CASL compliance in email marketing is no longer a back-office concern in Canada. The CRTC logged 152,603 spam complaints in just six months of 2025, and roughly a third of cold email campaigns sent from Canadian senders still fall short of the law. If your list, your templates, or your record-keeping have not been audited recently, your next campaign could be the one that triggers a notice.
Canada’s Anti-Spam Legislation has been on the books since 2014, but enforcement has tightened sharply over the past 18 months. Penalties now reach $1 million per violation for individuals and $10 million per violation for businesses, and 2025 settlements landed in the $5,000 to $250,000 range for everyday small and mid-sized senders. The good news is that compliance is mostly a checklist problem, not a legal one.
This guide walks Canadian business owners through a practical CASL checklist for 2026: the two consent types, the expiry timelines, the mandatory message elements, the records you need to keep, and the enforcement patterns the CRTC actually pursues. At the end, you’ll see how INBOX handles each item automatically, so your team can ship campaigns without a lawyer on speed dial. For the underlying legal text, the CASL knowledge-base article is a useful companion read.
1. Why CASL Enforcement Looks Different in 2026
The CRTC has shifted from warning letters to settlements. In 2025 alone, the regulator publicly resolved cases against staffing agencies, e-commerce stores, real-estate brokerages, and a national retailer, with most fines clustered between $15,000 and $75,000. The pattern is consistent: the violations were not exotic. They were missing unsubscribe links, recycled lists with no consent records, and sender names that did not match the business behind the offer.
Three shifts make 2026 different from earlier years:
- Complaint volume: 152,603 complaints filed in the first half of 2025, the highest six-month tally since CASL took effect.
- Cold email scrutiny: CRTC investigators are increasingly auditing B2B prospecting tools, not just consumer newsletters.
- Cross-border reach: CASL applies if the message is accessed in Canada, which means U.S. and international senders are not exempt.
If your business has any Canadian recipients, CASL applies to every commercial email you send them — regardless of where your servers, your team, or your headquarters sit.
A platform that bakes compliance into the send flow turns this from a legal risk into a routine workflow. INBOX’s INBOXShield abuse-prevention system blocks the categories of sends most likely to attract CRTC attention before they leave the platform.
2. Express vs. Implied Consent: The Foundation of Your List
Every commercial electronic message you send needs either express or implied consent. The difference matters for both compliance and list longevity.
Express consent
- What it is: The recipient actively opted in — checked a box, completed a form, confirmed a subscription. Pre-checked boxes do not count.
- Lifespan: Express consent does not expire. It stays valid until the recipient withdraws it.
- What you must record: The date, the method, the wording shown to the user, and the IP or form source.
Implied consent
- Existing business relationship: Valid for 2 years after the last purchase, contract, or written agreement.
- Inquiry-based relationship: Valid for 6 months after the recipient asked about your product or service.
- Conspicuous publication: Valid if the recipient published their business email publicly without a “no marketing” disclaimer, and your message relates to their role.
The mistake most teams make is treating implied consent as a long-term list source. It is not. A 24-month-old purchase that has not been followed by a renewal, repurchase, or fresh opt-in is no longer a valid basis for sending. Segmenting by consent type and last interaction date keeps your active list inside the law without manual auditing.
3. Mandatory Message Elements Every CEM Must Include
CASL requires every commercial electronic message to contain three specific elements. Missing any one of them is its own violation, regardless of consent. Run this against every template you have in production:
Sender identification
- Legal business name: Not a brand nickname, not a campaign codename. The name registered with your province or federally.
- Affiliated senders: If you send on behalf of another business, both names must appear.
- Reply-to alignment: The “From” address should match the identified sender so recipients can verify who is writing to them.
Contact information
- Mailing address: A valid physical address, current for at least 60 days after the send.
- One additional contact method: A phone number, a web address, or an email address.
Functional unsubscribe
- Conspicuous placement: The unsubscribe link must be clearly visible — typically in the footer, in a readable font size.
- One-click or two-step maximum: The recipient should not have to log in, answer questions, or hunt through menus.
- Honored within 10 business days: Once a request comes in, you have 10 business days to stop sending. No exceptions.
- Free of charge: You cannot require payment, account creation, or data submission to unsubscribe.
INBOX’s drag-and-drop builder and landing pages include compliant footers and one-click unsubscribe by default, so these elements never get stripped out by accident during a redesign. The same applies to transactional and notification emails, which still need clear sender identification even when they are not strictly marketing messages.
4. Consent Expiry Timelines You Cannot Ignore
Consent expiry is where most lists quietly go out of compliance. The rules are specific, and the clock starts on a defined event:
- Existing business relationship — 2 years: Clock starts at the date of last purchase, contract signing, or last delivered service.
- Existing non-business relationship — 2 years: Applies to memberships, donations to registered charities, or volunteer commitments.
- Inquiry — 6 months: Clock starts the day the recipient made the inquiry, not the day you responded.
- Express consent — indefinite: Until withdrawn, but you must be able to prove it exists.
A workable approach: tag every contact with the consent basis on entry, then run a monthly job that flags anyone whose implied consent will expire within 30 days. That gives your team a window to send a soft re-permission campaign, convert implied to express, or move the contact off the active list before the clock runs out. INBOX’s mailing tools support consent-basis tagging at the subscriber level, which removes the need for a separate spreadsheet to track this.
A “6-month inquiry” contact who hasn’t bought anything by month seven is not a list problem — it’s a legal liability if you keep emailing them.
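The monthly flagging job described above, sketched in Python as an added example (not INBOX's code or API). Field names, basis labels and the sample contacts are constructed for illustration; the windows are the ones this guide states, and treating the expiry date itself as already expired is a conservative assumption.

```python
import calendar
from datetime import date

# Validity windows in months, as stated in this guide. None = no expiry.
WINDOW_MONTHS = {"express": None, "business": 24, "non_business": 24, "inquiry": 6}

def add_months(d, months):
    """Calendar-month addition, clamped to the last day of shorter months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def classify(contact, today, warn_days=30):
    """Return (status, expiry_date) for one contact record."""
    if contact.get("unsubscribed"):
        return "suppressed", None
    basis = contact.get("basis")
    if basis not in WINDOW_MONTHS:
        return "unknown_basis", None  # untagged or mistyped: no provable basis
    if WINDOW_MONTHS[basis] is None:
        return "active", None  # express consent: valid until withdrawn
    expiry = add_months(contact["clock_start"], WINDOW_MONTHS[basis])
    if today >= expiry:  # assumption: the expiry date itself counts as expired
        return "expired", expiry
    if (expiry - today).days <= warn_days:
        return "expiring", expiry  # window for a re-permission campaign
    return "active", expiry

def monthly_report(contacts, today):
    """Group contact emails by status so each bucket can drive a workflow."""
    report = {}
    for c in contacts:
        report.setdefault(classify(c, today)[0], []).append(c["email"])
    return report

# Constructed sample records (hypothetical field names, not a real export).
CONTACTS = [
    {"email": "a@example.com", "basis": "express", "clock_start": date(2019, 5, 1)},
    {"email": "b@example.com", "basis": "business", "clock_start": date(2024, 3, 20)},
    {"email": "c@example.com", "basis": "inquiry", "clock_start": date(2025, 8, 31)},
    {"email": "d@example.com", "basis": "business", "clock_start": date(2025, 1, 10)},
    {"email": "e@example.com", "basis": "newsletter", "clock_start": date(2025, 6, 1)},
    {"email": "f@example.com", "basis": "inquiry", "clock_start": date(2025, 12, 1),
     "unsubscribed": True},
]

if __name__ == "__main__":
    for status, emails in sorted(monthly_report(CONTACTS, date(2026, 3, 1)).items()):
        print(f"{status:14} {emails}")
```

The "unknown_basis" bucket matters as much as "expired": a contact with no recorded consent basis cannot be defended in a records request, so it is kept off the sendable list until it is tagged.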
5. Record-Keeping Requirements: What the CRTC Will Actually Ask For
If the CRTC opens a file on your business, the first document request is almost always the same: prove consent for every recipient on the campaign in question. Verbal assurances are worthless. The records you need on hand:
- Consent source and date: The specific form, checkout flow, or signup page where consent was given, plus a timestamp.
- Exact wording shown: The version of the consent language the user actually saw, not the version currently on your site.
- Consent method: Express via checkbox, express via written agreement, implied via purchase, implied via inquiry — labelled clearly.
- Unsubscribe log: Date received, date processed, and the email address removed.
- Retention period: Keep all of the above for at least 3 years from the last send.
This is the area where DIY senders most often collapse under inspection. A platform that captures consent metadata at the moment of signup — and stores it alongside the contact record — turns a potential audit into a five-minute export. The INBOX CASL legal page outlines exactly which fields are stored against each subscriber, which makes it easy to confirm your own setup is aligned.
6. 2025 CRTC Enforcement: What the Penalties Actually Looked Like
Statutory maximums make headlines, but the practical question is what enforcement looks like for a small or mid-sized business. The 2025 settlement pattern was instructive:
- $5,000 – $15,000: Small businesses caught sending to scraped or rented lists without functional unsubscribe. Typically resolved through undertakings with the CRTC.
- $25,000 – $75,000: Mid-sized senders with thousands of recipients, repeated complaints, and clear gaps in consent records.
- $100,000 – $250,000: Cases involving cold outreach at scale, false sender identification, or refusal to honour unsubscribes within the 10-day window.
What did not appear in the 2025 enforcement reports: a single case where the sender could produce a clean consent record, a compliant template, and a logged unsubscribe history. Those campaigns either never triggered complaints or were resolved without penalty.
For business owners running cold outreach, the safer route is to start from the well-established cold email playbook and build inside a platform that flags risky sends before they leave the queue, rather than dealing with the aftermath. Permission-based email marketing still consistently outperforms cold spray-and-pray in both deliverability and ROI.
7. How INBOX Solves Each Checklist Item Automatically
The CASL checklist looks long when you read it in legal-document form. Inside a purpose-built Canadian email platform, most items become defaults you don’t have to think about. Here is the one-to-one mapping:
- Express consent capture: INBOX signup forms and landing pages include unchecked, plain-language consent boxes with the legally required disclosures pre-populated.
- Consent records: Every subscriber record stores the form source, IP, timestamp, and exact opt-in wording. Available as a one-click export.
- Sender identification: Account-level business name, mailing address, and contact details are appended to every template automatically.
- Functional unsubscribe: One-click unsubscribe lives in every footer by default; removal is processed in real time, well inside the 10-day rule.
- Consent expiry tracking: Tag-based segmentation lets you isolate implied-consent contacts and trigger re-permission flows before the 6- or 24-month window closes.
- Abuse prevention: INBOXShield scans content and recipient lists before send to flag the patterns that draw CRTC attention.
- Transactional separation: INBOXNotify handles transactional and notification messages with their own compliance defaults so they don’t get mixed into marketing flows.
- Audit-ready reporting: Full send history, complaint rates, and unsubscribe logs are retained for the 3-year window CASL requires.
The point is not that compliance is impossible without a platform. It’s that the platform turns the checklist into the default state, which is what regulators expect a modern Canadian sender to maintain. For teams already running campaigns elsewhere, the migration path is usually a list import plus a template review — most of the compliance work is done by the platform itself. Industry-specific templates already follow these defaults out of the box.
Your 10-Minute CASL Audit
Before your next send, run this short check against your current setup:
- Open a recent campaign: Confirm sender name, mailing address, second contact method, and unsubscribe link are all present and visible.
- Click your own unsubscribe link: If it takes more than two steps or requires login, fix it today.
- Pull 20 random subscribers: Can you produce the consent record — source, date, wording — for each one within 60 seconds?
- Check your implied-consent contacts: Any inquiry-based contacts older than 6 months, or business-relationship contacts older than 2 years, need to be re-permissioned or removed.
- Review your unsubscribe log: Confirm every request from the last 12 months was processed within 10 business days.
If any of those items fail, you have a fixable problem — not an emergency, but not something to defer past the next campaign. The cost of fixing the workflow is always smaller than the cost of a CRTC settlement.
Send CASL-Compliant Email Without the Legal Headache
INBOX is built for Canadian senders, with consent capture, mandatory message elements, expiry tracking, and audit-ready records as defaults — not add-ons.