CASL & WiFi Marketing in Canada: Email Consent Requirements
Key Takeaways: Canada's Anti-Spam Legislation (CASL) is one of the strictest email consent laws in the world. It applies to all commercial electronic messages (CEMs) sent to or from Canada, regardless of where the sender is located. CASL requires express consent before sending marketing emails — implied consent from a WiFi login does not satisfy CASL requirements without additional steps. Penalties reach $10 million per violation for businesses. WiFi captive portals in Canada must include explicit, opt-in consent mechanisms with specific language requirements. This guide covers what CASL requires and how to configure compliant WiFi marketing deployments.
CASL (Canada's Anti-Spam Legislation, S.C. 2010, c.23) has been in force since July 1, 2014. It governs all commercial electronic messages (CEMs) sent to or from Canada, making it one of the most far-reaching anti-spam laws globally.
For WiFi marketing resellers, CASL matters because sending a marketing email to a guest who connected at a Canadian venue — or to a Canadian resident at any venue — requires CASL-compliant consent. According to the Canadian Radio-television and Telecommunications Commission (CRTC) 2025 enforcement report, CASL penalties have exceeded $16 million since enforcement began, with average penalties of $200,000–$500,000 per case.
CASL is often underestimated because it pre-dates GDPR and lacks the media profile of European privacy regulation. But its requirements are in some respects stricter than GDPR — particularly around record-keeping and the distinction between express and implied consent.
What does CASL cover?
Commercial electronic messages (CEMs)
CASL applies to any electronic message that has a "commercial purpose" — which includes virtually all WiFi marketing communications:
- •Promotional emails (offers, discounts, coupons)
- •Newsletter emails that contain any commercial content (product mentions, pricing, calls to action)
- •SMS marketing messages
- •WhatsApp marketing messages
- •Social media direct messages with commercial intent
- •Push notifications with promotional content
Not covered: Purely transactional messages (order confirmations, appointment reminders, service notifications without commercial content), messages between individuals with a personal relationship, and messages within an organization to its employees.
Geographic scope
CASL applies to:
- •CEMs sent to Canadian recipients (regardless of where the sender is located)
- •CEMs sent from Canada (regardless of where the recipient is located)
- •CEMs routed through Canadian computer systems
A reseller in the US sending a marketing email to a guest who provided a Canadian email address at a venue in Florida is subject to CASL. A reseller in Canada sending to guests at a Mexican resort is also subject to CASL.
Consent: Express vs. implied
CASL distinguishes between two types of consent: express and implied. The distinction determines what marketing you can send and for how long.
Express consent
Express consent is an affirmative opt-in by the recipient to receive CEMs from a specific sender. It is the gold standard under CASL and has no expiration — once obtained, express consent remains valid until the recipient withdraws it.
Requirements for valid express consent:
- •Clear and prominent request. The consent request must be clearly visible, not buried in terms of service.
- •Identify the sender. The request must identify the person or organization seeking consent (the venue and/or the reseller).
- •Purpose statement. The request must describe the type of messages the recipient will receive ("promotional offers and updates from [Venue Name]").
- •Contact information. The request must include the physical mailing address and either a phone number, email, or web address of the sender.
- •Unsubscribe information. The request must inform the recipient that they can withdraw consent at any time.
What express consent looks like on a captive portal:
A checkbox (unchecked by default) with text: "Yes, I would like to receive promotional emails and offers from [Venue Name]. [Venue Name], 123 Main Street, Toronto, ON M5V 1A1. You can unsubscribe at any time."
Implied consent
Implied consent exists in limited circumstances and has time limits:
Business relationship: If the recipient has an "existing business relationship" with the sender (purchased a product or service within the last 2 years), implied consent exists for 2 years from the date of the last transaction.
WiFi login as business relationship: The CRTC has not issued specific guidance on whether a free WiFi login constitutes an "existing business relationship." Legal opinion is divided. The safer interpretation: a free WiFi login alone does not create a business relationship because no transaction occurred. If the guest also made a purchase at the venue (ordered food, bought a product), a business relationship exists for 2 years from that purchase.
Inquiry: If the recipient made an inquiry about the sender's products or services within the last 6 months, implied consent exists for 6 months from the date of the inquiry.
Published address: If the recipient has conspicuously published their email address (e.g., on a business card or website) without indicating they do not want CEMs, and the CEM is relevant to their published role, implied consent exists.
