CASL confusion: what July 1 really signifies for marketers

David Elder - 

July 1, 2017 is not only Canada’s 150th birthday -- it is also marks three years since Canada’s Anti-Spam Legislation (CASL) has been in force.  While Canadian businesses are unlikely to celebrate the latter anniversary with barbecues and fireworks, July 1 will signify an important change in the way that CASL will apply. 

Unfortunately, there seems to be some confusion about what the approaching deadline really means for marketers.  From a CASL perspective, July 1 is important for 3 reasons:

Private right of action

Let’s start with what it doesn’t mean: July 1 will no longer mark the coming into force of the private right of action contained in the law.  This provision would have allowed civil suits to be filed against individuals and organizations for alleged violations of the law.  In addition to suing for actual damages, the provision also would have allowed plaintiffs to claim statutory damages (which need not be proved) of up to $200 – including for receipt of a non-compliant email message.

The order that proclaimed CASL in force as of July, 2014, had originally set July 1, 2017 as the day on which the private right of action provisions in the law would come into force.  However, the government recently amended this order so as to suspend indefinitely the coming into force of the private right of action. 

In a news release announcing the suspension of the implementation of this statutory cause of action, the government noted that it was acting “in response to broad-based concerns raised by businesses, charities and the not-for-profit sector.”  The precis to the order indicated that the original coming into force date was being suspended “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.”

Parliamentary review

The second important consequence to the arrival of July 1, 2017, is that CASL includes is a section requiring a general review, after that date, of the provisions and operations of the Act by a parliamentary committee.

The government has indeed announced – when it suspended the private right of action - that it will ask a parliamentary committee to review the legislation, in keeping with this requirement of the law.

While it is difficult to know at this time precisely how that review might unfold, the legislative provision itself is very broad.  Accordingly, we may see in the near future a review that will take into account the law as a whole, followed by recommendations to the government for possible reform.

The law has many detractors in the business community, which have raised concerns relating to issues such as vagueness and impracticality of the law, disproportionate enforcement and penalties and real damage to economic interests.  That said, the law also has many fans, which see the regime as an important new protection for consumers.  As a result, the pending committee hearings are expected to be lively.

Expiry of transition period for prior business relationships

Finally, July 1, 2017 will mark the end of the initial transition period during which organizations are deemed to have implied consent to send commercial electronic messages to recipients based on certain types of business relationships that arose prior to the law coming into force.

The law deems implied consent to exist where the sender of a message has an “existing business relationship” or an “existing non-business relationship” with the recipient.  While there are several narrow scenarios that give rise to these defined relationships, for most commercial businesses, an existing business relationship most commonly arises through the purchase of goods or services.  In such a case, the law normally deems an organization to have implied consent to send electronic marketing messages to a customer for a period of two years after such a purchase, unless they otherwise unsubscribe.

However, for the initial 3-year transition period, CASL deemed implied consent to exist for business relationships that arose at any time before July 1, 2014 (when the law came into force), without regard to the two-year limitation.  In other words, during the transition period, the law effectively deemed an organization to have implied consent to send commercial electronic messages to a customer that had made a purchase at any time before July 1, 2014. 

The stated purpose of this transition period was to provide organizations with the opportunity to obtain express consent.  As a result, in the months leading up to the end of the transition period, many organizations have been reaching out by email to their distribution lists in order to confirm consent.

While such outreach campaigns make good sense for some businesses, seeking express consent at this time is not required in all cases.  The real impact of the expiry of the transition period will vary from business to business, based on a number of factors, including the following:

  1. If an organization is sending commercial electronic messages based on an existing business relationship that arose from a purchase made after the law came into force, then the transition period does not apply.  These types of business relationships are subject to the normal two-year limitation imposed by the law.  Indeed, for transactions that occurred in 2014 and early 2015, this period will have already expired.
  2. If express consent was collected prior to July 1, 2014, in compliance with applicable privacy law, that consent continues to be valid, even if the request did not meet the form requirements now imposed by CASL.  Businesses with reliable records of that type of consent need not reach out now to secure an additional consent.
  3. If an organization is likely to have at least one sale transaction every two years with addressees on its email marketing list, it may elect not to secure express consent, relying solely on implied consent arising from its existing business relationships.  Much depends on the typical business cycles for a particular industry/service category, but many businesses have found that they can reasonably attain marketing objectives solely through reliance on implied consent.  Of course, where a given addressee does not make a purchase within the allowed 2-year period, they must be dropped from the list, but some organizations find this churn to be manageable, and also find that, in any event, marketing offers are less likely to be effective with respect to such “stale” customers.  Recognizing that consent outreach campaigns tend to have a low rate of success, continued reliance on existing business relationships may be an attractive option for some companies.
  4. Organizations that engage in B2B marketing may not be affected by the expiry of the transition period.  The transition period affects only existing business relationships and existing non-business relationships; it does not affect implied consent that may arise under the law as a result of conspicuous publication or direct disclosure of a business electronic address, nor does it affect to general B2B exemption found in the Electronic Commerce Protection Regulations.
  5. Similarly, other types of businesses that rely on exemptions set out in the Regulations need not reach out now to obtain express consent -- for example, registered charities sending fund-raising messages, or messages sent and received on an electronic messaging service where the information and unsubscribe mechanism required by the law is available on the user interface through which the message is accessed.

Businesses are advised to carefully review their own circumstances and to seek advice as to the best approach to deal with the issues arising from the end of the transition period. 

CRTC slashes anti-spam fine in first review decision

David Elder -

In the first case considered by the appointed members of the CRTC under Canada’s Anti-Spam Law (CASL), the Commission has significantly reduced the size of the penalty previously issued by staff, potentially raising questions about the appropriateness of previous AMPs issued under the law.

A Notice of Violation was originally issued by CRTC staff to Blackstone Learning Corporation in January of 2015, requiring that company to pay an Administrative Monetary Penalty (AMP) of $640,000.  However, following a review by the CRTC, the amount payable has been reduced to $50,000.

Under the scheme of the Act, the Commission may designate persons or classes of persons to exercise powers in relation to any matter referred to in the designation.  Somewhat unusually, the enforcement powers under CASL – such as the power to issue preservation demands, notices to produce, and notices of violation - are actually granted to such designated persons, rather than to the Commission itself. The CRTC has designated a Chief Compliance Officer, and potentially other staff members, to exercise such powers.

