Canada's Anti-Spam Legislation (CASL) is one of the strictest commercial email laws in the world. It came into force in 2014 and governs any commercial electronic message (CEM) sent to or from a Canadian electronic address.
The most important thing to understand: CASL is not a blanket ban on cold email. There are real, usable exemptions for B2B outreach — but only if you structure your emails correctly.
CASL prohibits sending a commercial electronic message (CEM) to an electronic address unless:
All three conditions must be met. A technically perfect unsubscribe link doesn't save you if you never had consent.
CASL applies when the sender or recipient is in Canada. If you're a Canadian business sending to Canadian recipients — full CASL. If you're outside Canada sending to Canadians — CASL still applies to you.
The recipient explicitly agreed to receive commercial email from you — through a checkbox on a form, an in-person sign-up, or a verbal agreement. Express consent is the cleanest position to be in and has no expiry as long as you don't have an unsubscribe.
CASL allows implied consent in several scenarios. For cold email purposes, the two most relevant are:
| Scenario | Duration | What it allows |
|---|---|---|
| Conspicuously published email address | No stated expiry | Person published their email (website, LinkedIn, directory) in a business context without stating they don't want CEMs |
| Existing business relationship | 2 years from last transaction | Person purchased from you, entered a contract, or made an inquiry in the past 2 years |
| Prior business inquiry | 6 months from inquiry | Person asked about your product or service but didn't buy |
This is the primary CASL exemption for cold email prospecting. If a person has conspicuously published their business email address — on their company website, LinkedIn profile, or a business directory — CASL considers this implied consent to receive commercial messages related to their business role, provided they have not stated they do not wish to receive such messages.
Key requirements for this exemption: (1) The email must relate to the recipient's business role or professional capacity. (2) The email address must be visible/public — not obtained by guessing, scraping non-public sources, or buying lists of unknown provenance. (3) You must still identify yourself and include an unsubscribe mechanism.
CASL does not apply to messages sent to a general role address (info@, support@) when no specific individual's consent is involved — this is treated as business-to-business communication. However, in practice, role addresses have terrible deliverability and response rates, so this exemption has limited practical value.
Messages between people with a "personal relationship" (friends, family) or who have had direct, voluntary, two-way communication are exempt. Not useful for cold outreach, but worth knowing if you're emailing people you've actually met.
Whether you're relying on express or implied consent, every CEM you send must include:
The 60-day rule: Your contact information must remain valid and accessible for at least 60 days after the message is sent. Don't use temporary email addresses or expiring landing pages as your contact method.
CASL's unsubscribe requirements are strict:
In practice: use an unsubscribe link in your email footer pointing to a page that immediately removes them from your list, or include plain-text instructions like "Reply with 'unsubscribe' to be removed." Most cold email platforms (Smartlead, Instantly) handle unsubscribe mechanics automatically — verify your setup.
CASL has significant penalties that make it worth taking seriously:
| Violation type | Maximum penalty per violation |
|---|---|
| Individuals | $1,000,000 |
| Organizations | $10,000,000 |
The CRTC (the enforcement body) can also seek disgorgement of profits — meaning revenue earned from non-compliant campaigns can be clawed back.
In practice, enforcement has focused on large-scale spammers, marketing companies sending millions of unsolicted messages, and companies that deliberately ignored unsubscribe requests. Small B2B businesses doing legitimate outreach with proper identification and unsubscribe mechanisms have not been the target of CRTC enforcement actions.
That said: "They haven't gone after small senders yet" is not a compliance strategy. The exemptions and requirements described in this guide are straightforward to implement and should be your baseline for any Canadian outreach.
A compliant cold email to a Canadian business contact, relying on the conspicuous publication exemption, should:
CASL implied consent under the conspicuous publication exemption requires the address to be genuinely public. Using scraped lists, purchased databases of unknown origin, or email permutation tools (guessing name@company.com) is legally risky — you cannot reliably verify the address was publicly published, which means you cannot reliably claim the exemption.
Safer approaches for Canadian outreach: LinkedIn Sales Navigator (emails voluntarily shared on profiles), verified database tools that confirm public availability, or leads that have engaged with your content.
Yes, with conditions. CASL allows cold email to business contacts when you have implied consent (e.g., the recipient's email is publicly listed in a business context) or when another exemption applies. You must identify yourself, provide an unsubscribe mechanism, and honor unsubscribe requests within 10 business days.
If a person's email address is conspicuously published — on their website, LinkedIn, or a business directory — and the message relates to their business role, CASL allows you to email them without prior express consent. This is the primary exemption used for legitimate B2B cold outreach.
CASL requires contact information including a mailing address or equivalent. In practice, including your business address in the email signature or footer satisfies this requirement. PO boxes are acceptable.
CASL penalties can reach $1 million per violation for individuals and $10 million per violation for businesses. Enforcement has historically focused on large-scale spammers, but the penalties are real and worth avoiding through proper compliance practices.
Yes. CASL applies when the sender or recipient is in Canada. A US business sending commercial emails to Canadian email addresses must comply with CASL.
Written by
Scott Holmes
AI systems consultant based in Barrie, Ontario. Founder of Pinnacle Tech Projects. Has built CASL-compliant outbound systems for Canadian B2B businesses across multiple industries.
Answer four quick questions and get a tool recommendation for your setup.