In December 2010 Canada’s new anti-spam legislation was passed (the “Anti-spam Act”) which will, when it comes into force, be one of the strictest anti-spam regimes in the world (see: Anti-spam Act). Canada had been criticized prior to its passage as being the only G8 nation without stand-alone anti-spam legislation.
In general, the Anti-spam Act will require express or implied consent for the sending of “commercial electronic messages” and will also impose certain form (i.e., disclosure) and opt-out (i.e., unsubscribe) requirements.
The Anti-spam Act will have significant impacts on companies that engage in electronic marketing, including marketing through e-mail, text messaging, instant messaging and likely social media.
The Anti-spam Act will also require express consent for other electronic practices, including altering transmission data and the installation of computer programs on other persons’ computer systems.
In addition, the Anti-spam Act will also broaden the Competition Bureau’s jurisdiction to regulate misleading advertising in the context of electronic communications – for example, misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators. In this regard, the Anti-spam Act also includes amendments to the civil and criminal misleading advertising sections of the Competition Act (under sections 52 and 74.01).
Contravention of the new legislation will expose individuals and companies to significant penalties of up to C $1 million (for individuals) and C $10 million (for corporations). The Anti-spam Act also creates private rights of action, under which both actual and steep statutory damages may be awarded (of up to $1 million per day of non-compliance) and will also allow class actions to be commenced.
In passing the Anti-spam Act, Industry Canada said:
“On December 15, 2010, the Government of Canada passed the Fighting Internet and Wireless Spam bill, Bill C-28. In doing so, the government delivered on a key commitment made by Prime Minister Harper to Canadians and Canadian businesses in September 2008.
The intent of the legislation is to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help to drive out spammers.
This law addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the digital economy.
As well the government studied successful legislative models in other countries and, based on their experiences, has developed a focused plan to address spam and related online threats.”
A. LEGISLATIVE HISTORY
In 2005, the Task Force on Spam completed a one-year mandate and issued its final report (Task Force on Spam Report: Stopping Spam: Creating a Stronger, Safer Internet). The Government also studied successful anti-spam measures in other countries.
The Anti-spam Act, which was first introduced in April, 2009 and reintroduced on May 25, 2010, addresses legislative recommendations made by the Task Force on Spam, which assembled consumers, academic experts and industry to design comprehensive legislation to fight spam in the digital economy.
During third reading, the amended Bill C-28 received unanimous support in the House of Commons and was given Royal Assent on December 15, 2010.
The Anti-spam Act will come into force following the finalization of draft CRTC and Industry Canada Regulations and following a Governor in Council order (see below for coming into force information).
B. COMING INTO FORCE INFORMATION
Two sets of draft Regulations were issued in 2011 as follows: (1) CRTC Regulations in June, 2011 (the “June CRTC Regulations”); and (2) Industry Canada Regulations in July, 2011 (the “July Industry Canada Regulations”).
Both sets of draft Regulations were subject to public comment periods, which were completed on September 6 and 7, 2011.
There have been significant delays to the finalization of the draft Regulations, however, and some opposition during public consultation periods. As such, while it is not yet clear, the draft Regulations may come into force in late 2012 or early 2013.
There may also be an additional consultation period on revised draft Regulations before they are finalized.
For copies of the Anti-spam Act and the draft CRTC and Industry Canada Regulations see:
Anti-spam Act
Draft CRTC Regulations
Draft Electronic Commerce Protection Regulations (CRTC)
Draft Industry Canada Regulations
Electronic Commerce Protection Regulations (Industry Canada)
C. ANTI-SPAM ACT – OVERVIEW
[Please note: The Regulations under the Anti-spam Act are not yet in force and so uncertainties remain regarding the scope and application of this pending new legislation. For coming into force information, please see above.]
Canada’s new Anti-spam Act will, once in force, create an “opt-in” regime for commercial electronic marketing, and will amend the following federal statutes:
1. Canadian Radio-television and Telecommunications Commission Act.
2. Competition Act.
3. Personal Information Protection and Electronic Documents Act (“PIPEDA”).
4. Telecommunications Act.
Unlike similar U.S. legislation (i.e., the U.S. CAN-SPAM Act), which is restricted to e-mail communications, Canada’s new Anti-spam Act will require express or implied consent for the sending of a wide range of commercial electronic communications, whether by e-mail, text message, instant messaging and potentially social media communications. There are, however, some specific exceptions for some types of communication, for example for telemarketing.
The new Anti-spam Act regime is also, generally speaking, stricter than present requirements under federal privacy legislation (i.e., PIPEDA), under which opt-out consent is permitted. PIPEDA also generally allows for broader implied consent than the pending Anti-spam Act.
