CASL, Canada’s Anti-Spam Legislation, is the federal law that governs commercial electronic messages sent to Canadians. It applies directly to dental practices that send appointment reminders, recall notices, and marketing communications by SMS or email. Getting CASL wrong exposes your practice to fines of up to $10 million CAD for organizations, and the rules around dental SMS communications are more nuanced than most practitioners realize.
This guide explains what CASL requires, how it applies to the specific messages your practice sends, and what a compliant dental SMS system looks like.
What Is CASL?
Canada’s Anti-Spam Legislation came into force on July 1, 2014. It prohibits sending commercial electronic messages (CEMs) to Canadians without their express or implied consent, and it requires every CEM to include identifying information and an unsubscribe mechanism.
A “commercial electronic message” is any electronic message that encourages participation in a commercial activity, which, for a dental practice, includes appointment reminders (they encourage the patient to attend a paid appointment), recall notices (they encourage booking a future paid appointment), and marketing promotions.
CASL applies to SMS messages as well as email. If your practice sends automated text message reminders to patients, CASL applies.
Express Consent vs. Implied Consent
CASL allows two types of consent:
Express Consent
- Patient checks opt-in box on intake form
- Digital or paper signature on consent doc
- Works for all message types
- Never expires until patient opts out
- Strongest legal footing
Implied Consent
- Existing patient (visited within 2 yrs)
- No explicit opt-in needed
- Recall & appointment messages only
- Expires 24 months after last visit
- Requires active patient relationship
Express Consent
Express consent is a clear, affirmative opt-in from the patient. For dental practices, this typically means the patient checks a box on a paper or digital intake form that says something like: “I consent to receive appointment reminders and practice communications by SMS and email.”
Express consent does not expire unless the patient withdraws it. It gives you the broadest permission to communicate, covering appointment reminders, recall notices, and practice communications (though not unrelated third-party marketing).
Implied Consent
Implied consent exists where you have an existing business relationship with the patient. Under CASL, an existing business relationship covers patients who have purchased or used your services within the past 24 months, or who have made an inquiry or application within the past 6 months.
For most dental practices, the majority of active patients fall under implied consent, they are existing patients who visited within the past 24 months. This covers sending appointment reminders and recall notices to these patients without an explicit opt-in.
Important limitation: Implied consent covers only messages related to the existing business relationship. Appointment reminders and recall notices are covered. Promotional emails for teeth-whitening specials or new service announcements require express consent.
| Express Consent | Implied Consent | |
|---|---|---|
| Definition | Patient actively opts in | Existing patient relationship |
| How to get it | Checkbox at booking, intake form, or verbal + documented | Existing patient who visited within 24 months |
| Duration | Indefinite (until opt-out) | 24 months from last appointment |
| Best for | New patient SMS marketing | Appointment reminders for active patients |
| Documentation needed | Yes, timestamp + method | Yes, last appointment date on file |
| CASL risk if done wrong | High | Medium |
DentRecall captures and tracks SMS consent automatically
Express consent is recorded at the point of collection, stored per patient, and honoured on every send. CASL compliance built in, not bolted on.
When Implied Consent Expires
Implied consent from a business relationship expires 24 months after the patient’s last visit. A patient who has not been seen in more than 2 years is outside the implied consent window.
Important
Once a patient’s implied consent window lapses (24 months after their last visit), sending them an automated SMS recall is a CASL violation, even if they were a loyal patient for years. You cannot reactivate them via SMS without first obtaining express consent through a non-electronic channel, such as direct mail or a phone call.
Best Practice
Send a re-consent SMS to any patient who has not visited in 18 months, before their implied consent expires at 24 months. A simple message like “Reply YES to continue receiving appointment reminders from [Clinic Name]” resets the clock with express consent on file.
This creates a specific challenge for dental recall: the patients you most want to reactivate, those who have been inactive for 18 to 36 months, may be outside your implied consent window. For these patients, you need either express consent on file or a different outreach approach (direct mail is still permitted without CASL consent requirements).
