WhatsApp Business API vs Regular WhatsApp Business: What Canadian Businesses Get Wrong About CASL

Almost every Tamil-Canadian small business we talk to in the GTA is using regular WhatsApp Business (the green-icon app you download from the Play Store or App Store) to broadcast promotions, send weekly grocery deals, or push new tuition batches to parents. Most of them are in violation of CASL (Canada's Anti-Spam Legislation) without realising it, and many are also in breach of WhatsApp's own Business Messaging Policy.

This post walks through the practical difference between the two products, what CASL actually requires, and the minimum setup you need before your next broadcast.

What CASL actually says

CASL applies to any commercial electronic message — that includes WhatsApp messages to customers in Canada. Three things matter:

1. You need consent. Either express consent (the recipient explicitly said yes) or implied consent (a recent transaction, a published business address, or an existing business relationship).
2. Every message needs an identifier — who you are, how to contact you, and a way to unsubscribe.
3. Unsubscribe requests must be honoured within 10 business days and must work using the same channel the message was sent through.

The fines are not theoretical — the maximum administrative monetary penalty is $10M CAD per violation for a corporation, $1M for an individual. Even the CRTC's smaller settlements in the last 3 years have averaged $200K+.

The common misconception is that CASL is just about email. It is not — CASL covers SMS, MMS, WhatsApp, Telegram, Signal, and basically any electronic messaging service used for commercial purposes.

The critical feature difference: consent and audit logs

Here is the table most Tamil-Canadian business owners need to see:

| Feature | WhatsApp Business (free app) | WhatsApp Business API | |---|---|---| | Free to use | Yes | No (pay-per-conversation) | | Broadcast to 256+ contacts | No (256-contact list cap) | Yes (unlimited with templates) | | Opt-in audit log | None | Required by Meta before templates approved | | STOP / unsubscribe automation | Manual block & pray | Automatic keyword handling | | Message template approval | Not applicable | Required by Meta + CASL-compliant | | Delivery & read receipts at scale | No | Yes | | Multi-agent / team inbox | No | Yes (via BSP dashboard) | | Webhook into your CRM | No | Yes | | Cost of CRTC fine if you mess up | Same | Same |

The regular WhatsApp Business app was never designed for compliance. It is a phone you hand out to customers. It has no consent tracking, no automatic opt-out, and no audit trail for the CRTC to audit. If CRTC comes knocking with a complaint, you have nothing to produce.

The WhatsApp Business API (accessed through a Business Solution Provider, or BSP) is a different product. Every template you use must be pre-approved by Meta, every opt-in is logged with a timestamp, and opt-outs are enforced automatically via keyword handlers (STOP, OFF, "வேண்டாம்" in Tamil, "बंद करो" in Hindi, etc.).

What a CASL audit actually looks like

When a complaint lands at CRTC, here is what they ask for:

1. The exact message that was sent (in the language it was sent)
2. The date, time, and phone number it was sent to
3. Proof the recipient consented, when, and how
4. Proof the message included a working unsubscribe mechanism
5. Proof you honoured the unsubscribe within 10 business days

On WhatsApp Business API with a BSP, every one of those is a database query. On regular WhatsApp Business, you cannot produce items 3, 4 or 5 at all — you would be asking the CRTC to trust your screenshots.

The Tamil-Canadian context specifically

Four issues we see repeatedly in GTA Tamil business broadcasts:

1. "Implied consent" is over-claimed. Implied consent under CASL is narrower than most people think. A customer paying at your grocery store does not grant consent to receive WhatsApp broadcasts. A customer who purchased in the last 2 years does — but only for 2 years from the transaction date, and only for similar products. An existing business relationship does not automatically unlock broadcasts.

2. Temple & community lists are not safe lists. Many first-generation Tamil businesses share contact lists with temple committees, Tamil Sangam boards, and Tamil radio station VIP member lists. That is not consent transfer. The person who agreed to receive temple event updates did not consent to receive promotional messages from a separate commercial business. Sending to that list is a textbook CASL violation.

