If you run a café in Canada and you want to bring customers back with a “two-for-one this Friday” email or a “your order is ready” text, there is a law you need to know about: CASL, Canada’s Anti-Spam Legislation. It is one of the strictest electronic-messaging laws in the world, and the penalties for getting it badly wrong are large. The good news is that compliance is straightforward once you understand the rules, and most cafés can stay well within them while still marketing effectively.
This is a plain-English guide for café and restaurant owners. It is not legal advice — for anything high-stakes, talk to a lawyer — but it will give you an accurate mental model of what you can and cannot do.
The short answer
Yes, you can email and text your customers in Canada. But unlike the US, where you can message people until they opt out, CASL requires consent before you send the first message. That consent can be express (the customer clearly opted in) or implied (you have a recent relationship, like a purchase). Every message must also identify you and offer a working unsubscribe. Get those three things right — consent, identification, unsubscribe — and you are compliant.
What CASL actually covers
CASL governs “commercial electronic messages” (CEMs): any electronic message that encourages participation in a commercial activity. That includes:
- Marketing emails
- Marketing SMS / text messages
- Instant messages and social media direct messages
A CEM is essentially any message sent to an electronic address — an email account, a phone number, a social media account — that promotes your business. A promotional email blast is a CEM. A “spend $10, get a free coffee” text is a CEM. (Purely transactional messages, like an order-ready notification a customer asked for, are treated more leniently, but the safe habit is to get consent for everything.)
Express vs implied consent
This is the heart of CASL. There are two kinds of consent, and they behave very differently.
Express consent is when the customer clearly and actively agrees to receive your messages — for example, ticking an unchecked box that says “Yes, send me café offers” or texting a keyword to join your list. Express consent does not expire. It lasts until the customer withdraws it. Important catch: a message asking for express consent is itself a CEM, so you cannot email someone “can we email you?” without already having some basis to contact them.
Implied consent is when it is reasonable to conclude you have permission because of an existing relationship. The two windows that matter most for a café:
- A purchase or transaction gives you implied consent for 2 years from the date of that transaction.
- An inquiry or application (someone asking about your service without buying) gives implied consent for 6 months.
So when a regular buys a coffee through your system, you have a two-year window of implied consent to market to them — but the clock resets with each new purchase, and an active customer keeps that window open indefinitely. The burden of proof is on you: if challenged, you must show you had consent.
| Consent type | How you get it | How long it lasts |
|---|---|---|
| Express | Active opt-in (checkbox, keyword, sign-up) | Until the customer withdraws it |
| Implied — purchase | Customer buys from you | 2 years from the transaction |
| Implied — inquiry | Customer asks about your service | 6 months from the inquiry |
The strategic takeaway: collect express consent whenever you can, because it never expires. Implied consent is a useful bridge, but it has a shelf life.
The three things every message needs
Whatever channel you use, every commercial message must include:
- Identification — your café’s name and how to reach you (a mailing address and at least one of phone, email, or web).
- A working unsubscribe — easy to find, easy to use, and honoured within 10 business days. The customer must be able to opt out the same way they got the message (an unsubscribe link in email, a STOP keyword in SMS).
- Proof of consent on file — keep records of who consented, how, and when. Regulators expect you to produce this, and consent records should be retained well after the relationship ends.
The penalties are real
CASL is not a paper tiger. The maximum administrative penalties are up to $1 million for an individual and up to $10 million for a business per violation. In practice, the CRTC’s enforcement actions against smaller businesses have landed in the thousands to low hundreds of thousands of dollars — still more than enough to ruin a café’s year. You do not need to be a spammer to get caught; sloppy list hygiene and missing unsubscribe links are common triggers.
Where push notifications fit — and why they are different
Here is the part most café owners do not realize. CASL is aimed at commercial messages sent to an electronic address: an email account, a telephone number, a social account. A push notification delivered to a customer who installed your app is generally treated differently, because it is not a message sent to one of those addresses — it is a notification surfaced by software the customer chose to install and can switch off in their phone settings at any time.
This is not a loophole to abuse, and you should still treat it responsibly:
- Ask for notification permission inside the app (iOS and Android both require this anyway).
- Make turning notifications off trivial.
- Keep the content relevant and not relentless.
But the practical upshot is meaningful: push gives you a direct line to customers with less regulatory friction than email or SMS, no unsubscribe-link mechanics to manage, and far better engagement. We compare the three channels head to head in email vs SMS vs push for café marketing, and explain why push drives repeat visits in push notifications for café customer retention.
None of this is legal advice — notification law evolves, and edge cases exist — so confirm specifics with a professional. But the general pattern holds: an app you own is a cleaner, more durable marketing channel than a rented email list.
A simple compliant playbook for a café
You do not need a compliance department. You need a system:
- Capture consent at the point of sale or sign-up. When a customer joins your loyalty program or orders ahead, present a clear, unchecked opt-in for marketing messages. That is express consent — the gold standard.
- Lean on implied consent honestly. Active customers who buy from you regularly keep their 2-year window open. Do not message people whose window has lapsed without re-earning consent.
- Identify yourself and include unsubscribe in every email and text. Make it one click. Honour it fast.
- Keep your records. Whatever tool you use should log when and how each customer opted in.
- Use push for the high-frequency stuff. Order-ready alerts, today’s special, a loyalty reward unlocked — these belong in app notifications, where engagement is higher and the CASL mechanics around CEMs do not bite the same way.
Building this into the same system that takes orders and runs loyalty is far easier than bolting compliance onto a generic email tool. When the customer opts into your app and your loyalty program in one step, consent capture and messaging live in one place.
That is part of why a branded ordering app makes retention simpler: Tany puts order-ahead, self-running loyalty, eGift cards, and push notifications into one app under your café’s name, on your existing Square POS, live in about a day for $99 CAD/month per location. You collect consent cleanly at sign-up and reach regulars through push — the channel built for habit, not the one built around unsubscribe links.
Market to your customers. Just do it on the right side of CASL.