If you email people in Canada, you need to take consent seriously. Canada’s Anti-Spam Legislation (CASL) is stricter than a lot of business owners realize, and it applies even if your business is based outside Canada.
The simple version: if you want to send marketing emails, you need permission, and you need to be able to prove you got it.
Why you should care: “I didn’t know” won’t save you
CASL isn’t one of those laws you ignore until someone complains and you get a gentle slap on the wrist. Getting this wrong can result in penalties large enough to bankrupt a small business. The maximum penalties can be up to $1 million per violation for individuals and $10 million per violation for businesses.
Is every small business going to get hit with a $10 million fine? No. But the point is the same. The risk is real, and the penalties are not proportional to “I didn’t know.” Ignorance doesn’t make you compliant, and it doesn’t protect you if someone decides to make an example out of your business.
This is why consent, record keeping, and a clean unsubscribe process matter. They’re not just best practices. They’re your seatbelt.
Two types of permission
CASL gives you two common types of consent: express and implied.
Express consent is the best option
This is when someone clearly says “yes, you can email me marketing messages.”
Common Examples:
- Someone signs up for your newsletter and clicks “Subscribe.”
- Someone checks a box that says “Send me updates and offers.”
- Someone verbally tells you to add them to your list.
- Someone fills out a paper form at a trade show and expressly agrees to be added to the mailing list.
Express consent does not expire unless they unsubscribe or tell you to stop. Consent can be withdrawn any time. If someone unsubscribes, you stop.
If consent is verbal, you need a record
Verbal express consent can count, but only if you can prove it later. The simplest approach is to log it like you’d log a sale: date, time, how it was given (phone or in-person), what they agreed to receive, and who collected it. If you can’t track it, don’t rely on it.
Paper signup sheets still need explicit opt-in
Trade shows and wedding shows are a common place to collect emails, but the form has to be clear. “Can we contact you?” does not mean “add me to your mailing list.” If you want to put someone on a newsletter, the sheet needs a clear statement like “Yes, I want to receive email updates and promotions from [Business Name]” and ideally a checkbox they intentionally opt in with. Only add the people who explicitly agreed.
Implied consent is temporary permission
Implied consent is more like “you can email them for now because there’s a real relationship.” It has an expiry date, and you need to track it.
Common examples:
- They bought something from you. Implied consent can apply for up to two years after the date of purchase.
- They asked for a quote or made an inquiry. Implied consent can apply for up to six months after the date of the inquiry.
Once that two-year or six-month window passes, you no longer have permission to keep marketing to them. At that point, the only way to keep emailing them promotional content is to get express consent.
A practical way to think about it:
- Express consent is “yes, keep me in the loop.”
- Implied consent is “you can email me because we’ve recently done business, but only for a limited time.”
Your emails need the boring stuff
Every marketing email must include:
- Who you are
- How to contact you
- Your mailing address
- A working unsubscribe option
That mailing address requirement is not optional, even if you work from home and don’t love the idea of your home address living in 5,000 inboxes.
The good news is that CASL does not require your home address specifically. It requires a valid mailing address, and that can be a street address, a PO Box, a rural route address, or a general delivery address. For a lot of home-based businesses, a PO Box is the simplest way to meet the requirement while protecting your privacy.
When someone unsubscribes, you must process that request within 10 business days. After that, you cannot keep sending them marketing emails.
This is non-negotiable. If your email platform can’t handle unsubscribes properly or include the required contact info, you’re using the wrong platform.
Pre-checked boxes are not allowed
If your newsletter checkbox is already checked by default, that’s not consent. People have to intentionally opt in.
Do you always need a checkbox?
Not always, but you always need clarity.
- If the form is only for newsletter signup, entering an email and clicking a clearly labelled “Subscribe” button can count as an intentional opt-in, as long as it’s obvious what they’re signing up for and you can prove it.
- If the email field is part of a bigger form (contact form, quote request, checkout, booking request), use a separate unchecked checkbox for marketing emails. Otherwise people think they’re just contacting you and you quietly treat it like a subscription. That’s how you get complaints.
Abandoned cart emails are not a free pass
An abandoned cart is not a purchase. That means it is not an “existing customer relationship,” and it does not automatically give you permission to send marketing emails under CASL.
A cart reminder is almost always trying to get someone to complete a purchase. That’s marketing. Marketing requires consent.
Here’s the part that trips people up: someone typing their email into a checkout form does not mean they agreed to be emailed later. They might have been checking shipping costs. They might have been comparing totals. They might have gotten distracted. None of that equals “yes, please follow up.”
If you want to use abandoned cart emails in a way that’s actually defensible, you need express opt-in. The simplest way is an unchecked checkbox at checkout with clear wording, something like:
“Email me cart reminders and order updates.”
If you also want to send newsletters and promotions, that should be a separate unchecked checkbox. Two different permissions. No surprises.
One more note, because this is where it gets slimy: if your checkout hides shipping or totals until someone enters personal information, and then you use that info for marketing without clear opt-in, you’re not “being strategic.” You’re gambling with compliance. A tool making it easy doesn’t make it legal, and it definitely doesn’t make it smart.