Where a power is exercised by a designated person, representations may be made by the subject of a CASL investigation to the appointed members of the CRTC, who can review the action of the designated person and revoke or amend that action, as appropriate.  With respect to Notices of Violation in particular, upon receipt of representations from the subject of the notice, the Commission must decide, on a balance of probabilities, whether the subject committed the violation, and if so, may impose the penalty set out in the notice, may reduce or waive the penalty, or may suspend payment of the penalty, subject to any conditions that the Commission considers necessary to ensure compliance with the Act.

In the case of Blackstone, the CRTC appears to have reduced the applicable penalty largely on the basis that the company “is a small business with a relatively limited ability to pay”, as well as the fact that CASL is a relatively new regulatory regime, and that Blackstone had no history of non-compliance under CASL.  The amount was reduced notwithstanding that Blackstone apparently did not cooperate with the CRTC investigation, refusing to respond to a Notice to Produce issued pursuant to the Act, even after a Commission decision requiring that it do so. 

While the significant reduction in the AMP payable by Blackstone is noteworthy of itself, the case may be particularly noteworthy as the reduction, and the factors cited by the Commission in support of that decision, may raise questions for some about the appropriateness of some of the AMPs previously paid with respect to earlier investigations.

In this regard, other than the $1.1 million Notice of Violation issued to Compu-Finder, prior to the Blackstone decision, all of the AMPs paid to date under CASL - ranging from $48,000 to $200,000 - were paid pursuant to undertakings into which companies voluntarily entered in order to settle investigations by CRTC staff.  There was no review of these settlements by the appointed members of the Commission.

Consistent with the Commission rationale in the Blackstone decision, CASL would also have also been a relatively new regulatory regime in each of the previous settled CASL cases, and each of the companies concerned would also have had no history of non-compliance with the anti-spam law. Moreover, unlike the facts in Blackstone, in each of the previous undertakings, the companies (Plentyoffish Media,Porter Airlines, Rogers Media and Kellogg Canada) cooperated fully with the staff investigation and took immediate steps to rectify alleged non-compliance, as explicitly indicated in the undertakings and news releases associated with those cases.

It remains to be seen whether the strong guidance from the CRTC in the Blackstone decision will inspire companies in future to make representations to the appointed members of the Commission with respect to alleged violations of CASL, in the hope of reducing the AMPs payable, rather than entering into voluntary undertakings with Commission staff.

Tags: ,

CRTC gets frosted at Kellogg's over email violations

David Elder

In the fifth, and most recent, enforcement decision relating to compliance with Canada’s Anti-Spam Legislation, the CRTC has announced that Kellogg Canada has voluntarily entered into an undertaking respecting alleged non-compliance, which includes payment of $60,000 in penalties.

The undertaking resulted from an alleged failure to obtain consent from recipients prior to sending commercial electronic messages.  The alleged violations apparently occurred over an 11-week period in late 2014.

As with previous undertakings announced by the CRTC, the summary produced by the CRTC includes few details about the alleged non-compliance, such as whether the company sent messages without obtaining consent, failed to meet form requirements in collecting consent, or was unable to prove the existence of an existing business relationship that would give rise to implied consent.

Interestingly, the CRTC summary does note that the messages in question were allegedly sent by “Kellogg and/or its third party service providers”, and that Kellogg undertook to comply with CASL and its Regulations, and to “ensure that any third party authorized to send a commercial electronic message on its behalf” did the same – suggesting that the alleged violations may have stemmed, at least in part, from the activities of a third party service provider.  This, in turn, raises important – but unfortunately, unanswered -- questions about how penalties are assessed in such circumstances, and the extent to which due diligence in vendor selection and procurement arrangements might impact liability for non-compliance under CASL.

The central prohibition in CASL relating to commercial electronic messages does refer explicitly to those sending such messages, as well as to those causing or permitting such messages to be sent; accordingly, the law appears to apply to both marketers and the service providers that may be retained to send marketing messages on their behalf.  Organizations would be well advised to choose third party vendors carefully, and to impose clear contractual and process requirements on such vendors to help avoid potential non-compliance.

Tags: ,

CRTC partners with global agencies to enforce spam and telemarketing rules

David Elder - 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced that it has signed a memorandum of understanding with 10 domestic and global enforcement agencies to aid in the enforcement of spam and telemarketing laws.  However, while the announcement is certainly a step in the right direction, many of the countries that produce the most spam were not at the table.

The agreement is intended to promote cooperation between the various enforcement agencies, and includes commitments by each signatory to share information and intelligence regarding unsolicited communications, where permitted by the laws of its jurisdiction.  

For its part, in Canada, s. 60 of Canada’s Anti-Spam Legislation permits the government, the CRTC, the Office of the Privacy Commissioner of Canada (OPC) and the Commissioner of Competition to share information with foreign governments and agencies with respect to investigations and enforcement activities relating to foreign laws that address conduct that is substantially similar to conduct prohibited under Canadian laws regulating unsolicited telecommunications and commercial electronic messages.

In addition to the involvement of the CRTC and the OPC, the memorandum was signed by 9 international agencies, from the U.S., Australia, the Netherlands, the UK, Korea, New Zealand and South Africa.

Each of the signatories to the new MOU is a member of the “London Action Plan” (LAP), a global organization created to promote international spam enforcement cooperation and address spam related problems, such as online fraud and deception, phishing, and dissemination of viruses. 

Interestingly, while all signatories are members of the LAP, not all LAP members have signed on to this latest memorandum -- in fact, only about one third of LAP members have signed on.  More significantly, absent from the list of signatories are regulatory agencies from 8 of the Top 10 Worst Spam Countries, as compiled by the Spamhaus Project, an international organization that tracks spammers and spam-related activity.

The CRTC has previously entered into similar agreements with the Commissioner of Competition and the OPC, and most recently, announced the signing of an agreement with the U.S. Federal Trade Commission and Federal Communications Commission respecting mutual assistance in the enforcement of laws on commercial email and telemarketing.

Enforcement agencies, including the CRTC, face many challenges in investigating and enforcing unsolicited communications laws where the alleged perpetrators operate from outside of Canada, necessarily requiring the cooperation of local regulatory and enforcement authorities.  Some feel that as a result, CRTC enforcement activity disproportionately focuses on known and legitimate domestic companies, many of whom are trying to comply with the rules, rather than on rogue international operators, whose campaigns often have fraudulent objectives.

