Canadian Technology & IP Law : Canadian Technology Lawyers & Attorneys : Stikeman Elliott Law Firm : IP Law in Toronto, Montreal, Calgary, Ottawa & Vancouver

In this regard, many of the issues raised and exemptions requested by the business community following the pre-publication of the original proposed Regulations have not been accommodated, including:

• Accepting as valid under CASL consents to the receipt of commercial electronic messages that are obtained in compliance with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act.  In the explanatory remarks accompanying the proposed Regulations, the Government explicitly indicates that CASL is intended to create a higher threshold for consent for the receipt of commercial electronic messages.
   
• Allowing Canadian businesses to send, on behalf of foreign organizations, commercial electronic messages to recipients outside of Canada.  Concerned with the potential for abuse by spammers, the Government rejected submissions that the lack of an exemption for such activity would put Canadian outsourcing and cloud computing firms at a significant disadvantage with respect to their foreign counterparts.
   
• Allowing manufacturers without a direct relationship with end users of their products (such as where the products are purchased from a retailer) to send commercial electronic messages to those end users.  The Government rejected an exemption for manufacturers as too broad, but as noted below, has created new exemptions with respect to sending warranty and recall information.
   
• Reducing the complexity of the requirements for the collection and withdrawal of consent for the receipt of commercial electronic messages sent by as-yet-unknown third parties.  The Regulations continue to require organizations collecting such consents on behalf of such third party organizations to engage in detailed tracking of such consents and take responsibility for the actions of such third parties.
   
• Expanding the “existing business relationship” exemption to include legitimate commercial electronic messages sent in the context of additional ongoing business relationships, which do not clearly fall within the narrow definition of the current exemption.

Nevertheless, the revised regulations do provide some clarification of key legislative terms, as well as new exemptions for business activities that were not intended to be within the scope of CASL.  Moreover, the Government has indicated that Industry Canada and the CRTC are exploring the use of interpretational guidelines and other guidance material to provide clarity where appropriate.

Virtual Friends

One such clarification is that the revised Regulations amend the previous definition of “personal relationship” so as to correct what many argued was an unduly narrow exemption from the anti-spam requirements for commercial electronic messages sent between individuals.

CASL provides that its core anti-spam provision does not apply to commercial electronic messages that are sent by an individual to another individual with whom they have a “personal or family relationship.”  However, in the original regulations proposed by Industry Canada, the term “personal relationship” was defined so as to recognize only those relationships where the individuals concerned had actually met face-to-face within the previous 2 years.

The revised Regulations exempt commercial electronic messages sent between individuals who have had direct, voluntary two-way communications, in circumstances where it would be reasonable to conclude that the relationship is personal.  In reaching such a conclusion, all relevant factors are to be considered, including the nature and frequency of such communications, the length of time over which the parties have communicated and whether the parties have met in person.  The two-year limitation period has been removed.  Recipients of exempted “personal relationship” messages may opt-out of receipt of such messages, in which case the exemption no longer applies.

The exemption may be most relevant for businesses where they may facilitate or encourage customers to send commercial electronic messages to their personal networks, such as through “forward to a friend” features.

B2B Exemptions

One of the chief criticisms of the earlier regulations, and of CASL as a whole, has been that the since the definition of “commercial electronic message” is so broad, the Act could impose unnecessary consent and disclosure requirements on regular business communications that should not be within the scope of the law.

In response, the revised Regulations introduce new exemptions for commercial electronic messages sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by employees, representatives, contractors or franchisee and the message concerns the organization or the individual recipient’s role, functions or duties within or on behalf of the organization.

Messages in Response

Again, due to the broad definition of “commercial electronic message”, concerns were raised that businesses responding to inquiries could be caught by the anti-spam law.  While CASL includes an exemption for individuals contacting an organization to inquire about its business, there was no corresponding exemption with respect to the organization’s response.