DentRecall tracks each patient’s last visit date and SMS consent status. The Patient Reactivation Engine only sends automated SMS to patients with valid consent. Patients outside the implied consent window are flagged for manual outreach.
The Three Required Elements of Every CASL-Compliant Message
Every commercial electronic message you send, SMS or email, must include three things:
Identification
The sender must be clearly identified. Include your clinic name and contact information in every message. For SMS, this is as simple as: “This is a reminder from [Clinic Name], call us at [Phone].”
Purpose
The purpose of the message must be clear, why you are contacting the patient. For recall SMS, state the appointment date, time, and reason (hygiene appointment, exam due, etc.) so the patient knows exactly why you are reaching out.
Unsubscribe Mechanism
Every message must include a clear, frictionless way to opt out. For SMS, the standard is “Reply STOP to unsubscribe.” Opt-out requests must be honored immediately and without charge, there is no grace period.
All three elements are required in every message, every time. There is no “grandfathering” if you included the opt-out info last month.
The STOP Opt-Out: What You Must Do
When a patient replies STOP to an automated SMS, you must:
- Process the opt-out immediately, within the same business day at the latest
- Stop sending automated messages to that number permanently
- Record the opt-out in your system
- Not send a further SMS to confirm the opt-out (this would itself be a violation)
Important
Failing to honor a STOP request within 10 business days is a direct CASL violation, even if the patient later calls your clinic to rebook. You must have a documented re-consent process to resume automated SMS after a patient has opted out. Simply reactivating them in your recall system is not sufficient.
This is the most common CASL compliance failure in dental recall systems: a patient replies STOP, but the practice’s system only pauses the sequence rather than permanently suppressing all future automated messages.
Here is what a fully CASL-compliant appointment reminder SMS looks like:
“Hi [Patient Name], this is [Clinic Name]. Your hygiene appointment is on [Date] at [Time]. Reply CONFIRM to confirm or call us at [Phone] to reschedule. Reply STOP to opt out.”
DentRecall handles STOP opt-outs by immediately setting the patient’ssms_consent flag to false and suppressing all automated SMS sends permanently for that patient. The opt-out is logged with a timestamp for audit purposes.
CASL Penalties: What Is the Actual Risk?
CASL penalties for organizations are up to $10 million CAD per violation. For individuals, the maximum is $1 million CAD per violation. In practice, the CRTC (which enforces CASL) has focused its enforcement actions on large-scale commercial spammers, not individual dental practices.
| Violation | Who | Max Fine |
|---|---|---|
| Sending commercial messages without consent | Business | $10,000,000 CAD |
| Sending commercial messages without consent | Individual | $1,000,000 CAD |
| Failing to honor STOP request | Business | $10,000,000 CAD |
| Missing identification info in message | Business | $10,000,000 CAD |
| Dental appointment reminders (transactional) | All | Lower risk, classified as transactional |
Key Insight
Appointment reminders for confirmed bookings are generally treated as transactional messages, lower CASL risk, because they relate directly to a service the patient has already agreed to receive. However, bulk recall campaigns (sending to all patients who are overdue for a hygiene appointment) are promotional messages and require valid express or implied consent. The line is: confirming an existing appointment vs. encouraging a new one.
However, the reputational risk is meaningful. A patient complaint to the CRTC is recorded, and a finding against your practice, even without a large fine, creates negative publicity and requires a formal remediation response.
The practical risk for most dental practices is not a $10 million fine. It is patient complaints about unwanted messages damaging your Google reviews, and the operational headache of a CRTC inquiry. Both are entirely avoidable with a properly configured recall system.
STOP opt-outs handled instantly, no manual process
When a patient replies STOP, DentRecall removes them from all automated sends immediately. Audit trail included. No staff action required.