Hopefully, these new information and intelligence sharing arrangements will assist somewhat with the CRTC’s international enforcement challenge, although the effectiveness of the initiative will be frustrated by the absence of a majority of the biggest spam-producing countries.

CRTC executes another raid in malware investigation

David Elder - 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the execution of another warrant under Canada’s Anti-Spam Legislation (CASL), this time at two locations in the Niagara region of Ontario.

This is only the second such warrant executed by the CRTC under the anti-spam law.  As in a recent previous announcement respecting the execution of a similar warrant, the warrant was issued as part of an ongoing investigation, and the party that was the subject of the warrant was not identified.

The most recent warrant was apparently obtained as part of an investigation relating to the installation of malware and the alteration of transmission data.  This marks the first public announcement respecting an investigation into the alteration of transmission data.  Section 7 of CASL generally prohibits the alteration of transmission data in an electronic message such that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or is made pursuant to a court order.

Interestingly, the CRTC’s investigation in this case appears not to have been launched as a result of complaints received, but rather as a result of a tip from a US network security company specializing in cyber threat protection and forensics.

This most recent enforcement action continues the Commission’s efforts against the most damaging and deceptive types of online threats.  As noted in in previous posts, concerns had been raised in light of what appeared to be an early focus by the CRTC on enforcement against legitimate domestic companies for errors made in attempting to comply with the core anti-spam provisions of CASL, rather than targeting distributors of malware and other intentional bad actors.

Tags: ,

Airline hits turbulence from CRTC: pays penalty for violations of anti-spam law

David Elder - 

In the most recently announced settlement under Canada’s Anti-Spam Legislation, the CRTC has announced that Porter Airlines Inc. has agreed to pay $150,000 as part of an undertaking concerning alleged violations of the law.

The CRTC’s summary of the undertaking indicates that Porter sent commercial electronic messages:

  • without an unsubscribe mechanism or with an unsubscribe mechanism that was not set out “clearly and prominently”, as required by the Electronic Commerce Protection Regulations (CRTC) (the Regulations).  In this regard, the CRTC noted that some of the messages contained two unsubscribe links, only one of which was functional.  In the CRTC’s view, the unsubscribe mechanism was not clearly set out, as it was not apparent which mechanism was functional
  • without complete identification information required by the Regulations
  • without proof of consent to send commercial electronic messages to some of the recipients
  • to at least one recipient who had previously indicated they wanted to unsubscribe.  The CRTC found that the unsubscribe request was not given effect within 10 business days, as required by the Act

The alleged violations occurred over the period commencing 1 July 2014, the date on which the core anti-spam provisions of the Act came into force, and ending 16 April 2015.

In addition to agreeing to the monetary payment, Porter has also agreed to revise its anti-spam compliance program, and has apparently already made changes to bring its electronic mailing list into compliance.

The undertaking confirms that the Commission is continuing to take enforcement action for messages sent commencing back to the first days that the new law came into force.  It also serves as a cautionary tale to electronic marketers to ensure that any commercial electronic messages sent have working unsubscribe mechanisms, and that there is no possible confusion to recipients as to the availability of these mechanisms or the manner in which they can be exercised.  Finally, the undertaking stresses the importance of meeting the sender identification requirements set out in the Regulations, which – somewhat paradoxically for electronic communications – require displaying a postal mailing address, along with a web address, email address or telephone number.

First blood: CRTC imposes $1.1 million fine in first ever finding under anti-spam law

David Elder -

Eight months after Canada’s Anti-Spam Law (CASL) came into force, the Canadian Radio-television and Telecommunications Commission (CRTC) has made public its first ever finding of non-compliance with the Act, issuing an administrative monetary penalty of $1.1 million against Compu-Finder, a firm that provides training and consulting services.

Surprisingly, this much anticipated enforcement action was not against a firm targeting consumers, as many had suspected, but rather was directed at a firm sending email messages to businesses to promote various training courses related to topics such as management, social media and professional development.   It is believed by many that the overwhelming majority of the more than 250,000 complaints received by the CRTC since the law came into force have been from consumers.  In the case at hand, the CRTC indicated that over one quarter of all complaints about the training industry sector received by the Spam Reporting Centre related to Compu-Finder, although it is not known how many complaints were received.

Following an investigation, the CRTC’s Chief Compliance and Enforcement Officer found that Compu-Finder sent commercial electronic messages without the recipient’s consent, as required by law, as well as sending commercial electronic messages in which the required unsubscribe mechanisms did not function properly.   

The CRTC’s media release also indicates that the messages in question were sent to electronic addresses the company found by scouring websites.  To the extent that these addresses were collected by a computer system, such collection and use may also be contrary to the Personal Information Protection and Electronic Documents Act, pursuant to consequential amendments to that law that were made by CASL, meaning that the company’s behaviour could also be the subject of complaints to the Privacy Commissioner of Canada.

While well below the maximum $10 million per violation that the CRTC may impose, the size of the penalty is considerably higher than the vast majority of penalties the CRTC has issued under the Unsolicited Telecommunications Rules, which apply to unsolicited voice and fax communications, and which carry maximum penalties of only $15,000 per violation

The penalty imposed against Compu-Finder is also notable for two other reasons: first, because it apparently relates to just four violations.  Even if each of these violations were to involve individual training offers sent to thousands of recipients, the decision suggests a somewhat aggressive approach to determining appropriate penalty amounts.  Second, each of these violations occurred between July 2, 2014 (the day after the Act came into force) and September 16, 2014, suggesting that, contrary to the expectations of some, it would appear that the CRTC is showing little leniency in the early days after the law came into force.

The CRTC has indicated that a number of other investigations under CASL are currently underway, but no other Notices of Violation have been made public to date.  The Commission has also noted that it is working with its international partners with respect to enforcement of the Act, suggesting that non-Canadian senders of electronic messages may also be the subject of future enforcement action.

Tags: ,

CRTC clarifies that anti-spam law won't apply to self-installation of computer programs - most of the time

David Elder -

CRTC staff has issued important guidance on its interpretation of section 8 of Canada’s Anti-Spam Legislation (CASL), noting that the law would not apply to most installations initiated by users, including the downloading of mobile apps from popular digital distribution platforms like The App Store, Google Play and BlackBerry World.

