1. The 30-second version
Canada's Anti-Spam Legislation (CASL) is the strictest commercial-messaging regime in the world. Send a single unsolicited B2B sales email without express or implied consent and you can be fined up to $10 million per violation. The CRTC has actually levied seven-figure fines on real Canadian businesses since 2014.
But CASL has explicit carve-outs for B2B outreach to commercial entities — and permit data, business-licence data, and most municipal open data sits squarely inside those carve-outs. The trick is knowing which carve-out you're standing on, and documenting it.
This guide walks you through it specifically for trade contractors using permit-intelligence feeds. We'll cover:
- Who CASL applies to (and who it doesn't)
- The four legal bases for sending a commercial electronic message (CEM)
- How "business contact information" works as an exemption
- What "implied consent" looks like for permit-sourced leads
- The three things every CEM must contain
- Real fine examples and what they tell you
2. Who CASL applies to
CASL applies to anyone who sends a commercial electronic message (CEM) to an electronic address located in Canada. A CEM is any message whose purpose includes promoting a commercial activity — quotes, sales pitches, upsells, "would you like to chat about your project," anything that has a buy-from-me angle.
The territorial test is the recipient's address, not the sender's. A US-based contractor emailing a Calgary GC is in scope. A Calgary contractor emailing a Calgary GC is in scope. A Calgary contractor emailing a Houston GC is not.
What's not a CEM: pure relationship-building messages with no commercial content (rare in practice), transactional messages about existing transactions, replies to a request for information from the recipient.
3. The four legal bases
You need one of these four things before you can send a CEM:
- Express consent — the recipient explicitly opted in (filled out a form, ticked a box, said yes in writing). Express consent has no expiry.
- Implied consent — derived from an existing business relationship (or "non-business relationship" like membership in a club). Has a 2-year expiry from the triggering event.
- The business-contact-information exemption — sending to a business email address (info@, sales@, named-person@company.com) where the recipient's role at the company is plausibly related to your offer.
- The conspicuously-published exemption — the recipient's contact info is publicly published, the publication wasn't accompanied by a "no commercial messages" statement, and your message is relevant to their business role.
4. How permit-sourced leads fit
This is the key part for trade contractors. When you pull a Calgary commercial permit for a $485,000 tenant improvement at 1234 17 Ave SW, the data set you receive contains:
- The street address of the project
- The applicant name (a company)
- The contractor name (a company)
- Permit class, work class, project value
That's business data about a commercial activity. It's not personal information about a private individual. When you then enrich it with a contact phone number scraped from Google Places (the business's published phone), you're working with conspicuously-published business contact information — and reaching out to discuss your trade's involvement in their permit is "relevant to the recipient's business" almost by definition.
You're standing on Bases 3 and 4 simultaneously: business-contact-information exemption AND conspicuously-published exemption.
info@skyriseconstruction.com about a permit they pulled is fine under business-contact-info. A CEM to steve.lee@skyriseconstruction.com about that same permit is also fine as long as Steve's contact is conspicuously published (on the company website, on a permit application, in a directory) and your offer is plausibly relevant to his role.5. What you cannot do, even with permit data
Even when you have a valid basis to send, the message itself has to comply with CASL's mandatory contents:
- Identification — your name and/or your company's name, plus a way to contact you that's valid for at least 60 days after sending (mailing address or working phone, in addition to email).
- Unsubscribe mechanism — a working, free, easy way to opt out. Must process within 10 business days.
- Truthful subject line and sender info — no misleading "Re:" prefixes, no fake sender names.
You also can't:
- Use the address from a permit feed to install software on the recipient's computer (CASL has a separate anti-malware regime).
- Aggregate addresses across many CEMs in a way that creates the impression of mass marketing (this can flip you into a category where regulators look harder).
- Continue to email someone after they've unsubscribed. The 10-business-day clock starts when they hit the link.
6. Real CASL fines: what tipped them over
The CRTC publishes its enforcement actions. A few that matter for B2B contractors:
| Company | Year | Fine | Why |
|---|---|---|---|
| Compu-Finder | 2015 | $1.1M | Sent CEMs after recipients unsubscribed; no working unsubscribe mechanism |
| Rogers Media | 2015 | $200K | Unsubscribe mechanism took >10 business days to process |
| Plenty of Fish | 2015 | $48K | Unsubscribe link non-functional |
| Porter Airlines | 2015 | $150K | CEMs sent without proper contact ID |
| nCrowd Inc | 2018 | $100K | Failure to honour unsubscribes |
Pattern: the fines almost always trace back to poor unsubscribe hygiene, not the sourcing of the email address. CRTC enforcement is reactive to complaints — if your recipients don't complain, you don't get a fine. If they do, the audit traces straight back to whether you honoured the unsubscribe.
7. A practical workflow for permit-sourced outreach
Here's what a CASL-tight workflow looks like for a contractor using Shovel Radar (or any equivalent permit feed):
- Receive the weekly Excel. Filter to permits matching your trade.
- Look up each row. Use the contractor / applicant name to find the company's conspicuously-published contact info: their website, their LinkedIn company page, their Google Business Profile.
- Draft the first message yourself. No automation, no template-mail-merge that loses the personalized touch. Reference the specific permit (address + project value) — this proves your message is relevant to their business.
- Include the mandatory footer. Your name + company + mailing address + phone + a working unsubscribe line ("reply with UNSUB to opt out").
- Track unsubscribes in a CSV or CRM. When someone says no, mark it. Re-check the list before every send.
- Re-permission every 24 months. If you haven't heard from a contact in 2 years, drop them from active outreach or send a re-permission email.
8. The honest answer to "what's my risk"
If you're a solo trade contractor sending 20 individualized outreach emails a week to commercial GCs whose permits you saw, your CASL risk is essentially zero — as long as your unsubscribe mechanism works and you honour it. The CRTC has not pursued small contractors for thousand-dollar fines; they pursue companies sending millions of messages with broken opt-outs.
If you're scaling up to thousands of sends per week with mail-merge, your risk goes up — not because the underlying activity is illegal, but because complaint volume scales with send volume, and you become visible.
The single highest-value thing you can do for CASL hygiene is: keep your unsubscribe list, and check it before every send. Everything else is downstream.
9. Further reading
- CRTC's official CASL portal — definitive source on the law and enforcement actions
- Government of Canada FightSpam site — the recipient-facing complaint portal (useful to know what your contacts see)
- Office of the Privacy Commissioner of Canada — PIPEDA guidance (covered in our companion guide)
Use the playbook
Shovel Radar gives you the trade-routed permit feed this guide describes.
Weekly Excel. 382 Canadian cities. Same playbook, scaled.
Get a 5-row sample · no credit card