Organizations will need to reassess their practices for sending commercial electronic messages or face significant new penalties.
On May 25, 2010, the federal government re-introduced its anti-spam legislation which, if enacted, would introduce complex new rules for sending commercial electronic messages.
Bill C-28, the Fighting Internet and Wireless Spam Act, goes much further than regulating bulk, unsolicited email communications often referred to as "spam". Rather, it would create a new "express" consent-based regime that would apply to almost all electronic messages sent for a commercial purpose.
The new anti-spam rules would be enforced with stiff penalties, including administrative monetary penalties of up to C$10,000,000 for corporations (C$1,000,000 for individuals) and statutory damages of up to $1 million a day. As well, a private right of action would allow consumers and businesses to commence enforcement proceedings and recover damages.
When the New Rules Will Apply
Bill C-28 is identical in most respects to a predecessor Bill (Bill C-27, the Electronic Commerce Protection Act), which died on the order paper in December 2009 after being adopted by the House of Commons. As a result, it is expected that Bill C-28 will be fast-tracked through Parliament.
It is unknown if the government will delay the coming into force of Bill C-28 to afford businesses time to make the changes to their operations that the new rules will require.
Scope of the New Anti-Spam Rules
The anti-spam rules would apply to commercial electronic messages or "CEMs" sent by telecommunication to an email, instant messaging, telephone or similar account. A message would be regarded as being "commercial" in nature if it has, as its purpose or one of its purposes, the encouragement of participation in a commercial activity.
New Consent Requirements
Under the new regime, CEMs could be sent only with the express consent of the recipient, unless the sender could demonstrate that there is a statutory exception. Examples of exceptions include messages that solely:
- provide a requested quote or estimate;
- facilitate, complete or confirm a commercial transaction; and
- provide warranty information, product recall information, or safety or security information about a product that the message recipient has used or purchased.
There also would be limited instances in which consent could be implied, including where there is an "existing business relationship" between the sender and the recipient. Generally speaking, such a relationship would exist if the sender could demonstrate that:
- there is a business relationship arising from the purchase or lease of a product, goods or a service within the prior two-year period;
- there is a written contract with the recipient (other than in respect of the purchase or lease of products, goods or services and certain other subject matter) until two years following termination of the contract; or
- there was an inquiry or application made by the recipient within the prior 6 months regarding certain commercial activities, including purchases of goods or services.
Note, however, that these time periods would not apply during the initial three years after the anti-spam rules come into force if the existing business relationship includes communications using CEMs and the recipient has not opted-out of receiving them.
Consent Disclosure Requirements
When seeking express consent for the sending of CEMs, businesses would be required to set out clearly and simply the purposes for which the consent is being sought, prescribed information identifying the person seeking consent or the person on behalf of whom consent is being sought, and any other information prescribed in regulations.
Form and Content Requirements
Most significantly, CEMs would need to include an unsubscribe mechanism that meets prescribed requirements. In addition, CEMs would need to include the sender's contact information, identify the person who sent the message, identify the person on whose behalf the message is sent (if different from the sender), and set out any other information prescribed by regulations.
Other Prohibited Conduct
In addition to combating spam, Bill C-28 also addresses both spyware and pharming.
A new express consent-based regime for the installation of any computer program on a user's computer would be created. More information on these rules is available here.
The alteration of "transmission data" in an electronic message without the consent of the sender or the recipient would be prohibited. This provision is intended to address the practice of "pharming" whereby a website user is redirected to a bogus website upon clicking on a link included in an email message which appears to be from the legitimate company.
Related Amendments to other Legislation
Bill C-28 also would introduce important amendments to other statutes. Highlights of these changes include the following:
- Restrictions on Address Harvesting
The Personal Information Protection and Electronic Documents Act (PIPEDA) would be amended to restrict "address harvesting," or the unauthorized collection of email addresses through automated means (i.e., using a computer program designed to generate or search for, and collect, email addresses) without consent.
The use of an individual's email address collected through address harvesting also would be restricted.
- Misleading Advertising
The Competition Act would be amended to make it an offence to provide false or misleading representations in the sender information, subject matter information, or content of an electronic message. The same conduct would be "reviewable conduct" pursuant to the rules governing deceptive marketing practices.
- Do-Not-Call List
The Telecommunications Act would be amended to repeal the national Do-Not-Call List. However, it is expected that the coming into force of these amendments would be postponed.
How Bill C-28 Would Affect Your Business
If Bill C-28 is enacted, significant impacts for organizations would include:
- revisiting procedures and systems for obtaining and documenting consent;
- addressing the new "express" consent requirements (i.e., relying on consent strategies developed under PIPEDA would no longer be appropriate);
- developing procedures and systems for meeting new, prescriptive disclosure rules; and
- adding an unsubscribe mechanism and other prescribed content to commercial electronic messages.
Michael Fekete's practice focuses on outsourcing, information technology, e-commerce and privacy. Nicole Kutlesa regularly advises on marketing, trade practice, regulatory and privacy matters with a particular emphasis on food, drug, cosmetic, medical device and other regulated products.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.