Quick Answer: Cold email to Canadian businesses is legal under CASL if you meet three conditions: the recipient’s business email is publicly published without a “no cold email” disclaimer, your message is relevant to their professional role, and your email includes your legal name, a physical mailing address, and a working unsubscribe link. Penalties reach $1 million CAD for individuals and $10 million CAD for organizations per violation. For teams that need to manage CASL-compliant cold email at scale, Mystrika provides AI-powered warm-up, automated unsubscribe handling, and campaign controls that help keep Canadian outreach organized.
—
What Is CASL and Why It Matters for Cold Email
Canada’s Anti-Spam Legislation (CASL) came into force on July 1, 2014, and remains one of the strictest commercial email laws in the world. Unlike the United States CAN-SPAM Act, which operates on an opt-out model, CASL requires prior consent before sending a Commercial Electronic Message (CEM) to a Canadian electronic address.
CASL applies to any CEM sent to or from a Canadian electronic address, regardless of where the sender is located. A sales team in New York, London, or Sydney emailing a Canadian prospect is subject to CASL exactly as a Canadian sender would be.
What CASL Covers
CASL covers Commercial Electronic Messages, which means any electronic message where at least one purpose encourages participation in a commercial activity. This includes:
- SMS/text messages
- Instant messages
- LinkedIn or social media direct messages
- App-based messages
- Similar electronic communications
Public social media posts are generally not treated the same way as direct messages. A LinkedIn post visible to everyone is different from a LinkedIn DM sent to a prospect.
What Counts as Commercial Activity?
A message is commercial if it promotes, offers, advertises, or encourages participation in a business activity. Examples:
- Pitching software
- Offering consulting services
- Asking for a sales meeting
- Promoting an event or webinar tied to revenue
- Sending a product demo offer
- Asking someone to buy, subscribe, book, register, or download
If the message is part of a lead generation or sales motion, treat it as a CEM.
—
Is Cold Email Legal in Canada Under CASL?
Yes, B2B cold email is legal in Canada, but only when you can prove a valid consent basis and your message contains all mandatory CASL elements.
The most common legal path for B2B cold email is implied consent through conspicuous publication. This means the recipient’s business contact information is publicly available, there is no statement saying they do not want commercial messages, and your email is relevant to their role.
The Three-Part Test for B2B Cold Email
To rely on implied consent through conspicuous publication, all three conditions must be true:
| Requirement | Meaning | Example |
|---|---|---|
| Publicly published business contact info | The email appears on a company website, directory, speaker bio, professional profile, or similar public source | A VP Sales email listed on the company leadership page |
| No anti-CEM statement | The page does not say “no cold email,” “no solicitations,” “no recruiters,” or similar | A LinkedIn profile with no restriction statement |
| Role relevance | Your message relates to the person’s business role, function, or duties | A cold email platform pitched to a Head of Sales |
If any one condition fails, do not email the contact under implied consent.
Examples of Legal vs Risky Outreach
| Scenario | Likely CASL Status | Why |
|---|---|---|
| Emailing a publicly listed VP Sales about outbound sales software | Lower risk | Public business email + role-relevant message |
| Emailing an HR Director about cold email infrastructure | Risky | Message not clearly relevant to HR role |
| Emailing a founder whose site says “no unsolicited sales emails” | Not valid implied consent | Anti-CEM statement removes implied consent |
| Emailing a purchased list with no source documentation | High risk | Cannot prove consent basis |
| Emailing a past customer 18 months after purchase | Implied consent may apply | Existing business relationship within 2 years |
| Emailing someone 8 months after they requested pricing but never bought | Consent likely expired | Inquiry-based implied consent lasts 6 months |
—
Express Consent vs Implied Consent Under CASL
CASL recognizes two major consent types: express consent and implied consent. Cold email usually relies on implied consent, but express consent is stronger and safer.
Express Consent
Express consent means the recipient actively agreed to receive commercial messages. Examples:
- Checking an unchecked opt-in box on a form
- Subscribing to a newsletter
- Signing a written agreement that includes email consent
- Verbally agreeing to receive marketing emails (harder to prove)
Express consent does not expire until withdrawn. However, you must be able to prove it.
What You Must Record for Express Consent
- Date and time of consent
- Source form or page URL
- Exact wording shown at the time
- IP address or method of capture if available
- Consent category or subscription type
- Any later unsubscribe or consent update
Implied Consent
Implied consent applies only in specific situations.
| Implied Consent Basis | Valid For | Example |
|---|---|---|
| Existing business relationship | 2 years | Purchase, contract, lease, or delivered service |
| Inquiry or application | 6 months | Prospect requested pricing or a demo |
| Existing non-business relationship | 2 years | Membership, donation, volunteer relationship |
| Conspicuous publication | No fixed expiry, but must remain valid and documented | Publicly listed work email with role-relevant outreach |
Why Reverse Onus Matters
CASL uses a reverse onus model. If investigated, you must prove consent. The regulator does not need to prove you lacked consent first. This makes documentation essential.
