CASL Compliance Guide for Canadian E-Commerce Brands: What You Must Know Before Sending
Canada’s Anti-Spam Legislation (CASL) is one of the most stringent anti-spam laws in the world. Since coming into force on July 1, 2014, CASL has fundamentally changed how Canadian businesses can market by email — and the consequences of non-compliance are severe.
Fines for CASL violations can reach $1 million CAD per violation for individuals and $10 million CAD per violation for organisations. The Canadian Radio-television and Telecommunications Commission (CRTC) actively investigates and enforces CASL, and has issued multi-million-dollar penalties against Canadian businesses.
This guide covers everything Canadian e-commerce brands need to know about CASL compliance: what it covers, the consent requirements, the implied consent timelines, unsubscribe rules, record-keeping obligations, and the practical steps to ensure your email programme is fully compliant.
Note: This guide provides general information about CASL requirements. It is not legal advice. For legal guidance specific to your situation, consult a qualified Canadian lawyer.
What CASL Covers
CASL applies to Commercial Electronic Messages (CEMs) — any electronic message (email, text/SMS, certain social media messages) sent to an electronic address if the message has as one of its purposes to:
- Encourage participation in a commercial activity
- Encourage the purchase, lease, or rental of a product, service, or person
- Promote a business, person, or organisation
For e-commerce brands, virtually every marketing email is a CEM. Welcome series, abandoned cart emails, promotional campaigns, product launch emails, win-back flows — all of these are CEMs subject to CASL.
Transactional exceptions: Pure transactional messages — order confirmations, shipping notifications, password resets, account change notifications — are generally not CEMs if they contain no promotional content. Adding a product recommendation, discount code, or marketing message to a transactional email can convert it to a CEM.
Geographic scope: CASL applies if the message is sent to a Canadian electronic address, or if the sender is a Canadian person or organisation. For most Canadian e-commerce brands, essentially all email marketing is subject to CASL.
The Three Requirements for Every CEM
Every Commercial Electronic Message you send must meet three conditions:
1. Consent
You must have consent from the recipient before sending. Consent comes in two forms:
Express consent: The recipient has actively opted in to receive commercial messages from you. This requires:
- A clear, positive action from the person (ticking an unticked checkbox, completing a sign-up form)
- Clear disclosure of what they’re consenting to (who will be sending, what kind of messages)
Express consent does not expire under CASL (though it can be withdrawn at any time).
Implied consent: In specific circumstances, CASL allows you to send without express consent. The main implied consent scenarios for e-commerce are:
- Existing business relationship: A customer who has purchased, leased, or contracted with you within the last 3 years has an existing business relationship, giving you implied consent
- Prospective business relationship: A person who has made an inquiry to your business or submitted an application within the last 2 years has a prospective business relationship, giving you implied consent
- Conspicuously published address: If a person has conspicuously published their email address (e.g., on a public website) without indicating they don’t want to receive CEMs, you can contact them regarding business related to their role/function — but this is narrow and rarely applicable for standard e-commerce marketing
2. Identification
Every CEM must clearly identify:
- The sender — your business name as it would be legally identifiable
- The person or organisation on whose behalf the message is being sent (if different from the sender)
- Contact information that remains valid for 60 days after the message is sent — including a physical mailing address, and a phone number, email address, or web address
3. Unsubscribe Mechanism
Every CEM must include an unsubscribe mechanism that:
- Is clearly and prominently set out
- Allows the person to unsubscribe using the same electronic means used to send the message (if reasonably practicable) or by visiting a single web page
- Is effective for 60 days after the message is sent
Unsubscribe requests must be processed within 10 business days.
In practice, Klaviyo, ActiveCampaign, Campaign Monitor, HubSpot, and Mailchimp all include automatic unsubscribe links and process unsubscribes in real time — satisfying this requirement automatically.
Implied Consent Deep Dive
Implied consent is the area of CASL that causes the most confusion for Canadian e-commerce brands. Here’s a detailed breakdown:
Existing Business Relationship (3-year window)
An existing business relationship exists when a person has:
- Purchased or leased a product from you in the past 3 years
- Accepted a service from you in the past 3 years
- Entered into a written contract with you that was in force in the past 3 years
- Received an award, membership, or recognition from you in the past 3 years, and the person has not unsubscribed
The clock resets: If a customer purchases again within the 3-year window, the 3-year clock resets from the date of the most recent purchase. A customer who buys every year will always be within the implied consent window.
The expiry: If a customer hasn’t purchased in more than 3 years and hasn’t given express consent, implied consent has expired. You must not send them CEMs unless you obtain express consent.
Prospective Business Relationship (2-year window)
A prospective business relationship exists when a person has:
- Made an inquiry or application regarding a product or service in the past 2 years
- This could include asking a question about a product, requesting a quote, or signing up for a waitlist
Note: Simply visiting your website or viewing a product does not create a prospective business relationship.
Common CASL Compliance Mistakes by Canadian E-Commerce Brands
Mistake 1: Assuming all checkout subscribers have express consent
Adding an email address to your list at checkout only constitutes express consent if the customer actively ticked an unticked checkbox with clear consent language. Pre-ticked checkboxes, or bundling email consent with terms of service acceptance, do not constitute express consent.
