Under the Canadian Anti-Spam Legislation (CASL), dental clinics must obtain either express or implied consent before sending SMS appointment reminders, recall notifications, or any other commercial electronic message to patients. Express consent requires a signed intake form, digital checkbox, or recorded verbal agreement kept on file. Implied consent applies for up to two years after a patient's last appointment. This guide explains both consent types, how to capture them correctly, and includes ready-to-use template language for every patient touchpoint.

CASL has been in force since July 1, 2014, and is enforced jointly by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada. For dental clinics, compliance is not optional: violations carry maximum fines of $10 million per incident for businesses and $1 million for individuals. The CRTC's enforcement record includes health and wellness organisations, making this a credible risk for any clinic sending patient SMS without valid consent.

What CASL Requires for Dental SMS

According to the Government of Canada's official CASL guidance at fightspam.gc.ca, any commercial electronic message (CEM) sent to a Canadian electronic address requires consent from the recipient before sending. A CEM is defined as any electronic message where one of the purposes is to encourage participation in a commercial activity.

For dental clinics, the following message types qualify as CEMs under CASL:

  • Recall reminder SMS ("It's been 6 months since your last visit, time to book your cleaning")
  • Unscheduled treatment follow-ups ("Your treatment plan included a filling, we'd love to get that scheduled")
  • Cancellation recovery messages offering available appointment slots to waitlisted patients
  • Promotional offers such as new patient discounts or seasonal whitening promotions
  • Reactivation messages for patients not seen in 12 or more months

Appointment date-and-time confirmations with no promotional content may qualify for CASL's administrative message exemption, but most dental reminder messages include a reply prompt or booking call to action, which brings them within CASL's scope. The safest approach is to treat all patient SMS as CEMs and ensure consent is on file for every contact.

When In Doubt, Obtain Consent
The administrative message exemption under CASL is narrow. If your reminder includes any phrase such as "Reply YES to confirm," "Book your next appointment," or "Call us to reschedule," that message is a commercial electronic message. Clinics are far better served by capturing consent at intake than by attempting to categorise each message individually.

CASL recognises two legally valid forms of consent for commercial electronic messages: express consent and implied consent. Understanding the distinction matters because they impose different obligations on your clinic, expire differently, and carry different evidentiary weight in a CRTC audit.

Business Fine
$10M
per violation (CRTC)
Implied Window
2 Years
from last appointment
Opt-Out By
10 Days
after unsubscribe request

Express Consent

Express consent is an unambiguous, affirmative agreement from the patient to receive your commercial electronic messages. According to the CRTC's published guidelines on CASL compliance, express consent must:

  • Clearly describe the purpose and nature of the messages the patient is agreeing to receive
  • Not be bundled with consent for other unrelated purposes — the consent must stand on its own
  • Be captured in a way that can be demonstrated on request: written form, digital checkbox, or a recorded verbal agreement
  • Be retained as a record that includes the date, the method of capture, and the patient's identifier and mobile number

Express consent is indefinite. Once given, it remains valid until the patient withdraws it by sending a STOP message, submitting an unsubscribe request, or contacting the clinic directly. There is no automatic two-year expiry for express consent, which is a significant operational advantage over implied consent for active patient communication.

Implied Consent

Implied consent arises from an existing business relationship. For dental clinics, any patient treated at the practice within the past two years has given implied consent for you to send commercial electronic messages, according to CASL's provisions for existing business relationships. The implied consent window runs for two years from the date of the most recent appointment, purchase, or transaction.

Implied consent is useful as a transitional mechanism for clinics that did not capture express consent from long-standing patients, but it carries three important limitations:

  • It expires automatically two years after the last appointment, regardless of whether the patient has opted out
  • Once a patient sends STOP, their implied consent is revoked and cannot be relied on again without fresh express consent
  • Demonstrating implied consent in a CRTC enforcement action is considerably harder than producing a signed intake form or a timestamped digital record

Best practice is to treat implied consent as a bridge: use it to communicate with existing patients while converting those patients to express consent through your updated intake process at their next visit.

The most reliable way to maintain CASL compliance is to capture express consent from every new patient at intake and from existing patients at their next visit. The process below applies whether your clinic uses paper forms, a digital patient portal, or a verbal intake workflow.

01
Patient completes intake form
02
Consent checkbox ticked
03
Record filed with date
04
SMS reminders activate

Paper Intake Form

If your clinic uses paper intake forms, add a standalone consent section near the patient's signature line. The consent language must be visually separated from other terms, clearly legible, and must not be pre-ticked. Patients must actively mark the box to give consent. Keep the signed form on file and note the date of signing in your patient management system.

Digital Patient Portal or Intake App

For digital intake systems, the consent checkbox must be unchecked by default. The CRTC has confirmed that a pre-ticked box does not constitute valid express consent under CASL. Your digital system should automatically capture the submission timestamp, which provides the date-stamped record the legislation requires. If your portal exports records, ensure the export includes the consent field and timestamp for each patient.

PIPEDA, Canada's federal privacy legislation, also governs how patient mobile numbers are collected, stored, and used. A dental SMS opt-in process that meets CASL's express consent standard will generally satisfy PIPEDA's consent requirements for the same activity, but clinics operating in Ontario should also review PHIPA requirements for health information.

Verbal Consent at the Front Desk

Verbal consent is valid under CASL, but it requires a contemporaneous record. According to CRTC guidance on express consent methods, a verbal consent record should capture the patient's name, the date consent was given, the staff member who obtained it, and a description of the message types the patient agreed to receive. Train your front desk staff to enter a brief consent note in the patient management system immediately after the conversation, not at the end of the day.

The following template language has been drafted to meet CASL's express consent requirements. Each template identifies the sender, describes the message types the patient is consenting to, and provides clear language about how to withdraw consent.

