CASL Compliance for Service Businesses: What You Need to Know
Or: How to reactivate customers without going bankrupt (yes, really)
The One-Paragraph Summary
You can contact past customers for 2 years after they used your service (6 months after an inquiry/quote). Every message must clearly identify your business, include contact info, and provide an easy opt-out. Honor opt-outs within 10 days. Don't buy lists. Don't lie in subject lines. That's it.
At the end of this article you'll find a bonus checklist to help you stay compliant with every campaign you plan to send.
Look, I get it. You clicked on this article about Canadian spam law and you're already falling asleep.
But here's why you should care:
CASL (Canada's Anti-Spam Legislation) violations can cost you up to $10 MILLION per violation.
Still with me? Good.
Here's the good news: If you're a service business reaching out to PAST CUSTOMERS, you're probably fine. But there are a few tripwires that could cost you big.
Let me show you how to stay safe in plain English. No lawyer-speak. No 47-page compliance guides.
Just: "Can I text my old customers or not?"
The 60-Second CASL Summary
What CASL says (basically):
You can't send commercial electronic messages (emails or texts) to people in Canada unless:
They gave you explicit permission (express consent), OR
You have an existing business relationship with them (implied consent)
For service businesses, this means:
You CAN contact past customers (you have a relationship)
You CANNOT buy email lists and spam them (no relationship)
The catch: That "existing business relationship" expires after 24 months.
So if someone used your service 3 years ago? Technically, you need their permission to contact them again.
Black On White: What Are The Types Of Consent
Express Consent (Best Case)
Express consent means the person clearly agreed to receive messages from you.
Examples include:
Checking a consent box on a form
Opting in via text or email
Giving verbal consent that was documented
Express consent:
The only requirement is that you can prove how and when it was given.
Implied Consent (Time-Limited)
Implied consent exists because of a prior relationship, not because the person explicitly opted in.
This is where most re-engagement campaigns fall - and where mistakes are common.
There are two types.
Existing Business Relationship (EBR)
Applies when someone:
Was a customer
Signed a contract
Paid an invoice
Implied consent lasts 2 years from the last transaction.
Existing Non-Business Relationship (ENBR)
Applies when someone:
Requested a quote
Submitted a contact form
Asked for information
Implied consent lasts 6 months from the inquiry date.
Once these time windows pass, implied consent expires.
No Consent = No Contact
You cannot send SMS or email if:
The relationship is outside the time limits
You don’t know how the contact was collected
The list was scraped or purchased
Being “in the CRM” does not equal consent.
The "Am I Going to Get Sued?" Flowchart
Question 1: Did this person pay you for a service in the last 2 years?
→ YES: You're good. Contact away.
→ NO: Read on...
Question 2: Did they request a quote or inquiry in the last 6 months?
→ YES: You're good (implied consent from inquiry).
→ NO: You're in risky territory.
Question 3: Did they give you explicit permission to contact them for marketing?
→ YES: You're good (express consent).
→ NO: Don't contact them. Move on.
Real Talk: The 2-Year Rule
Here's the rule nobody tells you clearly:
You have an "implied consent" (existing business relationship) for:
2 years after their last purchase, OR
6 months after their last inquiry/quote
What this means for your reactivation campaigns:
SAFE: Customers from 2024-2025 (within 2 years)
RISKY: Customers from 2022 (2-3 years ago)
DANGEROUS: Customers from 2021 or earlier (3+ years)
My advice: Stick to customers from the last 18-24 months. Yes, you're leaving some money on the table. But $10M fines aren't worth it.
The 3 Things Every Message MUST Include
This is non-negotiable. Every email and text must have:
1. Clear Identification
Who you are:
WRONG: "Hey! Spring's here. Need lawn care?"
RIGHT: "Hey Sarah! It's Mike from GreenScape Lawn Care. Spring's here. Need lawn care?"
The recipient must immediately know:
Who is sending this
Your business name
How to contact you
2. Contact Information
Every email must include:
Your business address (physical location)
Your phone number OR email OR website
Example footer:
GreenScape Lawn Care
123 Main Street, Mississauga, ON L5B 1A1
(905) 555-0123 | [email protected]
For SMS, you can be briefer:
Reply STOP to opt out.
GreenScape Lawn Care
(905) 555-0123
3. Unsubscribe Mechanism
Every. Single. Message.
For Email:
Include an unsubscribe link at the bottom
Must work for at least 60 days after you send the email
Must be processed within 10 business days
(Most email platforms handle this automatically - Mailchimp, Go High Level, etc.)
For SMS:
Include "Reply STOP to opt out" in the message
Actually honor STOP requests immediately
The Stuff That'll Get You in Trouble
Here are the actual violations I see service businesses make:
Violation #1: Buying Email Lists
Scenario: You buy a list of "10,000 homeowners in your area" for $500.
Why it's illegal: You have no relationship with these people. They didn't give you permission.
Penalty: Up to $10M.
Don't do it. Ever.
Violation #2: Ignoring Opt-Outs
Scenario: Customer texts "STOP" but you manually add them back to your campaign the next month because "they probably didn't mean it."
Why it's illegal: You must honor opt-outs within 10 business days. No exceptions.
What to do: Create a "Do Not Contact" list and check it before every campaign.
Violation #3: Hiding the Unsubscribe Link
Scenario: You make the unsubscribe text tiny, light gray, buried at the bottom.
Why it's illegal: The unsubscribe mechanism must be "clear and prominent."
What to do: Use your email platform's default unsubscribe footer. Don't try to hide it.
Violation #4: Misleading Subject Lines
Scenario: Subject line says "URGENT: Your account is suspended" when really you're just selling lawn care.
Why it's illegal: Subject lines must accurately reflect the content.
