Quick answer

Canada's Anti-Spam Legislation (CASL) is the strictest electronic marketing law in the developed world. Maximum penalty: CAD $10 million per violation for organisations. Pure recruiting messages about a specific offer to a specific person are exempt. Almost everything else — talent-pool warming, "we might have something for you" sourcing emails, recruiting newsletters — needs express consent documented with timestamp and IP. Implied consent has narrow grounds. Every commercial electronic message needs sender identification, contact info, and a functional unsubscribe processed within 10 business days.

Why CASL is a real risk, not a checkbox

CASL has been in force since 2014. Penalties of CAD $1.1 million (Compu-Finder, 2015), CAD $200,000 (Plentyoffish, 2015), and increasingly automated CRTC enforcement actions have made clear that "we didn't know" is not a defence. The law applies to:

The geographic test is broad enough that almost any Canadian-based recruiter is operating within CASL whether they realised it or not.

The recruiting carve-out — and its limits

Industry Canada regulations (and §6(6) of CASL) carve out from "commercial electronic message" definitions:

"Offer of employment" is the carve-out recruiters lean on. It covers messages like: "Hi Maria, I'm reaching out about a Senior Engineer role at NearTalent. Here are the details. Would you be interested in discussing?" A real, specific, identifiable role is on the table.

What the carve-out does NOT cover:

The line is whether you can point to a specific employment offer with sufficient particulars at the moment of sending. If yes, recruiting carve-out applies. If no, you need consent.

Express vs implied consent

Express consent

The candidate or prospect has explicitly agreed to receive your commercial messages. Requirements:

Express consent does not expire (no fixed time limit) but is implicitly revocable. Once granted, you may continue to send commercial electronic messages until the recipient unsubscribes.

Implied consent

Narrow circumstances where the law presumes consent. The main grounds for recruiting:

Notably, LinkedIn profile email addresses generally do not qualify as conspicuously published for implied consent — they're behind authentication, not in the public domain. Cold LinkedIn-sourced outreach to a LinkedIn-listed email needs express consent or recruiting carve-out.

What every CASL-compliant email must contain

Even with consent or recruiting carve-out, certain technical requirements apply to any commercial-leaning message:

  1. Sender identification — your legal name and any operating name (e.g. "Selection Book S.L. operating as NearTalent").
  2. Contact information — a mailing address plus at least one of: telephone, email, or web URL. Valid for 60 days after the message is sent.
  3. Unsubscribe mechanism — free, simple, requiring no more than two clicks. Must work in any browser or email client. Must be functional for at least 60 days after the message.
  4. Unsubscribe processing — within 10 business days of the request. No "soft" delays.

The 10-day rule in practice

Once a recipient hits unsubscribe, the law gives you 10 business days to stop sending. The practical implication for your CRM:

Consent record-keeping — what CRTC expects to see

If CRTC investigates, the question is: can you prove this person consented? The records you need to keep:

FieldWhat to captureRetention
Date and timeUTC timestamp of consent action3 years post-revocation minimum
IP addressIP from which the form was submitted3 years
Exact wording shownThe opt-in text the user saw at consent time3 years (versioned)
MethodForm, double opt-in, written, verbal-recorded3 years
Categories consented toRecruiting, newsletter, product updates, etc.3 years
Unsubscribe historyDate, time, channel, action takenIndefinitely

Most CRM platforms (HubSpot, Salesforce, Pipedrive) support CASL-compliant consent fields if configured correctly. The configuration step is the one many Canadian recruiters skip.

Practical operating model for a Canadian recruiter

  1. Sourcing emails with a specific role attached — recruiting carve-out applies. Still include sender ID and contact info as good practice.
  2. Talent-pool warming and newsletters — require express opt-in via a form (un-checked checkbox, clear description). Log timestamp and IP.
  3. Application acknowledgments — implied consent from the application itself (recipient initiated). One-shot response, not ongoing marketing.
  4. Status updates during active recruiting — implied consent from the active process. Once the process closes, stop messaging unless they opted in to talent pool.
  5. Quarterly suppress-list refresh — sync unsubscribes across all CRM systems and email tools.
  6. Annual CASL compliance review — sample 100 sent emails per quarter, confirm sender ID, contact info, unsubscribe all functional.

What about US-based recruiters reaching out to Canadian candidates?

CASL applies based on where the message is accessed, not where it is sent. A US-based recruiter emailing a Toronto candidate's Canadian Gmail address falls within CASL jurisdiction. The Canadian Radio-television and Telecommunications Commission (CRTC) has jurisdiction; cross-border enforcement happens via Mutual Legal Assistance Treaty (MLAT) processes. Major US companies (Amazon, Google, Microsoft) have been subject to CASL inquiries. Treat CASL as applicable for any outreach to a Canadian recipient regardless of where your company is based.

Cross-references

Related Canadian compliance reading: PIPEDA + CASL + provincial labour playbook · T4A vs NR4 vs 1099-NEC · Canada-Mexico tax treaty

General information, not legal advice. CASL enforcement is fact-specific; specific situations should be reviewed with Canadian privacy or marketing counsel.