On May 25, 2010, Parliament introduced Bill C-28 – The Fighting Internet and Wireless Spam Bill, otherwise known as Canada’s anti-spam legislation. This legislation received Royal Assent on December 15, 2010 and is expected to come into force once its regulations are finalized.
Canada is the last of the G8 countries to introduce anti-spam legislation and the general consensus is that this initiative is long overdue, especially since unsolicited commercial e-mail has grown over the past few years to encompass an enormous percentage of global email traffic.
This legislation is intended to establish a regulatory framework to protect electronic commerce in Canada. In particular, it is intended to deter damaging and deceptive forms of spam from occurring in Canada and to assist in driving spammers out of this country. If marketers wish to engage in commercial electronic activity in Canada they will need to ensure that they are operating in compliance with the legislation.
Canada's anti-spam legislation is meant to complement existing provincial and federal e-commerce legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA). However, in the event of a conflict between PIPEDA and this anti-spam legislation, the anti-spam legislation will prevail.
This legislation covers all "commercial electronic messages" sent for the purpose of encouraging participation in commercial activity, also known as spam. “Commercial activity” is a defined term in the legislation and includes conduct of a commercial nature whether or not the party who carries it out does so in the expectation of making a profit. "Commercial electronic messages" is defined broadly and covers all messages with a semblance of commercial activity. It covers all media and forms of commercial electronic messages, such as e-mail, unsolicited text messages, instant messaging, and cell phone messages, regardless of whether such messages are in the form of sound, text, voice, or image.
The legislation prohibits the sending of a "commercial electronic message" to an electronic address unless:
- the recipient has consented, either expressly or, in limited circumstances, impliedly, to receive the message; and
- the message complies with required formalities, including:
  - the message must identify the party who sent the message and the party, if different, on whose behalf it is sent;
  - the message must set out the contact information of the party or parties mentioned in subparagraph (a); and,
  - the message must set out an unsubscribe mechanism, which permits the recipient to unsubscribe if the recipient does not wish to receive further messages.
Electronic messages sent to friends and family members are not covered by this legislation. Messages that facilitate, complete, or confirm a commercial transaction; messages that provide warranty, recall, safety, or security information to appropriate recipients; factual information regarding subscription, membership, account, or similar information to appropriate recipients; messages relating to an employment relationship or related benefits; messages that deliver products or services (including updates or upgrades) to appropriate recipients are also excluded from the requirements outlined above. In addition, broadcasting is specifically excluded from the scope of the legislation.
Consent to receiving commercial electronic messages may be expressed or implied. Express consent must be based on the disclosure of the following information:
- the purpose or purposes for which the consent is being sought;
- information identifying the party seeking consent, and, if the party is seeking consent on behalf of another party, information identifying that other party; and
- any other information prescribed by the Act's regulations from time to time.
Consent may be implied in limited circumstances:
- the person who sends the message has an "existing business relationship" or an "existing non-business relationship" with the person to whom it is sent;
  - The definition of "existing business relationship" is found in the legislation. If the business is sold, the new owner is considered to have, with respect to that business, an "existing business relationship" with its customers.
  - The definition of "existing non-business relationship" is also found in the legislation. One example of this type of relationship includes a non-business relationship between a sender and recipient arising from a donation or gift made by the recipient within two years of when the message was sent.
- the recipient has conspicuously published their electronic address, and the message being sent is relevant to their business, role, functions or duties in a business or official capacity. However, consent will not be implied in this instance if the recipient’s publication is accompanied by a statement that they do not wish to receive unsolicited messages; or
- the recipient has disclosed to the sender the electronic address without indicating a wish not to receive unsolicited messages, and the message is relevant to their business, role, functions or duties in a business or official capacity.
There is also a three-year transition provision that provides for implied consent in limited circumstances for existing business or non-business relationships.
Anti-Phishing / Anti-Malware
Canada's anti-spam legislation also contains anti-phishing and anti-malware provisions. The anti-phishing provision prohibits a sender, in the course of a commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, unless the sender obtains the recipient's express consent. The anti-malware provision prohibits a sender, in the course of commercial activity, from installing any computer program on any other party's computer system, or causing an electronic message to be sent from that other party's computer system, without the consent of the owner or authorized user of the computer system. In the cases where consent is given in relation to phishing and malware activities, there must be a mechanism in place which allows the recipient to withdraw consent at any time.
Enforcement and Penalties
The Canadian Radio-television and Telecommunications Commission (CRTC) is the main regulator of this legislation. The CRTC has broad powers to investigate violations of the Act, including applying to a justice of the peace for a search warrant. The maximum monetary penalty for a violation of CASL is $1 million for an individual and $10 million for any other organization. Furthermore, the Act provides that the Governor in Council may make regulations on whether or not certain contraventions will constitute separate violations during each day the contravention of the Act continues. This means that, for example, if an organization contravened the Act for seven days, it could be fined up to $70 million.
The Act also creates a private right of action that allows consumers and businesses to take civil action against anyone who violates its provisions. The limitation period for commencing an application is three years from the day the subject matter of the application became known to the applicant, unless the court orders otherwise.
Corporate officers and directors can be held personally liable for corporate violations of the Act. In addition, employers can be held vicariously liable for violations committed by their employees or agents "acting within the scope of their employment or authority, whether or not the employee is identified or proceeded against under the Act." However, due diligence is a defence.
Suggestions and Recommendations
Although CASL is not yet in force, and no regulations have been published in the Gazette, businesses should not wait to ensure they are in compliance with the legislation.
Here are a few recommendations:
- Commercial electronic messages must disclose the identity and contact information of the sender and provide recipients with a user-friendly way to opt out of receiving future messages.
- Businesses must ensure that commercial electronic messages are only sent to people who have previously given express or implied consent to receive the message, and have not opted out of future messages.
- Computer software businesses must ensure that any electronic distribution of software (including software updates/upgrades) complies with disclosure and consent requirements.
This article was co-written by former lawyer June Wright and Leanne Storms (613-231-8215) of Nelligan O'Brien Payne LLP.