Legal Review Recommended
Before adopting any of these templates, review them with a Canadian legal professional familiar with CASL. Regulatory requirements can change, and clinic-specific circumstances may require modifications. These templates are illustrative examples, not legal advice.

Template 1: Paper or Digital Intake Form (Checkbox Language)

[Clinic Name] — Text Message Consent
☐ I consent to receiving SMS text messages from [Clinic Name] at the mobile number provided above. These messages may include appointment reminders, recall notifications, and updates about my dental care. Standard message and data rates may apply. I understand I can withdraw my consent at any time by replying STOP to any message or by contacting the clinic directly at [phone number].
Patient Signature: _________________________   Date: _______________

Template 2: Verbal Consent — Front Desk Script

Staff Script (read closely or paraphrase)
"To make sure you never miss an appointment, we send text message reminders to the mobile number you've given us. These come from [Clinic Name] and include appointment dates, recall reminders, and the occasional care update. You can stop receiving them at any time by replying STOP to any message. Do you consent to receiving these texts?"
Record in patient file: date, staff name, patient response (yes or no), mobile number confirmed.

Template 3: SMS Welcome Message (Send After Consent Is Captured)

Confirmation SMS (send within 24 hours of consent capture)
Hi [First Name], thanks for visiting [Clinic Name]. You've opted in to receive appointment reminders and care updates from us at this number. Reply STOP at any time to unsubscribe. Questions? Call us at [phone number].
Note: A confirmation SMS after consent is captured is considered best practice under CASL and helps establish the consent date clearly in your records.

Template 4: Standard Footer for All Outgoing SMS

Short footer — include in every outgoing patient SMS
Reply STOP to unsubscribe. [Clinic Name] | [phone number]
CASL requires every CEM to identify the sender and include a functioning unsubscribe mechanism. This footer satisfies both requirements in under 50 characters.

Common CASL Compliance Mistakes in Dental Clinics

Based on the CRTC's published enforcement decisions and its guidance on CASL compliance for businesses, the following represent the most common ways dental and healthcare practices fall outside the legislation's requirements.

Consent checkbox is unchecked by default and requires an active tick from the patient
Consent language names the clinic and describes the specific message types to be sent
Consent record includes the date, method of capture, and patient mobile number
Every outgoing SMS includes the clinic name and a working STOP unsubscribe option
Opt-out requests are processed and honoured within 10 business days
⚠️Pre-ticked consent boxes on digital intake forms — does not constitute valid express consent
⚠️Consent bundled with general terms and conditions without a separate standalone section
⚠️Continuing to send messages after receiving a STOP reply, even a single follow-up

When a patient's implied consent window closes — two years after their last appointment — your clinic loses its legal basis to send commercial electronic messages to that patient. Sending after the window closes is a CASL violation regardless of whether the patient has complained or is still active on other channels.

According to CRTC enforcement guidance, the burden of proof rests with the sender. If challenged, you must demonstrate that valid consent existed at the time each message was sent. Clinics that track implied consent by appointment date can manage this accurately. Those that do not are exposed to risk they cannot easily quantify.

The practical solution is a re-consent workflow. When a patient approaches the two-year mark without a return visit, their record should be flagged in your patient management system. You then have two options within the remaining window:

  • Send a re-consent SMS inviting the patient to opt in to future messages expressly, before the window closes
  • Pause all commercial electronic messages to that patient until express consent is captured at a future visit

A re-consent message sent within the implied consent window is a valid CEM and may be used to convert the patient to express consent. Once the window closes, no further messages are permitted without a new consent basis.

Enforcement Risk Is Real
According to the CRTC's published enforcement activity, health and wellness organisations have been targeted in CASL investigations. While the largest penalties have been directed at high-volume commercial senders, the CRTC has broad authority to investigate complaints from any recipient. A single patient complaint can trigger a review of your complete consent records for all patients on your SMS list.

CASL does not prescribe a specific format for consent records, but the Government of Canada's guidance states that senders must be able to demonstrate that consent was obtained upon request from the CRTC. The following table outlines the five record fields recommended for a dental clinic's CASL compliance file.

Record FieldWhat to CaptureWhy It Matters
Date and timeTimestamp when consent was given (automatic if digital)Determines whether consent was in force at the time each message was sent
MethodPaper form, digital checkbox, or recorded verbalDifferent methods carry different evidentiary weight in a CRTC audit
Patient identifierPatient name and the specific mobile number consented toLinks the consent record to the exact recipient and number
Consent wordingThe exact language the patient agreed to, or reference to the form versionConfirms the scope of what was consented to — vague consent language is a common enforcement gap
Staff name (verbal)Who obtained verbal consent and confirmed the mobile numberProvides a witness record for verbal consent, which is harder to demonstrate than written

Key Takeaways

  • CASL requires express or implied consent before sending any SMS appointment reminders, recall notifications, or other commercial electronic messages to Canadian dental patients.
  • Express consent must be captured actively through an unchecked checkbox, a signed intake form, or a recorded verbal agreement. Pre-ticked boxes are not valid under CASL.
  • Implied consent lasts two years from the patient's last appointment. When the window approaches, send a re-consent SMS within the valid period to convert the patient to express consent.
  • Every outgoing patient SMS must identify the clinic by name and include a functioning STOP unsubscribe mechanism. Opt-out requests must be honoured within 10 business days.
  • Consent records must capture the date, method, patient identifier, consent wording, and (for verbal consent) the name of the staff member who obtained it.
About DentRecall

DentRecall is an AI-powered dental recall and patient engagement platform built specifically for Canadian clinics. It automates SMS and email reminders, recall management, and online booking, with CASL consent tracking built into the patient intake flow, from $249 CAD/month (billed annually).

See how DentRecall works