CASL is Canada's Anti-Spam Legislation. It requires you to get permission before sending marketing emails, clearly identify yourself, and include an easy way to unsubscribe.
If you run a small business, this matters more than is commonly understood. You might be sending a monthly newsletter from your regular inbox, texting clients about a sale, or emailing a coupon after someone fills out a form. In all of those common situations, CASL may apply.
A lot of guides make this sound harder than it is. We think it helps to treat CASL like a simple rule for respectful digital communication. If a message promotes your business, product, or service, you need to slow down and check whether you have consent, whether the message identifies you properly, and whether the person can opt out without a hassle.
That sounds legalistic, but the day-to-day version is practical. Before you hit send, ask yourself three questions. Did this person say yes, or do I have a valid reason to rely on implied consent? Will they know exactly who sent this? Can they stop future messages easily?
What does CASL stand for?
CASL stands for Canada's Anti-Spam Legislation. The law came into force on July 1, 2014, and is enforced primarily by the Canadian Radio-television and Telecommunications Commission (CRTC), with support from the Competition Bureau and the Office of the Privacy Commissioner of Canada. The full legislative title is much longer, but virtually everyone — regulators included — refers to it as CASL.
What Is CASL and Why It Matters for Your Business
You send a quick promo from your regular Gmail account to past customers. Maybe it is a spring discount, a reminder about an event, or a follow-up after someone downloaded a guide from your site. It feels like normal small business communication. Under CASL, it may count as a commercial electronic message, and that means rules apply before you hit send.
For a business owner, the plain-English version is simple. If you send an electronic message that encourages someone to buy, book, donate, register, or otherwise engage in a business activity, CASL may apply.
That broad scope is what surprises people. CASL is not limited to newsletters sent through a marketing platform. It can reach messages sent by email, text, and some direct messages through social or private messaging tools. In daily business terms, the law follows the message, not the software you used to send it.
The simple meaning of CASL
CASL works a lot like a permission-first rule for digital promotion. Before sending a commercial message to someone in Canada, you need a valid basis to contact them. Usually that means express consent or a form of implied consent recognized by the law.
For a small business, this matters because casual habits can create risk. A message from Outlook can trigger the same CASL questions as a campaign from Mailchimp. A text about a new service can raise the same issue as a promotional email. The tool does not make a message compliant. Your process does.
A good way to understand CASL is to treat it like a receipt check at the door. Before a promotional message goes out, you should be able to show where the permission came from, who the sender is, and how the recipient can stop future messages.
Practical rule: If a message helps promote your business in any way, pause and treat it like a commercial message unless you are sure it falls outside the rule.
Why the law matters in real business life
CASL matters because it changes how routine outreach should be handled. Many owners are not running a polished email program with built-in consent tracking. They are replying from a personal inbox, sending one-off promotions to old contacts, or exporting a list into a basic provider. That is exactly where mistakes happen.
The law also pushes businesses toward clearer, more respectful communication. You need to know who agreed to hear from you, keep better records, and make opting out easy. That is good compliance practice, but it is also good customer experience. People respond better when they know why they are hearing from you and how to leave the list if they want.
CASL often gets mixed up with privacy law because both show up in the same customer journey. They are related, but they do different jobs. CASL focuses on sending commercial electronic messages. Privacy law focuses on how you collect, use, and protect personal information. If you want that side explained in plain language, read our guide to PIPEDA compliance for your business.
One more practical point. Your email provider can make compliance easier or harder. Some tools help you capture consent, store proof, and manage unsubscribes. A regular inbox usually does not. That does not change whether CASL applies, but it does change how easy it is to follow the rules consistently.
Who Must Comply with Canada's Anti-Spam Law
You send a quick promo from your regular Gmail account to a few past customers in Toronto. It feels informal, almost like a personal note. CASL can still apply.
That catches many small business owners off guard, because the law is tied less to your company size or software stack and more to what you sent, why you sent it, and whether the message reaches someone in Canada.
It applies to commercial messages across everyday tools
CASL focuses on commercial electronic messages. That includes plenty of day-to-day communication sent through ordinary tools, such as Gmail, Outlook, a CRM, a Shopify email feature, a newsletter platform, or even text messaging in some cases.
