Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) is one of the broadest anti-spam laws in the world. It applies to any commercial electronic message (CEM) sent to or from a Canadian computer system, including SMS, MMS, and email. Since coming into force on July 1, 2014, the CRTC has issued over $3.2 million CAD in Administrative Monetary Penalties for violations.
Use this 20-point checklist to audit your messaging program and ensure full compliance before your next campaign. Each item includes a brief explanation of the legal requirement and practical guidance for implementation.
Section 1: Consent Requirements
1. Express consent obtained before sending commercial messages
Under CASL Section 6(1), you must obtain express consent before sending any commercial electronic message. Recipients must take a proactive, affirmative action to opt in. Silence, pre-checked boxes, and inactivity do not constitute valid consent. Express consent does not expire and remains valid until the recipient withdraws it.
2. Consent records include date, time, method, and source
The CRTC's 2016 Enforcement Advisory requires that you document whether consent was obtained in writing or orally, when it was obtained (date and timestamp), why it was obtained (the stated purpose), and how it was obtained (the specific mechanism — web form, paper form, verbal agreement, etc.). These records must be stored in a format that can be promptly retrieved during a CRTC investigation.
3. Implied consent tracked with expiration dates
Implied consent is time-limited: 24 months from the date of the last transaction for existing business relationships, and 6 months from the date of an inquiry or application. Your system must track these expiration dates and automatically stop sending when implied consent lapses. The CRTC recommends converting implied consent holders to express consent as soon as practical.
4. Double opt-in implemented per CWTA guidelines
The Canadian Telecommunications Association (CTA, formerly CWTA) requires double opt-in with handset verification for short code programs. While not strictly required for long codes under CASL, double opt-in is considered a best practice by the CRTC and provides significantly stronger evidence of consent during audits. It also reduces complaint rates and improves deliverability.
5. Consent obtained separately from terms and conditions
Consent for commercial messages must not be buried in general terms and conditions or bundled with other agreements. CASL requires that consent be obtained through a clear, standalone opt-in mechanism. The recipient must understand specifically what they are agreeing to receive. Bundled consent — where agreeing to terms of service automatically enrolls someone in marketing messages — does not meet CASL requirements.
6. Third-party consent properly attributed
If you rely on consent obtained by a third party (such as a partner, affiliate, or lead generator), you must be able to demonstrate that the consent was validly obtained and that it specifically covers messages from your organization. The consent request must have identified you or your organization by name. Generic third-party consent that does not name the sender is insufficient under CASL.
7. Consent language includes purpose, frequency, identity, and opt-out instructions
Your consent request must clearly state: the identity of the person or organization seeking consent, the purpose for which consent is sought, an estimate of message frequency, contact information (mailing address plus phone or email), and a statement that the recipient may withdraw consent at any time. Consent for one channel (e.g., email) does not extend to another channel (e.g., SMS) — each requires separate consent.
8. Quebec contacts: French-language consent option provided (Bill 96)
Bill 96, which strengthened Quebec's Charter of the French Language, requires that commercial communications to Quebec consumers be available in French. Consent forms, opt-in disclosures, and marketing messages sent to Quebec phone numbers should be in French or bilingual, unless the recipient has explicitly requested English. The Office québécois de la langue française (OQLF) enforces these requirements separately from CASL, creating additional liability.
Section 2: Message Content Requirements
9. Sender clearly identified in every message
Every commercial SMS must identify the sender — the organization's name and, if the message is sent on behalf of another party, the name of that party as well. Contact information must include a mailing address and either a telephone number or email address. Given SMS character limits (160 characters per segment), it is acceptable to include a link to a web page with full sender identification details.
10. Physical mailing address or URL included
CASL requires that every CEM include a physical mailing address or a link to a web page containing that address. For SMS, where space is limited, a shortened URL pointing to a page with your full business address, phone number, and email satisfies this requirement. Ensure the linked page remains active for at least 60 days after the message is sent.
11. Unsubscribe mechanism in every message (STOP/ARRET)
Every commercial electronic message must contain a clear, functional unsubscribe mechanism that operates at no cost to the recipient. For SMS, this means supporting keyword-based opt-outs. The unsubscribe mechanism must remain operational for at least 60 days after the message is sent. Both English (STOP) and French (ARRET) keywords must be supported for messages sent to Canadian recipients.