CASL vs. PIPEDA: What Is the Difference?
CASL and PIPEDA are separate laws that apply simultaneously to dental recall communications.
- CASL governs the act of sending commercial electronic messages, it sets the consent and content rules for the messages themselves.
- PIPEDA governs how you collect, store, use, and protect patient personal information, it sets the rules for what you can do with the data you hold.
Both apply to your recall system. CASL requires consent before sending; PIPEDA requires appropriate handling of the data you use to send. See our PIPEDA compliance guide for dental practices for the full PIPEDA requirements.
Building a CASL-Compliant Recall System: Practical Checklist
Use this checklist to audit your current recall system against CASL requirements:
Add an SMS/email consent checkbox to your patient intake form, paper and digital. The consent language must clearly state what types of messages the patient will receive.
Track consent status in your recall software at the patient level, not just as a global practice setting.
Verify your recall software includes 'Reply STOP to unsubscribe' in every automated SMS, every time.
Confirm your software processes STOP replies immediately and permanently, not just for the current reminder sequence.
Do not send automated SMS to patients whose last visit was more than 24 months ago unless you have express consent on file.
Keep records of consent, when it was obtained, in what form, and for which patient. Timestamp and method are both required.
Set up an 18-month re-consent workflow to capture express consent before implied consent expires at 24 months.
Ensure all automated messages include your clinic name and a phone number patients can call, identification is mandatory.
Train reception staff on your re-consent process for patients who opt out and later call to rebook, they cannot be silently re-added to automated sends.
Run a consent audit when switching recall software providers, patient consent records must transfer correctly.
Frequently Asked Questions
Do appointment reminders count as commercial electronic messages under CASL?
Yes. Appointment reminders encourage the patient to attend a commercial transaction (a paid dental appointment) and are therefore commercial electronic messages subject to CASL. Implied consent from the existing patient relationship generally covers them for active patients, but the message must still include your identification, contact information, and an opt-out mechanism.
Can I send a dental recall SMS to a patient who has not been seen in 3 years?
Not under CASL implied consent, which expires 24 months after the last visit. If you have express consent on file from that patient, you may send. If not, use a non-electronic method (direct mail) for the initial outreach, or include an opt-in mechanism in a non-SMS context before resuming automated messages.
Does CASL apply to SMS sent from the US to Canadian patients?
Yes. CASL applies based on the recipient’s location, not the sender’s. If your practice sends SMS to Canadian patients, CASL applies regardless of whether your SMS provider is Canadian or American.
What is the CASL exemption for transactional messages?
CASL does not apply to messages that solely facilitate a previously agreed-upon commercial transaction, for example, a message that only contains the time and location of a confirmed appointment. However, once a message includes any promotional content (mentioning other services, asking for a review, including a link to your website), it becomes a CEM and CASL applies in full. Most dental SMS reminders cross into CEM territory.
Run a fully CASL-compliant SMS recall system from day one
DentRecall handles consent, opt-outs, unsubscribes, and message formatting, so you can focus on patients, not paperwork. 30 founding spots available.
Summary
CASL compliance for dental SMS reminders requires consent, identification, and a working opt-out, every message, every time. The most common failures are not having consent documented, not including an opt-out in every message, and not processing STOP replies immediately. A properly configured recall platform handles all three automatically. For a practical guide on how to reduce no-shows without violating CASL, our 5-touchpoint protocol article shows exactly which message types fall within the consent rules and which require explicit opt-in. To understand how PIPEDA works alongside CASL, see our guide to PIPEDA, the companion privacy law, that governs patient data storage and use. And if you are ready to evaluate platforms, our buyer’s guide covers dental recall software that handles consent automatically.
DentRecall was built with CASL compliance as a core requirement, not an afterthought. Every automated message includes clinic identification and opt-out instructions. STOP replies set the patient’s consent flag immediately. And the reactivation engine only contacts patients within the implied consent window.
