CASL Email Compliance: 2026 Guide With Real Penalties

CASL email compliance explained with enforcement data, real penalty cases, and a ready-to-use checklist. What marketers actually need to know in 2026.

6 min read · Prospeo Team

CASL Email Compliance: What Marketers Get Wrong (and What It Actually Costs)

Between April 1 and September 30, 2025, the CRTC's Spam Reporting Centre received 152,603 complaints. Over 150,000 Canadians reported unsolicited messages in six months, and 75% of CRTC investigations start directly from those consumer reports. CASL email compliance isn't a dusty regulation nobody enforces - it's an active enforcement machine, and complaints are the fuel.

Here's the thing: unlike CAN-SPAM, which is opt-out, CASL is opt-in. That single difference trips up more outbound teams than any other detail. GDPR takes a similar consent-first approach, but CASL's penalties and enforcement mechanisms are distinctly Canadian - and they apply to anyone emailing a Canadian recipient, regardless of where the sender sits. If you run any form of email marketing into Canada, understanding this distinction isn't optional.

The Quick Version

Every commercial electronic message (CEM) under CASL requires:

  • Consent before you send. Either express (opt-in) or implied (narrow conditions, time-limited).
  • Three elements in every message. Sender identification, valid contact info, and a working unsubscribe mechanism.
  • Penalties up to $10M per violation for organizations, $1M for individuals.
  • Cross-border reach. If the recipient accesses the message in Canada, CASL applies - even if you're sending from Dallas.

That last point catches a lot of US-based SDR teams off guard.

This is where most compliance mistakes happen.

Figure: CASL express vs implied consent comparison diagram

Express consent is the gold standard. The recipient actively opted in - checked a box, filled out a form, said "yes, send me emails." It doesn't expire until they unsubscribe. This is what you want for every contact in your database.

Implied consent is narrower and temporary. An existing business relationship gives you implied consent for two years after a purchase, or six months after an inquiry. Conspicuous publication - a publicly posted email without a "no unsolicited messages" notice - also qualifies, but only for messages relevant to the recipient's business role.

Now here's the catch-22 that surprises most marketers: you can't email someone to ask for express consent unless you already have implied consent. A consent request is itself a CEM under CASL. So you can't scrape 500 emails from company websites and send a "would you like to hear from us?" blast - you need a valid implied consent basis first. These rules apply equally to automated sequences and one-off sends.

Required Message Elements

Every CEM needs these elements. Treat this as a pre-flight checklist:

Figure: CASL required message elements pre-flight checklist

  • Sender identification: your business name, plus anyone on whose behalf the message is sent
  • Mailing address plus at least one of: phone number, email address, or website URL
  • Contact info valid for 60 days after the message is sent
  • Unsubscribe mechanism that's free, easy to use, and functional for at least 60 days
  • Unsubscribe requests honored within 10 business days

Missing any of these gives the CRTC a clean enforcement hook the moment a complaint lands on their desk.

Penalties and Real Cases

The statutory maximums - $10M per violation for organizations, $1M for individuals - grab headlines. But the real disruption isn't the fine. It's the investigation.

Figure: CASL enforcement statistics April to September 2025

Between April 1 and September 30, 2025, the CRTC issued 153 Notices to Produce, 123 Warning Letters, and 5 Preservation Demands. A Notice to Produce means handing over consent records, email logs, and internal documentation - weeks of operational disruption regardless of whether a fine follows. The CRTC also targeted the Ebury Botnet, responsible for more than 35 million spam messages per day, issuing warning letters under CASL section 9 to 80 web hosting companies whose servers were infected.

Directors and officers can be held personally liable. CASL doesn't limit enforcement to the corporate entity. In October 2023, the CRTC hit Quebec resident Sami Medouni with a $40,000 penalty for sending over 31,000 phishing texts using six fraudulently obtained phone numbers.

CASL's private right of action - which would let individuals sue for up to $200 per contravention with a $1M/day cap - was suspended indefinitely before it took effect. If reinstated, class-action exposure would be enormous. For now, enforcement is regulator-led, but the CRTC clearly doesn't need private lawsuits to keep teams honest.