Practical implication for WiFi marketing: Do not rely on implied consent for WiFi-captured contacts in Canada. Always obtain express consent through an explicit opt-in mechanism on the captive portal. Express consent does not expire; implied consent does.
CEM requirements
Every commercial electronic message sent under CASL must include:
1. Sender identification (Section 6(2))
The message must clearly identify the sender:
- •Name of the person or organization sending the message
- •Physical mailing address (P.O. boxes are acceptable)
- •At least one of: telephone number, email address, or website URL
2. Unsubscribe mechanism (Section 6(2)(c))
Every CEM must include a functioning unsubscribe mechanism that:
- •Is clearly visible in the message
- •Can be executed at no cost to the recipient
- •Takes effect within 10 business days
- •Remains functional for at least 60 days after the message is sent
3. Record-keeping
The sender must maintain records of:
- •When and how consent was obtained (timestamp, method, consent text displayed)
- •The consent text that was presented to the recipient
- •Whether the consent was express or implied (and the basis for implied consent)
Under CASL, the burden of proving consent falls on the sender. If the CRTC investigates and you cannot produce consent records, the violation is assumed.
Implementation checklist
Captive portal configuration
- •
Express consent opt-in checkbox. Include an unchecked checkbox on the captive portal with CASL-compliant consent language. The checkbox must not be pre-ticked.
- •
Consent language includes all required elements:
- •Identifies the sender (venue name or reseller name)
- •Describes the message type ("promotional emails and offers about [category]")
- •Includes physical mailing address
- •Includes contact information (phone, email, or URL)
- •States that the recipient can unsubscribe at any time
- •
Separate WiFi access from marketing consent. WiFi access must not be conditional on marketing consent. A guest must be able to connect to WiFi without opting in to marketing messages.
- •
Consent record storage. Store the following for every consent:
- •Timestamp of consent
- •IP address (for verification)
- •Exact consent text displayed
- •Method of consent (portal checkbox)
- •Authentication method (email, social, WhatsApp)
- •
Double opt-in (recommended). While CASL does not require double opt-in, it is best practice. Send a confirmation email after portal consent: "Please confirm your subscription to [Venue Name] emails." Double opt-in provides stronger evidence of consent and reduces fake email entries.
Email campaign requirements
- •
Sender identification in every email. Include the venue name, physical address, and contact information in the footer of every marketing email.
- •
Functioning unsubscribe link. Every email must include a one-click unsubscribe link. The unsubscribe must be processed within 10 business days (best practice: immediately).
- •
No unsubscribe barriers. The unsubscribe process cannot require the recipient to log in, provide a reason, or complete a survey. It must be a single action (click a link).
- •
Unsubscribe mechanism functional for 60 days. The unsubscribe link in a sent email must remain functional for at least 60 days after the email was sent.
- •
Message content accuracy. The message must not use deceptive subject lines, false or misleading sender information, or altered transmission data.
Record management
- •
Consent records maintained. Maintain consent records for the duration of the marketing relationship plus 3 years (recommended retention for CRTC investigation defense).
- •
Implied consent tracking. If relying on implied consent (existing business relationship), track the date of the transaction that establishes the relationship and the 2-year expiration. Set automated expiration alerts.
- •
Unsubscribe records. Maintain records of all unsubscribe requests with timestamps. This demonstrates compliance with the 10-business-day processing requirement.
CASL vs. CAN-SPAM (US) vs. GDPR
| Requirement | CASL (Canada) | CAN-SPAM (US) | GDPR (EU) |
|---|---|---|---|
| Consent model | Opt-in (express or implied) | Opt-out | Opt-in (explicit) |
| Pre-send consent required | Yes (express for marketing) | No (can send unsolicited, must honor opt-out) | Yes |
| Unsubscribe deadline | 10 business days | 10 business days | Immediate |
| Physical address required | Yes | Yes | No (but privacy notice required) |
| Penalties | Up to $10M/violation (business) | Up to $51,744/violation | Up to EUR 20M or 4% revenue |
| Consent record burden | On sender | On sender (limited) | On controller |
| Private right of action | Planned but not enacted | Not available for individuals | Yes |
CASL is the most restrictive of the three for email marketing because it requires opt-in consent AND imposes strict requirements on the consent mechanism itself.
Common CASL mistakes in WiFi marketing
Mistake 1: Assuming WiFi login = consent
Problem: The reseller treats a WiFi login (email authentication) as marketing consent and starts sending promotional emails without explicit opt-in.
CASL violation: Section 6(1) — sending a CEM without consent.
