as well as personal ones. B2B marketers can use implied consent based on an existing business relationship or a recent inquiry, and some narrow exceptions apply to messages clearly related to a recipient’s business role when their address is publicly listed. However, the safest and most compliant approach for B2B email marketing is to obtain express consent before adding any contact to a regular marketing list.
How long is implied consent valid under CASL?
Implied consent from a purchase, transaction, written contract, or accepted business offer lasts for two years from the date of that event. Implied consent from an inquiry, quote request, or application lasts for six months from the date of that inquiry. After these windows close, the person must give express consent before you can continue sending them commercial electronic messages. Express consent, once given, does not expire unless the person withdraws it.
Can I buy an email list and send marketing emails to it?
No. Purchased or rented email lists do not constitute consent for your business to contact those people. Any individual on a purchased list may have consented to receive messages from the company that collected their address, but that consent does not transfer to you. Sending commercial electronic messages to a purchased list is a CASL violation, regardless of what the list vendor claims about consent.
What must every marketing email include under CASL?
Every commercial electronic message must include your name or business name, a valid mailing address, and one of a phone number, email address, or website URL. It must also include a clear and functional unsubscribe mechanism. The unsubscribe link must remain active for at least 60 days after the email is sent. These requirements apply to every commercial electronic message, regardless of the type of consent the recipient gave.
How quickly must I process an unsubscribe request?
CASL requires you to stop sending commercial electronic messages to someone within 10 business days of receiving an unsubscribe request. This applies regardless of how the request was made: through the unsubscribe link in your email, by phone, by a reply email, or in person. You cannot require someone to use a specific method to unsubscribe. Any clear request to stop receiving messages starts the 10-business-day clock.
How long do I need to keep consent records?
CASL requires consent records to be retained for a minimum of three years after the business relationship with that contact ends. If you remove someone from your list, archive their consent record before deleting it. Your email platform’s built-in logging typically captures the necessary information automatically when forms are configured correctly. For verbal consent obtained in person or by phone, create a written record at the time of the interaction.
Does CASL apply to text message marketing?
Yes. CASL applies to any commercial electronic message sent to an electronic address, which includes mobile phone numbers used for SMS and MMS marketing. The same consent, identification, and unsubscribe requirements that apply to email marketing also apply to text message marketing. Express consent is required for text message marketing. Implied consent does not apply to SMS in the same way it does to email.
What should I do if I am not sure whether my current email list is CASL compliant?
Start by reviewing how every contact on your list was added. For each contact, determine whether you have express consent, implied consent that is still within its time window, or no documented consent at all. Contacts with no documented consent should be suppressed from marketing sends immediately. Contacts under implied consent should be targeted with a re-consent campaign before their window expires. Contacts with express consent should have their opt-in records confirmed in your email platform. iWEBAPP can help you run this audit and configure your email platform to manage it going forward.
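The audit described above, sketched as an added Python example (not code from this guide or from iWEBAPP). The field names, the 60-day re-consent warning threshold, and the sample contacts are assumptions made for illustration; the script treats the anniversary date as the last covered day and counts express consent only when both the opt-in date and its source are on record.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Implied-consent windows in months, as stated in this guide.
WINDOW_MONTHS = {"purchase": 24, "inquiry": 6}


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to month end (Feb 29 + 24 months -> Feb 28)."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass
class Contact:  # hypothetical export schema, not any platform's real field names
    email: str
    opt_in_at: Optional[date] = None       # express consent: date the box was ticked
    opt_in_source: Optional[str] = None    # express consent: form URL or method logged
    last_purchase: Optional[date] = None
    last_inquiry: Optional[date] = None
    unsubscribed_at: Optional[date] = None


def implied_expiry(c: Contact) -> Optional[date]:
    """Last day covered by implied consent: the later of the two windows."""
    ends = []
    if c.last_purchase:
        ends.append(add_months(c.last_purchase, WINDOW_MONTHS["purchase"]))
    if c.last_inquiry:
        ends.append(add_months(c.last_inquiry, WINDOW_MONTHS["inquiry"]))
    return max(ends) if ends else None


def classify(c: Contact, today: date, warn_days: int = 60) -> str:
    # An unsubscribe overrides everything unless a documented opt-in came later.
    resubscribed = bool(c.opt_in_at and c.unsubscribed_at
                        and c.opt_in_at > c.unsubscribed_at)
    if c.unsubscribed_at and not resubscribed:
        return "suppress:unsubscribed"
    # Express consent counts only if it can be proven (date and source on record).
    if c.opt_in_at and c.opt_in_source:
        return "send:express"
    expiry = implied_expiry(c)
    if expiry is None or today > expiry:
        return "suppress:no_valid_consent"
    if expiry - today <= timedelta(days=warn_days):
        return "reconsent:implied_expiring"
    return "send:implied"


def audit(contacts, today: date) -> dict:
    return {c.email: classify(c, today) for c in contacts}


# Constructed sample list; every address and date is made up.
SAMPLE = [
    Contact("a@example.test", opt_in_at=date(2019, 5, 2),
            opt_in_source="https://example.test/newsletter"),
    Contact("b@example.test", last_purchase=date(2024, 3, 1)),
    Contact("c@example.test", last_purchase=date(2024, 2, 29)),
    Contact("d@example.test", last_inquiry=date(2025, 8, 15)),
    Contact("e@example.test", last_purchase=date(2025, 6, 10)),
    Contact("f@example.test", opt_in_at=date(2022, 1, 5),
            opt_in_source="checkout", unsubscribed_at=date(2025, 12, 1)),
    Contact("g@example.test", opt_in_at=date(2021, 4, 4)),  # no source logged
]

if __name__ == "__main__":
    for email, status in audit(SAMPLE, date(2026, 3, 1)).items():
        print(f"{email:18} {status}")
```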
Compliance Is the Foundation. Growth Is What Comes After.
CASL compliance in email marketing is not about limiting your ability to connect with customers. It is about building a list of people who actually want to hear from you, with documentation that protects your business if anyone ever questions your practices. The businesses in Ottawa and Toronto that take the time to configure their opt-in forms correctly, use an email platform that captures consent data automatically, and maintain clean records end up with higher-performing lists, better deliverability, and lower legal risk than those that cut corners.
The checklist in this guide covers the four areas where most small business CASL compliance either succeeds or fails: opt-in forms, email content requirements, unsubscribe processing, and consent record-keeping. If your current setup passes all four, you are in good shape. If it does not, the gaps are fixable and the fixes are practical. The technical side, which is where the actual implementation lives, is what iWEBAPP does.
We build CASL-compliant email marketing setups for small businesses across Ottawa, Toronto, and Canada. We configure Mailchimp, HubSpot, and ActiveCampaign accounts to capture the consent data the law requires. We build opt-in forms and landing pages with the right consent language and the right checkbox behaviour. We audit existing setups and tell you exactly what needs to change. If you want to start or fix your email marketing with confidence that the compliance foundation is solid, call us in Ottawa at +1 613-879-5266, in Toronto at +1 905-872-5266, or email info@iwebapp.ca.