Canada's Anti-Spam Legislation requires explicit consent for commercial electronic messages, accurate sender information, and functional unsubscribe mechanisms. This checklist walks through the audit steps, consent verification, documentation practices, and ongoing compliance measures businesses need to avoid CASL penalties.
CASL regulates commercial electronic messages sent to or from Canadian addresses, covering email, SMS, and certain social media direct messages. The legislation rests on three mandatory elements: obtaining consent before sending, providing accurate sender identification in every message, and offering a functioning unsubscribe mechanism. Consent can be express, where the recipient explicitly agrees to receive messages, or implied through existing business relationships, inquiries, or memberships. Express consent does not expire unless withdrawn; implied consent has statutory time limits. Sender identification must include your legal business name, a mailing address, and at least one contact method such as a phone number or email address. The unsubscribe mechanism must process opt-outs within ten business days and cannot require the recipient to log in, pay a fee, or provide information beyond an email address or similar identifier. Violating any of these three pillars exposes organizations to administrative monetary penalties, which the CRTC can impose without proving intent or actual harm.
Start by segmenting your contact database by consent type and acquisition date. For each record, verify you have documentation showing when consent was obtained, the specific language or form used, and whether consent was express or implied. Express consent typically comes from newsletter sign-up forms, account registrations with marketing checkboxes, or written agreements. Implied consent arises from purchases or transactions within the past two years, inquiries within six months, or membership in clubs or associations. Export a sample of records from each acquisition source and confirm the timestamp, IP address or form version, and opt-in language are logged. If you migrated email platforms or CRMs, check that historical consent data transferred correctly. Review any third-party lead sources or co-marketing partnerships to ensure consent was obtained under CASL rules and that you have written agreements specifying each party's compliance responsibilities. If consent records for a segment are missing or incomplete, you must either obtain fresh express consent from those contacts or stop sending commercial messages to them.
Pull a recent export of all commercial email templates, transactional message templates if they contain promotional content, and any SMS or social media message flows. Check that each template includes your complete legal business name as registered, a current mailing address, and a working contact method. The mailing address can be a post office box or registered office, but it must be accurate and in Canada if you are a Canadian entity. Confirm unsubscribe links appear prominently, typically in the footer, and test that they function without requiring login credentials. Templates should avoid burying the unsubscribe option in small print or using confusing language like "preference center" when a one-click opt-out is required. Review subject lines and preview text to ensure they accurately represent the message content and do not mislead the recipient about the sender's identity. If you send on behalf of clients or partners, verify that their legal name and contact information appear, not just your agency's details, and that you have written authorization to send on their behalf under CASL.
CASL requires you to honour opt-out requests within ten business days. Test your unsubscribe workflow by subscribing test addresses to different message streams, then opting out and tracking how long it takes for those addresses to stop receiving messages. Check that opt-outs apply to all commercial messages from your organization, not just the specific campaign the recipient unsubscribed from, unless you offer a legitimate preference center where recipients can choose specific message types. Review your suppression list management to confirm opt-out records persist across database cleanups, platform migrations, and CRM syncs. If you use separate systems for email, SMS, and other channels, verify that an unsubscribe in one channel propagates to all channels within the ten-day window. Document your internal process for manual unsubscribe requests received via email or phone, ensuring customer service teams know to log these requests immediately and update suppression lists without delay. Test that suppression lists are checked before every send and that no automation or bulk upload can override an existing opt-out status.
Implied consent from purchases or transactions expires twenty-four months after the transaction, while inquiries create a six-month window. Build a system to flag records approaching these expiry dates and decide whether to request express consent before the window closes or remove those contacts from commercial messaging lists. If you operate a subscription business, active subscriptions maintain implied consent, but lapsed subscribers fall under the twenty-four-month rule from their last payment. Membership organizations can rely on ongoing membership as implied consent, but if a member's dues lapse, the two-year clock starts. Calculate expiry dates from the last relevant activity, not the initial contact creation date. For records acquired before CASL took effect in July 2014, transitional implied consent periods applied, but those have long since expired, meaning all pre-CASL contacts now require express consent or a recent qualifying relationship. Segment your database to identify contacts relying solely on aged implied consent and prioritize re-engagement campaigns that request express opt-in or accept that those contacts must be suppressed.
