Organizations will need to reassess their practices for sending
commercial electronic messages or face significant new penalties.
On May 25, 2010, the federal government re-introduced its
anti-spam legislation which, if enacted, would introduce complex new rules for
sending commercial electronic messages.
Bill C-28, the Fighting
Internet and Wireless Spam Act,
goes much further than regulating bulk, unsolicited email communications often
referred to as “spam”. Rather, it would
create a new “express” consent-based regime that would apply to almost all
electronic messages sent for a commercial purpose.
Stiff Penalties
The new anti-spam rules would be enforced with stiff
penalties, including administrative monetary penalties of up to C$10,000,000
for corporations (C$1,000,000 for individuals) and statutory damages of up to
$1 million a day. As well, a private
right of action would allow consumers and businesses to commence enforcement proceedings
and recover damages.
When the New Rules Will
Apply
Bill C-28 is identical in most respects to a predecessor Bill
(Bill C-27, the Electronic Commerce
Protection Act), which died on the order paper in December 2009 after being
adopted by the House of Commons. As a
result, it is expected that Bill C-28 will be fast-tracked through
Parliament.
It is unknown if the government will delay the coming into
force of Bill C-28 to afford businesses time to make the changes to their
operations that the new rules will require.
Scope of the New
Anti-Spam Rules
The anti-spam rules would apply to commercial electronic
messages or “CEMs” sent by telecommunication to an email, instant messaging,
telephone or similar account. A message
would be regarded as being “commercial” in nature if it has, as its purpose or
one of its purposes, the encouragement of participation in a commercial
activity.
New Consent
Requirements
Under the new regime, CEMs could be sent only with the express
consent of the recipient, unless the sender could demonstrate that there is a
statutory exception. Examples of exceptions include messages that solely:
- provide a requested quote or estimate;
- facilitate, complete or confirm a commercial
transaction; and
- provide warranty information, product recall
information, or safety or security information about a product that the message
recipient has used or purchased.
There also would be limited instances in which consent could
be implied, including where there is an “existing business relationship”
between the sender and the recipient.
Generally speaking, such a relationship would exist if the sender could
demonstrate that:
- there is a business relationship arising from
the purchase or lease of a product, goods or a service within the prior two-year period;
- there is a written contract with the recipient
(other than in respect of the purchase or lease of products, goods or services
and certain other subject matter) until two
years following termination of the contract; or
- there was an inquiry or application made by the
recipient within the prior 6 months regarding
certain commercial activities, including purchases of goods or services.
Note, however, that these time periods would not apply during
the initial three years after the anti-spam rules come into force if the
existing business relationship includes communications using CEMs and the
recipient has not opted-out of receiving them.
Consent Disclosure
Requirements
When seeking express consent for the sending of CEMs,
businesses would be required to set out clearly and simply the purposes for
which the consent is being sought, prescribed information identifying the
person seeking consent or the person on behalf of whom consent is being sought,
and any other information prescribed in regulations.
Form and Content
Requirements
Most significantly, CEMs would need to include an unsubscribe
mechanism that meets prescribed requirements.
In addition, CEMs would need to include the sender’s contact
information, identify the person who sent the message, identify the person on
whose behalf the message is sent (if different from the sender), and set out
any other information prescribed by regulations.
Other Prohibited Conduct
In addition to combating spam,
Bill C-28 also addresses both spyware and pharming.
A new express consent-based regime for the installation of any
computer program on a user’s computer would be created. More information on these rules is available here.
The alteration of “transmission data” in an electronic message
without the consent of the sender or the recipient would be prohibited. This
provision is intended to address the practice of “pharming” whereby a website
user is redirected to a bogus website upon clicking on a link included in an
email message which appears to be from the legitimate company.
Related Amendments to other Legislation
Bill C-28 also would introduce important amendments to other
statutes. Highlights of these changes
include the following:
- Restrictions on Address Harvesting
The Personal Information
Protection and Electronic Documents Act (PIPEDA) would be amended to
restrict “address harvesting,” or the unauthorized collection of email
addresses through automated means (i.e., using a computer program designed to
generate or search for, and collect, email addresses) without consent.
The use of an individual’s email address collected through
address harvesting also would be restricted.
The Competition Act
would be amended to make it an offence to provide false or misleading
representations in the sender information, subject matter information, or
content of an electronic message. The
same conduct would be “reviewable conduct” pursuant to the rules governing
deceptive marketing practices.
The Telecommunications
Act would be amended to repeal the national Do-Not-Call List. However, it is expected that the coming into
force of these amendments would be postponed.
How Bill C-28 Would
Affect Your Business
If Bill C-28 is enacted, significant impacts for organizations
would include:
- revisiting procedures and systems for obtaining
and documenting consent;
- addressing the new “express” consent
requirements (i.e., relying on consent strategies developed under PIPEDA would
no longer be appropriate);
- developing procedures and systems for meeting
new, prescriptive disclosure rules; and
- adding an unsubscribe mechanism and other
prescribed content to commercial electronic messages.