Accordingly, the revised regulations include a new exemption for commercial electronic messages that are sent in response to a request, inquiry or complaint, or that is otherwise solicited by the recipient.

Incidentally in Canada

One of the key concerns of many foreign companies was that CASL applies to commercial electronic messages that are either sent from or accessed through a computer system located in Canada.  Accordingly, concerns arose about the potential application of the law to commercial electronic messages sent from outside Canada, to recipients who are ordinarily resident outside Canada, but who may access such messages during visits to Canada.

A new provision in the revised Regulations appears to largely satisfy this concern, by exempting such messages, provided that they relate to a product, good, service or organization located or provided outside Canada, and that the sender did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada.  However, uncertainties still remain, for example with respect to the treatment of a non-Canadian sender who also makes the product or service in question available through a Canadian subsidiary or affiliate.

Non-Transactional Business Communications

The revised Regulations also include a new provision exempting commercial electronic messages sent for purposes relating to the satisfaction, notification or enforcement of legal or juridical rights and obligations, such as sending warranty or recall information, electronic bank statements, notices of copyright infringement, etc..  Again, such an explicit exemption was considered necessary by some in view of the broad definition of commercial electronic message found in the Act.

Referral Messages

The revised Regulations contain a new exemption for commercial electronic messages sent based on a referral by one or more individuals, where such individuals have an existing business or non-business relationship or a personal or family relationship with the sender and the recipient.  The exemption applies only to the first commercial electronic message sent to contact the recipient, and the message must disclose the full name of the referring individual or individuals.  Several stakeholders had previously expressed concern that without such an exemption, they could not directly act upon referrals from friends, family and clients without first obtaining consent.

Telecom Service Provider Software

Finally, the revised regulations add two types of telecom service provider (TSP) software to the list of specified computer programs (such as HTML code, Java scripts, cookies, etc.), for which express consent is assumed if the individual’s conduct leads to a reasonable belief that they consent to such an installation.  The new exemptions relate to TSP programs to prevent unauthorized or fraudulent use of a service or system, or to update or upgrade systems on their networks.

Next Steps

While passed into law in December 2010, CASL has yet to be proclaimed in force, in part because the Government was awaiting the finalization of two sets of regulations: one to be made by Industry Canada, and one to be made by the CRTC.  The Electronic Commerce Protection Regulations (CRTC) were finalized last year, and the CRTC has issued two interpretation bulletins to provide guidance as to how it intends to apply those Regulations.

The proposed revisions to the remaining Electronic Commerce Protection Regulations were officially published for comment on January 5^th, 2013, starting CASL on the final leg of its long journey to coming into force.  Following a 30 day comment period, it is expected that the Regulations will be finalized, and a date will be announced for the coming into force of the new anti-spam regime.

As we noted previously, the CRTC registered its Electronic Commerce Protection Regulations (CRTC) in March of 2012, providing additional clarification of these new regulations in a subsequent Regulatory Policy.

The first of the new Compliance and Enforcement Bulletins provides further, and in some cases helpful, guidance on the interpretation of these Regulations, such as providing details on acceptable unsubscribe mechanisms for each of email and SMS messages, including visual mock-ups of acceptable approaches.

However, the Bulletin also indicates that the Commission considers that, where included in general terms and conditions of use or sale of a product or service, requests to send commercial electronic messages, alter transmission data or download computer programs must be obtained through separate positive affirmations of the user, such as the proactive checking of a tick-box to signify consent to each of these actions, in addition to the acceptance of other contractual terms or an organization’s privacy policy. 

Most problematically, in a second Compliance and Enforcement Bulletin, the CRTC seems to be ruling out default settings that favour consent, even where the user can uncheck a box to exercise their choice (a process that the Commission refers to as “toggling”) and where the user does provide a positive affirmation to a set of terms or an agreement.  The following example, included in the Bulletin, shows that even where the pre-checked box and related consent is featured prominently, and is adjacent to a button that the user must pressed to signify agreement to a contract, the CRTC will not consider this to be valid consent to the receipt of CEMs under the anti-spam law.