Some key aspects of the new Anti-spam Act are discussed below.
1. CONSENT AND FORM REQUIREMENTS FOR COMMERCIAL ELECTRONIC MESSAGES (CEMs)
(a) Consent
The Anti-spam Act prohibits the sending of commercial electronic messages (“CEMs”) without the recipient’s prior express or implied consent.
This “opt-in” system is in contrast to the U.S. opt-out regime (i.e., a sender may send a message where there is no positive consent, with the recipient being able to “opt out” of future messages).
“CEMs” are broadly defined as any electronic message that encourages participation in a commercial activity regardless of whether there is any expectation of profit.
“Electronic messages” are messages sent by any means of telecommunication, including a text, sound, voice or image message.
Electronic messages that request consent to receive CEMs are also defined as CEMs and, therefore, cannot be sent unless consent is received. In other words, consent cannot be obtained by sending a request for consent by, for example, e-mail.
The Anti-spam Act allows both express and implied consent for the sending of CEMs.
(i) Express Consent
When requesting express consent, the following is required: (i) state the purpose for which consent is being sought and (ii) information identifying the person seeking consent or person on whose behalf consent is being sought (as set out in the Regulations).
The June CRTC Regulations set out the requirements for requests for consent. They state that requests for consent must be “in writing” and sought separately from, for example, the sending of a CEM, and also sets out specific information that must be included in consent requests.
(ii) Implied Consent
Consent may also be implied, including in the following:
1. An “existing business relationship” (as defined) between the sender and the recipient.
2. An “existing non-business relationship” (as defined) between the sender and the recipient.
3. A so-called “business card” exception, whereby a person has published their electronic address without a statement that they do not wish to receive unsolicited CEMs and the message is relevant to their business, role, functions or duties in a business or official capacity.
4. A recipient has disclosed their electronic message to a sender without indicating that they do not wish to receive unsolicited CEMs and the message is relevant to their business, role, functions or duties in their business or official capacity.
5. As set out in the Regulations.
“Existing business relationship”, which will likely be the most important category of implied consent, is defined to include, among several other things:
1. The purchase of products (goods or services) within two years before the message is sent;
2. The acceptance by the recipient of a business, investment or gaming opportunity within two years before the message is sent; or
3. An inquiry by the recipient within six months before the message is sent.
“Existing non-business relationship” is defined to include:
1. Certain donations or gifts to charities or political parties.
2. Volunteer work for charities or political parties.
3. Memberships in clubs, associations or voluntary organizations (“membership” and “club, association or voluntary organization” both as defined in the Regulations).
(b) Form and Unsubscribe Requirements
The Anti-spam Act also sets out rules governing the sending of CEMs, including form (i.e., disclosure) requirements and mechanisms for the withdrawal of consent (i.e., to opt-out or unsubscribe).
(i) Form Requirements
CEMs must be in a prescribed form that, among other things, (i) identifies the person who sent the CEM, (ii) the person, if different, on whose behalf it is sent, (iii) includes information enabling the recipient to contact the sender, and (iv) includes an unsubscribe mechanism.
The June CRTC Regulations set out the specific information that must be included in CEMs. This currently includes the name of the person sending the CEM, the physical and mailing address, a telephone number providing access to an agent or voice messaging system, an e-mail address and the web address of the person sending the CEM.
The June CRTC Regulations also state that the prescribed information to be included in CEMs must be “set out clearly and prominently”.
The contact information included must also be valid for a minimum of 60 days after a CEM is sent.
The June CRTC Regulations also contain an exception to the prescribed form and unsubscribe requirements, however, providing that where it is “not practicable to include the [prescribed information] and the unsubscribe mechanism” in a CEM, the information may be provided by a web link that is clearly and prominently set out and can be accessed by a single click at no cost to the recipient.
This exception, if it remains in the finalized Regulations, will likely prove to be important for some forms of social media communications, where it is not practical to disclose the full prescribed information in a message.
(ii) Unsubscribe Mechanisms
Unsubscribe mechanisms must:
1. Allow recipients to indicate that they wish to no longer receive any CEMs using the same electronic message (or if impractical, any other electronic means that will enable the same result); and
2. Specify an electronic address (or web link) to unsubscribe.
The electronic address or webpage for unsubscribing must be valid for a minimum of 60 days after a message is sent.
In addition, recipients who unsubscribe must be unsubscribed “without delay” (and in any event no later than 10 business days after notifying their desire to be unsubscribed).
The June CRTC Regulations also provide that an unsubscribe mechanism must be “set out clearly and prominently” and “must be able to be performed in no more than two clicks or another method of equivalent efficiency.”