While much attention has been paid to the core anti-spam provisions of CASL, which came into force on July 1, less attention has been paid to date with respect to section 8, which governs the installation of computer programs in the course of commercial activity.  However, as the January 1, 2015 coming into force date nears for that provision, many businesses have been struggling to understand their legal obligations and take the necessary steps to comply.

Section 8 of CASL generally provides that a person must not install or cause to be installed a computer program on another person’s computer system without prior express consent.  Both the terms “computer program” and “computer system” are very broadly defined, and would include a wide range of programs and devices.

Given that it has become commonplace for businesses to develop and distribute mobile apps as promotional tools, often free of charge, the computer installation provisions of CASL have been attracting attention from companies well beyond the software industry. 

Accordingly, it will be welcome news to many that the CRTC has indicated that in most cases, self-installed software is not subject to the requirements of CASL, including software installed from a disc or downloaded from a website or mobile app store.  However, business should be aware that even in self-install scenarios, they may still have obligations under the anti-spam law.

In this regard, application developers and distributors may still be subject to CASL as having “caused to be installed” programs on another person’s system.  The Commission’s guidance indicates that it will view businesses as having caused programs to be installed where the installation includes unexpected programs or functionality.  Where a person causes a program to be installed on another’s system, prior express consent must be obtained, in the required form, and certain disclosures must be made, depending on the nature of the programs/features.  In some cases, businesses causing a program to be installed must also ensure that the installing party is provided with an electronic address at which they can request to remove or disable the program, and in must also provide no-cost assistance to the installing party to remove or disable the program.

While these provisions appear to be targeted at spyware and malware, they will have broader application to more legitimate programs and functions.  Unexpected programs could include “tag-along” installations of programs such as browsers, toolbars and anti-virus software that are tied to the installation of a primary program.  Unexpected functionality could include the collection or personal information from a device (even if only to identify the user), the modification of user settings or causing the program to communicate with another computer system, such as where programs report system errors and crashes to the software developer.

The CRTC has indicated that the reasonable expectations of users will be the key to a determination of what programs and features might be “unexpected”, based on a review of all relevant circumstances, including the nature of the program being installed and the nature and extent of the disclosures made by the relevant developer or distributor.

Businesses could also continue to face CASL obligations respecting automatic updates or upgrades to self-installed programs.  The law would not apply to scenarios where a user is notified that an update is available, then takes an active step to install the update (which would be considered to be a self-install), but rather to updates/upgrades that are installed automatically, without user prompting or action.  Auto-updates are generally prohibited without consent, but the law explicitly provides that consent may be collected in advance to future updates.  Accordingly, businesses may want to consider building such terms (and express consents) into the download/installation process for programs, in order to pave the way for future upgrades/updates.

Canada's Anti-Spam Law: Will Your Business Be Ready?

On February 13th, the Communications Group hosted a breakfast seminar in the Toronto office entitled “Canada’s Anti-Spam Law: Will Your Business Be Ready?”.  David Elder briefed those in attendance on key requirements of Canada’s Anti-Spam Law (CASL), the electronic messaging requirements of which will come into effect on July 1, 2014. Among those requirements, David spoke of the obligation to obtain prior consent in the delivery of commercial electronic messages (CEMs) and the prescribed form requirements for those messages, outlined a number of the key exemptions that may be available to some senders, and reviewed the timeline for implementation of various aspects of the new law.  David also reviewed some of the particular challenges that organizations are facing in implementing the new law and discussed the work that organizations must do to be able to continue to send marketing messages to established contact lists.   

A video of the seminar is available below.  At the seminar, a summary card of the main features of the anti-spam law was provided to attendees.  Additionally, please click here to receive the presentation slides, speaker profile, and other resources from the seminar.

)

Canada finalizes anti-spam regulations; new anti-spam rules in effect July 2014

David Elder -

The Canadian government has finalized long-awaited regulations made under Canada’s Anti-Spam Law (CASL), announcing at the same time that the core of the new anti-spam regime will come into force on Canada Day, July 1, 2014, while other provisions will come into force the following year, and some will not be effective until 2017.

While the final regulations do include a number of last-minute revisions that respond to concerns raised by Canadian businesses, the new regime promises to have a significant negative impact on many businesses that have come to rely on electronic marketing. 

CASL in a nutshell

In essence, CASL contains three core prohibitions, each of which is subject to a limited number of specific and narrow exemptions.

On the electronic messaging front, CASL generally requires prior express consent to send a commercial electronic message, and further imposes certain form requirements with respect to those messages, including providing in the message information identifying the sender and a mechanism to opt-out from the receipt of future messages.

Similarly, the law also generally prohibits the installation of a computer program on a user’s system or device without express consent, also imposing certain notice requirements in connection with the collection of that consent.

Finally, CASL also requires explicit consent for the alteration of transmission data in an electronic message or the rerouting of a message to a destination different than that specified by the sender.

A tale of two regulations

Further details of the requirements of the new anti-spam regime are also set out in two sets of regulations.

The first companion set of regulations, the Electronic Commerce Protection Regulations (CRTC) were finalized last year by the CRTC.  They generally contain detailed requirements respecting the form of messages and requests for consent.

The second set of regulations, the long-awaited Electronic Commerce Protection Regulations, were registered by the Government on 4 December 2013.  This publication is a final version of draft regulations that were originally proposed in July 2011, then substantially revised in January 2012. 

Earlier versions of the Regulations attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain business and behaviours that should not be caught by the legislation and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging.

Phasing in the law

As noted, the core anti-spam provision will become effective on Canada Day, 2014.  The July in-force date means that businesses will have only half as long as had been expected to get ready for the new law.  Earlier statements from the Government had suggested there would be a grace period of approximately one year before the law would come into force.

Businesses will, however, have more lead time to come into compliance with those aspects of the new law governing the installation of computer programs, as these will come into force on January 15, 2015.

The Government has also delayed until July 1, 2017 the coming into force of a controversial new private right of action for non-compliance with CASL.  The Government has stated that his delayed effective date, a full three years after the core anti-spam provision comes into force, is intended to reduce uncertainty for business about how the new law will be interpreted.

What’s new in the regulations

Some hoping for significant new exemptions will be disappointed, as the final Regulations make only a few changes to the revised version published in January 2012; however, others, including registered charities, are likely to be pleased with the new regulations.  We summarized the main features of the January version of the regulations in an earlier post.