For every Canadian prospect, store:
- Consent type
- Source URL or relationship event
- Date collected
- Role relevance notes
- Whether any anti-CEM statement was present
- Expiry date for time-limited implied consent
- Unsubscribe status
—
Mandatory Elements in Every CASL-Compliant Cold Email
Consent alone is not enough. Every CEM must include specific identification and unsubscribe elements.
| Requirement | What CASL Expects | Practical Implementation |
|---|---|---|
| Sender identification | Legal name or organization name | Use your registered company name, not just a brand nickname |
| Mailing address | Valid physical mailing address, PO box, or registered agent address | Include in footer and keep current |
| Contact method | Email, phone, or web address | Must remain functional for at least 60 days |
| Unsubscribe mechanism | Clear, functional, no-cost opt-out | One-click link or reply-based opt-out |
| Unsubscribe timeline | Process within 10 business days | Automate suppression immediately |
| Truthful content | No misleading subject, sender, or claims | Match subject line to message content |
CASL-Compliant Footer Example
“`
Sent by Example Inc.
123 Business Street, Toronto, ON M5V 2T6, Canada
Contact: [email protected]
Unsubscribe: Click here or reply “unsubscribe”
“`
What Not to Do
- Do not hide unsubscribe in tiny or low-contrast text
- Do not require login to unsubscribe
- Do not ask extra questions before honoring the opt-out
- Do not make the recipient pay or call someone to unsubscribe
- Do not keep sending during the 10-business-day window if your system can suppress immediately
—
CASL Penalties and Enforcement Risk
CASL penalties can reach:
- Up to $1 million CAD per violation for individuals
- Up to $10 million CAD per violation for organizations
That does not mean every mistake results in a multi-million-dollar fine. Enforcement historically focuses on complaint volume, repeated violations, deceptive practices, missing unsubscribe systems, and poor consent records. But the legal exposure is real.
What Triggers CASL Complaints?
Common triggers include:
- Missing unsubscribe link
- Unsubscribe requests ignored
- Generic mass-blast pitches to irrelevant roles
- Purchased lists with no consent proof
- Misleading sender identity
- False or exaggerated claims
- High bounce rates and spam-trap hits
- Sending after someone already opted out
Why Bounce Rate Matters for Compliance
High bounce rates do not automatically prove a CASL violation, but they create risk. Invalid addresses, spam traps, and scraped lists generate complaints and signal poor list governance. This is where Filter Bounce is useful: verify Canadian prospect lists before sending so invalid, risky, or catch-all addresses do not damage your sender reputation or compliance posture.
—
CASL vs CAN-SPAM vs GDPR
Cold email teams often confuse these laws. They are not interchangeable.
| Law | Consent Model | Applies To | Unsubscribe Deadline | Max Penalty |
|---|---|---|---|---|
| CASL | Opt-in: express or implied consent required | CEMs sent to/from Canada | 10 business days | $10M CAD per organization |
| CAN-SPAM | Opt-out model | US commercial email | 10 business days | $50K+ USD per violation |
| GDPR | Legitimate interest or consent | EU/EEA personal data | Without undue delay | EUR 20M or 4% global revenue |
Key Difference
CAN-SPAM allows cold commercial email until the recipient opts out. CASL generally requires consent before the first message. For B2B cold email, implied consent through conspicuous publication is the practical path.
CASL Is Narrower Than GDPR Legitimate Interest
GDPR legitimate interest can support B2B cold outreach if the sender passes a balancing test and offers opt-out. CASL is narrower: the contact’s address must fit a specific consent basis, such as public publication without restrictions and role relevance.
—
The CASL Cold Email Compliance Checklist
Use this checklist before sending any campaign to Canadian recipients.
1. Identify Canadian Recipients
Tag Canadian contacts using:
- Country field
- Company headquarters
- Email domain clues (.ca is not enough by itself)
- LinkedIn/company profile location
- Phone area code
- CRM region fields
When uncertain, treat the recipient as Canadian if they are likely based in Canada.
2. Classify Consent Basis
Each Canadian contact should be tagged as one of:
- Express consent
- Implied consent: existing business relationship
- Implied consent: inquiry
- Implied consent: conspicuous publication
- No valid consent basis
If there is no valid basis, suppress the contact.
