Your marketing emails aren’t harmless (and they’re costing people something real)
Nobody started a business thinking, “I’d love to waste people’s time.”
But that’s exactly what happens when you send unsolicited or poorly managed marketing emails. And unlike money, time is the one thing people don’t get back.
Every unnecessary email you send is a small interruption in someone’s day—a few seconds to scan it, decide it’s irrelevant, and move on. Multiply that across thousands of recipients, across weeks, months, years… and you’re not just sending messages, you’re consuming a non-renewable resource: human attention.
That’s part of why Canada took spam seriously enough to regulate it.
Why Canada created CASL (and why it applies to you)
In response to overwhelming early-2000s spam that eroded trust, productivity, and security, Canada introduced CASL—enforced starting in 2014—to regulate commercial electronic messages and apply broadly to anyone contacting Canadians.
It’s easy to think of spam as a marketing problem. But it’s also a cybersecurity problem.
Phishing campaigns, credential harvesting, and malware delivery often start with an email. Those attacks are far more effective in environments where people are used to receiving unexpected, irrelevant, or poorly explained messages.
In other words: The more noise there is, the easier it is for malicious emails to blend in. And legitimate business spam contributes to that noise.
When users get used to:
- Emails they didn’t sign up for
- Messages from companies they don’t recognize
- Vague or generic outreach
They stop paying close attention. And that’s exactly what attackers rely on.
So when your organization sends emails without proper consent, or without clear identity, or without an easy way out, you’re essentially weakening the overall security posture of the ecosystem you’re operating in.
CASL, from a business perspective
At its core, CASL is built around a few simple expectations.
They’re straightforward in theory—but require discipline in practice.
1. Consent actually has to exist (and be provable)
If you’re sending a commercial electronic message, you should be able to answer a very simple question:
“When did this person agree to hear from us?” And not just in principle—in detail. You should be able to point to: the specific interaction where the email was collected, the method (form, signup, event, etc., the date and time, and how that consent is stored and retrievable. If you can’t do that, you don’t have solid ground. And under CASL, the responsibility to prove consent sits with you.
2. People should know exactly who is contacting them
Your emails should make it immediately clear: who you are, who you’re acting on behalf of (if applicable), and how someone can reach you. If a recipient has to pause and think, “Who is this?”—you’ve already lost trust. And from a security standpoint, unclear identity makes your message look a lot like the ones people are trained to avoid.
3. Unsubscribe should be obvious and effortless
If someone wants out, they should be able to get out—quickly. Not after logging in. Not after multiple steps. Not after waiting days.. A clear, working unsubscribe mechanism isn’t just a legal requirement—it’s a signal that you respect the recipient’s time and attention. When that signal is missing, people stop engaging entirely… or block you altogether.
The uncomfortable truth: you’re competing with attackers
Every email you send is judged in a split second. Does this look legitimate? Do I recognize this? Did I ask for this? Attackers spend a lot of time trying to imitate real businesses. If your emails show up unexpectedly, lack context, feel generic, or don’t clearly identify you… then you’re making their job easier. You’re blurring the line between legitimate communication and malicious activity.
A quick reality check for your organization
Before sending a campaign, ask:
- Would the recipient expect this email right now?
- Can we prove why they’re receiving it?
- Is it immediately clear who we are?
- Can they opt out in one step?
If any of those answers are shaky, it’s worth fixing before you hit send. Not just because of CASL—but because of how your message will be perceived.
See it from the other side
Some of my readers, coming from the US or elsewhere, you might be thinking “Oh, you crazy Canucks…” But in the long term, this sort of legislation could protect more than just Canadians…
Imagine if there was an international body cooperating to ensure corporations are respecting our human right to not have our time and our life wasted by commercial interests—not to have our inbox flooded with with noise and our alertness weakened.
It’ll take some cooperation, no doubt, but it starts with each country’s own realization of the human cost of spam…
Maybe your country is next?