9 CASL Compliance requirements for Canadian Businesses

Since CASL (Canada’s Anti-Spam Legislation) went into effect on July 1, 2014, maintaining email communication and marketing success has been more difficult for Canadian businesses.

What if I tell you that you can be compliant and still run effective email campaigns?

Before we get into details, let us introduce ourselves. We’re Envoke, a CASL compliant, Canadian broadcast email service founded in 2007. We work with associations, the public sector, post-secondary institutions, SMBs, healthcare and many other sectors where compliance is of utmost importance.

Here’s how Envoke’s rich CASL functionality compares to Mailchimp and other competitors:

CASL compliant email software feature comparison

“Envoke opened up a way to mass and target communicate with our members that we hadn’t been able to do before, except in a very manual way. And the fact that it was a Canadian company, and all CASL compliant sold it for us. The folks at Envoke have been great to work with, and very responsive to inquiries.”

Kelly Clemmer / Marketing Manager
Encompass Credit Union

It doesn’t have to be hard to comply with CASL but you do have to understand a few key CASL requirements and apply them.

To relieve you of stress, we’ve put together this CASL guide to keep your business compliant and achieve positive results.

How does CASL affect your business?

Anti-spam regulations such as GDPR and CAN-SPAM focus more on providing an opt-out for email recipients. CASL, by contrast, focuses more on ensuring that your recipient opted in in the first place.

To put it simply, unless you have the recipients’ consent or permission, you can’t send any email to contacts to engage them in a commercial activity.

If you’re running your business in Canada or have contacts in your database that are based in Canada, you must comply with CASL regulations.

If you don’t, you risk being fined for non-compliance. The fine is up to $1 million for individuals or up to $10 million for businesses.

CASL legislation is taken very seriously in Canada, and it’s not something that you can sleep on. For instance, Kellogg Canada Inc. was fined $60,000 for sending emails without consent.

Before sending any email campaign, review your contacts’ consent statuses and make sure you send emails only to contacts who already provided their consent.

According to CASL regulations, the consent you obtain must be tracked and recorded. This means you must be able to prove how you obtained each contact’s consent.

Tracking this manually in a CRM system or Excel is very time consuming and prone to errors.

You need software that automates the gathering of consent and tracks how it changes over time for every contact on your list.

Envoke is a Canadian email marketing company that automates your CASL compliance requirements so you can focus on communications instead of compliance.

This doesn’t mean you have to prove consent before every email you send, but the proof of consent should be recorded in case you’re required to provide it.

The Compliance and Enforcement Information Bulletin states that the criteria for tracking and recording consent are:

  • Consent must be oral or written.
  • Provide the date on which consent was obtained.
  • State the purpose it was obtained for.
  • State how the consent was obtained.

CASL affects your business; that’s a fact. But if you understand your CASL requirements and treat them carefully, you can send successful email campaigns that are compliant.

9 CASL Compliance Requirements You Need to Know

Whether you’re an SMB or a large enterprise, you must learn the CASL compliance requirements so you can introduce them to your company and team.

Understanding the general requirements for sending commercial electronic messages protects you from potential CASL fines and penalties.

Here are 9 CASL compliance requirements that you need to know.

1. Assign someone to be in charge of CASL compliance

The person will be in charge of CASL compliance for the organization.

Here are the primary responsibilities that your compliance manager should handle:

  • Write compliance policies.
  • Be aware of CASL requirements and updates.
  • Ensure the application of CASL policies in the company.
  • Oversee and review the team’s communication activities.

Assigning someone to be responsible for CASL compliance reduces the risk of being non-compliant.

You don’t have to hire someone specifically for this responsibility. You can assign an existing employee to handle it. 

Plus, CASL compliant email software makes it easier for you to stay compliant.

2. Audit your email list

Your first step toward CASL compliance starts with auditing your email list.

Perform an audit on your database to identify any non-compliance risk related to managing your contacts, contacts’ consent, records, etc.

