Canada's Anti-Spam Legislation (CASL) is the strictest electronic marketing law in the developed world. Maximum penalty: CAD $10 million per violation for organisations. Pure recruiting messages about a specific offer to a specific person are exempt. Almost everything else — talent-pool warming, "we might have something for you" sourcing emails, recruiting newsletters — needs express consent documented with timestamp and IP. Implied consent has narrow grounds. Every commercial electronic message needs sender identification, contact info, and a functional unsubscribe processed within 10 business days.
Why CASL is a real risk, not a checkbox
CASL has been in force since 2014. Penalties of CAD $1.1 million (Compu-Finder, 2015), CAD $200,000 (Plentyoffish, 2015), and increasingly automated CRTC enforcement actions have made clear that "we didn't know" is not a defence. The law applies to:
- Any commercial electronic message (CEM) sent to or accessed from a Canadian computer system.
- This includes recruiting emails sent from a Toronto-based company to a Mexican candidate's Gmail — Gmail's servers are accessed from Canada.
- It also includes LinkedIn InMails, SMS, and any electronic medium that delivers a commercial message.
The geographic test is broad enough that almost any Canadian-based recruiter is operating within CASL whether they realised it or not.
The recruiting carve-out — and its limits
Industry Canada regulations (and §6(6) of CASL) carve out from "commercial electronic message" definitions:
- An offer of employment, business opportunity, or proposal where there is a clear specific opportunity attached.
- A response to a request for information about goods or services.
- Messages between employees of the same organisation.
- Personal or family relationship messages.
"Offer of employment" is the carve-out recruiters lean on. It covers messages like: "Hi Maria, I'm reaching out about a Senior Engineer role at NearTalent. Here are the details. Would you be interested in discussing?" A real, specific, identifiable role is on the table.
What the carve-out does NOT cover:
- "Hi Maria, we're always interested in talented engineers like you — let's stay in touch in case something opens up." — no specific role, this is talent-pool warming, CASL applies.
- "Sign up for our monthly engineering opportunities newsletter." — clearly commercial, needs express consent.
- "Hi Maria, here's what's new at NearTalent this month." — marketing message, needs consent.
The line is whether you can point to a specific employment offer with sufficient particulars at the moment of sending. If yes, recruiting carve-out applies. If no, you need consent.
Express vs implied consent
Express consent
The candidate or prospect has explicitly agreed to receive your commercial messages. Requirements:
- Affirmative action (typed email + clicked submit, ticked an opt-in checkbox that was NOT pre-checked).
- Clear description of what they'll receive (recruiting alerts, monthly newsletter, both).
- Identification of who is asking (your legal name + operating name).
- How to unsubscribe.
- Documentation: timestamp, IP address, the wording shown to them, the form or method.
Express consent does not expire (no fixed time limit) but is implicitly revocable. Once granted, you may continue to send commercial electronic messages until the recipient unsubscribes.
Implied consent
Narrow circumstances where the law presumes consent. The main grounds for recruiting:
- Existing business relationship — the recipient has done business with you in the prior 24 months (paid you, accepted a contract, received your services).
- Prior inquiry — recipient made an inquiry in the prior 6 months relating to your business.
- Conspicuous publication — recipient has conspicuously published their business email (e.g. on a corporate website, in a directory) without a statement that they don't want unsolicited messages, AND your message is relevant to their role.
Notably, LinkedIn profile email addresses generally do not qualify as conspicuously published for implied consent — they're behind authentication, not in the public domain. Cold LinkedIn-sourced outreach to a LinkedIn-listed email needs express consent or recruiting carve-out.
What every CASL-compliant email must contain
Even with consent or recruiting carve-out, certain technical requirements apply to any commercial-leaning message:
- Sender identification — your legal name and any operating name (e.g. "Selection Book S.L. operating as NearTalent").
- Contact information — a mailing address plus at least one of: telephone, email, or web URL. Valid for 60 days after the message is sent.
- Unsubscribe mechanism — free, simple, requiring no more than two clicks. Must work in any browser or email client. Must be functional for at least 60 days after the message.
- Unsubscribe processing — within 10 business days of the request. No "soft" delays.
The 10-day rule in practice
Once a recipient hits unsubscribe, the law gives you 10 business days to stop sending. The practical implication for your CRM:
- Unsubscribe must update all lists, not just the one that sent the message.
- 10 business days starts the moment the unsubscribe is received, not when your team processes it.
- If a candidate unsubscribes from your sourcing emails, you cannot then add them to a newsletter without fresh express consent.
- Track unsubscribes in a permanent audit log — CRTC has the power to demand records on inspection.
Consent record-keeping — what CRTC expects to see
If CRTC investigates, the question is: can you prove this person consented? The records you need to keep:
| Field | What to capture | Retention |
|---|---|---|
| Date and time | UTC timestamp of consent action | 3 years post-revocation minimum |
| IP address | IP from which the form was submitted | 3 years |
| Exact wording shown | The opt-in text the user saw at consent time | 3 years (versioned) |
| Method | Form, double opt-in, written, verbal-recorded | 3 years |
| Categories consented to | Recruiting, newsletter, product updates, etc. | 3 years |
| Unsubscribe history | Date, time, channel, action taken | Indefinitely |
Most CRM platforms (HubSpot, Salesforce, Pipedrive) support CASL-compliant consent fields if configured correctly. The configuration step is the one many Canadian recruiters skip.
Practical operating model for a Canadian recruiter
- Sourcing emails with a specific role attached — recruiting carve-out applies. Still include sender ID and contact info as good practice.
- Talent-pool warming and newsletters — require express opt-in via a form (un-checked checkbox, clear description). Log timestamp and IP.
- Application acknowledgments — implied consent from the application itself (recipient initiated). One-shot response, not ongoing marketing.
- Status updates during active recruiting — implied consent from the active process. Once the process closes, stop messaging unless they opted in to talent pool.
- Quarterly suppress-list refresh — sync unsubscribes across all CRM systems and email tools.
- Annual CASL compliance review — sample 100 sent emails per quarter, confirm sender ID, contact info, unsubscribe all functional.
What about US-based recruiters reaching out to Canadian candidates?
CASL applies based on where the message is accessed, not where it is sent. A US-based recruiter emailing a Toronto candidate's Canadian Gmail address falls within CASL jurisdiction. The Canadian Radio-television and Telecommunications Commission (CRTC) has jurisdiction; cross-border enforcement happens via Mutual Legal Assistance Treaty (MLAT) processes. Major US companies (Amazon, Google, Microsoft) have been subject to CASL inquiries. Treat CASL as applicable for any outreach to a Canadian recipient regardless of where your company is based.
Cross-references
Related Canadian compliance reading: PIPEDA + CASL + provincial labour playbook · T4A vs NR4 vs 1099-NEC · Canada-Mexico tax treaty
General information, not legal advice. CASL enforcement is fact-specific; specific situations should be reviewed with Canadian privacy or marketing counsel.