In addition to a number of clarifying wording changes, the final regulations add the following new exemptions from the general requirement to obtain prior consent and provide an opt-out mechanism:

  • Electronic messaging service – the Regulations exempt messages sent and received on “an electronic messaging service” if the identification information and unsubscribe mechanism that would otherwise be required in the message itself are conspicuously displayed on the user interface, and the recipient consents to the receipt, including by implication.  This exemption would appear to be directed at social media platforms and similar services.
  • Limited access accounts – also exempted are commercial electronic messages sent on limited access proprietary accounts by the account owner to the recipient.  This exemption appears to be targeted at banking websites and similar systems.
  • Foreign recipients – senders are exempt from Canadian anti-spam requirements where the message is sent to certain foreign states (listed in a schedule to the regulations) with their own anti-spam laws, provided the message conforms to the local law in question.  This is a significant shift from the earlier version of the Regulations, which required compliance with the Canadian law regardless of the jurisdiction in which a message was received.
  • Charities – the new Regulations include a new, broad exemption for commercial electronic messages sent by or on behalf of registered charities for fundraising purposes, regardless of whether the recipient previously donated to the charity.
  • Political parties and organizations – a similar new exemption exists for political parties, organizations and candidates for public office, with respect to commercial electronic messages sent soliciting political contributions

In addition, the “referral” exemption contained in the January 2013 version of the Regulations, which originally applied only to individuals, now provides that any “person” (including corporations) are permitted to send one commercial electronic message without consent, based on a referral by another individual with whom the sender has an existing business relationship.

What’s not in the Regulations

Among the more significant unaddressed concerns raised by the business community are:

  • Prior consents – many stakeholders wanted the Government to treat as valid any consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act. Since the regulations were not amended to respond to this concern, many businesses who have collected implied consents that were valid under privacy laws will have to re-approach potential message recipients to secure explicit consent.
  • Manufacturers - manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) had sought the ability to send commercial electronic messages to those end users without explicit consent in certain circumstances. While exemptions exist with respect to sending warranty and recall information, manufacturers will otherwise have to obtain explicit consent.
  • Existing business relationships – some had sought to expand the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption

Time to start work

CASL and its companion Regulations and guidelines comprise a complex package of detailed requirements and exceptions.  In light of the short timeline before the anti-spam portions of the law are to come into force, Canadian businesses would do well to start work immediately to implement the changes to their electronic marketing practices that will be required to comply with the new regime.

Many business concerns remain following revisions to anti-spam regulations

David Elder -

Much-anticipated revisions to the originally proposed Electronic Commerce Protection Regulations provide some useful clarifications and additional exemptions with respect to Canada’s Anti-Spam Law (CASL), but many concerns remain with respect to the potential over-reach of the not-yet-in-force law and the unnecessary and burdensome financial and administrative obligations that it may impose on legitimate business activity.

In fact, while the revised Regulations do respond to some of the concerns raised with respect to the previously proposed regulations – and indeed, the Act as a whole - the new Regulations may be more notable for what they don’t include than for what they do cover. 

In this regard, many of the issues raised and exemptions requested by the business community following the pre-publication of the original proposed Regulations have not been accommodated, including:

  • Accepting as valid under CASL consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.  In the explanatory remarks accompanying the proposed Regulations, the Government explicitly indicates that CASL is intended to create a higher threshold for consent for the receipt of commercial electronic messages.
     
  • Allowing Canadian businesses to send, on behalf of foreign organizations, commercial electronic messages to recipients outside of Canada.  Concerned with the potential for abuse by spammers, the Government rejected submissions that the lack of an exemption for such activity would put Canadian outsourcing and cloud computing firms at a significant disadvantage with respect to their foreign counterparts.
     
  • Allowing manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) to send commercial electronic messages to those end users.  The Government rejected an exemption for manufacturers as too broad, but as noted below, has created new exemptions with respect to sending warranty and recall information.
     
  • Reducing the complexity of the requirements for the collection and withdrawal of consent for the receipt of commercial electronic messages sent by as-yet-unknown third parties.  The Regulations continue to require organizations collecting such consents on behalf of such third party organizations to engage in detailed tracking of such consents and take responsibility for the actions of such third parties.
     
  • Expanding the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption.

Nevertheless, the revised regulations do provide some clarification of key legislative terms, as well as new exemptions for business activities that were not intended to be within the scope of CASL.  Moreover, the Government has indicated that Industry Canada and the CRTC are exploring the use of interpretational guidelines and other guidance material to provide clarity where appropriate.

Virtual Friends

One such clarification is that the revised Regulations amend the previous definition of “personal relationship” so as to correct what many argued was an unduly narrow exemption from the anti-spam requirements for commercial electronic messages sent between individuals.

CASL provides that its core anti-spam provision does not apply to commercial electronic messages that are sent by an individual to another individual with whom they have a “personal or family relationship.”  However, in the original regulations proposed by Industry Canada, the term “personal relationship” was defined so as to recognize only those relationships where the individuals concerned had actually met face-to-face within the previous 2 years.

The revised Regulations exempt commercial electronic messages sent between individuals who have had direct, voluntary two-way communications, in circumstances where it would be reasonable to conclude that the relationship is personal.  In reaching such a conclusion, all relevant factors are to be considered, including the nature and frequency of such communications, the length of time over which the parties have communicated and whether the parties have met in person.  The two-year limitation period has been removed.  Recipients of exempted “personal relationship” messages may opt-out of receipt of such messages, in which case the exemption no longer applies.

The exemption may be most relevant for businesses where they may facilitate or encourage customers to send commercial electronic messages to their personal networks, such as through “forward to a friend” features.

B2B Exemptions

One of the chief criticisms of the earlier regulations, and of CASL as a whole, has been that the since the definition of “commercial electronic message” is so broad, the Act could impose unnecessary consent and disclosure requirements on regular business communications that should not be within the scope of the law.

In response, the revised Regulations introduce new exemptions for commercial electronic messages sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by employees, representatives, contractors or franchisee and the message concerns the organization or the individual recipient’s role, functions or duties within or on behalf of the organization.

Messages in Response

Again, due to the broad definition of “commercial electronic message”, concerns were raised that businesses responding to inquiries could be caught by the anti-spam law.  While CASL includes an exemption for individuals contacting an organization to inquire about its business, there was no corresponding exemption with respect to the organization’s response.

Accordingly, the revised regulations include a new exemption for commercial electronic messages that are sent in response to a request, inquiry or complaint, or that is otherwise solicited by the recipient.

