CASL Compliance for Canadian Cold Email 2026: Complete Guide
If you send cold email to Canadian recipients, one fact reshapes everything: Canada's Anti-Spam Legislation (CASL) is the strictest anti-spam law in the world,
If you send cold email to Canadian recipients, one fact reshapes everything: Canada’s Anti-Spam Legislation (CASL) is the strictest anti-spam law in the world, with penalties reaching $10 million CAD per violation for businesses. Unlike the U.S. CAN-SPAM Act — which only asks for an unsubscribe link and honest headers — CASL runs on an opt-in model, puts the burden of proof on you, and expires implied consent on a hard clock. This is the full 2026 playbook: which messages CASL covers, how express and implied consent actually work, how to track the 2-year EBR window, the enforcement record, and the compliant strategies that still let you run cold outreach at scale. And because the sending side is now driveable by AI agents, we’ll show you the execution layer that keeps every send inside CASL’s guardrails — and inside your provider’s safety limits.
Why CASL is the world’s strictest anti-spam law
CASL came into force on July 1, 2014, to protect Canadians from spam, phishing, identity theft, and other online threats. Since then, the Canadian Radio-television and Telecommunications Commission (CRTC) has issued penalties totaling well over $2.7 million CAD to organizations of every size — from small businesses to household-name corporations. In 2019, Compu-Finder was fined $1.1 million CAD. In 2020, Rogers Communications was fined $200,000 CAD. These aren’t theoretical risks; they’re live enforcement actions.
What makes CASL uniquely tough is the combination of four things at once: an opt-in consent standard, harsh maximum penalties, strict record-keeping obligations, and a reversal of the burden of proof. Under CAN-SPAM, a recipient has to prove you broke the rules; under CASL, you have to prove you had consent. Layer on the 2-year time limit for implied consent from business relationships and you get a compliance surface that doesn’t exist in any other jurisdiction.
The good news is that CASL compliance is entirely achievable. It doesn’t ban cold outreach — it demands that you do it properly. This guide covers exactly how: message scope and exemptions, the two consent types, the EBR clock, required message elements, the enforcement landscape, and practical strategies to keep campaigns compliant while they scale. Whether you’re a Canadian business, a U.S. company selling into Canada, or an international team with Canadian customers, the rules below apply the moment your message is accessed in Canada.
CASL vs. CAN-SPAM vs. GDPR at a glance
Cold-email teams almost always operate across borders, so it helps to see how the three big regimes differ before diving into CASL’s specifics.
| Dimension | CASL (Canada) | CAN-SPAM (U.S.) | GDPR (E.U.) |
|---|---|---|---|
| Consent model | Opt-in (express or implied) required before sending | Opt-out — send first, honor unsubscribes | Opt-in for marketing; lawful basis required |
| Scope | All commercial electronic messages accessed in Canada | Commercial email sent from the U.S. | All processing of E.U. residents’ personal data |
| Burden of proof | Sender must prove consent | Recipient must prove non-compliance | Controller must demonstrate lawful basis |
| Max penalty | $10M CAD (business) / $1M CAD (individual) per violation | ~$51,744 USD per email | €20M or 4% of global revenue |
| Consent expiry | Implied consent expires (2 yr EBR / 6 mo ENR) | No expiry concept | Consent can be withdrawn anytime |
Why CASL is considered the strictest: it stacks opt-in consent on top of some of the highest penalties in the world, adds strict record-keeping, and flips the burden of proof onto the sender. The hard expiration dates on implied consent create compliance complexity you won’t find in CAN-SPAM or GDPR.
What is CASL, and who enforces it?
CASL is federal legislation enforced by three regulatory bodies, each owning a slice of the law:
- CRTC (Canadian Radio-television and Telecommunications Commission) — enforces the provisions covering commercial electronic messages (the part cold emailers care about most).
- Competition Bureau — enforces provisions on false or misleading representations.
- Office of the Privacy Commissioner of Canada — enforces provisions on unauthorized collection of personal information and unauthorized access to computer systems.
Before CASL, Canada had no comprehensive anti-spam framework, and Canadian inboxes absorbed billions of spam messages a year. The law aimed to protect Canadians from unwanted messages, safeguard privacy, keep electronic commerce trustworthy, and level the playing field for legitimate businesses that couldn’t compete with spammers.
