New CASL 2026 Rules: Compliance Guide | Northstar IT
HomeInsightsCompliance

Mastering New CASL 2026 Rules: Compliance for Canadian SMBs

CASL is older than most marketers realize. Enforcement is newer. Here's what consent really means in 2026 and where most BC businesses fall short.

Compliance 2026-03-10 7 min read

CASL is older than most marketers realize. Enforcement is newer. Here's what consent really means in 2026 and where most BC businesses fall short.

CASL applies to most CEMs

Commercial electronic messages: email, SMS, certain DMs. Sent to recipients in Canada. From or about a Canadian business. Most outbound marketing from BC businesses is in scope.

Express vs implied consent

Express consent: the recipient clearly opted in. Implied consent: they have an existing business relationship or published their email for the purpose you're using it for. Both work, but implied consent has expiry rules and narrow scope.

What express consent requires

Clear statement of purpose. Name of the business. Statement that they can unsubscribe. Proof of consent retained. A pre-checked box is not consent. A check box hidden in terms of service is not consent. A purchase is not consent for marketing in itself.

Implied consent limits

Implied consent from an existing business relationship lasts two years after the last transaction. From inquiry, six months. From published business contact info, only for messages relevant to the published role. Most businesses overreach here.

Proof of consent is the work

If a complaint is filed, the CRTC asks for proof of consent. 'We've been emailing them for years' is not proof. The system that captured the consent, the date, the form text, and the IP need to be retrievable. Most marketing automation tools can do this. Most BC businesses haven't turned it on.

Unsubscribe must work

Working unsubscribe link in every CEM. Honored within 10 business days. If it bounces, the message wasn't compliant in the first place. Test annually.

Suppression list discipline

Unsubscribes go on a permanent suppression list. Across all platforms, not just the one they were on. The number-one CASL violation is a person who unsubscribed from list A still receiving list B.

CRTC enforcement in 2026

Fines have climbed. Multi-hundred-thousand-dollar penalties are real for repeat offenders and reckless senders. Most enforcement starts with complaints. Most complaints come from people who already unsubscribed and got more email.

← Back to Insights Get a Free Assessment →

Want this in your inbox?

We send a short monthly note with one cybersecurity or IT topic that BC business owners should know about. No sales pitch.

Get the monthly note Read more Insights

Related posts

PIPEDA in Plain English: A 2026 Checklist for BC Businesses

PIPEDA applies to most BC businesses but most don't follow it. A plain-English checklist of what's required and what to do first.

Alberta PIPA vs. PIPEDA: What BC Businesses Need to Know

Operating in both BC and Alberta? Here is how Alberta PIPA and federal PIPEDA differ, and what that means for your IT and data practices.

BC PIPA Compliance: An IT Checklist for 2026

A practical IT checklist for BC businesses needing to comply with the BC Personal Information Protection Act in 2026. What to collect, store, and document.
Related work

Services mentioned in this post.

Talk to us about your project

Frequently asked questions

What are the main changes in the new CASL 2026 rules?

The new CASL 2026 rules focus on heightening the transparency of electronic consent and simplifying the withdrawal process for recipients. Businesses must now maintain more granular records of how and when consent was obtained. These updates also introduce stricter penalties for technical failures in unsubscribe mechanisms, making it vital for companies in BC and Alberta to audit their current email systems for reliability and compliance.

How do these updates affect businesses in BC and Alberta?

Western Canadian businesses must ensure their digital marketing and internal communications meet the updated federal standards. Whether you are based in Vancouver, Kelowna, or Edmonton, the new CASL requirements apply to all commercial electronic messages sent to or from Canada. Northstar IT helps local organisations update their IT infrastructure to automate consent tracking and ensure that every communication sent is legally defensible and compliant with the 2026 standards.

Can managed IT services help with CASL compliance?

Yes, managed IT services are essential for CASL compliance. We help you implement secure email gateways, automate data retention policies for consent logs, and secure your Microsoft 365 environment against unauthorised outbound spam. By centralising your communication technology, we make it easier to monitor compliance across your entire organisation, from Prince George to Whitehorse, reducing the risk of human error and legal exposure.