For a small business, that means compliance is not only a "marketing department" issue. If you or your staff send offers, promotions, booking reminders with upsells, or sales follow-ups from a normal inbox, CASL may be part of that workflow too.
Your email provider does not decide whether the law applies. Your message does. The provider mainly affects how easy it is to keep records, manage unsubscribes, and stay organized.
What usually causes confusion
The hard part is figuring out whether a message counts as commercial.
A message sent from a personal or business inbox can still fall under CASL if one of its purposes is to encourage participation in a commercial activity. In plain language, if the note is helping sell, promote, or market something, treat it carefully.
A simple way to look at it is this. Purely factual or operational messages are often lower risk. Messages that include a discount, promotion, sales pitch, or subtle offer need closer attention.
Here are a few common examples:
Likely a CEM: You email past event attendees with a discount code for your next workshop.
Possibly not a CEM: You send a vendor your updated office address and payment contact.
Needs careful review: You reply to an inquiry with the requested information, then add a promotional offer in the footer.
The more practical question is not "Are we a big enough business for CASL to matter?" It is "Does this message promote something, and can we show why we were allowed to send it?"
Who needs to pay attention
Businesses in Canada need to pay attention, of course. So do organizations outside Canada that send qualifying messages to people in Canada.
A sole proprietor, local shop, consultant, charity, association, franchise location, or online seller can all run into CASL issues if they send commercial messages into Canada. The law also does not disappear just because a message was sent one by one instead of through a bulk email platform.
This is why the day-to-day setup matters. A simple provider may let you send a message fast, but it may not help you store proof of consent or process unsubscribe requests consistently. A dedicated email platform often makes those tasks easier. The legal duty still sits with the sender.
The sender has to prove it
One point business owners often miss is documentation.
If there is ever a complaint, you may need to show why you believed the message was allowed. That can mean keeping signup records, notes about an existing business relationship, screenshots of forms, or clear logs from your email provider. If your process lives partly in someone's inbox and partly in memory, proving compliance gets much harder.
One final clarification. CASL does not apply just because a message passes through Canadian servers. The issue is whether you are sending a qualifying commercial electronic message to an electronic address in Canada.
The Three Core Requirements of CASL
A lot of CASL confusion disappears once you sort every message through three simple checks. Did the person agree to hear from you? Can they tell who sent it? Can they stop future messages without hassle?
For a small business owner, that matters more than the legal wording. Whether you send from Gmail, Outlook, or an email platform, CASL usually comes down to those three jobs: get permission, identify yourself clearly, and give people an easy exit. If one piece is missing, the message is harder to defend and more likely to trigger complaints.
Consent comes first
Consent works like the front door key. If you do not have it, you should not be walking in.
Express consent is the cleanest option. Someone signs up for your newsletter, checks a box, fills out a form, or asks you in writing to send updates. This is the kind of permission that is easiest to track later, especially if your email provider stores the date, form, and source.
Implied consent is more limited and easier to misuse. It may exist because of a current customer relationship or another specific situation allowed under CASL. It does not mean every public email address is fair game for promotions.
That last point trips up plenty of small businesses. A contractor finds a company email on a website and sends a sales pitch. A consultant copies addresses from LinkedIn and calls it outreach. A shop emails past buyers long after the relationship has gone stale. Those are exactly the grey areas where weak recordkeeping and casual sending habits create problems.
Identification must be obvious
Your message should answer a basic question within seconds: Who is this from?
That means using your business name clearly and including contact information people can use. If you are sending on behalf of another business, that should be clear too. The recipient should not have to inspect the domain, scroll through a messy footer, or guess from a first name in the signature.
This is one area where your sending setup affects compliance in real life. A proper email platform often helps you standardize headers, footers, and sender details across every campaign. A regular inbox can still work, but only if you are disciplined enough to include the same identifying information every time.
Unsubscribe must be easy to use
An unsubscribe option needs to be clear, visible, and functional.
If someone wants out, they should be able to do it without logging into an account, hunting through a help page, or replying to three different addresses. The easier you make this, the fewer complaints you invite. It also keeps your list cleaner, which is good for deliverability as well as compliance.
This is another place where your email provider can help or hurt. Dedicated email tools usually add unsubscribe links and suppression handling automatically. If you send promotions one by one from a regular email account, you need your own reliable process to record opt-outs and stop future sends. Forgetting that step is where small operational mistakes turn into legal ones.