3. "Forward to 10 friends" promotions. These are almost always in breach — not only of CASL but also of WhatsApp's own anti-spam policy. They can get your number banned.

4. Tamil-only unsubscribe instructions. If you send a Tamil message, your unsubscribe mechanism must also work in Tamil. STOP in English works, but if your Tamil-speaking customer types "வேண்டாம்" or "நிறுத்து", your system must recognise it and act. This is trivial on the API side, impossible on the regular app.

The minimum compliant setup

For a Canadian small business that wants to do WhatsApp marketing legally in 2026:

1. Upgrade to WhatsApp Business API via a certified BSP (MessageBird, Twilio, Gupshup, 360dialog, Infobip — all fine). Expect $0.03–$0.12 CAD per conversation depending on the country and type (Canada is more expensive than India).
2. Get templates approved that include your business name, address, and unsubscribe instructions. Submit Tamil + English versions separately if you serve both.
3. Build an opt-in log — minimum a spreadsheet, ideally a CRM — that captures when and how each contact gave consent. "Signed up on the website form" or "verbally agreed on call at 2026-04-10 14:32" are both fine as long as they are recorded.
4. Automate the keyword unsubscribe. Every decent BSP supports this out of the box. Test it by unsubscribing yourself.
5. Export a 24-hour rolling log of all sent messages and all unsubscribe actions. Keep it for 3 years.
6. Cap promotional broadcasts at 1-per-week-per-contact. This is not a CASL rule, it is a survival rule — otherwise you get reported and Meta throttles your number.

"My competitor is doing it and they're fine"

Most Tamil-Canadian small businesses in the GTA have not been caught yet. That is not the same as being compliant. CRTC enforcement has ramped up in 2025–26, particularly in immigrant-community-owned businesses because those are where the most complaints land (disgruntled ex-customers, laid-off workers, competitors). The question is not "will they enforce" — it is "when is the first complaint from someone you upset".

The worst-case scenario is not the fine itself. It is a message from Meta that your WhatsApp number is permanently banned for policy violations. When that happens, you lose years of customer conversations overnight, with no appeal.

Frequently Asked Questions

Does CASL apply to messages I send from Sri Lanka to Canada? Yes. CASL applies to any message sent or routed to an electronic address accessed in Canada, regardless of where the sender is based. A company based in Jaffna or Chennai broadcasting to Canadian customers is fully bound by CASL.

What about messages I send only to existing customers? The "existing business relationship" exemption gives you 2 years of implied consent after the last transaction, and 6 months after an inquiry. After that window closes, you need express consent. The exemption is also only valid for messages about similar products or services — a grocery store cannot use it to broadcast about unrelated tuition services.

Can I use the regular WhatsApp Business app for 1-on-1 customer support? Yes — CASL does not cover direct customer-initiated conversations. If a customer messages you first and you reply, you are fine. The issue is broadcasts you initiate.

What about the 256-contact list in WhatsApp Business? Broadcast lists in the regular app can send to up to 256 contacts who have your number saved in their phonebook. Most Canadian businesses misuse this feature — they blast to any 256 phone numbers, which either fails silently or gets the number banned. Either way, there is no CASL-compliant audit log.

Is the PIPEDA angle different from CASL? Yes. PIPEDA governs how you collect, use, and disclose personal information (including phone numbers). CASL governs the act of sending a commercial message. You can violate one without the other, but in practice most WhatsApp broadcast violations breach both. You need PIPEDA-compliant collection (notice + consent at the point of collection) AND CASL-compliant sending.

Does a voice-agent call (inbound) count as consent to a WhatsApp message? Only if the caller explicitly consented during the call. If the agent says "Can I send the floor plan to your WhatsApp?" and the caller says yes, that is a recorded express consent. We stamp every such consent with the call's timestamp and the audio recording. We also ship this log with every client engagement.

Need a CASL-compliant WhatsApp setup? We do bilingual Tamil + English WhatsApp Business API installs for GTA businesses — start on /canada/.