Does CASL apply to your cold email campaigns?
Before you worry about the mechanics, determine whether CASL even applies. It has specific jurisdictional triggers and message-type requirements.
CASL applies if the message is sent from or accessed in Canada
The two triggers are simple:
- The message is sent from a computer system located in Canada, or
- The message is accessed from a computer system located in Canada.
This is why CASL has extraterritorial reach. A U.S. company emailing Canadian prospects is covered. A UK firm with Canadian customers on its list is covered. The law protects Canadian recipients regardless of where the sender sits.
What counts as a “Commercial Electronic Message” (CEM)?
CASL regulates CEMs — messages sent to an electronic address that:
- Encourage participation in a commercial activity, directly or indirectly
- Include offers, advertisements, promotions, or solicitations
- Provide information about products, services, or business opportunities
Covered message types include:
- Email (the most common by far)
- SMS / text messages
- Social-media direct messages (LinkedIn InMail, X DMs, Facebook Messenger)
- Instant-messaging platforms
Important nuance: a message doesn’t have to sell something explicitly to be “commercial.” Even a free-webinar invite or a “quick call to learn more” is likely a CEM if there’s commercial intent behind it.
What’s EXEMPT from CASL?
Several message categories do not require consent:
- Family or personal relationship messages — exempt, but this rarely covers business communication.
- Responses to inquiries or complaints — if someone contacts you first, you can respond to that specific request without separate consent (you can’t piggyback unrelated marketing onto it).
- Enforcing legal rights, warranties, recalls, or safety notices — exempt.
- Messages to business employees, with conditions — a message to an employee’s business address is exempt if it concerns the activities of the organization. This gives B2B cold email more room, with nuances covered below.
- Factual administrative messages — transaction confirmations, account updates, and subscription renewals are exempt, as long as they carry no promotional content.
- Messages between businesses with existing relationships — certain messages may be exempt or covered by implied consent.
The gray area: B2B cold email
The most common CASL question is whether it applies to cold outreach to a business address ([email protected]) versus a personal one ([email protected]). The honest answer: it depends on the nature of the message and the relationship.
CASL exempts messages sent to a business address if the message concerns the activities of the organization — the so-called “B2B exemption.” But it’s narrower than most people assume:
- Likely exempt: “I noticed your company is hiring sales reps. We provide sales training that helps new hires ramp faster.”
- Likely NOT exempt: “Want to boost your personal productivity? Check out our time-management course.”
The CRTC has indicated the exemption applies when the message relates to the recipient’s role within the organization, not their personal interests. Pitches for the business itself generally qualify; personal-development or consumer-focused messages may not.
Best practice: don’t lean on the B2B exemption alone. Even when emailing business addresses, aim to establish implied consent (via an EBR or conspicuous publication) and convert it to express consent as fast as you can.
The two types of consent under CASL
Consent is the heart of CASL. The law recognizes two kinds — express and implied — and documenting both correctly is what keeps you out of enforcement.
Express consent: the gold standard
Express consent means the recipient has explicitly agreed, in writing or orally, to receive CEMs from you. It’s the most robust permission you can hold.
Requirements for valid express consent:
- Clear request — plainly describe why you’re seeking consent and for what kind of messages.
- Separate from other terms — consent can’t be buried in T&Cs or other agreements.
- Identity disclosure — identify yourself (or the organization you’re acting for).
- Contact information — provide a mailing address plus a phone number, email, or web address.
- Deliberate opt-in — the person must take an action to consent (check a box, click “yes,” say yes).
- Unsubscribe notice — state that they can opt out at any time.
Valid express-consent mechanisms:
- A checked opt-in box on a form (“Yes, I want to receive product updates from [Company]”)
- Confirmed double opt-in (user submits email, then clicks a confirmation link)
- Documented verbal consent
- Keyword text-message opt-in after clear consent language
What does NOT qualify:
- Pre-checked boxes (consent must be active, never assumed)
- Consent buried in lengthy T&Cs
- A purchased email list (consent can’t be transferred)
- Inferring consent from a website visit or download
- Adding someone because you met them at a conference
Duration: express consent doesn’t expire unless the recipient unsubscribes. Once obtained, you can email indefinitely (until they opt out).
