In December 2010, the Canadian Parliament passed Bill C-28, which was formerly known as the Fighting Internet and Wireless Spam Act (FISA). It is anticipated that FISA will come into force 6 – 8 months, once the regulations are in place.

FISA will affect how educational institutions market and otherwise communicate with others. This article focuses on the prohibition on sending unsolicited commercial electronic messages.  


FISA prohibits the sending of a commercial electronic message to an electronic address (e.g., e-mail, instant messaging) unless: (a) the recipient of the message has consented to receiving it, and (b) the message sets out certain information including how to unsubscribe from future messages. The prohibition applies to the sender and any person who acts on behalf of the sender, such as marketing agencies hired by an educational institution.


A commercial electronic message is a message sent by any means of telecommunication (including a text, sound, voice or image message) where it would be reasonable to conclude that one of its purposes is to encourage participation in a commercial activity. The content, hyperlinks, and contact information contained in the message would be considered in determining the purpose of the message. A commercial activity means any particular transaction, act or conduct or regular course of conduct that is of a commercial character, whether or not the person who carries it out does so expecting profit.


Consent from a recipient can be express or implied. FISA sets out specific requirements for when express consent is obtained.

FISA also sets out a number of situations where consent may be implied. One is where the sender of the message has an “existing business relationship” or an “existing non-business relationship” with the recipient of the message.

An example of an existing business relationship is where the sender and recipient have a business relationship arising from the purchase of a product, goods, or a service within 2 years of when the message was sent.

The definition of “existing non-business relationship” includes a non-business relationship between a sender and recipient arising from the following situations:

  1. a donation or gift made by the recipient to the sender within 2 years of when the message was sent, where the sender is a registered charity as defined under s. 248(1) of the Income Tax Act;
  2. volunteer work performed by the recipient for the sender, or attendance at a meeting organized by the sender, within 2 years of when the message was sent, where the sender is a registered charity as defined under s. 248(1) of the Income Tax Act; or
  3. membership (as defined in the regulations) by the recipient in a club, association or voluntary organization (as defined in the regulations), within 2 years of when the message was sent.  

Note that an electronic message requesting consent to send a commercial electronic message is considered a commercial electronic message.


Information required to be in the message includes information on the person who sent the message (as well as the person on whose behalf the message is sent, if different) and information allowing the recipient to contact the sender. The contact information of the sender must be valid for at least 60 days after the message has been sent. The message must also include information allowing the recipient to unsubscribe from receiving commercial electronic messages from the sender. The unsubscribe mechanism must be at no cost to the recipient, by way of the same electronic means the message was sent, and specify an electronic address or link to an internet page. The sender must ensure that the electronic address or link is valid for at least 60 days after the message has been sent. The sender has 10 business days to effect the recipient’s request.

Although there is a three-year transition provision that provides for implied consent in limited circumstances, educational institutions will still have to set out prescribed information, including in respect of the unsubscribe mechanism, when Bill C-28 is proclaimed to be in force.


A person who contravenes the spamming provisions is liable to an administrative monetary penalty of a maximum of $1 million in the case of an individual, and $10 million in the case of any other person. FISA permits regulations to be made applying the maximum fines on a per day basis.

Officers and directors of a corporation can be held personally liable for violations. An employer can be vicariously liable for a violation committed by an employee acting within the scope of his/her employment. There is a due diligence defence to avoid liability.

FISA also provides a potential private right of action for those who are affected by the spamming violation under FISA.  


FISA also prohibits, in the course of a commercial activity, altering transmission data such that an electronic message is delivered to a destination other than, or in addition to, the destination specified by the sender, without the sender’s express consent.

In addition, FISA prohibits, in the course of a commercial activity, installing a computer program on a person’s computer system, as well as distributing electronic messages from such person’s computer system, without the owner’s or authorized user’s consent.


FISA amends other legislation, such as the Personal Information Protection and Electronic Documents Act (Canada) in terms of preventing the unauthorized collection or use or an individual’s electronic address if it was collected through a computer program designed for collecting electronic addresses. Another example is amendments to the Telecommunications Act (Canada), resulting in a possibility for the Do Not Call List to be replaced with a new regime.


Once FISA is in force, before sending out any commercial electronic messages, educational institutions will have to determine whether they have the proper consent and that their messages include the information and unsubscribe mechanism required by FISA. In addition, if their electronic marketing practices involve the distribution of software that would be captured under FISA, they must comply with disclosure and consent requirements.

Moreover, educational institutions will need to ensure that their third party service providers are knowledgeable about FISA and will comply with FISA when assisting with and implementing marketing and communication programs and services.

Educational institutions should start reviewing their marketing and communication practices now to determine how to comply with FISA, as the internal process to effect compliance could require substantial lead time.