CASL, Canada's Anti-Spam Legislation, has been in force since 2014. Enforcement has become more consistent since the CRTC ramped up its investigations. If you send commercial email, SMS, or certain direct messages to recipients in Canada, CASL applies to you. Most BC businesses are technically non-compliant. Here's what the law actually requires and where the common gaps are.
Who CASL Applies To
CASL applies to commercial electronic messages (CEMs) that:
- Are sent to an electronic address (email, SMS, certain social DMs)
- Have a commercial purpose (promoting a product, service, or business interest)
- Are sent to recipients in Canada, or sent by a Canadian business
Most outbound marketing from BC businesses is in scope. Internal employee communications are not. Transactional messages (receipts, password resets, appointment confirmations) are generally not CEMs, but don't add marketing content to transactional messages and assume they're exempt.
Express vs. Implied Consent: The Critical Distinction
Express consent means the recipient actively opted in. They took a clear affirmative action (ticked a checkbox that was not pre-ticked, submitted a sign-up form) with a clear description of what they were consenting to receive.
Implied consent means you have a pre-existing relationship that justifies the contact. Implied consent exists when:
- There is an existing business relationship (a transaction); this expires 2 years after the last transaction
- The person inquired about your products or services; this expires 6 months after the inquiry
- The person prominently published their contact info and you're sending messages relevant to their published role
Implied consent is narrower than most businesses assume. A customer from three years ago who hasn't transacted since is no longer an implied consent contact.
What Express Consent Requires
A compliant express consent mechanism includes:
- A clear statement of who is asking (your business name)
- A description of the type of messages the person is consenting to receive
- A statement that they can unsubscribe at any time
- The email address or phone number to which messages will be sent
- An unchecked checkbox; pre-ticked boxes are not consent
What does not constitute consent: purchasing a product (unless they also ticked a separate marketing checkbox), a checkbox buried in terms of service, verbally agreeing without a written record.
Proof of Consent Is the Actual Work
If the CRTC investigates a complaint, they ask for proof of consent. "We've been emailing them for years" is not proof. You need to be able to produce:
- The system that captured consent
- The date and time of consent
- The form language the person saw when they consented
- The IP address or device ID where possible
Most email marketing platforms (Mailchimp, HubSpot, ActiveCampaign) can capture and store this information. Most BC businesses have not configured them to do so. Turn this on now.
Unsubscribe Requirements
Every CEM must include a working unsubscribe mechanism. Requirements:
- Clearly visible in the message (not hidden in 6-point grey text at the bottom)
- Honours the unsubscribe request within 10 business days
- Remains functional for 60 days after the message is sent
- Costs the recipient nothing to unsubscribe
- Does not require the person to log in or submit more information than their email address
After unsubscribe, the address must be added to your suppression list and never contacted again with CEMs. Accidentally re-importing suppressed contacts from a spreadsheet is a common compliance failure.
Suppression List Discipline
Your suppression list, the list of addresses that have unsubscribed, is a permanent record. It should:
- Never be deleted or reset
- Be imported and applied whenever you add new contacts or import from another source
- Be maintained separately from your "active" list, not just a tag
If you switch email platforms, export your suppression list first and import it into the new platform before sending anything.
CRTC Enforcement in 2026
CRTC enforcement follows a complaint-driven model: they investigate businesses that generate complaints. Penalties can reach up to $1 million per violation for individuals and $10 million for corporations. Most enforcement actions against SMBs resolve at lower amounts, but they're disruptive and public.
The practical risk for most BC businesses is not a maximum-penalty CRTC investigation. It's a customer complaint that damages your reputation, or an audit that reveals systemic non-compliance requiring expensive remediation. Fix it proactively.
Frequently Asked Questions
If someone gave me their business card, can I add them to my list?
Not as express consent. A business card is not a consent mechanism. You may contact them once for business purposes related to the context of the meeting, but not add them to marketing lists without a separate consent step.
Do our newsletters to existing clients need CASL consent?
If the subscription is recent (within 2 years of last transaction), implied consent covers it. For clients who haven't transacted in over 2 years, you need express consent or to stop sending.
Talk to a Prince George-based IT team about implementing CASL-compliant email practices: call 672-983-1174 or book a free assessment at northstarit.ca.
Frequently asked questions
What are the main changes in the new CASL 2026 rules?
The new CASL 2026 rules focus on heightening the transparency of electronic consent and simplifying the withdrawal process for recipients. Businesses must now maintain more granular records of how and when consent was obtained. These updates also introduce stricter penalties for technical failures in unsubscribe mechanisms, making it vital for companies in BC and Alberta to audit their current email systems for reliability and compliance.
How do these updates affect businesses in BC and Alberta?
Western Canadian businesses must ensure their digital marketing and internal communications meet the updated federal standards. Whether you are based in Vancouver, Kelowna, or Edmonton, the new CASL requirements apply to all commercial electronic messages sent to or from Canada. North Star helps local organisations update their IT infrastructure to automate consent tracking and ensure that every communication sent is legally defensible and compliant with the 2026 standards.
Can managed IT services help with CASL compliance?
Yes, managed IT services are essential for CASL compliance. We help you implement secure email gateways, automate data retention policies for consent logs, and secure your Microsoft 365 environment against unauthorised outbound spam. By centralising your communication technology, we make it easier to monitor compliance across your entire organisation, from Prince George to Whitehorse, reducing the risk of human error and legal exposure.