In 2023, the CRTC hit a single Canadian company with a $200,000 penalty under CASL for sending commercial emails without proper consent. They weren’t a shady offshore spammer. They were a legitimate business that assumed their old mailing list was fair game. That one assumption cost them the price of a detached house in most Canadian cities. If you run email campaigns, drop tracking pixels, or collect customer data in 2026, the Canadian digital marketing regulations aren’t background noise — they’re the guardrails between you and a life-altering fine. At TheBomb®, we’ve spent 12+ years helping businesses across BC and beyond stay compliant while still running aggressive, results-driven campaigns. The good news: the rules are knowable. The bad news: most Canadian marketers are still quietly breaking them.
This guide breaks down what every marketer operating in Canada — agency, in-house, or solo — needs to understand about CASL, PIPEDA, Bill C-27, and the enforcement landscape heading into 2026.
What Are Canada’s Core Digital Marketing Laws in 2026?
Canadian digital marketing regulation is a stack of four overlapping frameworks: Canada’s Anti-Spam Legislation (CASL), the Personal Information Protection and Electronic Documents Act (PIPEDA), the National Do Not Call List rules enforced by the CRTC, and — pending passage — the Consumer Privacy Protection Act (CPPA) under Bill C-27. Together these govern how you collect, store, use, and contact Canadian residents for commercial purposes. They apply whether your business is based in Toronto, Vancouver, or Vernon — and often when it’s based outside Canada but targets Canadians.
Here’s the quick definition set every marketer should have memorised:
- CASL governs electronic commercial messages (email, SMS, some social DMs) and software installation. Enforced by the CRTC.
- PIPEDA governs how private-sector organisations collect, use, and disclose personal information in the course of commercial activity. Enforced by the Office of the Privacy Commissioner of Canada.
- The Do Not Call List (DNCL) restricts unsolicited telemarketing calls and faxes to registered Canadian numbers.
- Bill C-27 / CPPA is the pending modernisation of PIPEDA, introducing GDPR-style rights, a dedicated tribunal, and fines of up to 5% of global revenue.
Three of the four are already enforceable with real penalties. The fourth is close enough that building for it now is the sensible play.
How Does CASL Actually Work?
CASL is the one most Canadian marketers trip over, because it’s stricter than the American CAN-SPAM Act that many assume applies here. Under CASL, you cannot send a commercial electronic message (CEM) to a Canadian recipient unless you have consent, the message identifies the sender clearly, and it contains a working unsubscribe mechanism that honours requests within 10 business days.
Consent under CASL comes in two flavours, and knowing the difference is non-negotiable:
Express Consent
Express consent is an affirmative, opt-in action: a box the recipient ticks themselves (unticked by default), a signed form, a verbal “yes” on a recorded call. It doesn’t expire on its own — once given, it lasts until the recipient withdraws it. This is the gold standard and the only type of consent you should be actively building.
Implied Consent
Implied consent is narrower than most marketers think. It applies in specific scenarios: an existing business relationship (a purchase within the last 24 months), an existing non-business relationship (a donation or volunteer activity within 24 months), or conspicuously published business contact information where the message is relevant to that person’s role. Implied consent expires. The 24-month clock starts ticking the moment that transaction ends.
Every CEM you send must also include:
- Your business name (and any names under which you carry on business)
- A physical mailing address
- A phone number, email, or web address for contact
- A clear, functional unsubscribe link that works for at least 60 days after the message is sent
The fightspam.gc.ca portal maintained by the federal government is the official reference for CASL requirements, and it’s worth bookmarking.
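To make the express-versus-implied distinction and the mandatory message elements concrete, here is an added example of a consent gate for a mailing list. It is not code from TheBomb® or from the CRTC; the consent-record format, the sample subscribers, and the unsubscribe-deadline rule (counting Monday to Friday only, with statutory holidays not modelled) are assumptions made for this example. It treats express consent as valid until withdrawn, expires implied consent 24 months after the qualifying transaction ended, and refuses to send a message that lacks any of the identification or unsubscribe elements listed above.

```python
# Added example (not code from TheBomb or the CRTC): a small consent gate that
# applies the CASL rules summarised above to an in-house consent log.
# The record format, the sample data and the unsubscribe-deadline holiday rule
# (weekends only, no statutory holidays) are assumptions for this example.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ConsentRecord:
    email: str
    kind: str                      # "express" or "implied"
    given_on: date                 # opt-in date, or the date the qualifying transaction ended
    withdrawn_on: Optional[date] = None   # set when the recipient unsubscribes


def implied_consent_expiry(start: date) -> date:
    """Implied consent lasts 24 months after the qualifying transaction ended."""
    try:
        return date(start.year + 2, start.month, start.day)
    except ValueError:             # Feb 29 with no leap day two years on
        return date(start.year + 2, start.month, 28)


def consent_is_valid(record: ConsentRecord, on: date) -> bool:
    """Express consent lasts until withdrawn; implied consent also expires."""
    if record.withdrawn_on is not None and record.withdrawn_on <= on:
        return False
    if record.given_on > on:
        return False
    if record.kind == "express":
        return True
    if record.kind == "implied":
        return on < implied_consent_expiry(record.given_on)
    return False                   # unknown consent kind: treat as no consent


@dataclass
class Message:
    sender_name: str
    mailing_address: str
    contact: str                   # phone number, email or web address
    unsubscribe_url: str


def missing_cem_elements(msg: Message) -> list[str]:
    """Return the mandatory CASL identification elements the message lacks."""
    required = {
        "sender name": msg.sender_name,
        "mailing address": msg.mailing_address,
        "contact method": msg.contact,
        "unsubscribe mechanism": msg.unsubscribe_url,
    }
    return [name for name, value in required.items() if not value.strip()]


def may_send(record: ConsentRecord, msg: Message, on: date) -> tuple[bool, list[str]]:
    """Decide whether this CEM may go to this recipient today, with reasons if not."""
    reasons = []
    if not consent_is_valid(record, on):
        reasons.append(f"no valid consent for {record.email}")
    reasons += [f"message missing {name}" for name in missing_cem_elements(msg)]
    return (not reasons, reasons)


def unsubscribe_deadline(requested_on: date) -> date:
    """Last day to honour an unsubscribe: 10 business days (Mon-Fri; holidays not modelled)."""
    remaining, day = 10, requested_on
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:      # 0..4 are Monday..Friday
            remaining -= 1
    return day


if __name__ == "__main__":
    # Constructed sample data, not real subscribers.
    today = date(2026, 1, 14)
    log = [
        ConsentRecord("a@example.com", "express", date(2021, 3, 9)),
        ConsentRecord("b@example.com", "express", date(2022, 5, 1), withdrawn_on=date(2025, 6, 1)),
        ConsentRecord("c@example.com", "implied", date(2024, 1, 15)),   # expires 2026-01-15
        ConsentRecord("d@example.com", "implied", date(2023, 12, 1)),   # already expired
    ]
    msg = Message("Example Co.", "123 Example St, Vernon BC", "hello@example.com",
                  "https://example.com/unsubscribe")
    for rec in log:
        ok, why = may_send(rec, msg, today)
        print(rec.email, "SEND" if ok else f"SKIP ({'; '.join(why)})")
    print("unsubscribe received 2026-03-02 must be honoured by", unsubscribe_deadline(date(2026, 3, 2)))
```

The point of the gate is that the send decision is computed from dated consent records rather than from the mere presence of an address on a list: an implied-consent contact silently drops out of the eligible set on the day its 24-month window closes, a withdrawn express consent stops sends on the withdrawal date, and a template missing its mailing address or unsubscribe link blocks the whole send rather than one recipient. Keeping the reasons alongside the boolean gives you the audit trail a regulator will ask for.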
PIPEDA, Bill C-27, and the CPPA — What Changed?
PIPEDA has been the backbone of Canadian private-sector privacy law since 2000, but it’s showing its age. The core principle is simple: you can collect personal information only with meaningful consent, for purposes a reasonable person would consider appropriate, and you must protect it with safeguards proportionate to its sensitivity.
In practice, PIPEDA requires marketers to:
- Identify the purpose for collection before or at the time you collect data
- Limit collection to what’s necessary for the identified purpose
- Provide individuals with access to their data on request
- Report privacy breaches that pose a real risk of significant harm to the Office of the Privacy Commissioner and affected individuals
Bill C-27 — the Digital Charter Implementation Act — is set to replace PIPEDA’s commercial provisions with the Consumer Privacy Protection Act (CPPA) and create a separate Personal Information and Data Protection Tribunal. The changes that will hit marketers hardest:
- Plain-language consent: Consent requests must be understandable by the average person. No more 4,000-word legalese privacy policies buried behind a scroll.
- Right to deletion: Canadians will have a statutory right to request deletion of their personal information, similar to GDPR’s right to erasure.
- Algorithmic transparency: If you use automated decision-making (think: predictive scoring, ad targeting models), individuals can request an explanation.
- Penalties up to 5% of global revenue or $25M CAD, whichever is greater — a league above PIPEDA’s current $100,000 maximum per violation.
Even if Bill C-27 slips further, Quebec’s Law 25 is already in force with many of the same provisions and its own set of fines. If you market into Quebec, you’re already operating under a GDPR-equivalent regime.
Cookies, Tracking, and Consent Management Platforms
Canada hasn’t (yet) imposed the explicit prior-consent-for-cookies regime you see under the EU’s ePrivacy Directive, but that doesn’t mean you can sprinkle tracking scripts across your site without a second thought. Under PIPEDA, cookies and pixels that collect personal information require meaningful consent — and the Privacy Commissioner has repeatedly stated that implied consent through continued browsing is not sufficient for sensitive or behavioural tracking.
Here’s the practical checklist we use with clients at TheBomb®:
- Deploy a Consent Management Platform (CMP) on every client-facing site. Tools like Cookiebot, OneTrust, or Osano let you enforce granular opt-in for analytics, advertising, and functional cookies.
- Default to off. Non-essential cookies should not fire until the user actively accepts. Pre-ticked boxes are not consent under any Canadian framework.
- Maintain a cookie inventory. Document every script, its purpose, its vendor, and its retention period. When a regulator asks — and under CPPA they will — you need this in 30 seconds, not 30 days.
- Honour Global Privacy Control signals. GPC is increasingly treated as a legally valid opt-out signal in modernising jurisdictions. Your CMP should respect it automatically.
A well-configured CMP also protects your Google Ads and Meta ad accounts. Both platforms now require verified consent signals for EU and increasingly Canadian traffic, and failing to pass them reduces attribution accuracy — which directly tanks campaign performance. Need help wiring this into a new or existing site? Our maintenance and compliance service handles CMP deployment, script audits, and ongoing monitoring.
SMS, Calls, and the Do Not Call List
CASL applies to SMS and MMS the same way it applies to email. Every commercial text you send needs consent, sender identification, and an unsubscribe path (typically “reply STOP”). The 10-business-day unsubscribe window applies identically.
For voice calls and faxes, the National Do Not Call List is the governing framework. Before any telemarketing campaign, your list must be scrubbed against the DNCL within the previous 31 days. Violations are stacked per call — dial 500 registered numbers and you’re looking at 500 separate infractions.
There are narrow exemptions: registered charities, political parties, newspapers soliciting subscriptions, and businesses with existing business relationships under the specific DNCL definitions. None of those exemptions are as broad as marketers typically hope. In our 12+ years running campaigns across Canada, we’ve watched more than one client assume they were exempt and discover — expensively — that they weren’t.
If your strategy leans on outbound, bake DNCL scrubbing into your workflow as a non-negotiable step. The cost of a subscription to the DNCL access service is trivial compared to one CRTC investigation.
What Happens If You Get Caught?
The penalties are real, they’re escalating, and they apply to individuals as well as organisations.
CASL: Administrative monetary penalties of up to $1 million per violation for individuals and $10 million per violation for organisations. The CRTC has publicly listed enforcement actions totalling tens of millions of dollars since CASL came into force. And the definition of “violation” is per message, not per campaign — a single non-compliant blast to 10,000 subscribers is, technically, 10,000 violations.
PIPEDA: Currently capped at $100,000 per violation, but that’s about to change. The Privacy Commissioner can also name-and-shame publicly, issue compliance orders, and refer matters for prosecution. Reputational damage from a published PIPEDA finding has tanked more than one Canadian brand.
Bill C-27 / CPPA (pending): Up to the greater of $25 million CAD or 5% of global gross revenue. For a mid-market Canadian company doing $50M in revenue, that’s a $2.5M ceiling on a single finding.
Private right of action: CASL originally included a private right of action allowing individuals to sue for statutory damages of up to $200 per violation, capped at $1M per day. It’s been on hold since 2017, but the government has signalled it may be reinstated. If and when it returns, class-action lawyers will have a field day with sloppy email lists.
Enforcement isn’t hypothetical. The CRTC publishes every notice of violation at crtc.gc.ca, and the Privacy Commissioner publishes findings regularly. Read a few. You’ll find they involve companies you’ve heard of — not just bad actors.
Building Compliance Into Your Marketing Stack
Compliance isn’t a one-time audit. It’s a continuous practice baked into how you build sites, collect leads, and run campaigns. At TheBomb®, we treat privacy and anti-spam compliance as a first-class feature of every project we ship — because fixing it after a regulator comes knocking costs 10x what it costs to build it in from day one.
Here’s how our services map to the regulatory landscape:
- SEO strategy — Organic traffic built on consent-first data collection outperforms paid channels long-term and insulates you from ad-platform policy whiplash.
- Website maintenance and compliance — Ongoing CMP management, cookie audits, privacy policy updates, and CASL consent record-keeping.
- Contact us — If your site has a form, tracks visitors, or sends a single email, we’ll audit your stack against CASL, PIPEDA, and CPPA-readiness.
The cheapest time to become compliant is before you’re forced to. The second-cheapest time is today. Ready to stop gambling with your email list and start building a marketing engine that scales without legal risk? Get in touch with TheBomb® and we’ll map your current exposure and the shortest path to clean.
Key Takeaways
- CASL is strict consent-based, not opt-out. Express consent is the only durable foundation. Implied consent expires — usually at 24 months — and is narrower than most marketers assume.
- PIPEDA is becoming CPPA. Bill C-27’s penalty ceiling of 5% of global revenue or $25M changes the risk calculus completely. Build for it now, not when it passes.
- Cookies require meaningful consent under PIPEDA. Deploy a Consent Management Platform, default non-essential tracking to off, and maintain an auditable cookie inventory.
- Enforcement is active and public. The CRTC and the Office of the Privacy Commissioner publish violations. Fines run into the millions and hit real, recognisable Canadian companies.
- Compliance is a system, not a checklist. The marketers who win in 2026 are the ones who treat consent as infrastructure — built into forms, stacks, and workflows, not bolted on after a complaint.