What to do: Be honest. "Spring lawn care special" is fine. "Your yard is dying" (when you don't know) is not.
Violation #5: The 3+ Year Old Customer
Scenario: You text a customer who used you in 2019 (5 years ago).
Why it's illegal: Your "existing business relationship" expired after 2 years (2021).
What to do: Only contact customers from the last 24 months.
Common Questions (Answered Like a Human)
Q: "Can I email someone who requested a quote but never hired me?"
A: Yes, for 6 months after the quote. After that, no.
Q: "What if they gave me their email when they hired me? Isn't that consent?"
A: Giving you their email to do business (send invoices, schedule appointments) is NOT the same as giving you permission to market to them years later.
BUT: You have implied consent from the business relationship for 2 years.
So yes, you can email them for 2 years. After that, no.
Q: "Can I text my customers?"
A: Yes, if:
They're within the 2-year window, AND
You include "Reply STOP to opt out" in the message, AND
You actually honor STOP requests
Q: "What about Facebook messages or LinkedIn DMs?"
A: CASL applies to "commercial electronic messages" which technically includes social media DMs.
Is anyone getting fined for LinkedIn messages? Not yet.
But legally? Same rules apply.
Q: "What if I'm just 'checking in' and not selling anything?"
A: If your message has a commercial purpose (getting them to book, buy, or engage with your business), it's a Commercial Electronic Message (CEM).
"How are things?" followed by "Need lawn care?" = CEM.
Q: "What if they opt out but then call me 6 months later asking for service?"
A: Once they contact YOU, you can communicate with them again.
Their opt-out applies to YOU contacting THEM unsolicited.
If they initiate contact, you're back in business.
What to Do If You Get a Complaint
First: Don't panic.
If someone complains directly to you:
Apologize immediately
"I apologize - I've removed you from our list right now."Remove them from ALL lists
Add them to your "Do Not Contact" forever list.Don't argue
Even if you think you're right, arguing makes it worse.Document it
Keep records of when they complained and what you did.
If you get a complaint to the CRTC (the regulator):
Get a lawyer (seriously - don't try to handle this alone)
Gather your documentation:
When were they a customer?
What consent did you have?
When did you contact them?
Did you honor their opt-out?
Cooperate fully
The CRTC has the power to fine you $10M. Don't make them angry.
The Reality Check
Here's the truth:
99% of service businesses contacting past customers from the last 2 years will NEVER have a CASL problem.
The law is designed to stop spam operations and shady marketers.
You? You're a local business reaching out to people who know you.
As long as you:
Contact recent customers (last 2 years)
Include your business name and contact info
Give people an easy way to opt out
Honor opt-outs quickly
Don't buy email lists
Tell the truth in subject lines
You're fine.
The Safest CASL Move You Can Make: Capture Provable Consent
Look, here's the thing about CASL that nobody tells you:
Stop relying on "implied consent." Just get explicit consent, store it and never worry about this again.
Seriously. One checkbox solves 90% of your CASL headaches.
Here's how:
Put a Checkbox Everywhere You Collect Contact Info
I mean everywhere:
Website contact forms
Booking pages
Quote requests
Invoice forms
Paper forms you hand customers
The checkbox can't be pre-checked. They have to actually click it.
No tricks. No "by submitting this form you agree to..." buried in tiny text.
Just: ☐ Check this box.
Be Specific About What They're Agreeing To
Don't be vague. Vague = useless if you ever get challenged.
Bad: ☐ "I agree to receive communications from your company"
Good: ☐ "I agree to receive service reminders, seasonal promotions, and occasional marketing emails from GreenScape Lawn Care. I can unsubscribe anytime."
See the difference?
The second one tells them exactly what they're signing up for. If they complain later, you can show them what they agreed to.
Store Proof (This Is The Part Everyone Forgets)
Getting consent is one thing. Proving you got consent is what saves your ass.
Store these three things:
When they agreed (March 15, 2024 at 2:47pm)
Where they agreed (website booking form, paper invoice, etc.)
What they agreed to (exact wording of the checkbox)
Why?
Because if someone complains to the CRTC and says "I never agreed to this," you need to be able to say:
"Actually, on March 15, 2024, they checked this box on our booking page agreeing to receive promotional emails. Here's the record."
Game over. Complaint dismissed. You can answer with facts.
Why This Works So Well
Express consent doesn't expire (unlike the 2-year implied consent)
You're no longer limited by the 6- or 24-month windows
You can confidently run reactivation and follow-up campaigns forever
You reduce legal risk to almost zero
Pro Tip: Most CRMs (including Northline Systems) can automatically timestamp and store consent records. Set it up once, and you're protected forever.
Resources
Official CASL Info:
https://crtc.gc.ca/eng/com500/faq500.htm
CASL Compliance Guide (PDF):
https://crtc.gc.ca/eng/com500/guide500.htm
Report SPAM (if you receive it):
https://www.fightspam.gc.ca/eic/site/030.nsf/eng/home
Get Legal Advice:
Seriously, if you're worried, spend $500 on a 1-hour consultation with a lawyer who specializes in CASL. It'll give you peace of mind.
Bottom Line
CASL sounds scary. But for service businesses contacting past customers, it's actually pretty simple:
Contact people who know you. Be honest. Let them opt out. You're good.
Don't let fear of CASL stop you from reactivating your database.
Just follow the basic rules and you'll be fine.
BONUS: The Safe Reactivation Cheat-Sheet:
Use this before every campaign:
If you can check all these boxes, you're 95% safe.
Questions? Worried about your specific situation?
Drop a comment below or email me at [email protected]. I'm not a lawyer, but I'm helping Canadian service businesses run compliant reactivation campaigns everyday.