Record-keeping: keep records of when, how, and from whom you got express consent. The CRTC recommends retaining them for as long as you rely on the consent, plus at least three years after you stop.
Implied consent: temporary permission
Implied consent is inferred from certain actions or relationships. It’s narrower than express consent and comes with expiration dates.
1. Existing Business Relationship (EBR) — 2-year window. The most relevant path for cold email. An EBR exists when, within the past 2 years, the recipient:
- Purchased a product, service, or subscription from you, or
- Accepted a business, investment, or gaming opportunity from you, or
- Entered a written contract with you (still in effect or expired within 2 years) tied to commercial activity.
Timing rules: consent expires 2 years after the transaction date. For ongoing subscriptions or contracts, the clock starts when the contract ends, not when it was signed. You must track expiration per recipient — bulk assumptions won’t survive enforcement.
Example: Sarah bought a $50 course on January 15, 2024. You have implied consent to email her until January 15, 2026. After that, you need express consent or a fresh transaction.
2. Existing Non-business Relationship (ENR) — 6-month window. Implied consent also exists for 6 months after someone:
- Provides you their email address without asking not to be contacted
- Makes an inquiry about your products or services
- Submits an application or volunteers with your organization
Example: Mark fills out a “Request a Demo” form on March 1, 2026. You may email him until September 1, 2026.
3. Conspicuous publication. Implied consent exists if the person has conspicuously published their email address (website, directory, social media), the publication doesn’t prohibit unsolicited CEMs, and your message is relevant to their role or business functions.
Example: a VP of Sales lists their email on LinkedIn with no “no unsolicited email” disclaimer, and you sell sales training. You likely have implied consent to send a relevant pitch. This path applies primarily to the person’s professional role — consumer-focused messages don’t qualify.
Which consent type should you rely on?
- Best: express consent via opt-in forms, lead magnets, webinar signups
- Good: EBRs and ENRs — past customers, demo requests, inquiries
- Permissible for B2B: conspicuous publication for role-relevant outreach
- Purchased or scraped lists
- Pre-checked consent boxes
- "We met at a conference"
- Consent inherited from an acquired company
The safest posture: always work to convert implied consent into express consent quickly, so you have unlimited permission and no expiration clock to manage.
The 2-year EBR window, explained
The 2-year EBR window is one of CASL’s most important — and most misunderstood — provisions. It’s a double-edged sword: a pathway to keep talking to past customers, and a hard expiration date many businesses forget to track.
How the EBR clock works
Scenario 1 — one-time purchase
- Customer purchases on January 1, 2024
- Implied consent starts: January 1, 2024
- Implied consent expires: January 1, 2026
- After that: you need express consent or a new transaction
Scenario 2 — ongoing subscription
- Customer subscribes to a monthly service on January 1, 2024
- Customer cancels on June 1, 2025
- Implied consent expires: June 1, 2027 (2 years after the subscription ended)
Scenario 3 — signed contract
- Customer signs a 1-year agreement on January 1, 2024
- Contract expires December 31, 2024 (not renewed)
- Implied consent expires: December 31, 2026 (2 years after the contract expired)
Common EBR mistakes that lead to violations
- Assuming EBR lasts forever. “Once a customer, always a customer” is not how CASL works. Emailing past the 2-year mark is a direct violation.
- Not tracking expiration dates. If you can’t prove when the EBR started and ended for each recipient, you can’t defend an enforcement action.
- Inheriting old lists. Acquiring another company’s customer list doesn’t transfer their EBRs. The relationship was with the original company, not you — you need fresh consent.
- Confusing transaction date with first-contact date. The clock starts at the transaction (purchase, signature), not when you first met.
What to do when an EBR expires
Once the window closes, you have three options: obtain express consent (run a re-permission campaign before expiry — the most sustainable path), create a new EBR (a fresh purchase or contract restarts the 2-year clock), or stop emailing (remove them from commercial lists if they don’t opt in). To manage this at scale, store the transaction date, transaction type, contract end date, and calculated expiration date for each recipient, and flag EBRs 60–90 days before they lapse so you can run re-permission campaigns in time.
