Canada's Anti-Spam Legislation has been law for over a decade, but the compliance landscape kept evolving. A handful of high-visibility CASL enforcement actions in recent years have made it clear that the CRTC is willing to apply the legislation aggressively, and the implied-consent grace periods that early-CASL marketers relied on are largely gone. Most of the email programs CIMA members audit have at least one CASL gap — and most are fixable.

The four pillars haven't changed, but enforcement has

CASL still rests on four core requirements: consent, identification, unsubscribe, and proof. Express or implied consent before sending any commercial electronic message. Clear sender identification in every message. A working unsubscribe mechanism that processes opt-outs within 10 business days. And — most often missed — durable, dated proof of consent that you can produce on demand. The CRTC's investigations in recent years have leaned heavily on the proof-of-consent piece, and "we have a list" doesn't satisfy.

Implied consent windows are narrower than you remember

Implied consent from existing business relationships expires 2 years after the last transaction or inquiry. That clock is real, and CRTC investigators check it. Programs that import old CRM data into a new email tool inherit the original consent dates — including the expiries. "We've been emailing them for years without complaints" is not the standard.

The unsubscribe mechanism is a frequent failure point

Unsubscribe must be working, free, and processed within 10 business days. Common failure patterns: unsubscribe links that go to a multi-step preference center (legal but high-friction), unsubscribe pages that require login (likely non-compliant), unsubscribe handling that's manual and slips past the 10-day window during staff transitions. The CRTC has issued penalties specifically for slow or broken unsubscribe handling, and the test isn't whether you intended to comply — it's whether the recipient was unsubscribed in time.

Infographic of the CASL compliance checklist: consent, identification, unsubscribe, proof of consent, two-year implied window, $10M penalty risk

Penalties reach $10 million per violation

Administrative monetary penalties under CASL can reach $1 million per violation for individuals and $10 million per violation for organizations. The CRTC has issued multi-million-dollar penalties to Canadian businesses that thought of themselves as basically compliant. The most expensive mistake an agency can make is assuring a client they're CASL-compliant when proof-of-consent records are weak — that's both a regulatory and a CIMA Honest Representation issue. If you can't produce dated consent records on demand for the recipient list, the program is exposed regardless of how many years it's been running quietly.

Keep reading

Browse the full blog index, jump to our resources, or look up terms in the glossary.