3. Store Proof
For conspicuous publication, store:
- Source URL
- Collection date
- Screenshot or archived copy when possible
- Role/title at collection
- Notes confirming no anti-CEM statement
- Reason the offer is relevant to the recipient’s role
4. Verify Email Addresses
Run the list through Filter Bounce before sending. Remove:
- Invalid addresses
- Known spam traps
- Disposable addresses
- Risky catch-all addresses when campaign risk is high
- Role accounts when not relevant (info@, support@, admin@)
5. Confirm Message Relevance
Your pitch must connect to the recipient’s role. A few examples:
| Recipient Role | Relevant Pitch | Risky Pitch |
|---|---|---|
| VP Sales | Cold outreach software | Payroll software |
| IT Manager | Email security or SMTP infrastructure | Sales coaching |
| Founder | Revenue growth or infrastructure | Irrelevant consumer offer |
| HR Director | Recruiting automation | Cold outbound platform unless clearly HR-focused |
6. Include Required Footer Elements
Every message must include:
- Legal sender identity
- Physical mailing address
- Contact method
- Unsubscribe mechanism
7. Automate Unsubscribes
Do not rely on manual spreadsheet updates. Your sending platform should immediately suppress unsubscribed contacts across all campaigns. Mystrika’s unsubscribe handling helps prevent accidental follow-up after opt-out.
8. Keep Records for at Least 3 Years
Store consent, send, bounce, reply, and unsubscribe logs for at least 3 years. If investigated, you need to produce records quickly.
—
How to Write a CASL-Compliant Cold Email
A CASL-compliant cold email is not just a legal footer. The whole message should demonstrate relevance and transparency.
Template: B2B Cold Email Under Implied Consent
“`
Subject: Quick question about [specific business function]
Hi [First Name],
I found your contact information on [source] and noticed you lead [role/function] at [Company].
I am reaching out because [specific reason tied to their role]. We help [relevant audience] with [specific outcome].
If this is not relevant, no worries. You can reply “unsubscribe” or use the unsubscribe link below and I will not contact you again.
Best,
[Full Name]
[Legal Company Name]
[Physical Mailing Address]
[Contact Email / Website]
[Unsubscribe Link]
“`
Why This Works
- It documents source context in the message itself
- It ties the pitch to the recipient’s role
- It includes sender identity
- It offers a clear opt-out
- It avoids deceptive or exaggerated claims
What Makes a CASL Cold Email Risky
- No explanation of why the recipient is relevant
- Generic mass-blast language
- No physical address
- No unsubscribe link
- Using a fake sender name
- Claiming a prior relationship that does not exist
- Continuing after opt-out
—
Infrastructure Requirements for CASL-Compliant Outreach
Compliance is partly legal, partly operational. Your infrastructure must support documentation, authentication, unsubscribe processing, and clean data.
SPF, DKIM, and DMARC
Email authentication does not replace consent, but it supports sender identity and deliverability.
| Protocol | Purpose | CASL Relevance |
|---|---|---|
| SPF | Authorizes sending servers | Helps prove message came from your authorized infrastructure |
| DKIM | Cryptographically signs email | Supports identity and tamper resistance |
| DMARC | Aligns SPF/DKIM with domain policy | Helps prevent domain spoofing and protects sender reputation |
Dedicated Sending Domains
Use dedicated sending domains for cold email. Do not send cold campaigns from your primary corporate domain. A dedicated domain strategy helps isolate deliverability risk and makes recordkeeping easier.
DoYouMail for SMTP Infrastructure
DoYouMail is appropriate when teams need dedicated SMTP servers and domain-level authentication control. For CASL outreach, this matters because clean infrastructure reduces bounces, authentication failures, and spam complaints. Dedicated SMTP does not make a non-compliant message legal, but it supports the technical side of compliant sending.
Mystrika for Sequencing and Suppression
Mystrika is useful for CASL programs because it centralizes:
- Sending account management
- AI-powered warmup
- Campaign sequencing
- Reply management in a unified inbox
- Unsubscribe handling
- Multi-domain campaign operations
When sending to Canadian recipients, the operational risk is often not the first email. It is the second or third follow-up after someone opted out. A platform-level suppression system reduces that risk.
Filter Bounce for List Hygiene
Filter Bounce helps clean Canadian prospect lists before sending. This reduces:
- Hard bounces
- Spam trap risk
- Invalid address sends
- Deliverability damage
- Complaint-triggering list quality issues
List verification is not a CASL consent substitute. It is a risk-control layer.
—
CASL Documentation Fields to Add to Your CRM
Create these fields before launching Canadian campaigns:
| Field | Type | Example |
|---|---|---|
| CASL consent type | Dropdown | Express / EBR / Inquiry / Conspicuous publication |
| Consent source URL | URL | https://company.com/team |
| Collection date | Date | 2026-06-25 |
| Public no-CEM statement present? | Boolean | No |
| Role relevance note | Text | VP Sales, pitch about outbound pipeline |
| Consent expiry date | Date | 2026-12-25 for inquiry consent |
| Unsubscribe date | Date | Blank or date |
| Suppression status | Boolean | True/False |
| Last Canadian campaign sent | Date | 2026-06-25 |
| Evidence screenshot/file | File link | CRM attachment |
Simple Rule
If you cannot fill the consent source and relevance fields, do not send the email.
—
Common CASL Mistakes to Avoid
Mistake 1: Treating CASL Like CAN-SPAM
CAN-SPAM lets you send first and honor opt-outs later. CASL requires consent first. This is the most dangerous misconception for US teams expanding into Canada.
Mistake 2: Using Purchased Lists Without Proof
A vendor saying “CASL compliant” is not enough. You need proof for each contact. If the vendor cannot provide consent type, source, date, and evidence, the list is a liability.
Mistake 3: Assuming LinkedIn Equals Consent
A LinkedIn profile may support implied consent only if the business contact info is publicly available, there is no anti-CEM statement, and your message is relevant. Scraping guessed email addresses from LinkedIn is not the same thing as conspicuous publication.
Mistake 4: Forgetting Physical Address
A valid physical mailing address is mandatory. A cold email without it can violate CASL even if consent is valid.
Mistake 5: Slow Unsubscribe Processing
CASL allows up to 10 business days, but best practice is immediate suppression. Waiting creates avoidable risk.
Mistake 6: Sending Irrelevant Pitches
Role relevance is a condition of conspicuous publication consent. If the pitch does not match the person’s job function, your implied consent argument weakens.
—
Key Takeaways
- CASL does not ban B2B cold email in Canada, but it requires a valid consent basis before sending
- The main path for B2B cold email is implied consent through conspicuous publication: public business email, no anti-CEM statement, and role-relevant message
- Every commercial electronic message must include legal sender identity, physical mailing address, contact method, and a working unsubscribe mechanism
- Unsubscribe requests must be processed within 10 business days, but immediate suppression is safer
- CASL uses reverse onus, meaning the sender must prove consent if investigated
- Penalties can reach $1 million CAD for individuals and $10 million CAD for organizations per violation
- Purchased or scraped lists are risky unless every contact has documented CASL-compliant consent proof
- Mystrika helps operationalize CASL outreach through warmup, sequencing, unified inbox, and unsubscribe handling
- DoYouMail supports dedicated SMTP infrastructure and authentication for teams that need reliable sending domains
- Filter Bounce helps reduce invalid contacts, spam traps, and bounce risk before Canadian campaigns go live
—
Frequently Asked Questions
Is cold email legal in Canada under CASL?
Yes, B2B cold email is legal in Canada when you have express consent or a valid implied consent basis. For cold outreach, implied consent often relies on publicly published business contact information, no anti-CEM statement, and a message that relates to the recipient’s role.
Does CASL apply if my company is outside Canada?
Yes. CASL applies to commercial electronic messages sent to or accessed in Canada, regardless of the sender’s country. International sales teams must comply when emailing Canadian prospects.
What is implied consent under CASL?
Implied consent can arise from an existing business relationship, an inquiry, an existing non-business relationship, or conspicuously published business contact information. For B2B cold email, conspicuous publication is the most common basis.
How long does implied consent last under CASL?
Existing business relationship consent generally lasts 2 years after the last purchase, contract, or delivered service. Inquiry-based implied consent lasts 6 months. Express consent lasts until withdrawn. Conspicuous publication does not have the same fixed expiry, but the evidence and relevance must remain valid.
What must every CASL-compliant cold email include?
Every message must include the sender’s legal identity, a valid physical mailing address, at least one working contact method, and a clear unsubscribe mechanism. The unsubscribe mechanism must work at no cost and without extra barriers.
How fast must unsubscribes be processed under CASL?
Unsubscribe requests must be honored within 10 business days. In practice, automated immediate suppression is safer and easier to defend.
Can I use purchased lists for Canadian cold email?
Only if the vendor provides documented proof of CASL-compliant consent for every contact. Most purchased lists cannot provide that evidence, so they are high risk.
Does email verification make a campaign CASL compliant?
No. Email verification does not create consent. It reduces bounce risk and improves list quality, but you still need a valid consent basis and all required message elements.
Do I need a lawyer for CASL compliance?
For high-volume Canadian campaigns, regulated industries, consumer outreach, or uncertain consent scenarios, yes. This guide is educational and operational, not legal advice.
How can Mystrika, DoYouMail, and Filter Bounce support CASL outreach?
Mystrika helps manage warmup, sequencing, replies, and unsubscribe suppression. DoYouMail provides dedicated SMTP infrastructure and authentication control. Filter Bounce verifies email lists before sending to reduce bounces and risky addresses. Together, they support compliant operations, but they do not replace the need for a valid consent basis.