What does CASL require that CAN-SPAM doesn’t?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Say you're a US company that just started sending to a few thousand Canadian subscribers. You're following CAN-SPAM rules: accurate sender info, physical address, working unsubscribe. That's not enough. You're likely already violating CASL.
The main difference: CASL requires prior consent; CAN-SPAM doesn't. Under CAN-SPAM, you can cold-email anyone as long as you disclose who you are and honor opt-outs. Under CASL, you need either express consent (explicit opt-in) or time-limited implied consent from an existing business relationship before you can send.
Other things CASL requires that CAN-SPAM doesn't: no pre-checked consent boxes allowed, sender identification must include both who's sending and who they're sending on behalf of, and valid contact information must stay live for 60 days after sending. CAN-SPAM just needs a physical address and a working unsubscribe. And CASL's penalties are dramatically higher. Up to $10 million CAD per violation versus ~$51,744 per email under CAN-SPAM.
If you're applying CAN-SPAM standards to Canadian subscribers, you're under-compliant. Check whether you have valid CASL consent on file for each Canadian contact before your next send.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.