Another area of likely concern for businesses relates to CRTC guidelines respecting the collection of oral consent, a form of consent which is explicitly authorized by the Electronic Commerce Protection Regulations (CRTC).  The Bulletin suggests that in order to be able to discharge the onus of proving that it obtained oral consent, a business would have to have that consent verified by an independent third party or retain a complete and unedited audio recording of the consent.

We would note that, while these methods may work where consent is collected by telephone, through a call centre, they would create significant operational problems where consent is collected during a face-to-face interaction, such as might commonly occur at point of sale.

While the Bulletins do not have the force of law, they do provide a clear indication of how the CRTC will interpret the law and regulations that is charged to enforce.

In an earlier post, we had summarized the main changes in the final regulations. Helpfully, the new Regulatory Policy appears to clarify several uncertainties that had been raised by these changes.

Perhaps most significantly, the Commission explicitly indicates in the Regulatory Policy that consent obtained “in writing” includes electronic forms of consent, putting to rest one of the more significant concerns of companies operating over the internet. In other contexts, the Commission has accepted electronic forms of consent where a user signifies agreement through some positive action, such as clicking on an “I agree” box.

Although in their final form, the Regulations are not yet in force. They will come into force on the day on which the core sections of Canada’s Anti-Spam Law come into force, which is expected to occur later this year.

Those hoping for significant additions to the CRTC Regulations will be disappointed, as the revised Regulations remain in the same form, and appear intended to accomplish the same end, as the earlier version: namely clarifying the sender identity and contact information that must be included in commercial electronic messages and requests for consent to send such messages.  However, to be fair to the CRTC, this narrow focus is consistent with the scope of the regulation-making power provided to the Commission under CASL.

The final Regulations include the following changes from those originally proposed:

• Clarification that persons sending a message, or persons on whose behalf a message is sent, must identify themselves by the name by which they carry on business.
• Greater choice with respect to the contact information to be provided.  Senders, and those seeking consent to send messages, may now provide either a telephone number providing access to an agent or a voice messaging system, an email address or a web address.  The original proposal seemed to require the provision of all of these, as well as a physical address.
• Revised requirements that web-based information be “readily accessible” and that the required unsubscribe mechanism must “be able to be readily performed.” The original proposed Regulations specified these requirements with reference to a maximum number of “clicks.”
• The revised Regulations now indicate that consent for the receipt of a commercial electronic message may be obtained orally, as well as in writing, as the original proposed regulations provided; however, the Regulations do not provide certainty as to whether electronic forms of consent will be considered to be “in writing,” which was the chief concern of many stakeholders with this requirement. See our earlier post for a discussion of this issue.
• The Regulations still require that when seeking consent, requestors must include a statement indicating that consent can be withdrawn, but no longer requires the requestor to specify through which avenues such a withdrawal of consent could be made.

The publishing of the CRTC Regulations puts the country one step closer to CASL being proclaimed in force.  The other shoes to drop include finalization of the Industry Canada Regulations (a revised version of which is expected to be published in the near future) and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

A placeholder link is provided to the yet-to-be created Spam Reporting Centre, a clearing house intended to identify and analyze trends in spam and other threats to electronic commerce, as well as identifying spammers and their locations and assisting in future prosecutions and civil proceedings against those who violate Canadian and international anti-spam laws.  It is expected that the government will soon be issuing a Request for Proposals with respect to the operation of the Spam Reporting Centre.

Interestingly, in the government’s announcement for the website, it indicated, for the first time, that the Act will likely come into force “early in 2012.”  Previously, it had been suggested that the statute would come into force in the fall of 2011.

Two sets of draft regulations associated with the Anti-Spam are open for comment.  Comments on the regulations proposed by the Governor in council are due by September 7, 2011; comments on the regulations proposed by the CRTC are due by August 29, 2011.