The Steep Penalties for CASL Non-Compliance
Some business owners treat the Canada anti-spam law like a nice-to-have checklist. That's risky thinking. CASL has serious financial consequences attached to it.
Under the law, administrative monetary penalties can reach up to CAD $1 million per violation for individuals and CAD $10 million per violation for corporations. The CRTC's enforcement bulletin covering April–September 2025 shows the regulator using those powers actively: 153 Notices to Produce, 123 Warning Letters, and a CAD $50,000 administrative monetary penalty in a single case involving unauthorized email-forwarding rules. In the same six-month period, the Spam Reporting Centre logged more than 152,000 complaints — roughly 5,800 a week.
Why small businesses shouldn't shrug this off
You don't need to be a national retailer to create risk. A local clinic, contractor, online shop, consultant, or nonprofit-adjacent business can still run into trouble if it sends commercial messages without proper consent or ignores unsubscribe requests.
The larger point isn't that every mistake leads to the maximum penalty. It's that regulators take the rules seriously enough to enforce them, and the law gives them strong tools when businesses ignore the basics.
Compliance is operational, not theoretical
CASL exposure usually comes from ordinary habits. A shared spreadsheet with old contacts. A website form that adds people to a promo list automatically. A newsletter template missing business details. An unsubscribe inbox nobody monitors.
Compliance isn't just a legal policy sitting in a folder. It's the daily process behind every list, form, template, and send button.
That's why the boring pieces matter. Consent capture, sender identification, and unsubscribe handling aren't administrative trivia. They're the controls that lower your risk.
Your Practical CASL Compliance Checklist
A typical problem looks like this. You send a promo email from your regular business inbox, then realize you're not fully sure who gave consent, whether the footer is complete, or where unsubscribe requests go. That is how small compliance gaps show up in day-to-day work, not in some big legal review.
A practical checklist helps because CASL compliance lives in your forms, templates, contact lists, and sending habits. If you use a simple email provider or a shared inbox, parts of this may be manual. If you use an email platform, some of it may be built in. Either way, the business is still responsible for getting the process right.
Five checks before you send
Confirm where each contact came from: For every list you plan to use, know how people were added. Website form, checkout, event signup, referral, sales conversation. If you cannot explain the source clearly, pause before sending.
Keep proof in one place: Store the signup date, method, and any form details you may need later. A spreadsheet can work for a small business if it is kept up to date and easy to search.
Check your sender details in the template: Your business name and contact information should already be there. Do not leave this to memory or last-minute copy and paste.
Test the opt-out process yourself: Click the unsubscribe link or follow the opt-out steps as if you were a recipient. It should work without confusion or extra hurdles.
Review tools and people who send on your behalf: Agencies, virtual assistants, ecommerce apps, CRMs, and booking systems can all trigger commercial messages. If their setup is sloppy, your records will be sloppy too.
Bad form submissions can also make your consent records unreliable. If your list gets cluttered with fake addresses or bot signups, this guide to stopping email sign-up spam for good can help you clean up the front door before those contacts ever reach your mailing list.
CASL compliant vs non-compliant email examples
| Feature | Non-Compliant Message (The Wrong Way) | Compliant Message (The Right Way) |
|---|---|---|
| Sender identity | “Hi, we've got a spring offer for you. Reply if interested.” | “Hi, this is North Shore Bikes. We're emailing about our spring tune-up promotion.” |
| Contact information | No business address or clear contact method | Business name plus clear contact information in the message |
| Consent trail | List imported from old contacts with no documented source | Contacts added through a clear signup process with stored records |
| Unsubscribe | “Reply STOP if you want fewer emails” but no process behind it | Visible unsubscribe link or clear opt-out mechanism that works |
| Follow-through | Opt-out requests sit in an inbox for days | Unsubscribe requests are processed within the required timeline |
That table matters because CASL problems often hide in ordinary shortcuts. A copied list from an old laptop. A footer that disappears when someone sends from Outlook instead of the newsletter tool. An unsubscribe request that lands in a general inbox nobody checks until Friday.