The safest approach is simple: don’t send cart emails to Canadians unless the customer explicitly asked for them, and never add abandoned carts to your mailing list without express opt-in.
Existing customers still have limits
If someone is an existing customer, implied consent may apply for a limited period, but it expires. Track it and do not assume it lasts forever.
The smartest long-term move is to ask for express consent while you still have implied consent. That way you’re not relying on a countdown timer you forgot to set.
We take this seriously (even if you ask us not to)
We’re happy to help clients set up newsletter signups, contact forms, and mailing list integrations. We’ll even help you do it in a way that makes sense for your business.
But we’re not going to intentionally break CASL to do it.
If a client asks us to sneak people onto a mailing list without proper consent, we won’t. Not because we’re trying to be difficult, but because integrity matters, and we’d rather have an awkward conversation now than watch you deal with a complaint, a blacklisted domain, or penalties that can ruin a small business.
We also see this as part of our job. A lot of business owners aren’t trying to be slimy. They just don’t know the rules, or they’re following advice from someone who also doesn’t know the rules. Our role is to build things correctly, educate you, and protect you from avoidable headaches.
What happens when people click “I didn’t sign up for this”
Most email platforms include an unsubscribe survey, and one common option is “I didn’t sign up for this.” If you see that occasionally, it might be a simple misunderstanding.
If you see it a lot, you have a consent problem.
And even if nobody reports you to the government, your email provider may take action long before that happens. Large email platforms care deeply about deliverability and reputation. If your list looks like it was built without proper permission, you can run into:
- Campaigns being paused
- Accounts being reviewed by a compliance team
- Requirements to turn on double opt-in
- Requests for proof of consent
- Account suspension or termination
This is one of the reasons “sneaky opt-in” tactics are so dumb. They don’t just create legal risk. They can also get you kicked off the tools you rely on to email your customers.
What about emails that deliver a product, like courses?
This is where it gets a bit nuanced, and I’ll be honest: the best answer depends on the details of what’s being sent.
We had a client selling courses where the content was drip-fed through email sequences. The client didn’t want to ask for consent because, in their mind, it wasn’t marketing. It was just the delivery method.
That instinct makes sense. The implementation is what matters.
A few practical approaches that are usually safer and cleaner:
Option 1: Deliver the course through transactional emails
If the emails are strictly delivering what the customer paid for (receipts, login info, lesson access, course notifications), that’s often best handled as transactional or account-related messaging, not newsletter marketing. Keep it tightly focused on delivery. No promos. No “by the way” sales pitches.
Option 2: Separate course delivery from marketing
If you want the convenience of a mailing tool for course delivery, keep the course emails purely course-related. If you want to send promotions, newsletters, and upsells, that should be a separate list with proper opt-in. Mixing the two is where people get annoyed, and where compliance gets messy.
Option 3: Ask for express consent and be transparent
If the mailing platform is part of how you deliver the product, be clear about that at checkout.
Example checkbox wording:
“Send me course emails required to deliver my purchased content and course updates.”
If you also want marketing emails, make that a separate unchecked checkbox:
“Send me newsletters and promotions.”
Two choices. Both unchecked by default. No surprises.
If a situation like this is mission-critical and high-stakes, it can also be worth getting legal advice to confirm the cleanest approach for that specific workflow. The goal is to deliver the product properly without accidentally turning fulfillment into marketing.
Quick checklist
Use this checklist to do a quick sanity check and make sure your email setup isn’t accidentally breaking CASL.
- Every subscriber intentionally opted in (no pre-checked boxes).
- You can prove when and how each person gave consent (date, source, and method).
- Newsletter signup is clear about what they’re subscribing to.
- Contact/quote/checkout forms do not automatically add people to marketing lists without an unchecked opt-in checkbox.
- You’re not adding abandoned cart emails to newsletters unless the person explicitly opted in.
- If you rely on implied consent, you track when it starts and when it expires.
- You have a plan to convert implied consent into express consent before it expires.
- Every marketing email includes your business name and a physical mailing address.
- Every marketing email includes a working unsubscribe link.
- Unsubscribe requests are processed promptly (within the 10 business day window).
If your email strategy depends on hiding the opt-in, pre-checking boxes, or quietly adding people because “they typed their email somewhere,” it’s not clever, it’s predatory.
This isn’t just about being nice. It’s about staying compliant, protecting your domain reputation, and avoiding the very predictable outcome where people hit “I didn’t sign up for this” or “Report spam.” Once that starts happening, email providers can throttle your sends, suspend campaigns, or shut down your account. The internet has zero sympathy for “but the plugin let me.”
Ask for consent clearly. Keep proof. Make unsubscribing easy. You’ll get a smaller list, but it will be a list that actually wants to hear from you, and that’s the only kind worth having.
This stuff isn’t exciting, but it matters. If you’re unsure whether your forms, checkout, or email platform are collecting consent properly, it’s worth auditing now before you have a bigger mess later.
