CASL Express vs Implied Consent: The Difference That Decides Whether You Can Send That Email

Canada's Anti-Spam Legislation has one of the highest maximum penalties in Canadian regulatory law — up to $10 million per violation — and the most common way businesses run afoul of it isn't malice. It's sending a perfectly normal marketing email to someone whose consent had quietly expired, or who never really gave the right kind in the first place.

The whole thing hinges on a distinction most marketers have never had explained properly: express versus implied consent.

Express consent: explicit and permanent (until withdrawn)

Express consent is exactly what it sounds like — someone affirmatively agreed to receive your commercial electronic messages. They checked an unchecked box, they typed their email into a "sign up for our newsletter" field, they said yes.

The key features of express consent: it must be opt-in (a pre-checked box doesn't count), the person must know what they're agreeing to and who's asking, and — crucially — it does not expire. Once you have valid express consent, it stays valid until the person withdraws it.

This is the gold standard. Every email program should be working to convert contacts to express consent, because it's the only form that doesn't have a clock ticking on it.

Implied consent: real, but on a timer

Implied consent is where businesses get caught. CASL allows you to send commercial messages based on an existing relationship, even without explicit opt-in — but only for a limited time.

The two most common forms:

• Existing business relationship: someone bought a product or service from you, or entered a contract. Implied consent lasts 24 months from that transaction.
• Existing non-business relationship / inquiry: someone made an inquiry or request to you. Implied consent lasts 6 months from that inquiry.

There's also a narrow "conspicuously published" business email exception, but it's frequently misunderstood and over-relied upon.

The trap is the clock. A customer who bought from you 25 months ago is no longer someone you can email on implied consent. The relationship that felt current is, in CASL terms, expired — and the email you just sent is a violation.

The other two rules people forget

Consent is necessary but not sufficient. Every commercial electronic message under CASL also needs:

• Clear sender identification — who you are and how to reach you.
• A working unsubscribe mechanism that you honour within 10 business days.

A missed unsubscribe is one of the easiest violations for the CRTC to prove, because the complainant has the receipts.

Why a spreadsheet can't keep up

Here's the operational reality: managing CASL by hand is nearly impossible at any scale. You'd have to track, per contact, which type of consent you have, when the clock started, when implied consent expires, whether they unsubscribed, and when. Multiply that across thousands of contacts and several years, and a spreadsheet becomes a liability rather than a record.

This is exactly the kind of thing that should be automated — consent logged with a timestamp and a source, implied consent flagged before it expires, unsubscribes honoured and recorded with an audit trail you can show the CRTC if a complaint lands.

Valdra's CASL tooling does exactly that: it tracks express versus implied consent per contact, surfaces expiring implied consent before it lapses, and keeps the consent and unsubscribe records that turn "we think we had consent" into "here's the proof." If your email program runs on assumptions, see what CASL compliance looks like when it runs on records instead.