(c) Exceptions
The Anti-spam Act contains the following exceptions to the consent and form requirements for CEMs:
1. Personal or family relationships (both as defined by the July Industry Canada Regulations).
2. Inquiries for commercial goods and services.
3. Interactive two-way voice communications (e.g., telemarketing), fax or voice recordings sent to telephone accounts.
4. Exceptions set out in the Regulations.
The July Industry Canada Regulations contains definitions of “family relationship” and “personal relationship”.
One of the objections to the draft Regulations has been that “personal relationship”, likely one of the broadest and most important exceptions, is defined to require an in-person meeting within the past two years and two-way communication. On its face, this exception therefore currently precludes meetings through, for example, online or social media forums.
The Anti-spam Act also sets out the following exceptions from the consent requirement for CEMs:
1. Providing a quote or estimate for products (i.e., goods or services) if requested by the recipient.
2. Facilitating, completing or confirming a commercial transaction previously agreed to by the recipient.
3. Providing warranty, product recall or safety information about a product the recipient uses (or has used) or has purchased.
4. Certain information relating to employment or benefit plans.
5. Exceptions set out in the Regulations.
(d) Transitional Period
The Anti-spam Act contains a transitional provision that provides that consent is implied for three years from the coming into force of the CEMs section (section 6) for persons with existing business or non-business relationships (as defined), unless consent is withdrawn by a recipient.
2. ALTERING TRANSMISSION DATA
The Anti-spam Act also prohibits the alteration of transmission data in an electronic message, which results in the message being delivered to a different destination without express consent of the sender or recipient (e.g., causing an electronic message to be sent to a destination that is different than what the sender intended).
3. UNAUTHORIZED INSTALLATION OF COMPUTER PROGRAMS
The Anti-spam Act also prohibits the installation of computer programs on other person’s computers without the express consent of the owner or an authorized user of the computer system (e.g., an authorized employee).
4. MISLEADING REPRESENTATIONS (ELECTRONIC & ONLINE CONTENT)
The criminal and civil misleading advertising provisions of the Competition Act, and related penalty provisions, have also been broadened to expressly include misleading representations made in the electronic and online environment.
For example, the Anti-spam Act amends the criminal misleading advertising provisions of the Competition Act to prohibit false or misleading representations made electronically, such as in sender information, subject matter information, electronic messages or locators.
Like the misleading advertising provisions of the Competition Act generally, it will not be necessary to prove that any person was actually deceived or misled. The general impression as well as the literal meaning will also be relevant in establishing misleading representations made in the electronic context.
5. UNAUTHORIZED COLLECTION OF PERSONAL INFORMATION
The Anti-spam Act also amends PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems.
6. COLLECTION OF ELECTRONIC ADDRESSES
Finally, the collection of electronic addresses using computer programs or using such addresses without permission (“harvesting”) will be prohibited.
This may include the collection of e-mail addresses through the use of, for example, “web crawlers” (computer programs that scan websites, usenet groups and social media websites, trolling for electronic addresses) or “dictionary attacks” (where a computer program guesses real/live e-mail addresses by methodically trying various name variations within a particular group of common e-mail domains – e.g., Gmail, Hotmail, etc.).
D. ENFORCEMENT
Three government agencies will be responsible for enforcing the new Anti-spam Act as follows:
Competition Bureau (the “Bureau”)
The Bureau’s mandate will be to focus on misleading and deceptive practices and representations online, including false or misleading headers, web links and website content.
The Anti-spam Act extends the Competition Bureau’s existing jurisdiction over misleading advertising and deceptive marketing practices in Canada, which already included online advertising and marketing under the criminal and civil misleading advertising sections of the Competition Act (sections 52 and 74.01).
Canadian Radio-television and Telecommunications Commission (“CRTC”)
The CRTC will have primary enforcement responsibility for the new legislation and will have the power to investigate and take action, including imposing significant administrative monetary penalties, against unsolicited electronic messages (i.e., without consent), the alteration of transmission data or the installation of computer programs without consent (e.g., malware, spyware or viruses).
Office of the Privacy Commissioner of Canada (“Privacy Commissioner”)
The Privacy Commissioner will have the power to take measures against the collection of personal information through unlawful access to computer systems (i.e., contrary to federal law, such as the Criminal Code) or electronic address “harvesting”, where bulk e-mail lists are compiled through mechanisms, including the use of computer programs that automatically mine the Internet for e-mail addresses.
E. PENALTIES
1. ADMINISTRATIVE MONETARY PENALTIES
Persons contravening the Anti-Spam Act will be subject to “administrative monetary penalties” (essentially civil fines or “AMPs”) of up to C $1 million per violation for individuals and C $10 million per violation for corporations.