UPDATE: On 15 August 2011, the CRTC extended the deadline for submission of comments on the Commission's draft Electronic Commerce Protection Regulations (CRTC) to 7 September 2011, to coincide with the deadline for comments respecting the related draft regulations proposed by the Governor in Council.

The additional time will allow both industry and regulators to gear up for the new regime (The CRTC, the Privacy Commissioner and the Competition Bureau are all slated to receive additional budget and personnel to administer their sections of the legislation), as well as providing the government with time to consult with the public and interested stakeholders on proposed new regulations, including the launch of a planned website dedicated to the legislation, to be known as the Fighting Internet and Wireless Spam Act (FISA). This week, at the very brief Senate Transportation and Communications Committee meeting convened to consider the bill, government officials indicated that they were planning a 60-day consultation period on the new regs, which have yet to be made public.

As we have detailed in previous blogposts, with some exceptions, the new law would generally prohibit the sending of commercial electronic messages without consent,  as well as making significant consequential amendments to other federal legislation, including Canada’s Competition Act, Telecommunications Act; and Personal Information Protection and Electronic Documents Act (PIPEDA). The law also contains provisions, intended to prevent the spread of spyware and malware, which prohibit the installation of a computer program without consent, as well as prohibitions on the indiscriminate harvesting of addresses to create distribution lists for spam.

Violations of FISA will carry significant Administrative Monetary Penalties of up to $ 1 Million for individuals and up to $ 10 Million for corporations. The law also creates a private right of action for actual damages, as well as statutory penalties of between $200 and $1 Million per contravention.

The primary purpose of Bill C-27, which incorporates a number of the legislative recommendations made in 2005 by the government-mandated "Task Force on Spam", is to cut down on spam (unsolicited junk e-mail). However, the proposed ECPA aims to regulate not only spam, but also counterfeit websites and spyware, among other issues. In the broadest sense, therefore, the legislation is intended to bolster consumer confidence in online commerce.

Canada is currently the only G8 country and one of only four OECD (Organisation for Economic Co operation and Development) countries without specific spam legislation. The Cisco 2008 Annual Security Report estimated that messages sent from Canada accounted for 4.7% of the world's spam.  That percentage landed Canada in fourth place on the list of countries with the most originating spam, behind only the U.S., Turkey and Russia.  The government has characterized Bill C-27 as a necessary step in fulfilling an international duty to join global partners in passing laws to combat spam and related cyber threats.

Having passed both First Reading and Second Reading in the House of Commons, Bill C-27 has been referred to the Standing Committee on Industry, Science and Technology for review. While almost everyone can agree that spam is a nuisance, concerns have been raised about the proposed legislation, as drafted. Thus, while initial predictions were that Standing Committee review would be completed before Parliament's summer recess, more recent estimates see the review continuing after Parliament returns in the fall, in order to ensure that the resulting legislative changes do not negatively affect legitimate business.

Main prohibitions

The anti-spam provisions would prohibit sending (or causing or permitting to be sent) a commercial "electronic message" (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. As currently drafted, implied consent would be limited to situations in which there is an existing business or non-business relationship between the sender and recipient (although there is a provision that would permit future regulations to better define implied consent.)  Both "existing business relationship" and "existing non-business relationship" are defined fairly narrowly, and would be restricted to situations in which the relevant parties had participated in a relevant transaction in the last eighteen months.  Another aspect of the ECPA that appears to pose some practical difficulties is that it would prohibit the sending by email of any request for express consent to communications by email.

The ECPA also dictates some aspects of the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow or a specified electronic address to which the unsubscribe indication can be sent. Unsubscribe requests must be given effect within 10 days.

The ECPA includes provisions directed to privacy and personal security concerns that are associated with counterfeit websites.  Section 7 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from altering or causing to be altered the transmission data in an electronic message "so that the message is delivered to a destination other than, or in addition to, that specified by the sender."  This provision appears to be directed at one aspect of "phishing".  Phishing, which is often undertaken in conjunction with a spoofed email, is the act of sending an email falsely claiming to be a legitimate business and directing the recipient to a specified counterfeit website, in an attempt to obtain sensitive information such as passwords, credit card numbers, and bank account information.

Section 8 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from installing a computer program on another person's computer system without express consent.  After a presumably authorized installation, it would also prohibit a person, in the course of a commercial activity, from causing an electronic message to be sent from that computer system, without express consent.  The government's stated intent for the legislation is to prevent the collection of personal information through illicit access to computer systems (spyware), but as currently drafted, these provisions apply to all computer programs, and not just those with a harmful effect.
Requests for express consent must clearly and simply set out the purpose for which the consent is being sought, and identify the entity seeking consent.  Moreover, consent in respect of the installation of a computer program must clearly and simply describe the function, purpose and impact of every computer program that would be installed if consent is given. There is some disagreement between the federal government and industry as to whether the drafting of the latter requirement could be considered to prevent current commercial practices that see some legitimate programs (such as anti-virus and anti-spyware programs) utilizing automatic updates to the software.

Administrative monetary penalties

The ECPA would subject any individual who violates any of the foregoing prohibitions to liability under an administrative monetary penalty ("AMP") of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, agents of a corporation that violates the prohibitions could also be held liable for such actions if they directed, authorized or participated in the commission of the violation. At the same time, a defence of exercising due diligence to prevent the violation is available, although there is no indication of the types of action that would constitute due diligence.

The process for imposing liability under the AMP is a fairly expedited administrative process. A notice of violation (which must include details of he alleged violation and the amount of the AMP) will be issued and served upon an offender if the CRTC believes that there are reasonable grounds on which to believe that a person has committed a violation under the ECPA. The person served with the notice of violation then has 30 days to make representations to the CRTC regarding the allegations or the amount of AMP, failing which that person will be deemed to have committed the violation. If representations are made, the CRTC will evaluate them on the civil balance of probabilities standard, and may then impose the penalty set out in the notice of violation or reduce or waive the penalty. Appeal of decisions of the CRTC in respect of notices of violation can be made to the Federal Court of Appeal. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

Private right of action

One of the most controversial provisions of the ECPA is that it would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing and anti-spyware provisions of the ECPA. Such persons may apply for an order for compensation for actual loss or damages suffered or expenses incurred, as well as a maximum of $200 for each contravention of the breached provisions (with a limit of $1 million for each day on which a contravention occurred). Again, officers, directors or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act that would be brought into effect by Bill C-27 (discussed in the next section).

Changes to PIPEDA, the Competition Act and the Telecommunications Act

Bill C-27 would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual's electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.

Bill C-27 also proposes numerous amendments to the Competition Act, including the addition a new section 52.01, which broadens the criminal "false or misleading representation" provisions of the Competition Act by prohibiting activities such as knowingly or recklessly sending, for business promotion purposes (i) a false or misleading representation in the sender or subject matter information of an electronic message or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Bill C-27 would also amend the Telecommunications Act to permit the government to either maintain the current "Do Not Call" list in such a way that it would not overlap with the ECPA regime, or to have the responsibility for regulating telemarketing fall under the ECPA entirely.

Other anti-spam bills

Bill C-27 is not the only bill with anti-spam implications currently moving through Parliament. Bill C-355, a private member's bill which aims to amend the Criminal Code to make cyberbullying an offence, proposes as part of that effort to make it an offence to make repeated telephone calls or to send repeated electronic messages to any person with intent to harass.

Bill S-220 also purports to be anti-spam legislation, introducing an offence for sending an unauthorized commercial electronic message, as well as a right of civil action for those adversely affected. Unlike Bill C-27, however, it does not propose to amend other statutes. Having been introduced in the Senate, Bill S-220 would also need to pass through the House of Commons before it could be enacted, which seems unlikely given the status of Bill C-27.