Practical Guide·July 5, 2026·12 min read read

CASL-compliant email automation: the practical guide for Canadian businesses.

Most email automation advice is written for Americans. Canada has different rules — and real penalties. Here's how automated outreach actually works under CASL, from someone running a compliant system in production.

SD

Steffen deGraaf

Founder, BotLogix · Burlington, ON

Here's something I keep seeing. A Canadian business owner watches a YouTube video about cold email automation, buys the software, loads up a purchased list, and hits send. The video was made in Texas. The software was built in California. And the law that applies to that send button is Canadian — and it's one of the strictest anti-spam laws in the world.

We run a CASL-compliant email outreach engine inside AEC Benefits, one of our own products. It sends real emails to real prospects every business day, and it has never needed a human to check a suppression list, because the system won't let a non-compliant message leave the building. That's the standard this guide is written from — not theory, production.

One thing before we start: I'm an operator, not a lawyer. This is how CASL works in practice for a small business automating its outreach. For edge cases and anything high-stakes, talk to counsel. Now, the practical version.

Quick Answer

Can you automate email outreach in Canada under CASL?

Yes — but every automated commercial email must satisfy three things: valid consent (express or implied), clear sender identification with contact information, and a working unsubscribe mechanism. The reliable way to do this at scale is to build the rules into the system itself — consent tracked per contact, the suppression list checked before every single send — so compliance is automatic, not a policy someone has to remember.

  • CASL has applied to commercial electronic messages since July 1, 2014 — email, SMS, and social DMs
  • Implied consent has expiry dates: roughly 2 years from a purchase, 6 months from an inquiry
  • Penalties can reach $1M per violation for individuals and $10M for organizations
  • The burden of proving consent is on the sender — if you can't show a record, you don't have it

What CASL actually is, in plain English

CASL — Canada's Anti-Spam Legislation — has been in force since July 1, 2014. It covers commercial electronic messages (the law calls them CEMs): any email, text message, or social media DM that encourages participation in a commercial activity. Selling something. Promoting something. Booking something.

The core idea is simple: you need permission before you send, and you need to make it easy to leave. Everything else is detail on those two points.

Enforcement is handled by the CRTC, and the penalties are not symbolic — administrative monetary penalties can run up to $1 million per violation for individuals and up to $10 million for organizations. Most small businesses never see numbers like that. But "we didn't know" is not a defence, and the burden of proving you had consent sits with you, the sender.

The three rules every automated email must follow

1

Consent

Express or implied — more on the difference below. No consent, no send. Full stop.
2

Identification

Every message must clearly say who it's from, with a real mailing address and a way to contact you. No mystery senders, no bare no-reply addresses with nothing behind them.
3

Unsubscribe

Every message needs a working unsubscribe mechanism, and the request has to be honoured promptly — the law allows at most 10 business days to process it. In practice, a good system processes it instantly.

Notice what that list means for automation: these are system requirements, not marketing preferences. Which is exactly why automation done right is actually safer than manual sending — a machine never forgets to check the suppression list. A person does.

Express vs. implied consent — and the expiry dates nobody tracks

Express consent is someone actively opting in: they typed their email into your form and agreed to hear from you. No pre-checked boxes — CASL requires a positive action. Express consent doesn't expire, but you need a record of when and how you got it.

Implied consent is where Canadian businesses get into trouble, because it comes with clocks attached:

  • Existing business relationship: someone bought from you — you generally have about 2 years from the purchase to email them commercially.
  • Inquiry: someone asked about your services but didn't buy — about 6 months.
  • Conspicuous publication: a business publishes a work email publicly without saying "no unsolicited messages," and your message is relevant to their role. This one is narrower than people want it to be — relevant to their business function, not "technically public so fair game."

Let me ask you something: does your current email tool know the difference between a contact whose consent expires in March and one who opted in explicitly? Most don't. That's the gap. Implied consent with an expiry date is a data problem, and spreadsheets are terrible at it.

