CASL Cold Email: What You Can (and Can't) Send in 2026
You're a US-based SDR with 500 Canadian prospects in your sequencer. You hit send. Three weeks later, your domain reputation is tanked, your bounce rate is through the roof, and someone on the legal team is asking about something called CASL. We've seen this play out dozens of times.
Cold emailing Canadians under CASL is legal - but Canada's Anti-Spam Legislation isn't CAN-SPAM. It's an opt-in regime, not opt-out, and penalties run up to CAD $10M per organization. Here's exactly what you can send, what you can't, and how to stay compliant without killing your outbound pipeline.
The Short Version
- Yes, cold email to Canadians is legal - but only under specific implied consent conditions. For B2B, "conspicuous publication" is the main one.
- Every email must include clear sender identification, a physical mailing address, and a working unsubscribe link.
- Verify every address before sending. Bounces and spam complaints attract enforcement. The CRTC's Spam Reporting Centre received 152,603 complaints in just six months of 2025. They're paying attention.
What CASL Actually Covers
CASL governs any commercial electronic message, or CEM. A CEM is any electronic message where even one purpose is to encourage participation in a commercial activity - email, SMS, instant messaging, even DMs through platforms like Facebook Messenger. Public social media posts don't count, but direct messages do.
The scope catches more senders than most people realize. The law applies to CEMs received in Canada, including messages sent from other countries. A US-based SDR emailing a Toronto VP of Marketing? CASL applies. If there's a commercial angle, assume it's a CEM and comply.
Express vs. Implied Consent
This is the part that trips up most outbound teams. There are two consent types, and the difference determines whether your outreach is legal or a violation.

Express Consent
Express consent is the gold standard. The recipient explicitly opted in - they checked a box, filled out a form, or verbally agreed. It doesn't expire. Once you have it, you can keep emailing until they unsubscribe.
The catch: you must document it. Record the date, the method, and the source. If the CRTC ever asks, the burden of proving consent falls on you, not the recipient.
Implied Consent
Implied consent is where cold outreach lives.
Existing business relationship (EBR): If someone purchased from you, signed a contract, or completed a transaction, you have implied consent for two years. If they made an inquiry or submitted an application, the window shrinks to six months.
Conspicuous publication: This is the path most B2B cold emailers rely on. In our experience, it's also where most teams get tripped up. It requires passing a three-part test:
- The person's email address is publicly posted (on a company website, directory, etc.)
- The publication is not accompanied by a statement that they don't want unsolicited messages
- Your message is relevant to the recipient's business role, functions, or duties
A recurring question on r/sales and in cold email communities: does finding someone's email on their company website count as consent? Only if all three conditions above are met. Finding a CMO's email on a company "About" page doesn't give you blanket permission to pitch anything - your message needs to relate to what that CMO actually does.
| | Express Consent | Implied Consent |
|---|---|---|
| How obtained | Explicit opt-in | EBR or public posting |
| Expiry | None (until unsubscribe) | 6 months-2 years |
| Documentation | Date, method, source | Relationship + expiry |
| Proof burden | On sender | On sender |

CASL vs. CAN-SPAM vs. GDPR
CAN-SPAM's opt-out model trained a generation of US SDRs to assume cold email is always fine as long as there's an unsubscribe link. Canada's law treats outbound fundamentally differently.

| Law | Consent Model | Max Penalty | Unsub Deadline | Scope |
|---|---|---|---|---|
| CASL | Opt-in (express/implied) | CAD $10M (org) | 10 business days | Messages received in Canada |
| CAN-SPAM | Opt-out | $50K+ USD per violation | 10 business days | US commercial email |
| GDPR | Explicit or legit interest | EUR 20M or 4% revenue | Without undue delay | EU/EEA data subjects |
CASL technically includes a private right of action, but it's been suspended for years. Enforcement comes from the CRTC, not private lawsuits - for now.
Here's the thing: if your deal sizes are under $15K and you're running fewer than 200 Canadian prospects per quarter, you probably don't need a dedicated compliance workflow. Follow the conspicuous publication test, verify your list, and include the required email elements. The teams that get in trouble are the ones blasting thousands of unverified contacts with generic pitches - not the ones sending targeted, relevant outreach to publicly listed emails.
Compliant Cold Email Template
Here's an annotated template showing every element CASL requires. Each piece satisfies a specific legal requirement.
From: Sarah Chen, Account Executive at Acme Analytics
[SENDER ID: Clear identification - name and/or company]
Subject: Reducing churn analysis time for RevOps teams
Hi [First Name],
I noticed your team at [Company] is hiring for a data analyst
role focused on customer retention - it looks like churn
analysis is a priority right now.
[ROLE RELEVANCE: Message ties to recipient's
business function - required for conspicuous
publication consent]
We help RevOps teams cut churn analysis from weeks to hours
using automated cohort modeling. Would a 15-minute walkthrough
be useful this week?
[COMMERCIAL PURPOSE: Clear but not misleading]
Best,
Sarah Chen
Account Executive, Acme Analytics
123 King Street West, Suite 400
Toronto, ON M5H 1A1
[PHYSICAL ADDRESS: Required contact info]
Unsubscribe from future emails: [link]
[UNSUBSCRIBE: Must be functional for 60 days
after sending. Requests processed within
10 business days.]
Skip the physical address? That's a violation. Generic pitch with no connection to the recipient's role? Your conspicuous publication consent basis falls apart.
Penalties and Enforcement
Violations can reach up to CAD $10M per organization and $1M for individuals. But enforcement doesn't start with a massive fine on day one.