Required message elements: what every CASL email must include
Even with valid consent, every CEM must carry specific elements. Missing any of them can trigger penalties.
1. Sender identification
Every CEM must clearly identify who’s sending it: your name or business name; on whose behalf it’s sent (if an agency sends for a client, identify both); a valid physical mailing address; and at least one contact mechanism (telephone, email, or web address). This information must be easy to find — most compliant emails put it in the footer.
Acme Corporation
123 Main Street, Toronto, ON M5H 2N2
Email: [email protected] | Phone: (416) 555-0123
Website: acmecorp.ca
2. Unsubscribe mechanism
Every CEM must include a clear, prominent unsubscribe mechanism that’s easy to use.
Functional requirements: easy to perform; no login required; no cost to the recipient; available for at least 60 days after sending; works reliably. Processing requirements: act on unsubscribe requests within 10 business days; send no further CEMs after processing (a removal confirmation aside); require nothing beyond the recipient’s email address.
Best practices: use a single-click unsubscribe link; offer both a link and a reply-to-unsubscribe option; label it clearly (“Unsubscribe,” not a “Manage Preferences” trap); and test it regularly.
What NOT to do: hide the link in tiny text; make people log in or answer questions to opt out; offer only a “manage preferences” page without a full opt-out; take longer than 10 business days; or send “one last message” after someone unsubscribes.
3. Honest subject lines
CASL prohibits false or misleading subject lines. The subject must accurately reflect the content, avoid deceptive tactics, and never misrepresent the sender. Prohibited examples: “RE: Your order” (when there’s no order), “Urgent: Account suspended” (false urgency), “You’ve won a prize!” (when it’s a pitch), or using a colleague’s name to imply the message is from them.
Penalties and enforcement: the real cost of non-compliance
CASL isn’t a guidelines document — it’s federal law backed by some of the harshest penalties anywhere.
Maximum penalties: up to $1 million CAD per violation for individuals and $10 million CAD per violation for businesses. Actual fines depend on the nature and scope of the violation, whether it was intentional or negligent, the violator’s compliance history and financial capacity, and any effort to mitigate harm.
Notable CASL enforcement actions
| Organization | Year | Penalty (CAD) | What went wrong |
|---|---|---|---|
| Compu-Finder | 2019 | $1,100,000 | 300,000+ CEMs without consent; faulty unsubscribe mechanisms |
| Rogers Communications | 2020 | $200,000 | Continued messaging customers who had unsubscribed |
| Blackstone Legal Services | 2018 | $100,000 | 100,000+ non-compliant CEMs without valid consent |
| Plentyoffish Media | 2016 | $48,000 | Failed to obtain proper consent before messaging users |
How enforcement works
Enforcement typically moves through four stages: a complaint or investigation (via the CRTC’s Spam Reporting Centre or a proactive probe); a Notice of Violation setting out the violation, evidence, proposed penalty, and deadline; a review or settlement (pay, request a review, or negotiate — often with reduced penalties if you implement compliance measures); and finally an appeal to the Federal Court of Appeal.
Who gets held responsible?
CASL can hold multiple parties liable: the sender; the person or organization on whose behalf the message is sent; directors and officers who directed, authorized, or participated in the violation; and, in rare cases, third-party service providers. You can’t outsource liability — if messages go out on your behalf without proper consent, you’re on the hook, even if an agency pressed send.
Private right of action (currently suspended). CASL originally included a private right of action allowing individuals and businesses to sue violators for statutory damages ($200 per violation, up to $1M per day). It was scheduled for 2017 but has been indefinitely suspended over concerns about frivolous lawsuits. As of 2026, only the CRTC, Competition Bureau, and Privacy Commissioner enforce CASL — but the private right could be reinstated, so maintain compliance regardless.
Practical strategies for CASL-compliant cold email
CASL doesn’t prohibit cold outreach — it requires you to do it right. Here are five strategies that keep you compliant and effective.
Strategy 1 — build express consent through lead magnets
The most sustainable long-term play is a list of people who explicitly opted in. Offer valuable lead magnets (ebooks, templates, toolkits, webinars) in exchange for signup; use clear opt-in language (“Yes, I want to receive [content] from [Company]”); implement double opt-in to strengthen your consent proof; never use pre-checked boxes; and store the consent record (when, how, what they agreed to).
Strategy 2 — leverage conspicuous publication for B2B
For B2B cold email, you can rely on conspicuous-publication implied consent when emailing professional addresses found on websites, LinkedIn, or directories — as long as the message is relevant to the recipient’s role. Requirements: the address is publicly posted without a “no unsolicited email” disclaimer; the message relates to their professional functions; you include sender identification and an unsubscribe mechanism; and you stop the moment they opt out. Research prospects for genuine relevance, personalize to their role and company, keep the first touch brief and value-focused, and aim to convert to express consent quickly.
Strategy 3 — maximize EBRs with past customers
Your past customers are your most valuable audience. Track purchase dates and EBR expirations, send valuable content during the 2-year window to stay top of mind, and 90 days before expiry run a re-permission campaign to convert to express consent (an incentive helps). For prospects who inquired, use the 6-month ENR window to nurture them and ask for explicit opt-in before it lapses.
Strategy 4 — convert implied to express consent fast
Whenever you hold implied consent (EBR, ENR, or conspicuous publication), actively convert it. Include a “subscribe for more insights” CTA in your first outreach, offer valuable content in exchange for opt-in, make it one click, and be transparent about what they’re opting into. Express consent removes the expiration clock entirely.
Strategy 5 — segment and respect preferences
Compliance isn’t just legal checkboxes — it’s respecting preferences, and it doubles as a deliverability asset. Let people choose message types (newsletters, product updates, promotions) and frequency, monitor engagement and reduce sending to disengaged recipients, and never re-add someone who unsubscribed (even if they later buy — ask again).
CASL by email type
Not every commercial email is treated the same. Here’s how CASL maps to the common types.
| Email type | Examples | CASL status | Key rule |
|---|---|---|---|
| Transactional | Order confirmations, shipping, receipts, password resets | Exempt from consent (still must identify sender) | The moment you add “you might also like…” it becomes a CEM |
| Newsletter / content | Weekly digests, educational content | Requires express or implied consent | Even educational content is commercial if it promotes your brand |
| Cold outreach | Sales prospecting, partnership inquiries | Conspicuous publication (B2B) or obtain consent | Keep first touch brief, relevant, and personalized |
| Re-engagement | “We miss you,” win-back | Only if consent hasn’t expired | Don’t assume a 3-year-old purchase still qualifies |
| Referral | “John thought you’d find this interesting…” | The referred person hasn’t consented | Referrer’s consent doesn’t transfer to you |
For referrals specifically, the compliant approach is to use a “forward to a friend” mechanism where the referrer sends directly, keep it a true one-time personal message, or get explicit opt-in from the referred person before adding them to any list.
Tools and systems for maintaining compliance
Compliance at scale needs the right systems. Aim for these capabilities across your stack.
The four capabilities your stack needs
- Consent management — track consent type (express vs. implied) per contact, store the date/source/method, calculate EBR expirations, and flag contacts about to lapse.
- Automated unsubscribe processing — one-click links in every email, instant processing, a suppression list that prevents re-adding, and reply-based detection (“STOP,” “UNSUBSCRIBE”).
- Required footer elements — sender identification, physical address, a contact mechanism, and the unsubscribe link on every send.
- Audit trail and record-keeping — logs of when and how consent was obtained, records of unsubscribe requests and processing dates, and export for audits.
Where WarmySender fits (and where it doesn’t)
WarmySender is a cold-email and multichannel execution layer — it’s where you connect mailboxes, keep them in the inbox, source and verify contacts, and pace sends safely. It doesn’t act as your legal consent-management system of record, and you should keep your consent basis, unsubscribe records, and required footer content managed deliberately (in your CRM or ESP) so you can prove compliance. What WarmySender owns is the deliverability and safety half of the equation that most compliance guides skip:
- Lead database — search 200M+ business leads in-app to build a clean, role-relevant B2B list (the foundation for conspicuous-publication outreach). Records stay masked until you export, so you only pay for the contacts you actually pursue.