Incidentally in Canada

One of the key concerns of many foreign companies was that CASL applies to commercial electronic messages that are either sent from or accessed through a computer system located in Canada.  Accordingly, concerns arose about the potential application of the law to commercial electronic messages sent from outside Canada, to recipients who are ordinarily resident outside Canada, but who may access such messages during visits to Canada.

A new provision in the revised Regulations appears to largely satisfy this concern, by exempting such messages, provided that they relate to a product, good, service or organization located or provided outside Canada, and that the sender did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada.  However, uncertainties still remain, for example with respect to the treatment of a non-Canadian sender who also makes the product or service in question available through a Canadian subsidiary or affiliate.

Non-Transactional Business Communications

The revised Regulations also include a new provision exempting commercial electronic messages sent for purposes relating to the satisfaction, notification or enforcement of legal or juridical rights and obligations, such as sending warranty or recall information, electronic bank statements, notices of copyright infringement, etc..  Again, such an explicit exemption was considered necessary by some in view of the broad definition of commercial electronic message found in the Act.

Referral Messages

The revised Regulations contain a new exemption for commercial electronic messages sent based on a referral by one or more individuals, where such individuals have an existing business or non-business relationship or a personal or family relationship with the sender and the recipient.  The exemption applies only to the first commercial electronic message sent to contact the recipient, and the message must disclose the full name of the referring individual or individuals.  Several stakeholders had previously expressed concern that without such an exemption, they could not directly act upon referrals from friends, family and clients without first obtaining consent.

Telecom Service Provider Software

Finally, the revised regulations add two types of telecom service provider (TSP) software to the list of specified computer programs (such as HTML code, Java scripts, cookies, etc.), for which express consent is assumed if the individual’s conduct leads to a reasonable belief that they consent to such an installation.  The new exemptions relate to TSP programs to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks.

Next Steps

While passed into law in December 2010, CASL has yet to be proclaimed in force, in part because the Government was awaiting the finalization of two sets of regulations: one to be made by Industry Canada, and one to be made by the CRTC.  The Electronic Commerce Protection Regulations (CRTC) were finalized last year, and the CRTC has issued two interpretation bulletins to provide guidance as to how it intends to apply those Regulations.

The proposed revisions to the remaining Electronic Commerce Protection Regulations were officially published for comment on January 5th, 2013, starting CASL on the final leg of its long journey to coming into force.  Following a 30 day comment period, it is expected that the Regulations will be finalized, and a date will be announced for the coming into force of the new anti-spam regime.

CRTC guidance on check-boxes for e-marketing likely to tick off business community

David Elder -

Although the date on which Canada’s Anti-Spam Legislation (CASL) may come into force is uncertain, the CRTC has issued two bulletins that provide guidance as to how to comply with the new law, once proclaimed in force.

But while some of the new guidance is helpful, other provisions will likely create significant operational concerns for businesses.

The Commission is the body charged with oversight and enforcement of most provisions of the new law, including the core provisions respecting commercial electronic messages (CEMs), alteration of transmission data and the installation of computer programs.  In addition, the CRTC has the power to make regulations under the Act with respect to certain matters.

As we noted previously, the CRTC registered its Electronic Commerce Protection Regulations (CRTC) in March of 2012, providing additional clarification of these new regulations in a subsequent Regulatory Policy.

The first of the new Compliance and Enforcement Bulletins provides further, and in some cases helpful, guidance on the interpretation of these Regulations, such as providing details on acceptable unsubscribe mechanisms for each of email and SMS messages, including visual mock-ups of acceptable approaches.

However, the Bulletin also indicates that the Commission considers that, where included in general terms and conditions of use or sale of a product or service, requests to send commercial electronic messages, alter transmission data or download computer programs must be obtained through separate positive affirmations of the user, such as the proactive checking of a tick-box to signify consent to each of these actions, in addition to the acceptance of other contractual terms or an organization’s privacy policy. 

Most problematically, in a second Compliance and Enforcement Bulletin, the CRTC seems to be ruling out default settings that favour consent, even where the user can uncheck a box to exercise their choice (a process that the Commission refers to as “toggling”) and where the user does provide a positive affirmation to a set of terms or an agreement.  The following example, included in the Bulletin, shows that even where the pre-checked box and related consent is featured prominently, and is adjacent to a button that the user must pressed to signify agreement to a contract, the CRTC will not consider this to be valid consent to the receipt of CEMs under the anti-spam law.

Another area of likely concern for businesses relates to CRTC guidelines respecting the collection of oral consent, a form of consent which is explicitly authorized by the Electronic Commerce Protection Regulations (CRTC).  The Bulletin suggests that in order to be able to discharge the onus of proving that it obtained oral consent, a business would have to have that consent verified by an independent third party or retain a complete and unedited audio recording of the consent.

We would note that, while these methods may work where consent is collected by telephone, through a call centre, they would create significant operational problems where consent is collected during a face-to-face interaction, such as might commonly occur at point of sale.

While the Bulletins do not have the force of law, they do provide a clear indication of how the CRTC will interpret the law and regulations that is charged to enforce.

CRTC clarifies anti-spam regulations: consent can include electronic forms

David Elder -

Following the registration, three weeks ago, of its new anti-spam regulations, the CRTC has issued a regulatory policy explaining the changes made to the draft regulations that it had originally proposed, as well as providing some guidance as to how some of the requirements will be interpreted.

In Telecom Regulatory Policy CRTC 2012-183, issued to coincide with the publication of the Electronic Commerce Protection Regulations (CRTC) in the Canada Gazette, the Commission notes that many of the changes to the originally proposed version of the Regulations were made in response to public comments, and in most cases were amendments intended to be less prescriptive and more technology neutral.

In an earlier post, we had summarized the main changes in the final regulations. Helpfully, the new Regulatory Policy appears to clarify several uncertainties that had been raised by these changes.

Perhaps most significantly, the Commission explicitly indicates in the Regulatory Policy that consent obtained “in writing” includes electronic forms of consent, putting to rest one of the more significant concerns of companies operating over the internet. In other contexts, the Commission has accepted electronic forms of consent where a user signifies agreement through some positive action, such as clicking on an “I agree” box.

Although in their final form, the Regulations are not yet in force. They will come into force on the day on which the core sections of Canada’s Anti-Spam Law come into force, which is expected to occur later this year.