Segment your contact list based on these CASL consent examples:

  • Express consent
  • Implied consent
  • Expired consent
  • Consent not provided

You don’t want to keep contacts with expired or not-provided consent in your email list. These contacts present a risk for you.

Identify and label contacts with an invalid consent status in your email list to exclude them from receiving any commercial electronic messages (CEMs).

3. Record consent

Once you audit your email list and segment contacts based on their consent status, the next thing is to verify the consent record.

As part of your CASL compliance requirements, you must be able, when asked, to provide the authorities with the list of contacts you sent emails to.

You must provide the proof of consent of your email recipients, including the consent date for each contact and a list of all emails you sent to each one.

You must also keep a record of unsubscribe requests.

4. Write compliance policies

To reduce the risk of being non-compliant, you should create compliance policies and procedures to ensure everyone in your organization is aware of and following the CASL regulations.

The compliance policies should be written and accessible to all employees, particularly those in charge of communications.

Making your employees sign the compliance policies is not enough. You must ensure they’re applied.

5. Train your communication team

Even though CASL went into effect in 2014, it’s still new for some organizations and employees.

When you introduce your written compliance policies to your staff, consider allocating a few sessions to deliver training about CASL compliance and its importance.

This will help your communication team stay up to date with CASL compliance requirements and their responsibilities under them.

6. Set strict rules for your team

CASL laws are taken seriously. You can’t afford any of your employees sending a non-compliant commercial message.

Set strict rules around your compliance policies, so compliance is always treated with care and caution.

A single mistake, such as sending a promotional message to contacts with invalid consent, can result in thousands of dollars in CASL fines.

Strict rules will keep your team alert and reduce the risk of making mistakes.

7. Create an ongoing consent monitoring process

CASL implied consent is time-limited. If it’s based on an inquiry (a contact fills in a form without giving express consent), it expires in 6 months.

Implied consent based on a transaction (a contact purchases a product without giving express consent) expires in 24 months.

You need an ongoing consent monitoring program to keep an eye on consent expiry dates. It prevents sending emails to contacts with expired consent.

One way to eliminate the risk of sending emails to contacts with invalid consent is to use Canadian CASL compliant email software. It reviews consent before sending campaigns and only sends the email to contacts with valid consent.

Here is an example of Envoke’s consent monitoring dashboard.

CASL contact statuses

8. Update consent statuses

In addition to your consent monitoring process, you must update the consent statuses of your contacts on an ongoing basis.

This step requires removing expired consents from your database and working on turning implied consent into express consent.

Send consent expiry reminder emails to prevent losing contacts. They will help you turn contacts with time-limited implied consent into contacts with express consent that doesn’t expire.

9. Use CASL compliant email software

All the CASL requirements and details make it difficult to manage compliance manually.

Use CASL compliant email software to automate your CASL compliance requirements. It helps you:

  • Collect, track, and record contacts’ consent.
  • Automatically update contacts’ consent statuses.
  • Send consent expiry reminder emails.
  • Send emails only to contacts with valid consent.

All emails sent through your Envoke account are CASL compliant, and the software automates the above CASL requirements.

Also, Envoke takes into consideration mandatory emails that are sent to members of associations or alumni. These emails are exempt and CASL doesn’t apply since they’re not commercial messages.

8 Point CASL Checklist to Follow

Here is a CASL compliance checklist I created that you can follow to avoid sending unsolicited commercial electronic messages (CEMs).

  1. Review whether your forms are CASL compliant.
  2. Determine if you have either express or implied consent to send emails.
  3. Obtain express consent from your existing contacts.
  4. Update the email list by removing contacts with expired consent status.
  5. Document and record contacts’ consent.
  6. Create an ongoing consent monitoring process.
  7. Include this data in your CEM: Name, mailing address, phone number, email address, and website URL.
  8. Ensure that your emails include an unsubscribe option.

Use this checklist to guide you and your team to assess new or existing email campaigns for CASL compliance.

Register for Envoke’s 30-day free trial to learn how to automate your compliance requirements and tasks. It helps you eliminate mistakes and send emails that are compliant with CASL.