- Email verifier — check every address before you send. It returns a clear status — valid, invalid, risky, or unknown — and flags catch-all domains, so bounces don’t wreck your sender reputation.
- Email warmup — automated peer-to-peer warmup with 5 adaptive ramp strategies, running 24/7, unlimited on paid plans, so a consented list still reaches the inbox instead of the spam folder.
- Rotation and per-mailbox caps — send across multiple mailboxes inside safe limits, so you never spike a single mailbox and torch its reputation.
For consent management and CRM
Purpose-built platforms such as HubSpot, Mailchimp, and ActiveCampaign offer consent management, automated opt-out processing, and preference centers suited to larger marketing programs. CRMs like Salesforce and Pipedrive let you store consent dates and types directly alongside contact records. Pair one of these for consent-of-record with an execution layer that protects deliverability, and you’ve covered both halves of CASL.
Your CASL compliance checklist
Run this before, during, and after every commercial campaign.
- Consent verified for every recipient
- Consent hasn't expired (EBR/ENR dates)
- Sender ID + physical address present
- Functional unsubscribe link included
- Honest, accurate subject line
- Addresses verified as deliverable
- Process unsubscribes within 10 business days
- Update consent records for opt-outs
- Flag approaching EBR expirations
- Run re-permission campaigns before expiry
- Store consent records securely (3+ years)
- Train the team; audit quarterly
Let an AI agent drive it — safely
Here’s where 2026 changes the game. WarmySender is built for AI agents: it exposes a public REST API and a Model Context Protocol (MCP) server, so an agent like Claude, ChatGPT, n8n, Make, or OpenClaw can run your outreach natively — as tools it calls directly, not brittle browser automation or raw SMTP.
A properly wired agent can search the lead database for role-relevant Canadian contacts, verify their addresses, create and launch a campaign, enroll prospects, run warmup, and drive LinkedIn — all through the same rate-limited backend the app’s own interface uses. That’s the critical safety property: because the agent talks to that shared, limited layer, it physically cannot bypass your per-mailbox caps, sending window, or LinkedIn safety limits. It automates the busywork; the execution layer still owns pacing, warmup, and account safety. Full setup lives in the documentation.
The compliance responsibilities don’t move, though. An agent can source and send, but you still decide the consent basis for each recipient, keep the unsubscribe and sender-ID elements in place, and honor opt-outs. Automate the plumbing; keep the judgment.
# Your agent enrolls a verified, role-relevant prospect — the execution
# layer decides when and from which mailbox it actually sends, always
# inside your safe per-mailbox limits.
curl -X POST https://warmysender.com/api/v1/prospects \
-H "Authorization: Bearer $WARMYSENDER_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "campaign_id": "cmp_ca_b2b", "email": "[email protected]",
"first_name": "Jordan", "company": "Acme Canada" }'
Deliverability is the other half of compliance
A perfectly consented CEM still fails if it lands in spam. Since Google and Yahoo’s 2024 bulk-sender rules, senders of meaningful volume must pass SPF, DKIM, and DMARC and keep spam complaints under 0.3% — miss these and you’re filtered before your consent basis ever matters. That’s the deeper reason so many cold emails go to spam even when the list is clean and the copy is strong.
A brand-new domain has zero sender reputation, and providers treat an unknown sender that suddenly pushes volume as suspicious by default. Warmup is the fix — a gradual, automated ramp that teaches Gmail, Outlook, and the rest that you’re a real sender before you scale.
WarmySender’s warmup runs this automatically in the background. Here’s the ramp for a new domain:
| Phase | Days | Warmup | New cold sends / mailbox / day |
|---|---|---|---|
| Warm | 1–14 | Automated only | 0 |
| Ease in | 15–21 | Continues | 5–10 |
| Ramp | 22–35 | Continues | 20–30 |
| Steady | 36+ | Continues | 40–50 (per mailbox) |
To send more, add mailboxes and rotate them — never push a single mailbox high. WarmySender rotates across your connected mailboxes and keeps warmup running underneath the whole time, so inbox placement stays high while volume climbs.
Multichannel: LinkedIn under the same discipline
CASL covers LinkedIn InMail and social DMs too, so the same consent and relevance rules apply — keep messages professional, role-relevant, and brief, and respect opt-outs. But LinkedIn is far less forgiving than email on the account-safety side. A burned email domain can be replaced in a day; a banned LinkedIn account is often gone for good — years of connections, recommendations, and history, unrecoverable.
