If your business touches customers in both Canada and the United States, you are living under two email laws at once, and they do not agree on the single most important question: do you need permission before you hit send.
Get this wrong and it is not a rounding error. The American rulebook, CAN-SPAM, permits a style of list-building that CASL treats as a violation. So a Canadian owner who learned email marketing from US blogs, US courses, and US software defaults can be breaking Canadian law while doing everything the American way “correctly.”
Here is where the two part company.
Opt-out versus opt-in
This is the whole ballgame.
CAN-SPAM (US) is opt-out. You are generally allowed to email someone who has not agreed to hear from you, as long as you identify yourself, tell the truth, and give them a way to unsubscribe. Consent is not the starting point. The recipient’s power is the ability to make you stop.
CASL (Canada) is opt-in. In general you need consent before the first commercial message goes out, whether express or a time-limited implied consent from an existing relationship. The recipient’s power is that you needed their permission in the first place.
That single difference cascades into everything else. Buying a list and blasting it might be a defensible move under CAN-SPAM. Under CASL it is a textbook violation, because none of those people consented to hear from you.
What each law covers
CAN-SPAM is aimed squarely at commercial email. Texting in the US mostly falls under separate rules like the TCPA, and the two are enforced by different bodies.
CASL is broader. It governs “commercial electronic messages” as a category, which sweeps in email and many text messages under one law, plus certain rules about installing software. For a Canadian business, that means your promotional SMS campaign is not a loophole. It is squarely inside CASL.
The penalties are not in the same league
Under CAN-SPAM, violations are counted per email and can add up, but for most small and mid-size senders enforcement has been relatively light and settlements modest.
Under CASL, the maximum administrative penalty is $10 million per violation for a business, and the CRTC has handed out penalties in the six and seven figures. Officers and directors can face personal liability. The enforcement culture is simply more assertive. When a Canadian regulator receives a complaint, the first thing they ask for is proof of consent, and “they never told us to stop” is not proof of anything under CASL.
Identification and unsubscribe: similar, but sharper
Both laws want you to say who you are and let people leave. The details differ.
- Unsubscribe timing. CAN-SPAM gives you up to 10 business days to honour an opt-out and the request stays valid for at least 30 days. CASL also lands around 10 business days but pairs it with the opt-in foundation, so the whole relationship is consent-first.
- Contact information. CASL is specific that your identifying contact details must stay valid for at least 60 days after you send. CAN-SPAM requires a valid physical postal address. Similar spirit, different specifics.
The upshot is that a clean CASL footer will satisfy CAN-SPAM, but a bare-minimum CAN-SPAM footer may not satisfy CASL.
What this means in practice
If you operate on both sides of the border, build to the Canadian standard and let it carry the American requirements. CASL is the higher bar. A program designed to satisfy CASL, consent up front, clear identification, easy unsubscribe, real records, will almost always keep you clean under CAN-SPAM too. The reverse is not true, and assuming it is has caught a lot of Canadian businesses off guard.
The practical challenge is that most email platforms default to American assumptions. They make it easy to import a list and start sending. They do not, by default, force you to track how each contact consented and when that consent expires. That gap is where the risk lives. The fix is a system that treats consent as a property of every contact, so your Canadian list and your American list can follow different rules without you having to remember which is which.
Two countries, two laws, one safe habit: collect consent before you send, and keep the receipts.
Frequently asked questions
Can I use the same email strategy in Canada and the US?
Not safely. The core difference is consent: US CAN-SPAM lets you email people until they opt out, while Canada's CASL generally requires opt-in consent before you send. A strategy built on the American model can put you offside in Canada from the very first message.
Which law is stricter?
CASL, by a wide margin. It requires consent up front, covers more message types including texts, and carries penalties up to $10 million per violation for a business. CAN-SPAM is opt-out, narrower, and its per-email penalties, while real, are usually enforced less aggressively.
If I follow CASL, am I also following CAN-SPAM?
In most practical cases, yes. CASL is the higher bar, so a program built to satisfy it will generally satisfy CAN-SPAM too. Building to the American standard and hoping it covers Canada does not work the other way around.
Does CAN-SPAM apply to text messages?
CAN-SPAM is aimed mainly at commercial email. Commercial texting in the US is governed largely by other rules, such as the TCPA. CASL, by contrast, covers commercial electronic messages broadly, which includes many texts, under one framework.