CASL COMPLIANCE FOR FRANCHISE MARKETERS

Canada's Anti-Spam Legislation (CASL) applies to all commercial electronic messages (CEMs) sent to or from Canada. A CEM is any electronic message that encourages participation in a commercial activity — including email, SMS, and certain social media messages.

CASL requires that senders have either express or implied consent before sending a CEM, and that every CEM includes a functioning unsubscribe mechanism that processes within 10 business days.

Non-compliance carries significant penalties: up to $1 million per violation for individuals and $10 million per violation for organisations. The CRTC has issued fines in the millions against Canadian businesses for systematic CASL violations.

Express consent is explicit, affirmative agreement to receive commercial messages. It must be obtained separately from other terms and conditions — burying consent in a sign-up form footer does not meet the standard. Express consent does not expire.

Implied consent exists in specific relationships: existing business relationships (customers who purchased within the last 24 months), club or association memberships, and publicly disclosed contact information (e.g., an email on a business website). Implied consent expires after 24 months from the most recent qualifying interaction.

For franchise systems, this creates complexity. A customer who visits franchisee location A has an implied consent relationship with that franchisee. But does that imply consent for messages from the franchisor brand? The answer is no — unless the relationship with the brand was clearly communicated at the point of data collection.

Franchise systems face three structural CASL challenges that standalone businesses do not:

Data ownership and consent portability. When a customer provides their email to a franchise location, does that consent extend to head office communications? It does only if the data was collected with clear disclosure of who would send messages.

Franchisee non-compliance risk. If a franchisee sends non-CASL-compliant messages, the franchisor may share liability if they have significant control over the franchisee's marketing activities. This is a meaningful risk for brands that provide email marketing tools to franchisees.

Unsubscribe processing at scale. An opt-out submitted at any touchpoint — website, email, in-store kiosk — must suppress that contact across the entire network within 10 business days. Most franchise systems do not have unified suppression lists.

Best practice for franchise CASL compliance:

1. Centralise your consent database. All opt-in and opt-out events should write to a single suppression list that all sending systems check before deployment.

2. Dual-purpose consent capture. When collecting email addresses at the location level, include clear language about which entities will send messages: "You agree to receive marketing messages from [Franchise Location] and [Brand Name]."

3. Timestamp every consent event. Implied consent has an expiry. You must be able to prove when the qualifying relationship began. Store timestamps with every consent record.

4. Automate unsubscribe processing. Manual unsubscribe processing at scale is not viable. Every CRM and email platform in your network should write opt-outs to the central suppression list automatically.

5. Audit annually. Review your consent records, expiry dates, and unsubscribe processing workflows at least once per year.

If your franchise system is not currently CASL-compliant, prioritise these actions:

Immediate (0–30 days): - Audit your current email list for consent documentation - Implement a functioning unsubscribe mechanism in all CEM channels - Create a central suppression list and connect all sending systems to it

Short-term (30–90 days): - Update all consent capture points to clearly disclose senders - Train franchisees on CASL requirements and your consent architecture - Document your consent procedures in writing

Ongoing: - Monitor implied consent expiry dates and re-engagement campaigns - Review new marketing channels against CASL requirements before launch - Maintain records of all consent events for a minimum of three years

CASL compliance is not a one-time project — it is an ongoing operational discipline. The brands that build it into their marketing infrastructure are significantly better protected than those that treat it as a checklist.