CRTC tweaks anti-spam regulations

David Elder -

Final regulations made by the CRTC under Canada’s Anti-Spam Law (CASL) include a number of revisions that respond to concerns raised by Canadian businesses; but while some additional flexibility has been provided, the Commission appears to have left a number of other concerns unanswered.

On 7 March 2012, the CRTC registered its Electronic Commerce Protection Regulations (CRTC), a final version of draft regulations that were originally proposed in June 2011.  Those regulations, and the related Electronic Commerce Protection Regulations that were proposed by Industry Canada, attracted significant criticism from the business community, which expressed concern that the regulations omitted some important clarifications of the requirements of the law, failed to provide exemptions for certain business and behaviours that should not be caught by the legislation and imposed unworkable and unnecessary requirements that may have had a disproportionate impact on technologies such as text messaging. 

Those hoping for significant additions to the CRTC Regulations will be disappointed, as the revised Regulations remain in the same form, and appear intended to accomplish the same end, as the earlier version: namely clarifying the sender identity and contact information that must be included in commercial electronic messages and requests for consent to send such messages.  However, to be fair to the CRTC, this narrow focus is consistent with the scope of the regulation-making power provided to the Commission under CASL.

The final Regulations include the following changes from those originally proposed:

  • Clarification that persons sending a message, or persons on whose behalf a message is sent, must identify themselves by the name by which they carry on business.
  • Greater choice with respect to the contact information to be provided.  Senders, and those seeking consent to send messages, may now provide either a telephone number providing access to an agent or a voice messaging system, an email address or a web address.  The original proposal seemed to require the provision of all of these, as well as a physical address.
  • Revised requirements that web-based information be “readily accessible” and that the required unsubscribe mechanism must “be able to be readily performed.” The original proposed Regulations specified these requirements with reference to a maximum number of “clicks.”
  • The revised Regulations now indicate that consent for the receipt of a commercial electronic message may be obtained orally, as well as in writing, as the original proposed regulations provided; however, the Regulations do not provide certainty as to whether electronic forms of consent will be considered to be “in writing,” which was the chief concern of many stakeholders with this requirement. See our earlier post for a discussion of this issue.
  • The Regulations still require that when seeking consent, requestors must include a statement indicating that consent can be withdrawn, but no longer requires the requestor to specify through which avenues such a withdrawal of consent could be made.

The publishing of the CRTC Regulations puts the country one step closer to CASL being proclaimed in force.  The other shoes to drop include finalization of the Industry Canada Regulations (a revised version of which is expected to be published in the near future) and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

Government launches Anti-Spam website, but where's the beef?

David Elder -

As the expected proclamation in force of Canada’s Anti-Spam Legislation nears, the Government recently announced the launch of a new “Fight Spam” website; however, the site currently provides only a high-level overview of the new law, rather than a detailed compliance guide for businesses.

Likely, there will continue to be some uncertainty with respect to the practical application of the new law to specific business scenarios, until the CRTC, the Competition Bureau and the Office of the Privacy Commissioner have had an opportunity to actually apply the law, hopefully providing some guidance to the business community through the ongoing publication of decision summaries or guidelines.

The new website appears to be intended to offer plain-language guidance to consumers and businesses with respect to the general requirements of the new law, offering overviews of the main provisions of the statute and the bodies charged with its enforcement.  The site also includes a series of Frequently Asked Questions, advice as to how individuals and businesses can protect themselves against spam and other electronic threats and links to other resources, such as tips from the Office of Consumer Affairs on how users can recognize and protect themselves against phishing and spyware.

A placeholder link is provided to the yet-to-be created Spam Reporting Centre, a clearing house intended to identify and analyze trends in spam and other threats to electronic commerce, as well as identifying spammers and their locations and assisting in future prosecutions and civil proceedings against those who violate Canadian and international anti-spam laws.  It is expected that the government will soon be issuing a Request for Proposals with respect to the operation of the Spam Reporting Centre.

Interestingly, in the government’s announcement for the website, it indicated, for the first time, that the Act will likely come into force “early in 2012.”  Previously, it had been suggested that the statute would come into force in the fall of 2011.

Two sets of draft regulations associated with the Anti-Spam are open for comment.  Comments on the regulations proposed by the Governor in council are due by September 7, 2011; comments on the regulations proposed by the CRTC are due by August 29, 2011.


UPDATE: On 15 August 2011, the CRTC extended the deadline for submission of comments on the Commission's draft Electronic Commerce Protection Regulations (CRTC) to 7 September 2011, to coincide with the deadline for comments respecting the related draft regulations proposed by the Governor in Council.

What won't be under the tree this year: spam

David Elder

The Canadian government’s anti-spam bill, Bill C-28, moved quickly through Parliament this fall, receiving Royal Assent on December 15th, just before Parliament rose for its holiday season break.  Though not yet available at press time, the final version of the bill will be available soon at the Parliamentary Website. Industry Canada indicated, in an eMail message to interested parties, that it anticipates that the new law will come into force in six to eight months.

The additional time will allow both industry and regulators to gear up for the new regime (The CRTC, the Privacy Commissioner and the Competition Bureau are all slated to receive additional budget and personnel to administer their sections of the legislation), as well as providing the government with time to consult with the public and interested stakeholders on proposed new regulations, including the launch of a planned website dedicated to the legislation, to be known as the Fighting Internet and Wireless Spam Act (FISA). This week, at the very brief Senate Transportation and Communications Committee meeting convened to consider the bill, government officials indicated that they were planning a 60-day consultation period on the new regs, which have yet to be made public.

As we have detailed in previous blogposts, with some exceptions, the new law would generally prohibit the sending of commercial electronic messages without consent,  as well as making significant consequential amendments to other federal legislation, including Canada’s Competition Act, Telecommunications Act; and Personal Information Protection and Electronic Documents Act (PIPEDA). The law also contains provisions, intended to prevent the spread of spyware and malware, which prohibit the installation of a computer program without consent, as well as prohibitions on the indiscriminate harvesting of addresses to create distribution lists for spam.

Violations of FISA will carry significant Administrative Monetary Penalties of up to $ 1 Million for individuals and up to $ 10 Million for corporations. The law also creates a private right of action for actual damages, as well as statutory penalties of between $200 and $1 Million per contravention.

