Canada’s Anti-Spam Legislation Demands Tough Standards


This post was written prior to our January 2017 merger, under our previous firm name, Aikins, MacAulay & Thorvaldson LLP.

On July 1, Canada established the world’s toughest standards for sending a commercial electronic message. The anti-spam law targets spam, those annoying messages that make it through our firewalls and clog our inboxes and try to get us to buy everything from vacations to pills that offer, ahem, certain physical enhancements. It also targets phishing (stealing personal information), the installation of spyware (gathering information) and malware (causing damage or disabling programs) on computer systems.

For its part, the government’s website states the law “will help to protect Canadians while ensuring that businesses can continue to compete in the global marketplace.”

All well and good, you may be saying. It’s about time there were aggressive measures to defend Canadians against the epidemic of spam, computer hacking and false online advertisements.

But in doing so, the federal government is creating a new regulatory regime for all legitimate business and individuals sending commercial electronic messages that has the potential for unintended consequences.

How the Law Works

A commercial electronic message (CEM) is defined as having at least one purpose of encouraging participation in a commercial activity. That provides a broad scope. Soliciting business is clearly a commercial message. But conveying any information of a commercial character in an email or online could qualify the communication as a commercial electronic message. Even a newsletter could be considered a commercial electronic message if it also suggests people contact the sender for a commercial reason. And don’t think you’re exempted if you work for a non-profit agency. The anti-spam law states the act or conduct contemplated for a commercial activity doesn’t need an expectation of profit.

The law covers all forms of electronic communication sent or received in Canada: emails, text messages and instant messaging as well as various aspects of social media. It forces individuals, organizations and businesses to obtain the consent of recipients before sending messages, then record and track the consents and remove people from the database if they subsequently withdraw their consent.

As of July 1, 2014, a commercial electronic message cannot be sent to or from Canada unless the recipient has already consented to receive it (they must opt in). It will be illegal to send a commercial message to another person requesting consent, where there is no existing relationship, because the request constitutes a commercial message.

The United States took a very different approach when it introduced its CAN-SPAM Act of 2003, which only applies to emails. American online electronic communication is based on the opt-out principle: you receive an email then notify the sender if you do not want to receive any more. Canada chose not to follow this route.

Penalities

People who ignore the new legislation do so at their peril: The law includes penalties of up to $1 million for individuals and $10 million per organization per violation. Officers and directors of an organization could also face charges.

The government has hired more than 30 people to audit computer systems and enforce this law. At least initially, the enforcement process is triggered by complaints. In the first month the government received 60,000 complaints. Similar provisions that apply to the installation of computer programs come into force January 2015. It also permits private lawsuits after July 1, 2017. Inevitably, this will lead to more class-action lawsuits.

Resources

Canadian Anti-Spam Legislation sc2010, c.23

CRTC Regulation & Bulletins

Regulation:

2012-36 Electronic Commerce Protection Regulation

Bulletins:

2012-548 Guidelines on the interpretations of the Electronic Commerce Protection Regulations

2012-549 Guidelines on the use of toggling as a means of obtaining express consent under Canada’s Anti-Spam Legislation

2014-236 Guidelines to help businesses develop corporate compliance programs

Industry Canada

Regulation 81000-2-175 Electronic Commerce Protection Regulations

Regulatory Impact Analysis Statement (RIAS)

Frequently Asked Questions

Industry Canada:

For Individuals

For Businesses and Organizations

CRTC:

For Individuals and Businesses

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.

Robert T. Gabor is a partner and technology lawyers with Aikins Law. He has presented and written extensively on CASL, including this article in the Winnipeg Free Press.