May 22, 2026

CASL Is the Most Violated Law in Canadian Business. Enforcement Is Coming.

CASL has been in force since 2014. Most Canadian businesses treat it as an inconvenience. The CRTC is increasingly treating violations as enforcement opportunities — and the fines are real.

By Canuckt AI Team

The Law That Nobody Takes Seriously Enough

Canada's Anti-Spam Legislation has been in force since July 1, 2014. In the eleven years since, it has produced a handful of well-publicized enforcement actions, a lot of "just add an unsubscribe link" compliance theatre, and a widespread assumption among Canadian businesses that CASL enforcement is more of a background hum than a real risk.

That assumption is getting more expensive to hold.

The CRTC — the Canadian Radio-television and Telecommunications Commission, which enforces CASL — has been refining its enforcement approach, cooperating with international regulators on cross-border spam, and signalling increased scrutiny of consent documentation. The businesses that have been coasting on loose consent practices and poorly maintained suppression lists are accumulating liability they don't know exists.

What CASL Actually Prohibits

CASL prohibits sending commercial electronic messages — emails, texts, and in-app messages with a commercial purpose — to a recipient without their consent, unless the message falls within one of the limited exceptions.

"Commercial purpose" is broad. An email announcing a new product feature, a text with a discount code, a message that promotes your company even without an explicit sales pitch — all of these are commercial electronic messages. A purely transactional email (an order confirmation, a receipt, a password reset) is generally not covered, but the line between transactional and commercial is one that gets blurry fast.

Consent under CASL comes in two forms: express and implied.

Express consent is explicit — the recipient has actively indicated they want to receive your messages, through a form, a checkbox, or a verbal agreement. The mechanics matter: the consent request must be clear about what they're signing up for, who is sending, and how to withdraw consent. A checkbox that says "I agree to terms and conditions" does not constitute CASL express consent for email marketing.

Implied consent exists in specific enumerated circumstances: a conspicuous published address (like an email address listed on a website without a "no solicitation" notice), an existing business relationship with a prescribed duration (generally three years from the date of a purchase or two years from an inquiry), and a few other specific scenarios.

The duration limits on implied consent are where most businesses get into trouble. An existing business relationship gives you three years from the date of the transaction. After that, implied consent expires unless you've obtained express consent. Organizations that have been emailing customers for five years without ever collecting express consent are, in effect, emailing people who belong on a suppression list: people they no longer have consent to email.

The Three Consent Documentation Problems

No records of when consent was obtained. CASL requires organizations to be able to demonstrate that they had consent before sending. This means a record — ideally timestamped, ideally including the specific consent mechanism used — for every person on your list. Organizations using email platforms that don't capture consent timestamps have a system that can send messages but can't demonstrate the right to send them.

No mechanism for tracking implied consent expiry. If your marketing list includes people who made a purchase in 2020 and you haven't obtained their express consent, their implied consent expired in 2023. Continuing to send to them since then has been a violation for two years. Most marketing platforms don't automatically handle implied consent expiry — it requires a process.

No suppression list management. CASL requires that every commercial electronic message include a functional unsubscribe mechanism that processes withdrawals within ten business days. Organizations that honour unsubscribe requests in one system but maintain the same contacts in other systems — a CRM, a separate newsletter tool, a sales outreach platform — are sending to people who have withdrawn consent.

The Enforcement Realities

The CRTC has levied fines ranging from $15,000 to $1.1 million for CASL violations. The $1.1 million penalty against Compu-Finder in 2015 was the first major enforcement action — a company sending emails to people who had never consented, scraping addresses from websites. The pattern since has been: organizations that send commercial messages without consent, at volume, with no meaningful opt-out mechanism.

What the CRTC hasn't had to do yet is pursue the middle-ground violations — the companies that have consent for some of their list, have let implied consent expire for another portion, and are sending to everyone. That enforcement pattern is developing. The CRTC has cooperated with the FTC, the FCA in the UK, and other regulators on cross-border enforcement. The infrastructure for going after medium-sized violators exists.

The private right of action provision — which would have allowed individuals to sue for CASL violations — was never proclaimed into force and was eventually removed. But the CRTC's enforcement authority remains, and so do the administrative monetary penalties of up to $1 million for individuals and $10 million for organizations per violation.

What CASL Compliance Actually Looks Like in 2026

A defensible CASL compliance program for a Canadian SMB doesn't require expensive software. It requires documented processes.

Know your consent basis for every contact on every list. For each segment — customers, newsletter subscribers, event attendees, trade show leads — document when and how consent was obtained, and whether it's express or implied.

Implement implied consent tracking. Transactions that create implied consent should generate a timestamped record. A CRM field or a date column in your contact database tracking "last transaction date" or "inquiry date" gives you what you need to identify when implied consent expires.

Audit your lists against your consent records. Anyone on your marketing list without a documented consent basis shouldn't be there. Purging is uncomfortable. It's less uncomfortable than a CRTC investigation.

Make unsubscribes work everywhere. When someone unsubscribes from one channel, they should come off all commercial messaging channels. This requires a suppression list that's actually used across all your messaging systems.

Don't use purchased lists. This should go without saying, but it's worth saying: buying a list of Canadian email addresses and adding them to your marketing system is a CASL violation from the first message you send. There's no way to have CASL-compliant express consent for a list you didn't build yourself.

CASL compliance isn't difficult. It's the kind of thing that seems less urgent than everything else competing for your attention — until the CRTC sends a notice of violation and suddenly it's the only thing that matters.