12. Messages match the purpose for which consent was given
The content of your messages must align with the purpose stated when consent was obtained. If a contact subscribed to receive order updates, you cannot send them promotional marketing messages without obtaining separate consent. Additionally, mixing promotional content with transactional messages (such as adding an upsell to a shipping notification) nullifies the transactional exemption and subjects the entire message to full CASL consent requirements.
Section 3: Opt-Out Handling
13. STOP, ARRET, UNSUBSCRIBE, HELP, and AIDE keywords auto-processed
Your messaging platform must automatically recognize and process standard opt-out and assistance keywords. The CTA (formerly CWTA) mandates support for STOP, ARRET, HELP, AIDE, and INFO in capital letters. Additionally, UNSUBSCRIBE, END, CANCEL, and QUIT should be supported as they are recognized by both Canadian and U.S. carriers. Keyword processing must be instantaneous — any delay risks additional messages being sent after a recipient has opted out.
14. Opt-outs processed within 10 business days
CASL requires that all opt-out requests be processed within 10 business days. This is a maximum — the CRTC expects organizations to honor requests as quickly as possible. For SMS keyword opt-outs, processing should be immediate and automated. After processing, no further commercial electronic messages may be sent to the individual. When a recipient opts out, the opt-out applies to all commercial messages from your organization unless they gave separate express consent for specific programs.
15. Confirmation message sent after opt-out
When a recipient opts out, send a single confirmation message acknowledging that they have been unsubscribed. This message must not contain any marketing content. A proper confirmation includes the program name, confirmation of removal, and a statement that no further messages will be sent. For bilingual programs, the confirmation should be sent in both English and French if the recipient's language preference is unknown.
16. Opt-out records retained indefinitely
Never re-add a contact who has opted out. Opt-out records must be retained indefinitely to serve as a suppression list against future sends. Even if a contact is re-imported from a third-party list or a new data source, the opt-out must be honored. Your suppression list should include hashed identifiers so that previously opted-out contacts are caught before any message is queued, regardless of how they re-enter your system.
Section 4: Record-Keeping & Audit Readiness
17. All consent records stored securely with timestamps
The CRTC requires physical or electronic copies of all evidence of express and implied consent, including signed consent forms, audio recordings of verbal consent, and digital opt-in records with timestamps. Records must be stored securely and in a format that can be promptly retrieved on request during a CRTC investigation. Best practice is to retain these records for a minimum of 3 to 5 years beyond the last communication with each contact.
18. Message logs retained for a minimum of 3 years
While CASL does not prescribe a specific statutory retention period, the CRTC advises retaining records for as long as you continue to contact an individual and for as long as practicable thereafter. Given that violations can be discovered at any time and the CRTC can investigate historical conduct, retaining complete message logs for a minimum of 3 years is considered the industry baseline. Many compliance teams recommend 5 years for full audit protection.
19. Opt-out and unsubscribe records maintained with full history
Maintain a complete audit trail of every opt-out and unsubscribe request, including the date received, the method used (keyword, web form, email, verbal), and the date processing was completed. This history must demonstrate that you honored each request within the 10-business-day window required by CASL. Retain suppression list management records showing how opted-out contacts are excluded from all future sends.
20. Audit trail exportable for CRTC inspection
When the CRTC investigates, they can issue preservation demands and notices to produce, requiring compulsory disclosure of records. Your compliance data — consent records, message logs, opt-out history, internal policies, staff training records, and third-party processor agreements — must be exportable in a structured format that can be delivered promptly. Organizations that cannot produce records on request face significantly higher enforcement risk.
CASL Penalties
Individuals: up to $1,000,000 CAD per violation
Organizations: up to $10,000,000 CAD per violation
Since 2014, the CRTC has issued over $3.2 million in Administrative Monetary Penalties for CASL violations. Additional enforcement tools include undertakings (negotiated compliance agreements with monetary payments), preservation demands, notices to produce, and formal warning letters. Notable penalties include $200,000 against Compu-Finder, $120,000 against Hudson's Bay Company, and $75,000 against an individual spammer. The CRTC received over 208,000 complaints in a single 6-month period in 2024-2025, with 39% relating to SMS.
How AlertBolt Automates CASL Compliance
AlertBolt is built from the ground up for Canadian compliance. Every contact record includes timestamped consent tracking with source attribution. Implied consent expiration is enforced automatically. STOP, ARRET, UNSUBSCRIBE, HELP, and AIDE keywords are processed instantly. All message logs and opt-out records are retained with full audit history and can be exported for CRTC inspection with a single click. Quebec bilingual messaging is supported natively. Start your 14-day free trial to see how AlertBolt keeps your organization compliant.