A simple workflow keeps this manageable. Start at the signup point. Make sure the form language is clear, the consent record is saved, and the email template already includes your business details and opt-out option. Then run one test from beginning to end with your own address. Sign up, receive the message, unsubscribe, and confirm future commercial emails stop.
Good compliance is boring on purpose. Clear signup. Clear sender. Clear way to leave.
How Your Email Provider Affects CASL Compliance
Your email provider doesn't make you compliant by magic. But it can make good habits easier, or make them annoyingly manual.
Generic inboxes create more manual work
A regular Gmail or Outlook inbox can be fine for one-to-one communication. It gets awkward when you start sending promotional messages at scale. You often end up tracking consent in spreadsheets, handling unsubscribes by hand, and relying on staff not to forget template details.
That isn't just inefficient. It creates uneven records. If someone asks when they consented, you may need to search forms, CRM notes, exported lists, and inbox threads just to piece together an answer.
There's also the practical issue of sending limits on some mainstream services. During a launch or seasonal campaign, those limits can interrupt normal operations and push teams into messy workarounds.
Purpose-built services help structure the process
Email marketing platforms usually help with list segmentation, unsubscribe handling, and template consistency. That's useful because CASL compliance often breaks down in the gaps between tools, not in the law itself.
For businesses that also care about privacy and data residency, provider choice carries another layer of importance. A Canadian-hosted provider can support a cleaner compliance posture around where business communications live and which legal framework governs that data. We cover that in more detail in our guide to email hosting in Canada for privacy and security.
Typewire is one example of a provider built around private email hosting in Canada, with custom domains on paid plans and unlimited sending on paid plans. That doesn't replace your legal responsibility under CASL, but it can remove some of the practical friction that comes from trying to manage business communications through a generic inbox.
What to look for in a provider
Consent support: Can you store or pair subscriber records with your signup flow?
Template control: Can you standardise sender details so every campaign includes the right identification?
Unsubscribe handling: Is opting out built into the workflow, or does your team need to process requests manually?
Operational fit: Will the service support your sending volume without pushing you toward shortcuts?
The best setup is the one that makes the compliant path the easy path.
Frequently Asked Questions About CASL
You send a quick note from your regular business inbox to someone whose email is listed on their company website. Or you add a coupon to a receipt because it feels harmless. These are the kinds of everyday moments where CASL gets fuzzy for small business owners.
The good news is that a few simple rules clear up a lot of the confusion.
Can you email someone if their address is posted on their website
Sometimes. The key question is why that address is public and whether your message matches that person's job.
If a business email address is publicly posted and your message relates to the recipient's role, you may have a limited basis to contact them. A message to the purchasing manager about a product they buy is very different from adding that address to a general newsletter or sending broad promotions.
A good way to look at it is this. A public email address is more like an open front door for relevant business contact, not permission to fill the hallway with flyers.
If the message feels like outreach tied to their work, you may be on firmer ground. If it looks like mass marketing, pause and get clear consent first.
What about receipts, invoices, or shipping notices
Transactional emails are usually treated differently from promotional ones. A receipt, invoice, password reset, or shipping update is part of delivering the service the customer already asked for.
Trouble starts when businesses mix purposes in the same message. A plain order confirmation is usually straightforward. An order confirmation that also pushes unrelated products, a discount code, or a newsletter signup starts to look like a commercial message.
The practical fix is simple. Keep operational emails clean.
Send receipts and shipping notices for the transaction only. Send promotions separately through the system you use to track consent and unsubscribes. That is easier to manage whether you send through a basic email provider or a dedicated marketing tool.
Does CASL apply to texts and social messages too
Yes. CASL is not only about email.
If you send a commercial message by text, direct message, or a similar electronic channel, the same basic compliance questions still matter. Did the person consent? Can they tell who sent it? Can they stop getting future messages?
This catches small businesses off guard because texting often feels casual. But a promotional SMS campaign from your phone or a direct offer sent through social media can create the same compliance problem as an email blast.
A useful rule of thumb is to focus on the purpose of the message, not the app you used to send it.
If you're reviewing your email setup while tightening up CASL practices, take a look at Typewire. We provide private email hosting in Canada with custom domains on paid plans and infrastructure we operate ourselves, which can help small businesses keep business email organised while staying focused on clear, consent-based communication.
Last updated: 2026-05-28