Until December 2010, Canada was the only member of the G8 without any anti-spamming legislation. An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying our commercial activities, S.C. 2010, c. 23, formerly referred to as the “Fighting Internet and Wireless Spam Act” received royal asset on December 15, 2010 (the “Act”). The Act has not yet been proclaimed and the draft Regulations have been released for comments. It is expected that the Act and its Regulations will come into force in early 2012.

 

The Act may be the most comprehensive and stringent anti-spamming law in the world and creates significant obligation on businesses and individuals who use electronic means of communication and marketing. The application of the Act is not limited to restricting bulk, unsolicited email messages. It applies to any “commercial electronic message” (the “CEM”). The Act prohibits individuals and businesses from sending CEMs unless the recipient has provided the sender with express or implied consent. This opt-in regime differs from the opt-out regime established by the other anti-spamming legislations.

 

Commercial Electronic Messages

A CEM is an “electronic message” where one of its purposes is to invite the recipient to participation in a commercial activity. An "electronic message" is defined rather broadly to include any message sent by any means of telecommunication, including a text, sound, voice or image message. The definition covers e-mails, sms (text messages), instant messages, and arguably any form of message sent using a social media platform (such as "tweets" or Facebook postings or messages).

 

The Act further requires the sender of the CEM to "clearly and simply" outline the purpose(s) for which consent is being sought and identify the organization seeking the consent, prior to sending of the CEM. Notable here is that a request for consent to receive CEMs is in itself a CEM and subject to the provisions of the Act.

 

The Act provides limited exceptions to the above noted requirement. Consent is not required to send a CEM, if the CEM is being sent to:

  • provide an estimate or quote in response to a request made by the recipient;
  • facilitate a pre-agreed commercial transaction;
  • provide warranty or safety information to a purchaser of goods;
  • provide information related to an ongoing subscription, membership, account or loan;
  • provide information related to an employment relationship or benefit plan; or
  • deliver a pre-authorized product, goods or service, including product updates and upgrades

 

In addition to the above circumstances where consent is not required, the Act provides that consent to receive a CEM can also be implied in certain circumstances, including but not limited to where:

  • the sender and the recipient have an existing business relationship
  • the sender and the recipient have an existing non-business relationship (such as membership in a club);
  • the recipient has "conspicuously published" its electronic address and has not expressly indicated a desire not to receive unsolicited CEMs, and the message is relevant to the professional capacity and role of the recipient; or
  • the recipient has provided its electronic address to the sender without expressly indicating a desire not to receive unsolicited CEMs, and the message is relevant to the professional capacity and role of the recipient.
 

Spywares

The Act also contains similar requirements for installation of any computer software. This is designed to combat installation of spyware, address mining or phishing. Disclosure notices should be provided to users that set out the reasonably foreseeable impact of the software on the user’s computer and any data on the user’s computer in advance of the installation of the software.

 

There are certain exceptions from the above noted consent requirement for certain categories of computer programs, including “cookies”, Java Script, HTML and operating systems. This limited exception is available to be relied upon only where the user’s conduct makes it reasonable to infer consent. Another narrow exception in the Act is for installation of an update or upgrade to of software when the initial installation complied with the notice requirements.

 

Penalties

The Act will be enforced by the Canadian Radio-Television and Telecommunications Commission ("CRTC"). Under the Act, the CRTC has the ability to impose administrative monetary penalties for violations of the Act of up to $1 million per violation for individuals, and $10 million per violation for other persons (such as corporations). In addition, the Act permits a private right of action, which allows any person affected by a violation of the Act to sue for damages.

 

What clients need to do

Individuals, businesses and non-profit organizations using any electronic mean to communicate with their customers, clients, subscribers, prospective clients should:

 

review all categories of electronic communications and identify those that fall under the definition of CEM;

determine if appropriate consents have been obtained from the recipients of the CEMs;

for recipients without consent, determine if any of the exceptions to obtaining consent or implied consent provisions apply;

  • create consent notices that are compliant with the content and form requirements of the Act and its Regulations;
  • develop opt-out mechanisms in accordance with the Regulations;
  • obtain appropriate consents prior to coming into effect of the Act or utilize the three (3) years transition period provided in the Act in cases where prior business relationship exists;
  • establish opt-in consent and consent renewal mechanisms on web pages, agreements, terms of use or applications in accordance with the requirements of the Act and its regulations; and
  • develop and implement procedures for “unsubscribing” any recipient of CEMs in accordance with the guidelines provided for in the Act and the Regulation.
 

The businesses should review the Act and the final Regulations and establish internal guidelines, training and operational controls to ensure compliance with them.


Key ContactJohn Collins