If you send commercial messages on behalf of clients, partners, or affiliates, CASL holds both the sender and the party whose product or service is promoted accountable. Draft written agreements specifying who obtained consent, who is responsible for maintaining suppression lists, and who will handle unsubscribe requests. Agreements should clarify that consent was obtained in compliance with CASL and that the consenting party will indemnify you if consent records prove deficient. If you acquire contact lists from third parties, conduct due diligence by requesting proof of consent provenance, including timestamps, form language, and opt-in methods. Purchased or rented lists almost never meet CASL standards because consent is not transferable, meaning you cannot rely on consent given to another organization unless that organization is sending on your behalf under a clear referral or partnership disclosed at the time of opt-in. Review affiliate marketing programs to ensure affiliates are not sending commercial messages promoting your products without proper consent or misrepresenting their relationship to your brand. Maintain copies of all agreements, consent records, and correspondence as evidence of your compliance efforts.
Schedule quarterly compliance reviews covering consent documentation, unsubscribe processing times, sender identification accuracy, and third-party sender audits. Assign a compliance owner responsible for staying current with CRTC enforcement updates, guideline clarifications, and case law developments. Implement automated checks such as pre-send consent verification, suppression list cross-referencing, and template validation to catch missing identification or broken unsubscribe links before messages deploy. Train marketing, sales, and customer service teams on CASL requirements, emphasizing that even individual one-to-one emails can qualify as commercial electronic messages if they promote a product, service, or business opportunity. Document all training sessions, policy updates, and incident responses. If you discover a compliance gap such as missing consent records for a segment, stop sending to that segment immediately, document the issue, and decide whether to seek fresh consent or permanently suppress those records. Maintaining detailed compliance logs and evidence of good-faith efforts to comply significantly reduces penalty risk if a complaint arises or the CRTC initiates an investigation.
CASL applies to commercial electronic messages sent to any electronic address, including business email addresses. However, messages sent to a role-based address like info@ or sales@ at a business may qualify for an exemption if they relate to the recipient's business role. Individual employee addresses at companies are still protected, and you must have consent or a qualifying relationship. The safest approach is to treat all commercial messages as subject to CASL unless you have a clear exemption.
CASL does not specify a minimum retention period, but the CRTC recommends keeping consent records for as long as you continue to send commercial messages to a contact, plus a reasonable period afterward. Many organizations retain consent documentation for three to seven years to cover potential complaint investigations or enforcement actions. At a minimum, document the date, method, and language used to obtain consent, and ensure these records are accessible if questioned by the CRTC or a recipient.
Yes, a single message confirming consent or asking the recipient to verify their subscription is generally permitted under CASL's framework, often called a double opt-in process. This message should clearly state its purpose, avoid promotional content, and include sender identification and an unsubscribe option. Once the recipient confirms, you have express consent. If they do not confirm, you cannot send further commercial messages unless you have another basis for consent.
A new purchase or inquiry can create fresh implied consent, resetting the consent clock. However, best practice is to honour the original unsubscribe preference and only resume commercial messaging if the recipient affirmatively opts in during the new transaction or inquiry process. If your checkout or contact form includes an optional marketing consent checkbox, the recipient can choose to receive messages again. Do not interpret a transaction alone as revoking a prior opt-out unless the recipient explicitly consents to marketing messages.
CASL treats email and SMS as commercial electronic messages subject to the same consent, identification, and unsubscribe requirements. However, many organizations obtain separate consent for SMS because recipients may have different preferences for text messages versus email. If you plan to use both channels, ensure the consent language clearly covers both. If a recipient unsubscribes from one channel, best practice is to suppress them from all commercial messaging unless they explicitly consent to continue receiving the other channel.
Messages that facilitate, complete, or confirm a transaction the recipient has already agreed to are generally exempt from CASL, as are messages providing warranty, product recall, safety, or account information. However, if a transactional message includes promotional content or encourages the purchase of additional products, the entire message may be subject to CASL. Keep transactional and promotional messages separate, and ensure transactional messages focus solely on the service or transaction purpose without cross-selling or upselling unless you have valid consent.