Canada introduces anti-spam legislation

On April 24, 2009, the Canadian government introduced Bill C-27, which would establish the Electronic Commerce Protection Act (ECPA) and make significant consequential amendments to other federal legislation, including Canada's Competition Act, Telecommunications Act and Personal Information Protection and Electronic Documents Act (PIPEDA).

The primary purpose of Bill C-27, which incorporates a number of the legislative recommendations made in 2005 by the government-mandated "Task Force on Spam", is to cut down on spam (unsolicited junk e-mail). However, the proposed ECPA aims to regulate not only spam, but also counterfeit websites and spyware, among other issues. In the broadest sense, therefore, the legislation is intended to bolster consumer confidence in online commerce.

Canada is currently the only G8 country and one of only four OECD (Organisation for Economic Co operation and Development) countries without specific spam legislation. The Cisco 2008 Annual Security Report estimated that messages sent from Canada accounted for 4.7% of the world's spam.  That percentage landed Canada in fourth place on the list of countries with the most originating spam, behind only the U.S., Turkey and Russia.  The government has characterized Bill C-27 as a necessary step in fulfilling an international duty to join global partners in passing laws to combat spam and related cyber threats.

Having passed both First Reading and Second Reading in the House of Commons, Bill C-27 has been referred to the Standing Committee on Industry, Science and Technology for review. While almost everyone can agree that spam is a nuisance, concerns have been raised about the proposed legislation, as drafted. Thus, while initial predictions were that Standing Committee review would be completed before Parliament's summer recess, more recent estimates see the review continuing after Parliament returns in the fall, in order to ensure that the resulting legislative changes do not negatively affect legitimate business.

Main prohibitions

The anti-spam provisions would prohibit sending (or causing or permitting to be sent) a commercial "electronic message" (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. As currently drafted, implied consent would be limited to situations in which there is an existing business or non-business relationship between the sender and recipient (although there is a provision that would permit future regulations to better define implied consent.)  Both "existing business relationship" and "existing non-business relationship" are defined fairly narrowly, and would be restricted to situations in which the relevant parties had participated in a relevant transaction in the last eighteen months.  Another aspect of the ECPA that appears to pose some practical difficulties is that it would prohibit the sending by email of any request for express consent to communications by email.

The ECPA also dictates some aspects of the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow or a specified electronic address to which the unsubscribe indication can be sent. Unsubscribe requests must be given effect within 10 days.

The ECPA includes provisions directed to privacy and personal security concerns that are associated with counterfeit websites.  Section 7 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from altering or causing to be altered the transmission data in an electronic message "so that the message is delivered to a destination other than, or in addition to, that specified by the sender."  This provision appears to be directed at one aspect of "phishing".  Phishing, which is often undertaken in conjunction with a spoofed email, is the act of sending an email falsely claiming to be a legitimate business and directing the recipient to a specified counterfeit website, in an attempt to obtain sensitive information such as passwords, credit card numbers, and bank account information.

Section 8 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from installing a computer program on another person's computer system without express consent.  After a presumably authorized installation, it would also prohibit a person, in the course of a commercial activity, from causing an electronic message to be sent from that computer system, without express consent.  The government's stated intent for the legislation is to prevent the collection of personal information through illicit access to computer systems (spyware), but as currently drafted, these provisions apply to all computer programs, and not just those with a harmful effect.
Requests for express consent must clearly and simply set out the purpose for which the consent is being sought, and identify the entity seeking consent.  Moreover, consent in respect of the installation of a computer program must clearly and simply describe the function, purpose and impact of every computer program that would be installed if consent is given. There is some disagreement between the federal government and industry as to whether the drafting of the latter requirement could be considered to prevent current commercial practices that see some legitimate programs (such as anti-virus and anti-spyware programs) utilizing automatic updates to the software.

Administrative monetary penalties

The ECPA would subject any individual who violates any of the foregoing prohibitions to liability under an administrative monetary penalty ("AMP") of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, agents of a corporation that violates the prohibitions could also be held liable for such actions if they directed, authorized or participated in the commission of the violation. At the same time, a defence of exercising due diligence to prevent the violation is available, although there is no indication of the types of action that would constitute due diligence.

The process for imposing liability under the AMP is a fairly expedited administrative process. A notice of violation (which must include details of he alleged violation and the amount of the AMP) will be issued and served upon an offender if the CRTC believes that there are reasonable grounds on which to believe that a person has committed a violation under the ECPA. The person served with the notice of violation then has 30 days to make representations to the CRTC regarding the allegations or the amount of AMP, failing which that person will be deemed to have committed the violation. If representations are made, the CRTC will evaluate them on the civil balance of probabilities standard, and may then impose the penalty set out in the notice of violation or reduce or waive the penalty. Appeal of decisions of the CRTC in respect of notices of violation can be made to the Federal Court of Appeal. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

Private right of action

One of the most controversial provisions of the ECPA is that it would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing and anti-spyware provisions of the ECPA. Such persons may apply for an order for compensation for actual loss or damages suffered or expenses incurred, as well as a maximum of $200 for each contravention of the breached provisions (with a limit of $1 million for each day on which a contravention occurred). Again, officers, directors or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act that would be brought into effect by Bill C-27 (discussed in the next section).

Changes to PIPEDA, the Competition Act and the Telecommunications Act

Bill C-27 would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual's electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.

Bill C-27 also proposes numerous amendments to the Competition Act, including the addition a new section 52.01, which broadens the criminal "false or misleading representation" provisions of the Competition Act by prohibiting activities such as knowingly or recklessly sending, for business promotion purposes (i) a false or misleading representation in the sender or subject matter information of an electronic message or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Bill C-27 would also amend the Telecommunications Act to permit the government to either maintain the current "Do Not Call" list in such a way that it would not overlap with the ECPA regime, or to have the responsibility for regulating telemarketing fall under the ECPA entirely.

Other anti-spam bills

Bill C-27 is not the only bill with anti-spam implications currently moving through Parliament. Bill C-355, a private member's bill which aims to amend the Criminal Code to make cyberbullying an offence, proposes as part of that effort to make it an offence to make repeated telephone calls or to send repeated electronic messages to any person with intent to harass.

Bill S-220 also purports to be anti-spam legislation, introducing an offence for sending an unauthorized commercial electronic message, as well as a right of civil action for those adversely affected. Unlike Bill C-27, however, it does not propose to amend other statutes. Having been introduced in the Senate, Bill S-220 would also need to pass through the House of Commons before it could be enacted, which seems unlikely given the status of Bill C-27.