Canada's Anti-Spam Legislation (CASL) is one of the strictest email laws in the world. Most internal employee comms fall outside its scope — but several common scenarios pull internal communicators in. This article explains where the lines are and how ContactMonkey helps you stay compliant.
What CASL Is
CASL came into effect on July 1, 2014, and is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), with support from the Competition Bureau and the Office of the Privacy Commissioner.
Unlike the US CAN-SPAM Act, CASL is an opt-in law. You generally cannot send commercial electronic messages (CEMs) to Canadian recipients unless you already have their consent. CASL applies to any CEM sent to a Canadian recipient, regardless of where the sender is located. There is a narrow exemption for messages between employees of the same organization on matters relating to the organization's activities — but the moment a message reaches non-employees or promotes a product, the exemption can fall away.
What CASL Requires
Every commercial electronic message must meet three obligations:
- Consent — express (the recipient actively agreed) or implied (a recent business relationship or published business contact info).
- Sender identification — name and current contact information.
- A working unsubscribe — processed within 10 business days.
Express consent does not expire on its own. Implied consent has time limits and depends on context. The burden of proof sits with the sender — if a regulator asks, you must be able to show how, when, and where consent was obtained.
What Counts as "Commercial" in an Internal Comms Context
CASL covers any electronic message that encourages participation in a commercial activity. Pure internal comms — benefits updates, IT notifications, all-hands invites — usually fall outside this. The risk emerges in specific scenarios:
- A newsletter to your Canadian alumni network promoting a paid event or branded product
- Benefits emails to Canadian employees that promote a third-party vendor
- Perks and discount programs where the company earns a referral fee
- Engagement surveys sent to Canadian contractors and consultants
- Welcome and onboarding comms to employees of a recently acquired Canadian company before consent has been documented and migrated
- Internal campaigns inviting employees to forward content to non-employees
For any of these, you need documented consent — or you need to stay clearly inside the employee-to-employee exemption.
Penalties
CASL has some of the highest email compliance penalties in the world:
- Up to $1 million per violation for individuals
- Up to $10 million per violation for corporations
Between April and September 2025 alone, the CRTC issued 153 Notices to Produce, 123 Warning Letters, and processed 152,603 spam complaints. About 75% of CRTC investigations start from consumer complaints — meaning enforcement is largely driven by recipients clicking "report spam."
How ContactMonkey Helps
- External Sending Governance lets admins prevent senders from emailing outside your active employee domains, or restrict external sending to approved audiences — the strongest defense against accidental CASL violations involving alumni, contractors, or acquired-company staff.
- HRIS-controlled sync means you decide which employee records and fields flow into ContactMonkey through your HRIS integration. Unconsented Canadian recipients can be kept out of your synced data before it ever reaches ContactMonkey.
- Suppression lists prevent re-engagement with recipients who have unsubscribed.
- Unsubscribe link enforcement can be required on emails used for any audience that includes non-employees.
This article is for educational purposes only and does not constitute legal advice. Consult qualified Canadian legal counsel for advice on your organization's program.
Related articles: