Canada’s anti-spam framework continues to shape how companies approach cold email marketing in 2026. Under Canada’s Anti-Spam Legislation, commonly known as CASL, marketers, sales teams, recruiters, software vendors, agencies, and international businesses must be careful when sending commercial electronic messages to recipients in Canada. The law does not ban every cold email, but it sets strict rules for consent, identification, and unsubscribe mechanisms.
TLDR: CASL remains one of the strictest anti-spam laws in the world, and cold email campaigns targeting Canadian recipients require careful compliance in 2026. Businesses generally need express consent or a valid form of implied consent before sending commercial emails. Every compliant commercial message must clearly identify the sender and include a working unsubscribe mechanism. Purchased lists, vague lead sources, and mass unsolicited outreach remain high-risk under CASL.
Contents
What CASL Regulates in 2026
CASL applies to commercial electronic messages, often called CEMs. A message is generally considered commercial when one of its purposes is to encourage participation in a commercial activity. This can include promoting a product, offering a service, advertising a business opportunity, inviting a recipient to book a sales call, or encouraging a person to visit a commercial website.
The law applies when a CEM is sent from, accessed by, or routed through a computer system in Canada. As a result, CASL can affect Canadian businesses and foreign organizations that send marketing emails to Canadian recipients. A company based outside Canada may still face compliance expectations if it targets Canadian prospects.
Is Cold Email Legal in Canada?
Cold email is not automatically illegal in Canada, but it is heavily restricted. CASL requires the sender to have consent before sending most CEMs. That consent may be express or implied, depending on the context.
For a cold email campaign, the most important question is whether the sender can prove that the recipient gave consent or that a recognized implied consent situation applies. If the sender cannot prove consent, the campaign may create legal risk.
In 2026, businesses should avoid assuming that business-to-business emails are freely permitted. CASL can apply to B2B communications if the message has a commercial purpose and does not fit within an exemption or valid implied consent category.
Express Consent Under CASL
Express consent is the safest form of permission. It occurs when a recipient clearly agrees to receive commercial electronic messages. This may happen through a sign-up form, webinar registration, customer account setting, quote request, newsletter subscription, or other clear opt-in process.
To be valid, express consent should be obtained with clear language explaining:
- Who is requesting consent;
- What types of messages the recipient may receive;
- Contact information for the sender;
- The fact that the recipient may unsubscribe at any time.
CASL does not allow consent to be obtained through silence, inactivity, or pre-checked boxes. Consent must be positive and informed. A business should also keep records showing when, where, and how consent was obtained.
Implied Consent and Cold Outreach
Implied consent may exist in limited situations. It can be useful for cold email marketing, but it must be handled carefully because it is narrower than many marketers expect.
Common implied consent scenarios include:
- Existing business relationship: The recipient has purchased a product, entered into a contract, accepted a business opportunity, or engaged in a qualifying transaction with the sender within the relevant time period.
- Recent inquiry: The recipient has made an inquiry or application related to the sender’s business within the previous six months.
- Conspicuous publication: The recipient has publicly displayed an email address, has not included a statement refusing unsolicited messages, and the message is relevant to the recipient’s business role or functions.
- Business card or direct disclosure: The recipient has provided an email address to the sender and has not indicated that commercial messages are unwanted, provided the message relates to the recipient’s role.
The conspicuous publication rule is often misunderstood. A company cannot simply scrape email addresses from websites and send unrelated pitches. If a lawyer publishes an email address on a firm website, for example, a message about legal conference software may be more relevant than an unrelated consumer product advertisement. Relevance is central.
Required Content in Commercial Emails
Even when consent exists, CASL requires commercial emails to include certain information. A compliant CEM should clearly identify the sender and provide a way for the recipient to contact the sender.
Most commercial emails must include:
- The sender’s name or the name of the business on whose behalf the message is sent;
- A valid mailing address;
- At least one additional contact method, such as an email address, phone number, or website;
- A clear and functional unsubscribe mechanism.
The unsubscribe process must be simple, free, and effective. It cannot require the recipient to log in, answer unnecessary questions, or take multiple confusing steps. Unsubscribe requests must generally be processed within 10 business days.
Cold Email Lists and Purchased Data
Purchased email lists remain one of the highest-risk areas under CASL. A vendor may claim that a list is “opt-in” or “verified,” but the sender must still be able to prove that valid CASL consent exists. If the list provider cannot show how consent was collected, what the recipient agreed to receive, and whether consent can be transferred to the buyer, the list may be unsafe.
In 2026, compliance-focused organizations generally treat third-party lists with skepticism. They ask for detailed documentation, consent language, source records, dates, and suppression-list procedures. If those records are unavailable, the campaign may expose the sender to enforcement risk and reputational harm.
B2B Email Marketing Under CASL
B2B marketers often assume that corporate email addresses are exempt from anti-spam laws. CASL does not work that way. A message sent to a work email address can still be a CEM.
However, some B2B communications may fall within exemptions or implied consent categories. For example, certain messages between employees or representatives of organizations may be exempt when the organizations have an existing relationship and the message concerns the activities of the recipient organization. Messages sent in response to a request, quote, or inquiry may also receive different treatment.
The safest approach is to treat B2B cold email as regulated unless a specific CASL basis applies. A short, relevant, role-specific message sent to a publicly listed business contact may be lower risk than a bulk campaign to thousands of scraped addresses, but it still requires careful analysis.
Transactional and Relationship Messages
Not every email connected to a business relationship is treated the same way. Some messages are primarily transactional, such as order confirmations, warranty information, product safety notices, account alerts, delivery updates, or messages that complete an existing transaction.
CASL includes exemptions and partial exemptions for certain categories of messages. Some messages may be exempt from consent requirements, while others may still need identification and unsubscribe details. Because the distinctions can be technical, businesses should classify messages carefully instead of assuming that every customer-related email is exempt.
Penalties and Enforcement
CASL is enforced by Canadian regulators, including the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner of Canada, depending on the issue involved.
Potential administrative monetary penalties can be significant. Corporations may face penalties of up to $10 million per violation, while individuals may face penalties of up to $1 million. In practice, enforcement outcomes depend on factors such as the nature of the violation, compliance efforts, cooperation, harm caused, and prior conduct.
CASL’s private right of action has not been brought into force, but regulatory enforcement remains active. Businesses should not treat the absence of private lawsuits as a reason to ignore compliance.
CASL Compliance Best Practices for 2026
Organizations that use cold email in 2026 should build compliance into their sales and marketing systems. CASL compliance is not only a legal issue; it also improves deliverability, brand trust, and data quality.
Recommended practices include:
- Maintain consent records: Store the source, date, method, and language used to obtain consent.
- Segment contacts by consent type: Separate express consent, implied consent, customers, recent inquiries, and publicly sourced contacts.
- Use relevance checks: Ensure cold outreach is connected to the recipient’s role, business, or published context.
- Avoid deceptive subject lines: The subject line should accurately reflect the message content.
- Include compliant sender details: Provide accurate business identity and contact information.
- Honor unsubscribes quickly: Suppression lists should be centralized across marketing and sales platforms.
- Audit vendors: Demand documentation from lead providers, email platforms, data brokers, and outsourced sales agencies.
- Train sales teams: Employees should understand that one-to-one outreach can still be regulated.
Practical Cold Email Examples
A compliant approach might involve a software company emailing a publicly listed operations manager about logistics software that directly relates to that manager’s role, while including full sender identification and an unsubscribe link. The sender would still need to document why implied consent was believed to exist.
A risky approach would involve buying a large list of Canadian personal email addresses and sending a generic promotional offer without proof of consent. Another risky practice would be emailing contacts who previously unsubscribed, even if their addresses later appear in a new lead database.
The difference is often based on consent, relevance, transparency, and recordkeeping. CASL rewards disciplined processes and punishes careless volume-based outreach.
International Businesses Targeting Canada
Foreign companies should pay special attention to CASL when expanding into Canada. A business located in the United States, Europe, Asia, or elsewhere may still send messages that are accessed in Canada. If Canadian recipients are targeted, CASL compliance should be considered alongside other privacy and email laws, such as the GDPR, CAN-SPAM, and provincial privacy requirements.
International senders should configure their marketing systems to identify Canadian leads, apply CASL-specific consent standards, and ensure unsubscribe requests are reflected globally. Fragmented databases can create accidental violations when one team continues emailing a contact after another team has processed an opt-out.
The Outlook for CASL in 2026
In 2026, CASL continues to emphasize permission-based marketing. Regulators expect organizations to understand where their email addresses came from, why messages are being sent, and whether recipients can easily opt out. Automation, artificial intelligence, enrichment tools, and large-scale prospecting platforms do not remove those responsibilities.
For cold email marketers, the most sustainable strategy is not to avoid outreach entirely, but to make it targeted, documented, and respectful. Businesses that combine relevant messaging with strong consent management are better positioned to market effectively in Canada while reducing legal risk.
FAQ
Is cold email allowed under CASL in 2026?
Cold email may be allowed if the sender has express consent, valid implied consent, or a specific exemption. Without one of these bases, a commercial cold email to a Canadian recipient may violate CASL.
Does CASL apply to B2B emails?
Yes. CASL can apply to B2B emails if the message is commercial. Some B2B messages may qualify for exemptions or implied consent, but business emails are not automatically excluded.
Can a company email someone whose address is posted online?
Sometimes. Implied consent may exist if the email address is conspicuously published, there is no statement refusing unsolicited messages, and the message is relevant to the person’s business role or duties.
Are purchased email lists legal in Canada?
Purchased lists are risky. The sender must be able to prove valid CASL consent for each recipient. If the list provider cannot supply reliable consent records, the list should not be used for commercial email campaigns.
What must be included in a CASL-compliant marketing email?
A compliant commercial email generally needs clear sender identification, a valid mailing address, additional contact information, and a working unsubscribe mechanism.
How quickly must unsubscribe requests be processed?
Unsubscribe requests must generally be processed within 10 business days. The mechanism should be easy to use and remain functional for the required period.
What are the penalties for violating CASL?
CASL penalties can reach up to $10 million for corporations and $1 million for individuals per violation, depending on the circumstances.
Does express consent expire?
Express consent generally does not expire until the recipient withdraws it. However, the sender should keep records proving when and how express consent was obtained.
Is an unsubscribe link required in every email?
Most commercial electronic messages require an unsubscribe mechanism. Some fully exempt messages may not, but businesses should review the specific message type before omitting one.
What is the safest CASL strategy for cold email marketing?
The safest strategy is to use clear opt-ins wherever possible, document implied consent carefully, keep outreach relevant, avoid purchased lists without proof of consent, and honor unsubscribes promptly.