While the Canadian federal government's anti-spam legislation is not yet in force, many businesses are starting to prepare for compliance.
The law is broad; it applies to any electronic message that is sent, routed, or retrieved using a computer system in Canada, and the penalties for non-compliance are steep. Virtually every person and business in Canada (and many outside of Canada, in particular the United States) will be affected and need to rethink how they send emails, voicemails and other telecommunications.
(It is broader and more onerous than American anti-spam legislation, so compliance with the US CAN-SPAM Act will not be enough.)
The Canadian legislation prohibits any person from sending (or causing or permitting to be sent) a commercial electronic message unless the recipient expressly or implicitly consents to receiving the message. That's going to be a tough rule to follow, especially since very few people actually respond to requests for consent, particularly requests sent by email.
Some other key points are as follows:
Not just e-mail: The definition of "commercial electronic message" is very broad and includes any message sent by telecommunications (including e-mail, text messages, voicemail, social media communications, etc.) if the purpose of that message is to encourage participation in a commercial activity.
Not just spam: The law also prohibits hacking, malware, online fraud, electronic harvesting and privacy invasions.
Consent: Commercial electronic messages cannot be sent without the recipients' consent. Consent can be express or implied, and there are specific rules for how to obtain consent. There are also some limited exceptions to the consent requirement.
Identification: All commercial electronic messages must identify the person who sent the message (and if different, the person on whose behalf it was sent); provide accurate contact information for these parties; and set out a mechanism by which the recipient may unsubscribe. The law also requires other disclosures, and contains specific rules regarding how the disclosures can be presented.
Unsubscribing: The recipient must be able to unsubscribe using the same means by which the message was sent. There are specific rules and time limits for complying with unsubscribe requests.
Penalties: The maximum penalty for a violation of the legislation is $1,000,000 for an individual and $10,000,000 for a corporation or other business entity. These fines are imposed per violation, and a violation is defined as being separate for each day that it continues.
Vicarious liability: Violations under the Act create both direct and vicarious liability, and directors or officers of corporations may be personally liable for the corporation's violations. Employers are also liable for violations committed by their employees acting within the scope of their employment.
The law is complicated and lengthy. There have already been two sets of regulations and interpretation bulletins published, and more may follow. Compliance will therefore be difficult, and will not be made any easier by the fact that consent is required to send an email requesting consent to send further emails.
It is therefore advisable to start preparing for compliance now. Some of the steps you can take are:
- conduct an audit of your current databases
- determine how and why you send commercial electronic messages
- establish consent mechanisms
- establish data management systems to record consents and rejections
- establish unsubscribe mechanisms
- draft policies to deal with commercial electronic messages
This article first appeared in the Fall 2013 issue of CPABC Industry Update.