The CRTC's enforcement activity between April and September 2025 included 153 Notices to Produce, 123 Warning Letters, 5 Preservation Demands, and 1 Notice of Violation. One investigation into email account compromises resulted in a $50,000 administrative monetary penalty. For context on how seriously the CRTC takes volume offenders: the Ebury Botnet investigation revealed 35 million spam messages per day, prompting warning letters to 80 web hosting companies under CASL s.9. The pattern is clear - warnings first, escalation second, fines for repeat or egregious offenders.
Here's where data quality connects directly to legal risk. High bounce rates generate spam complaints. Spam complaints flow into the CRTC's Spam Reporting Centre - the same system that logged 152,603 complaints in six months. Sending to a list full of invalid addresses doesn't just hurt your deliverability; it creates precisely the signals that attract regulatory attention. Verifying your data before sending isn't a nice-to-have. It's a compliance safeguard.
If you're seeing deliverability issues, start with an email deliverability checklist and fix the root causes before scaling volume.
CASL Compliance Checklist
We've tested this with teams running 500+ Canadian contacts per quarter. It works.

- Classify every Canadian contact by consent type. Tag each record as express consent, implied (EBR), or implied (conspicuous publication). If you can't identify the consent basis, don't email them.
- Document consent in your CRM. For every contact, record the consent type, source, date obtained, and expiry date for implied consent. Custom fields in Salesforce or HubSpot work fine.
- Set automated expiry alerts. Implied consent from a purchase expires after two years. From an inquiry, six months. Build workflow automations that flag contacts approaching expiry and suppress them from sequences automatically.
- Include sender ID, business address, and unsubscribe in every email. No exceptions. Your sequencing tool should template these in by default. (If you're unsure what "counts" for US sends, see the physical address requirement.)
- Process unsubscribe requests within 10 business days. Automate this - manual processing invites mistakes.
- Verify every email address before sending. This is where most compliance failures actually start. Bounces and spam-trap hits generate the complaints the CRTC tracks. Prospeo's 5-step verification catches invalid addresses, spam traps, and honeypots at 98% accuracy - one customer saw bounce rates drop from 35% to under 4%. If you’re evaluating vendors, compare options in our guide to email ID validators or email checker tools.
- Keep consent records for at least 3 years after the relationship ends. If the CRTC investigates, you need to produce documentation. This is much easier if you follow a consistent CRM hygiene process.
- Never use purchased or scraped lists without verifiable consent documentation. If the list vendor can't provide documented proof of CASL-compliant consent for every contact, the list is a liability, not an asset. Skip it. If you need to build lists safely, use list building tools and run a proper email verification for outreach workflow.
FAQ
Does CASL apply if I'm based outside Canada?
Yes. CASL applies to any commercial electronic message received in Canada, regardless of where the sender is located. If your prospect receives the message in Canada, you must comply with all consent, identification, and unsubscribe requirements. The CRTC's own guidance makes this explicit.
Can I use a purchased email list for Canadian prospects?
Only if the list vendor provides documented proof of consent for every contact - and that consent must meet CASL's express or implied standards. Most purchased lists can't provide this. Verify every address independently before sending.
Do follow-up emails need separate consent?
No separate consent is needed per message, but your original consent basis must still be valid. If you're relying on implied consent from an inquiry, the six-month window applies to all follow-ups within that period - not just the first email.
How do I avoid CASL penalties on cold outreach?
Verify your list before every send to remove invalid addresses, spam traps, and honeypots. Bounces and spam complaints are the primary signals the CRTC tracks. Pair clean data with proper sender identification, a physical address, and a working unsubscribe link in every message. The Canadian government's CASL FAQ is a solid reference for edge cases.

CASL compliance isn't complicated - it's just different from CAN-SPAM. Get the consent basis right, verify your data, and include the required elements in every message. That's it. You can run compliant cold outreach to Canadians without legal risk or pipeline paralysis.
