Mailchimp has built-in CASL compliance tools. They're just not on by default.
Most Canadian businesses using Mailchimp assume the platform handles compliance automatically. It doesn't. Mailchimp gives you the infrastructure — double opt-in, consent groups, timestamped signup data — but none of it is configured out of the box. The defaults are designed for the US market.
If you're using Mailchimp's standard setup and emailing Canadian recipients, there's a reasonable chance your consent documentation is incomplete. That matters because CASL penalties reach $10 million CAD for organisations,[1] apply equally to solo operators, and cover anyone emailing a Canadian recipient — regardless of where the sender is based.[2]
What CASL Requires — and Where Mailchimp Leaves a Gap
CASL requires three things on every commercial electronic message: prior consent from the recipient (express or implied), clear identification of who sent it, and a functioning unsubscribe mechanism, with unsubscribe requests processed within 10 business days.[3]
Express consent is an explicit opt-in — a checkbox the person ticked themselves, a signed form, or a recorded verbal agreement. It doesn't expire unless the recipient withdraws it.[4] Implied consent comes from an existing business relationship and lasts two years from the last transaction or signed contract.[5] An inquiry or application grants only six months.[6]
Most guides explain this accurately. Most guides stop here. This is where the practical configuration work begins.
The Setup — Step by Step
Step 01
Enable Double Opt-In — and Understand Its Limits
Go to Audience → Signup forms → Form settings and enable double opt-in for your audience. This sends a confirmation email after signup, requiring the subscriber to click before they're added to your active audience.
Double opt-in produces better consent documentation. But it's not documentation by itself. What Mailchimp actually captures — and what you need — is the date and source of consent and the IP address at signup. Mailchimp records these in the OPTIN_TIME and OPTIN_IP columns of your audience export.[7] This is your evidence layer if the CRTC ever asks.
Critical point most guides miss: this data is only captured for contacts who sign up through Mailchimp's hosted forms or a properly integrated form. If you're importing contacts manually from a spreadsheet, Mailchimp has no proof of consent for those contacts. You need to hold that documentation yourself — a timestamped record of where, when, and how consent was collected — before importing.
Step 02
Create a Consent Group
Go to Audience → Manage contacts → Groups → Create Groups. Select "As checkboxes." Create a single group category — something like "Marketing Consent" — with one option: "I consent to receive commercial emails from [Your Business Name]."
Add this group to your signup form. When a contact ticks it and completes the double opt-in process, you have a timestamped record of express consent from a specific form that included your identification and a description of what they consented to receive.
Export your audience as a CSV and verify the consent group column is capturing data. This export is your compliance record.
Step 03
Update Your Signup Form Language
CASL requires that a consent request include your organisation name and contact information, a clear description of what the person is consenting to receive, and how they can withdraw consent.
Mailchimp's default signup form says something close to "Subscribe to our email list." That is not sufficient. The form should include your business name, a mailing address or contact information, and a plain-language description of what subscribers will receive — for example: "By subscribing, you consent to receive commercial emails from [Business Name] at [address]. You can unsubscribe at any time."
Pre-checked consent boxes are a CASL violation.[8] Mailchimp's native forms default to unchecked — correct. If you've modified your form or integrated a third-party form builder, verify this explicitly.
Step 04
Track Implied Consent Expiry — This Is What Almost No Guide Covers
If part of your audience gave you implied consent — existing customers, recent inquirers — that consent expires two years from the last transaction or meaningful interaction, or six months for inquiries. Mailchimp doesn't track this automatically.
Create a tag or custom field: "Implied Consent Expiry" with the expiry date for each contact segment. Build an automation: 90 days before expiry, send a re-consent campaign asking contacts to confirm they still want to hear from you. If they don't convert to express consent before the expiry date, unsubscribe them.
This is not optional. Implied consent that has expired is no consent. Continuing to send to those contacts is a CASL violation regardless of how clean your Mailchimp setup is otherwise.
Step 05
The Detail Mailchimp's Own CASL Documentation Doesn't Mention
If you send a re-consent email to contacts who hold only implied consent, that re-consent email is itself a commercial electronic message under CASL.[9] You must have the legal authority to send it before you can ask for express consent.
This creates a narrow but important window: implied consent gives you the right to send that re-confirmation email while it's still valid. Once expired, you cannot send anything to that contact — including the re-consent request. The contact must be suppressed.
This is why tracking expiry dates in advance matters. A contact whose implied consent expires next week can still be re-engaged. A contact whose implied consent expired last month cannot.
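The expiry rules from Steps 04 and 05 can be run against an audience export before every send. The following is an added example, not code from Mailchimp or from the original article: it classifies each contact as sendable, due for re-consent, suppressed, or missing consent evidence. The `CONSENT_BASIS` and `LAST_EVENT` columns are hypothetical custom fields, the sample rows are constructed, and treating the expiry date itself as already expired is a conservative assumption.

```python
import calendar
import csv
import io
from datetime import date, timedelta

# Windows stated in the article: 2 years (transaction) and 6 months (inquiry).
IMPLIED_WINDOW_MONTHS = {"transaction": 24, "inquiry": 6}
RECONSENT_LEAD = timedelta(days=90)  # re-consent starts 90 days before expiry

def add_months(d, months):
    """Calendar-month addition, clamping the day (Aug 31 + 6 months -> Feb 28)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def classify(row, today):
    """Return the action for one contact row of the export."""
    if row["CONSENT_BASIS"] == "express":
        # Express consent is only as good as the evidence in the export.
        proof = row["OPTIN_TIME"].strip() and row["OPTIN_IP"].strip()
        return "send" if proof else "missing_evidence"
    start = date.fromisoformat(row["LAST_EVENT"])
    expiry = add_months(start, IMPLIED_WINDOW_MONTHS[row["CONSENT_BASIS"]])
    if today >= expiry:  # assumption: the expiry date itself counts as expired
        return "suppress"  # nothing may be sent, including a re-consent request
    if today >= expiry - RECONSENT_LEAD:
        return "send_reconsent"  # implied consent still valid, inside the window
    return "send"

# Constructed sample export. CONSENT_BASIS and LAST_EVENT are hypothetical
# custom fields; OPTIN_TIME and OPTIN_IP are the export columns named above.
SAMPLE_EXPORT = """Email Address,CONSENT_BASIS,LAST_EVENT,OPTIN_TIME,OPTIN_IP
a@example.com,express,,2024-03-01 14:02:11,203.0.113.7
b@example.com,express,,,
c@example.com,transaction,2023-01-10,,
d@example.com,transaction,2024-06-01,,
e@example.com,inquiry,2024-08-31,,
f@example.com,inquiry,2024-05-15,,
"""

def plan(export_csv, today):
    """Map each address in the export to its action as of `today`."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return {r["Email Address"]: classify(r, today) for r in rows}

if __name__ == "__main__":
    for email, action in plan(SAMPLE_EXPORT, date(2024, 12, 1)).items():
        print(f"{email:16} {action}")
```

An unrecognised `CONSENT_BASIS` value raises a `KeyError` rather than defaulting to "send", so a contact with an unknown consent basis stops the run instead of being mailed.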
What a Complete CASL-Compliant Mailchimp Setup Looks Like
- Double opt-in enabled (Audience → Signup forms → Form settings)
- Consent group configured with clear checkbox language
- Signup form updated to include business name, address, and consent description
- Pre-checked boxes confirmed absent
- Implied consent contacts tagged with expiry dates
- Re-consent automation built for contacts approaching expiry
- Audience CSV export verified: OPTIN_TIME and OPTIN_IP populated
- Screenshot of signup form saved at the time of each major form version
Below all of this: proper email authentication. SPF, DKIM, and DMARC on your sending domain don't affect CASL compliance, but they determine whether your compliant emails actually reach the inbox.
CASL compliance is documentation work more than technical work. Most of it is configured in Mailchimp over the course of an afternoon. The cost of doing it is a few hours. The cost of skipping it is considerably higher.
What Is CASL?
CASL (Canada's Anti-Spam Legislation) is a federal law that prohibits sending commercial electronic messages (CEMs) to Canadian recipients without their prior consent. It came into full force on July 1, 2014, and is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC). CASL applies to any sender — regardless of where they are based — who sends email to a Canadian recipient. Penalties can reach $1 million CAD per violation for individuals and $10 million CAD for organisations. Unlike CAN-SPAM, CASL is an opt-in law: you must obtain consent before sending, not after.
Key Takeaways
- Mailchimp's default setup is designed for the US market — it is not CASL-compliant without configuration.
- Double opt-in captures OPTIN_TIME and OPTIN_IP — your consent documentation if the CRTC ever asks.
- A consent checkbox group in Mailchimp creates a timestamped record of express consent per form.
- Express consent does not expire. Implied consent expires after 2 years (business relationship) or 6 months (inquiry).
- A re-consent email is itself a CEM — you cannot send it after implied consent has already expired.
- Pre-checked consent boxes are a CASL violation. Mailchimp defaults to unchecked — verify if you've customised your form.
- CASL applies to anyone emailing a Canadian recipient, regardless of where the sender is located.
Sources
[1] SendCheckIt — CASL Compliance: The Complete Guide for Canadian Email Marketing (2026) — penalties up to $10M CAD
[2] Prospeo / CASL Email Compliance — CASL applies based on where the recipient is located, not where the sender is based
[3] Government of Canada (ISED) — Getting Consent to Send Email — CASL official guidance
[4] Mailchimp Help — About the Canada Anti-Spam Law (CASL) — express consent does not expire
[5] Government of Canada (ISED) — Implied consent from existing business relationship: valid for up to 2 years
[6] McInnes Cooper — Canada's Anti-Spam Legislation: 10 FAQs — inquiry implies 6-month consent window
[7] Mailchimp Help — Stay Compliant with CASL — OPTIN_TIME and OPTIN_IP fields in audience export
[8] SendCheckIt — CASL compliance guide — pre-checked boxes are a CASL violation
[9] Canadian Legal FAQs — CASL key provisions — a message seeking explicit consent is itself a CEM under CASL