What automation is allowed to do — and what it isn't

CASL doesn't ban automation. It bans sending without consent. The distinction matters:

Allowed: automated follow-up sequences to people who inquired (within the window). Automated nurture to your opted-in list. Automated responses to a contact the person initiated — that's how the missed-call SMS workflow stays compliant. Transactional messages — receipts, delivery updates, account notices — which aren't CEMs at all.

Not allowed: purchased lists (you can't buy consent — the seller can't transfer what was never given for your use). Scraped emails fed into a "personalized outreach" tool. Cold sequences to people with no relationship to you, no matter how good the AI wrote them. The tools will happily do all of this. The tools were not built for Canadian law.

How we built it: compliance as architecture, not policy

This is the part that matters. Inside AEC Benefits, the outreach engine runs on a schedule — business hours, Monday through Friday. Every contact carries its consent basis and date in the database. Delivery events — bounces, opens, unsubscribes — write back to that same database automatically. And before every single send, the system checks the unsubscribe list. Not weekly. Not "when someone remembers." Every send.

The result is a system where the compliant path is the only path. Nobody has to be careful, because careless isn't possible. That's what I mean when I say compliance should be automatic, not manual — the same principle we documented in the AEC Benefits case study.

If you're evaluating email automation for a Canadian business, that's the question to ask any vendor or builder: where does consent live, and what checks it before a send goes out? If the answer is "the marketing team keeps track," you don't have a compliance system. You have a liability with a dashboard.

A practical CASL checklist for your automation

  • Every contact has a recorded consent basis (express, business relationship, inquiry) with a date.
  • Implied-consent contacts have expiry logic — the system stops sending when the window closes.
  • Every template identifies your business, with a mailing address and contact method.
  • Unsubscribe works in one click and takes effect immediately in the sending system.
  • The suppression list is checked programmatically before every send.
  • You can produce the consent record for any contact if asked. If you can't prove it, treat it as if you don't have it.

FAQ

Does CASL apply to SMS and social media messages too?

Yes. A commercial electronic message is a commercial electronic message whether it arrives by email, text, or DM. The consent and unsubscribe rules travel with the message, not the channel.

Can I email a business address I found on their website?

Sometimes — that's the conspicuous-publication form of implied consent. The address must be published without a no-contact disclaimer, and your message must be relevant to that person's business role. It is not a licence to blast every address you can find.

Is AI-written outreach treated differently under CASL?

No. The law doesn't care who — or what — wrote the message. It cares whether you had consent to send it. An AI-personalized email to a scraped contact is exactly as non-compliant as a lazy one.

What should I do if my current list has no consent records?

Segment honestly. Keep contacts you can document, and stop automated sends to the rest. It stings once. It stings less than explaining your list hygiene to the CRTC.

The businesses that get this right don't treat CASL as a legal chore bolted onto their marketing. They treat it as a system requirement, build it in once, and then never think about it again — while the automation quietly does the follow-up work their competitors are still doing by hand. If you want help building outreach that works this way, that's a conversation we have all the time. We start with one process. This is a good one to start with.

30-minute strategy session

For real businesses with real problems.

Not for tire kickers. Not for tech tourists. If you have manual work, missed calls, or after-hours admin your team hates as much as you do — let's talk.

Book my 30-min session
Steffen deGraaf

Written by

Steffen deGraaf

Founder of BotLogix · Building AI systems for Canadian businesses since 2018

Six products in production. Eight years of shipping. Based in Burlington, Ontario. Questions, pushback, or a war story to share?

Email me directly

30-minute strategy session

For real businesses with real problems.

Not for tire kickers. Not for tech tourists looking for a demo. For business owners who already know something in their operation is broken — and want to know if AI can fix it.

This isn't about replacing people.It's about killing the bad business processes your team hates as much as you do — the manual work, the missed calls, the after-hours admin.

Strategy sessions are free. Strategy Days are $1,000, capped at 4 people per session. Larger teams or multi-location workshops by special arrangement — ask when you book.

Steffen deGraaf, founder of BotLogix

Your session is with

Steffen deGraaf

Founder, BotLogix · Burlington, ON