15 Frequently Asked Questions about CASL requirements

When the Canadian Anti-Spam Law went into effect on July 1st, 2014, it overwhelmed most organizations and communication managers.

Here we answer 15 frequently asked questions about CASL that concern Canadian email marketing to help you understand the ins and outs of CASL compliance.

1. Do CASL regulations prohibit me from sending marketing messages?

CASL regulations do not prohibit you from sending messages. They simply set the requirements that you have to comply with before sending any electronic messages.

You need to obtain consent, provide identification data, and provide an opt-out option.

2. When does CASL apply?

CASL applies to all CEMs that are sent to the electronic addresses of people who reside in Canada. This includes emails, SMS, or other messaging to electronic devices.

In some cases like public sector email marketing, you’re not sending commercial emails. In this case, CASL doesn’t apply because you’re not sending CEMs.

3. Does CASL apply to text messages?

Yes, SMS marketing is considered a commercial electronic message.

4. What is a CEM under CASL?

According to the Canadian Chamber of Commerce, CASL defines CEM as a message that encourages participation in a commercial activity. This includes ads, promotional messages, offers, business opportunities, events, etc.

5. Does CASL apply to CEMs sent to friends and family?

No, CASL doesn’t apply to CEMs sent to individuals with whom the sender has a personal or family relationship.

6. What is CASL consent?

Under CASL laws, individuals and businesses must obtain consent from contacts before sending them any commercial message.

Your contacts must provide consent to receive emails.

You can collect the consent of contacts in two ways, through implied consent or express consent.

7. Does CASL require double opt-in?

No, double opt-in is an email confirmation method to reduce spam email addresses when building your email list. CASL doesn’t require double opt-in.

8. Does CASL apply to social media?

CASL applies only to CEMs that are sent to electronic addresses. The electronic address can be:

  • Email account
  • Instant messaging account (WhatsApp, Messenger, etc.)
  • Telephone account
  • Other similar accounts

How CASL applies to social media depends on what channel you’re using and how. If both criteria are present (you’re sending CEMs, and you’re sending them to electronic addresses), CASL applies.

For example, messages sent to users through social media messaging systems are considered CEMs, and CASL applies. 

9. Does CASL apply to US companies?

CASL laws protect people and devices located in Canada. If the recipient of CEMs is in Canada, then CASL applies regardless of where your company is based.

10. What is the purpose of regulating spam?

CASL’s purpose is to reduce the harmful effects of spam and related threats and help create a safer and more secure online marketplace.

11. Is sending unsolicited emails illegal?

Yes, sending unsolicited emails is considered illegal in Canada. You must receive consent from recipients before sending messages.

Sending unsolicited emails might result in CASL fines.

12. Does CASL apply to phone calls?

CASL does not apply to an interactive two-way voice communication between individuals.

13. When was CASL implemented?

The Canadian Anti-Spam Law (CASL) went into effect on July 1, 2014.

14. Does CASL apply to B2B?

CASL does not apply to messages that are sent between representatives of different organizations that are doing business with each other.

If both parties have an existing relationship and the messages are about their joint activities, then CASL doesn’t apply.

15. Does CASL apply to charities?

Yes, CASL does apply to nonprofit organizations and registered charities, but CEMs sent for raising funds are exempt.

Here are a few examples of CEMs that do not violate CASL when doing email marketing for nonprofits:

  • An email you send on behalf of a charity that promotes an event where the proceeds from ticket sales are designated for the registered charity (e.g., fundraising event)
  • An email newsletter that shares information about an upcoming campaign without asking recipients to take an action. This means the newsletter should not include a call-to-action.


Compliance becomes fairly easy to manage when you understand it well and use the right software that helps you manage your CASL compliance requirements.

Your responsibility toward CASL regulation is not something you can postpone for the next week or quarter.

The CASL requirements and checklist shared in this article are enough to put you on the right track.

If you have questions about how to be CASL compliant, please write to us. We’ll be glad to help.