Fix: The WiFi login captures the email for the purpose of WiFi authentication. Marketing consent requires a separate, explicit opt-in. Add a clearly labeled, unchecked consent checkbox to the portal.
Mistake 2: Sending from the reseller instead of the venue
Problem: The reseller sends marketing emails from their own brand/address, but the consent was obtained on behalf of the venue.
CASL violation: Consent is specific to the sender identified in the consent request. If the consent identified "Venue Name," the reseller cannot send from "Reseller Name" without separate consent.
Fix: Ensure the consent request identifies the actual sender. If the reseller sends on behalf of the venue (white-label), the consent should identify the venue as the sender. If the reseller sends from their own brand, separate consent identifying the reseller is required.
Mistake 3: No physical address in emails
Problem: Marketing emails do not include a physical mailing address.
CASL violation: Section 6(2)(b) — identification information requirements.
Fix: Include the physical address in the email footer. For white-label deployments, include the venue's physical address (the identified sender).
Mistake 4: Unsubscribe takes more than 10 business days
Problem: The unsubscribe request is processed manually and sometimes takes weeks.
CASL violation: Section 6(2)(c) — unsubscribe must take effect within 10 business days.
Fix: Implement automated unsubscribe processing. MyWiFi's email automation handles unsubscribes immediately upon click.
Mistake 5: Not tracking consent expiration for implied consent
Problem: Emails are sent to contacts under implied consent (business relationship) long after the 2-year expiration.
CASL violation: Section 10(2) — implied consent expires after the relevant time period.
Fix: Track the date of the transaction establishing the business relationship. Set automated alerts at 18 months and suppress sends at 24 months unless express consent is subsequently obtained.
WhatsApp and CASL
WhatsApp marketing messages sent to or from Canada are CEMs subject to CASL. The same consent requirements apply:
- •Express consent must be obtained before sending WhatsApp marketing messages
- •The consent request must identify the sender and describe the message type
- •An unsubscribe mechanism must be available
WhatsApp WiFi login provides a natural consent mechanism: the guest initiates the WhatsApp message (express action), and the login flow can include CASL-compliant consent language in the pre-filled message or follow-up template.
WhatsApp's 24-hour messaging window provides an additional safeguard: messages outside the window require pre-approved templates, which Meta reviews for compliance with messaging policies.
Recommended portal configuration for Canadian venues
A CASL-compliant captive portal for a Canadian venue includes:
- •Authentication — Email, social login, or WhatsApp (captures the contact)
- •CASL consent checkbox — Unchecked by default, with compliant text: "I agree to receive promotional emails from [Venue Name], [Address]. You can unsubscribe at any time. [Privacy Policy link]"
- •Connect button — Grants WiFi access regardless of whether the consent checkbox is checked
- •Privacy policy link — Full privacy notice accessible before form submission
For multi-jurisdiction portals (venues that serve both Canadian and US guests): Use the CASL standard (opt-in) as the baseline. CASL is stricter than CAN-SPAM, so a CASL-compliant portal automatically exceeds CAN-SPAM requirements. See our multi-jurisdiction consent guide.
FAQ
Does CASL apply if my venue is in the US but has Canadian guests? Yes. CASL applies to CEMs sent to Canadian recipients regardless of the sender's location. If a Canadian tourist connects to WiFi at your Miami venue and provides a Canadian email, sending marketing emails to that address requires CASL-compliant consent.
Can I send a single welcome email without CASL consent? A purely transactional message (confirming the WiFi connection) may be exempt. But if the welcome email includes any commercial content (offers, promotions, venue marketing), it is a CEM requiring consent. The safest approach: obtain express consent before sending any message that includes commercial content.
What is the penalty for CASL violations? Up to $1 million per violation for individuals and $10 million per violation for businesses. The CRTC can issue Administrative Monetary Penalties (AMPs) without court proceedings.
Does CASL apply to SMS and WhatsApp marketing? Yes. CASL applies to all commercial electronic messages, including SMS, MMS, and WhatsApp messages with commercial content.
How long must I keep consent records? CASL does not specify a retention period for consent records, but the CRTC can investigate up to 3 years after a violation. Best practice: maintain consent records for the duration of the marketing relationship plus 3 years.
Is double opt-in required under CASL? No. CASL requires express consent, which can be a single opt-in (checking a checkbox). However, double opt-in (confirmation email) provides stronger evidence of consent and is recommended as a best practice for CRTC investigation defense.