If your checkout doesn’t have a separate, opt-in email marketing checkbox with clear language — you likely have implied consent (from the purchase), not express consent.
Mistake 2: Forgetting the 3-year implied consent clock
Many brands treat all past customers as if their consent lasts indefinitely. Under CASL, implied consent from an existing business relationship expires 3 years after the most recent qualifying transaction. Customers who haven’t purchased in 3+ years need to give express consent before you can send them CEMs.
Mistake 3: No consent records
CASL compliance requires you to prove consent if challenged. “We’ve always done it this way” or “they came through our checkout” are not sufficient. You need documented records of how and when consent was obtained for every subscriber.
Mistake 4: Importing lists without verifying consent
Importing a list from a CRM, a previous business, a physical event, or a third-party source without verifying that the contacts have CASL-compliant consent is a significant violation risk. Before importing any list, assess the consent status of every contact.
Mistake 5: Treating transactional emails as immune from CASL
Pure transactional emails are exempt from CASL’s consent requirements — but adding marketing content (product recommendations, promotional codes, upsells) to transactional emails can convert them to CEMs, requiring consent.
Mistake 6: Not processing unsubscribes correctly
Unsubscribe requests must be processed within 10 business days. Continuing to send to a contact after they’ve unsubscribed is a direct CASL violation. Your ESP should be handling this automatically — but confirm that your unsubscribe flow is functioning correctly.
Building a CASL-Compliant Email Programme
Step 1: Audit your existing list
Review your entire subscriber list and categorise every contact by consent type:
- Express consent: Date, source, and method documented
- Implied consent (existing business relationship): Most recent purchase date within 3 years
- Implied consent (prospective): Date of inquiry within 2 years
- Unknown/unclear: Treat as non-consented; do not send CEMs
Step 2: Fix your consent capture
At every subscriber touchpoint:
- Checkout: Separate, unticked checkbox with clear language: “I consent to receive marketing emails from [Brand Name]”
- Website pop-ups: Clear opt-in with explicit consent language
- Physical events: Signed consent forms or digital consent capture with explicit language
- Third-party referrals: Only accept contacts with documented express consent
Step 3: Set up consent record-keeping
Your ESP should capture:
- Date and time of consent
- Source of consent (checkout, pop-up, form, event)
- Method of consent (express via checkbox, implied via purchase)
Klaviyo, ActiveCampaign, Campaign Monitor, HubSpot, and Mailchimp all support custom properties to store consent data. Ensure your signup forms and integrations are passing this data through.
Step 4: Implement implied consent expiry management
Set up automation to:
- Flag customers approaching the 3-year implied consent expiry (e.g., no purchase in 2.5 years with no express consent on file)
- Send a consent capture campaign to lapsing implied-consent contacts before expiry
- Automatically suppress contacts when implied consent expires without renewal
Step 5: Confirm all emails meet the identification and unsubscribe requirements
Check every email template includes:
- Your business name as it would be legally identifiable
- A physical mailing address
- A functional unsubscribe link
CASL and Your ESP
Klaviyo: Klaviyo provides custom profile properties for storing consent data. You can use source tracking and custom integrations to capture consent timestamps from your checkout and forms.
ActiveCampaign: ActiveCampaign supports custom contact fields for consent data and has built-in unsubscribe management.
Campaign Monitor: Campaign Monitor supports custom subscriber data and automatic unsubscribe handling.
HubSpot: HubSpot has built-in GDPR and consent management tools that can be adapted for CASL compliance.
Mailchimp: Mailchimp supports custom merge fields for consent tracking and provides GDPR-aligned consent management that is similarly applicable to CASL requirements.
CASL Enforcement: What You Need to Know
The CRTC enforces CASL through:
- Investigations triggered by consumer complaints
- Proactive investigation of high-volume senders
- Cooperation with international anti-spam enforcement bodies
Notable CASL enforcement actions:
- A major Canadian enterprise was fined $1.1 million CAD for using pre-ticked checkboxes and sending without consent
- A marketing agency was fined for sending on behalf of clients without verified consent
- Individuals have been personally fined alongside their organisations
CASL also provides a private right of action — allowing individuals to sue organisations for CASL violations. This private right of action was suspended pending review but may be reinstated.
How Excelohunt Implements CASL Compliance
At Excelohunt, we build CASL compliance into every email programme we manage. This includes:
- Consent architecture audit at programme onboarding
- Checkout and form compliance review
- Consent record-keeping setup in your ESP
- Implied consent expiry management automation
- Email template compliance checks (identification, unsubscribe)
- Ongoing list management to maintain compliance as your subscriber base evolves
We work across Klaviyo, ActiveCampaign, Campaign Monitor, HubSpot, and Mailchimp — and we implement CASL-compliant processes on every platform.
Get Your Programme CASL-Compliant Today
Our free email audit includes a CASL compliance review — we’ll assess your consent architecture, record-keeping, and email templates and give you a clear action plan.
Book your free email marketing audit and ensure your Canadian email programme is built on solid compliance foundations.