2. PRIVATE ACTIONS
Private individuals or organizations affected by a violation of the Anti-spam Act will also have a right to commence private actions.
In this regard, in addition to allowing awards of damages for actual loss or damage suffered a court may also order persons that contravene the Anti-spam Act to pay statutory damages for each day on which a contravention occurred – for example, for violation of section 6 (the unauthorized sending of CEMs) C $200 for each contravention up to C $1 million per day.
Class actions will also be possible once the Anti-spam Act is in force.
3. DIRECTOR AND OFFICER LIABILITY
The Anti-spam Act also contains broad director and officer liability provisions, which provide that directors and officers of a company that commits a violation are liable for that violation if they directed, authorized, assented to, acquiesced or participated in the commission of a violation.
This potential liability will be subject to a due diligence defence.
F. STEPS TO TAKE BEFORE THE ANTI-SPAM ACT COMES INTO FORCE
Companies or individuals that use electronic marketing (e.g., e-mail, text messages, social media forums, Twitter, etc.) to market their products and services should consider taking compliance steps before the new legislation comes into force.
Some suggested steps to take before the Anti-spam Act comes into force include:
1. Conduct a review of electronic marketing to determine which are CEMs (i.e., “commercial electronic messages”).
2. Prepare electronic messages that comply with the form and unsubscribe (i.e., opt-out) requirements.
3. Prepare consent notices to obtain express consent where required.
4. Attempt to collect express consents where required. In this regard, the onus is on the sender to show that consent was obtained and document consent.
5. Determine (and keep records) whether opt-in consent has been obtained for contacts.
6. Determine for which contacts consent may be implied (e.g., existing business, non-business, “business card” relationships, etc.).
7. Delete names from distribution lists where consent cannot be obtained (or no exception exists).
8. Establish processes to periodically refresh consents (or delete contacts – for example, where there is no longer any existing business relationship within the past two years, or within the transition period, etc.).
9. Ensure that processes are in place to process unsubscribing contacts within the statutory period (i.e., without delay, and in any event within 10 days after an unsubscribe request is made).
10. Add Anti-spam Act compliance to existing compliance programs and policies (and train staff for compliance with the requirements under the Anti-spam Act).
11. Monitor the progress of the draft Regulations and adapt any internal policies and procedures to reflect changes in the law, once finalized.
12. Ensure that other forms of marketing (e.g., telemarketing) complies with other relevant laws (e.g., the national Do Not Call List) and that advertising generally complies with Canada’s misleading advertising laws (e.g., under the Competition Act).
LINKS AND RESOURCES
LEGISLATION
REGULATIONS
CRTC
Draft Electronic Commerce Protection Regulations (CRTC)
Industry Canada
Electronic Commerce Protection Regulations
CANADA’S ANTI-SPAM WEBSITE (www.fightspam.gc.ca)
Canada’s Anti-Spam Legislation
ENFORCEMENT AGENCIES
Industry Canada
Summary of the Anti-spam Act (Canada’s Anti-Spam Legislation)
Industry Canada News Releases
“Anti-Spam Legislation is Unanimously Passed by the House of Commons” (December 2, 2009)
“Harper Government is Getting Things Done for Canadians” (December 15, 2010)
Industry Canada Backgrounders
Anti-Spam Legislation Receives Royal Assent
Industry Canada Spam Definitions
CRTC
Canadian Radio-television and Telecommunications Commission
Office of the Privacy Commissioner
Office of the Privacy Commissioner of Canada
Competition Bureau
TASK FORCES
Canadian Task Force on Spam
Recommended Best Practices for Email Marketing
Stakeholder Roundtable
Roundtable Meeting with Key Stakeholders
REPORTS
An Anti-Spam Action Plan for Canada (May, 2004)
Stopping Spam: Creating a Stronger, Safer Internet (May, 2005)
FRAUD RESOURCES
INTERNATIONAL RESOURCES
Internet Crime Complaint Centre
London Action Plan: International Spam Enforcement Network
Report of the OECD Task Force on Spam
____________________
We provide federal competition and foreign investment law services to clients across Canada and internationally.
OUR BOOKS
The Competition Law Guide for Trade Associations in Canada is a practical and concise summary of Canadian competition law as it applies to trade, professional and other associations.
OUR COURSES
Competition Law and REALTORS®: What You Say and Do Matters was designed by ACRE with the assistance of CREA to help Canadian REALTORS® understand and comply with Canadian competition law.
This course is available
to members of Canadian
real estate boards.
For more information see ACRE