Let's be honest: most B2B teams treat CASL like a legal checkbox. It's not. The investigation process alone - Notices to Produce, document requests, legal review - can paralyze a marketing team for weeks. The fine is the headline; the operational disruption is the actual cost.

Common Misconceptions

"I found their email on their website, so I can email them." Not automatically. The conspicuous publication exception applies only when the address is posted without a "no unsolicited messages" notice, and your message must relate to the recipient's business role. A generic sales blast doesn't qualify. This exact scenario comes up constantly on r/Emailmarketing - marketers assume personalization plus an unsubscribe link makes them compliant. It doesn't.

Figure: Three common CASL myths vs reality corrections

"I included an unsubscribe link, so I'm covered." An unsubscribe mechanism is one of three required elements, but it doesn't create consent. Consent must exist before the first send. Adding "reply STOP" to an unsolicited email is like putting a seatbelt on a car with no brakes.

"CASL only applies to Canadian companies." Enforcement is based on where the recipient accesses the message, not where the sender is located. A US SDR emailing a Canadian prospect from a Salesforce sequence in Austin is fully subject to CASL. We've seen this exact misunderstanding trip up US-based outbound teams dozens of times.

Your CASL Compliance Checklist

Most violations aren't malicious - they're sloppy. In our experience, the consent log is where most teams fall apart. Here's what keeps you out of trouble.

Figure: CASL compliance workflow from consent to send

Build a consent log and maintain it. For every contact, record who consented (name + email), when (timestamp), how (form URL, event name, verbal confirmation), and what language they saw (screenshot or exact copy). Include IP address where applicable, and retain records for at least 3 years after the business relationship ends. This sounds tedious, but it's the single document the CRTC asks for first in every investigation - and if you don't have it, you're already in trouble.

Audit your implied consent timers. EBR consent expires after 2 years from a purchase or 6 months from an inquiry. If you're not tracking these dates, you're sending to expired consent and won't know until a complaint hits. Automate these expiration dates in your CRM. No exceptions.

Verify your data before sending. Bad addresses generate bounces. Bounces trigger spam filters. Spam filters generate complaints. And complaints launch 75% of CRTC investigations. Prospeo's 5-step email verification catches invalid addresses, spam traps, and honeypots before they become complaints - 98% accuracy on a 7-day refresh cycle, at roughly $0.01 per email.

Test your unsubscribe mechanism quarterly. It must be functional for 60 days after sending and honored within 10 business days. Broken unsubscribe links are a common enforcement trigger - and one of the easiest problems to prevent.

Review every CEM template. Confirm sender ID, mailing address, contact info, and unsubscribe mechanism are present and accurate. CASL consent obligations can also overlap with PIPEDA requirements - if you're collecting personal information alongside email consent, both laws apply.

Skip this checklist if you're only sending transactional messages (order confirmations, password resets, shipping notifications) with no commercial content mixed in. Those are exempt. But the moment you add a promo line or upsell to a transactional email, it becomes a CEM and every CASL requirement kicks in.

FAQ

Can US companies be fined under CASL?

Yes. CASL applies based on where the recipient accesses the message, not the sender's location. A US SDR emailing a Canadian prospect must meet every requirement - consent, identification, and unsubscribe mechanism. Being headquartered outside Canada isn't a defense; the CRTC has cross-border enforcement cooperation agreements in place.

Does CASL apply to social media DMs?

Direct messages sent to electronic addresses - including messaging platforms - qualify as CEMs under CASL. The CRTC's FAQ specifically notes that social messaging systems can fall under CASL's scope. Public posts on social feeds generally don't, but one-to-one promotional messages do.

Can I buy an email list and send to it legally under CASL?

No. You can't prove consent for contacts you didn't collect yourself, and the burden of proof falls on the sender. Purchased lists are never compliant. Build your own list and verify it before sending - that's the only path that holds up under scrutiny.

What's the cheapest way to stay compliant with clean data?

Prospeo's free tier includes 75 email verifications per month - enough for small teams to validate their Canadian contact lists before sending. For larger volumes, credits cost roughly $0.01 per email with 98% accuracy and spam-trap removal built in. Compare that to a $10M maximum penalty and the math is obvious.