WarmySender’s LinkedIn outreach runs connection invites, messages, InMail, profile views, and post engagement — every action inside conservative per-account safety limits with a gradual ramp for new accounts. Account safety always wins over speed. Read the LinkedIn safety guide before you send a single invite; the non-negotiables are staying inside daily limits, adding human-like delays, ramping new accounts slowly, and never using anything that tries to evade LinkedIn’s detection.
Compliance as a competitive advantage
Many teams see CASL as a burden — more rules, more friction, more legal risk. Flip the frame. CASL forces you to build a better email program. When you can only email people who genuinely consented or have a real relationship with you, you’re pushed toward quality over quantity. You can’t blast millions and hope for 0.5% — you have to target the right people, personalize, and provide value. The payoff is higher engagement, better deliverability, stronger relationships, and better ROI. Teams that treat compliance as an opportunity consistently outperform the ones trying to skirt the rules.
Frequently asked questions
Do I need consent to send one cold email to a Canadian business contact?
If you’re emailing a business address with a message relevant to the recipient’s professional role, you may rely on the conspicuous-publication exemption (implied consent) when their address is publicly posted without a “no unsolicited email” disclaimer. You must still include sender identification and a working unsubscribe mechanism, and if they opt out you can’t email again without new consent. When in doubt, aim to convert that first touch into express consent.
Can I buy an email list and send to Canadian recipients?
No. Consent can’t be transferred or purchased under CASL. Even if someone consented to receive email from Company A, that gives Company B — you — no permission to email them. You must obtain fresh consent from each recipient, or rely on a legitimate implied-consent basis like an EBR or conspicuous publication. Purchased lists also wreck deliverability with high bounce and complaint rates, so it’s a lose-lose.
What if I’m not based in Canada — does CASL still apply?
Yes. CASL has extraterritorial reach: if your message is accessed in Canada by a Canadian recipient, CASL applies regardless of where you’re located. U.S., UK, and international businesses must comply when emailing Canadians. Practically, if any portion of your list includes Canadian addresses, build your consent, sender-ID, and unsubscribe practices to CASL’s standard across the whole program rather than trying to segment by geography.
Can I email someone who gave me their business card at a conference?
Maybe. If they voluntarily handed you the card during a conversation about your products or services, you likely have a 6-month implied-consent (ENR) window to follow up. But don’t add them to your ongoing marketing list without explicit opt-in — use that first email to request express consent for continued communication, and keep the message relevant to what you discussed.
How long do I need to keep consent records?
The CRTC recommends keeping consent records for as long as you rely on that consent, plus at least three years after you stop using it. That means storing when, how, and from whom you obtained consent, plus records of unsubscribe requests and when you processed them. Solid record-keeping is your primary defense if a complaint is filed years later, since under CASL the burden of proof sits with you.
Do I still need email warmup and verification if an AI agent writes my emails?
More than ever. A perfectly consented, agent-written email still lands in spam if the sending domain has no reputation or the address bounces. That’s the division of labor: let the AI agent handle sourcing, research, and writing, while WarmySender handles verification, warmup, sending limits, and reply routing — so the agent can’t over-send and burn the domain your outreach depends on. Compliance covers the legal basis; warmup and verification cover whether the message actually reaches the inbox.
Put it together
CASL is the world’s strictest anti-spam law for a reason: it protects recipients and holds senders accountable, with penalties up to $10 million CAD that are actively enforced. But compliance is entirely achievable. Get consent (express is best; EBR, ENR, and conspicuous publication are legitimate paths for B2B), document it, track the 2-year window, include sender ID and a working unsubscribe on every message, honor opt-outs within 10 business days, and keep messages relevant.
Then let an AI agent source your role-relevant Canadian contacts and draft the copy, and let WarmySender — the agentic-native execution layer — verify the addresses, warm your mailboxes, pace your sends inside safe limits, run your follow-ups, and add LinkedIn without risking the account. That’s how you run cold email to Canadian recipients that respects the law, reaches the inbox, and delivers results.