CLOUD SERVER FOR EMAIL

CASL Email Compliance Guide

Canada's Anti-Spam Legislation for Email Infrastructure Operators

CASL (Canada's Anti-Spam Legislation) is one of the world's strictest anti-spam laws. Unlike CAN-SPAM's opt-out model, CASL requires express or implied consent before sending Commercial Electronic Messages (CEMs) to Canadian electronic addresses. The consequences of non-compliance are severe: administrative monetary penalties (AMPs) of up to CAD$1 million per violation for individuals and CAD$10 million per violation for organizations.

This guide provides infrastructure-level compliance information. CASL compliance requires legal counsel familiar with Canadian telecommunications law. This is not a substitute for qualified legal advice.

What Is a Commercial Electronic Message (CEM)?

CASL covers 'commercial electronic messages' — messages sent to electronic addresses (email, SMS, social media accounts) that encourage participation in a commercial activity. The definition is broad: promotional newsletters, sales emails, and commercial announcements are clearly CEMs. Order confirmations with an upsell component may qualify as CEMs for the upsell portion.

CASL applies when the computer systems used to send or receive the CEM are located in Canada. In practice, this means CASL applies when your recipient is in Canada, even if you're sending from outside Canada. For international senders, the key question is: do you have Canadian recipients? If yes, CASL applies to those recipients regardless of where your infrastructure is located.

CASL Consent: Express vs Implied

Express Consent

Express consent is explicit, specific, and documented. The consent request must: clearly describe the type of messages the recipient will receive, identify the organization seeking consent, state what the recipient is consenting to, and be voluntary (not pre-checked or bundled with terms agreement). Consent must be documented — you must be able to prove you obtained it if challenged.

Express consent obtained for one purpose does not automatically extend to other purposes. If a recipient consents to a newsletter, that consent doesn't automatically extend to promotional offers unless the consent form included promotional messages in its description.

Implied Consent (Limited Exceptions)

Implied consent applies in specific, time-limited circumstances:

  • Existing business relationship: A recipient has purchased, leased, or engaged in a business relationship with you within the past 2 years. This includes someone who has asked about your products or services within the past 6 months.
  • Published electronic address: The recipient has prominently published their email address without a no-commercial-email statement, AND the message is relevant to their business role.
  • Given their address directly: The recipient gave you their email address directly (in person, on a business card), without clearly indicating no commercial messages.

Implied consent is time-limited. If 2 years pass since the last business transaction without the recipient providing express consent, implied consent expires and you cannot continue sending without new express consent.

CASL Consent Documentation Requirements

CASL's consent documentation requirement is one of the most operationally demanding aspects of the law. For every Canadian recipient on your list, you must be able to demonstrate:

Documentation Requirement | What to Record
Consent type | Express or implied (and which implied category applies)
Consent date | Exact timestamp of when consent was obtained
Consent source | How consent was obtained (web form URL, email campaign, in-person)
Consent scope | What types of messages the recipient consented to receive
For implied: relationship basis | Date of last transaction, nature of relationship, why implied consent applies
Opt-out date (if applicable) | Date when recipient unsubscribed and how (click, email, phone)

MailWizz can be configured to capture subscription timestamp, IP address, and source URL at opt-in. Cloud Server for Email configures CASL-compliant consent capture for managed infrastructure clients on request. The subscriber database becomes the legal compliance record — its accuracy and completeness are legally significant.

CASL Unsubscribe Requirements

CASL's unsubscribe mechanism requirements are stricter than CAN-SPAM: the unsubscribe mechanism must function for at least 60 days after the message is sent, and the request must be processed within 10 business days of receipt. The mechanism must be readily accessible and usable without charge.

MailWizz's unsubscribe processing is immediate for list-based unsubscribes. The global suppression list prevents re-sending to unsubscribed addresses across all campaigns. PowerMTA's RFC 8058 List-Unsubscribe-Post header provides one-click unsubscribe from email client interfaces. Cloud Server for Email configures both for all managed infrastructure clients.

CASL Enforcement and Penalties

CASL is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), Competition Bureau, and Office of the Privacy Commissioner. Unlike CAN-SPAM, CASL includes a private right of action (effective July 1, 2017, though initially delayed) allowing individuals to sue for violations.

Violation | Maximum AMP
Sending a CEM without consent | CAD$10M (organization), CAD$1M (individual)
Failure to have functioning unsubscribe | CAD$10M (organization), CAD$1M (individual)
Installing computer programs without consent | CAD$10M (organization), CAD$1M (individual)

The CRTC has issued AMPs ranging from CAD$15,000 to CAD$1.1 million in enforcement actions to date. Notable enforcement includes actions against email marketers, software companies, and affiliate networks. The CRTC has demonstrated willingness to investigate cross-border cases where Canadian recipients were targeted.

CASL vs CAN-SPAM: Key Differences

Dimension | CASL (Canada) | CAN-SPAM (USA)
Consent model | Opt-in required (express or specific implied) | Opt-out (can send without consent)
Documentation | Must prove consent | No consent to document
Implied consent duration | 2 years (business) / 6 months (inquiry) | No time limit concept
Unsubscribe processing | 10 business days | 10 business days
Private right of action | Yes | No (ISPs only)
Maximum penalty | CAD$10M per violation | $53,088 per email
B2B prospecting | Restricted — implied consent rules apply | Permitted (CAN-SPAM applies)

Infrastructure for CASL Compliance

Subscriber Segmentation by Consent Type and Date

The most critical infrastructure requirement for CASL is the ability to segment subscribers by consent type and consent date. MailWizz supports custom subscriber fields — configure fields for: consent_type (express/implied), consent_date (timestamp), consent_source (URL/method), relationship_expiry (for implied consent). Automated campaigns can be configured to stop sending to subscribers whose implied consent has expired (2 years past last transaction).
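
The segmentation rule described above, sketched as an added example (not MailWizz code and not part of the original guide). It uses the field names consent_type, consent_date, consent_source and relationship_expiry from this section; opt_out_date, the "transaction"/"inquiry" basis labels and treating the expiry instant itself as expired are assumptions made here.

```python
import calendar
from datetime import datetime, timezone

# Windows stated in this guide: 2 years after a transaction, 6 months after an inquiry.
IMPLIED_WINDOW_MONTHS = {"transaction": 24, "inquiry": 6}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def add_months(dt, months):
    """Shift dt by whole months, clamping the day (Aug 31 + 6 months -> Feb 28/29)."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + months, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)

def relationship_expiry(basis, event_date):
    """Value to store in relationship_expiry; an unknown basis raises KeyError."""
    return add_months(event_date, IMPLIED_WINDOW_MONTHS[basis])

def send_decision(sub, now):
    """Return (allowed, reason) for one subscriber record. Fails closed."""
    if sub.get("opt_out_date"):
        return False, "unsubscribed"
    if not sub.get("consent_date") or not sub.get("consent_source"):
        return False, "consent not documented"
    if sub.get("consent_type") == "express":
        return True, "express consent"
    if sub.get("consent_type") == "implied":
        expiry = sub.get("relationship_expiry")
        if expiry is None or now >= expiry:  # the expiry instant itself counts as expired
            return False, "implied consent expired or undated"
        return True, "implied consent in window"
    return False, "unknown consent type"

def segment(subscribers, now):
    return {s["email"]: send_decision(s, now) for s in subscribers}

# Constructed sample records (not real data); opt_out_date and the basis labels are assumed names.
SRC = "https://example.com/signup"
SUBSCRIBERS = [
    {"email": "a@example.ca", "consent_type": "express", "consent_date": utc(2021, 3, 1), "consent_source": SRC},
    {"email": "b@example.ca", "consent_type": "implied", "consent_date": utc(2022, 5, 10), "consent_source": "purchase",
     "relationship_expiry": relationship_expiry("transaction", utc(2022, 5, 10))},
    {"email": "c@example.ca", "consent_type": "implied", "consent_date": utc(2024, 2, 15), "consent_source": "inquiry form",
     "relationship_expiry": relationship_expiry("inquiry", utc(2024, 2, 15))},
    {"email": "d@example.ca", "consent_type": "express", "consent_date": utc(2023, 1, 5), "consent_source": ""},
    {"email": "e@example.ca", "consent_type": "express", "consent_date": utc(2023, 1, 5), "consent_source": SRC,
     "opt_out_date": utc(2024, 4, 2)},
]
```

Calling `segment(SUBSCRIBERS, utc(2024, 6, 1))` suppresses b (window ended 2024-05-10), d (no recorded source) and e (opted out), and keeps a and c.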

Consent Capture Integration

MailWizz's subscription forms can be configured to capture CASL-required consent documentation: the form records the subscription timestamp, the subscriber's IP address, the form URL, and the specific consent language displayed. This data is stored in subscriber custom fields and is exportable for legal compliance documentation.

CASL-Compliant Infrastructure

Cloud Server for Email can configure MailWizz subscriber fields, consent capture forms, and suppression workflows to meet CASL's documentation requirements. Contact infrastructure@cloudserverforemail.com to discuss CASL compliance configuration for your infrastructure environment.

Cloud Server for Email operates managed PowerMTA + MailWizz infrastructure from EU servers.
Dedicated IPs, daily monitoring, GDPR compliance by design.