In 2002 the EU issued the Privacy and Electronic Communications Directive (2002/58/EC), which covers the sending of unsolicited commercial email. In December 2003 the British government transcribed the Directive into local law by implementing the Privacy and Electronic Communications Regulations 2003 ("PECR"). For the purposes of this bulletin PECR will be used to make cross-jurisdictional comparisons between anti-spam laws in the United Kingdom/Europe and Canada.
Canada has also recently implemented anti-spam regulations to address the issue of unsolicited electronic mail. Originally tabled in early 2009, the anti-spam legislation has since been developed and reintroduced by the Canadian Government as Bill C-28, commonly known as the 'Fighting Internet and Wireless Spam Act' ("FISA"). Like PECR, FISA regulates the sending of commercial electronic messages which 'it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity'.
Principal Legal Obligations
Unsolicited Electronic Messages
Under PECR the sending of commercial messages by electronic mail is prohibited except where the individual in question has expressly signified their prior agreement to receiving such electronic communication or in certain other limited circumstances where consent can be implied. Electronic mail is defined in PECR as including any 'text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient'. Electronic mail has therefore been given a wide meaning and includes email and text, picture, video and voicemail messages.
An electronic message or communication under FISA means any form of telecommunication, including text, sound, voice, and image. The definition of 'commercial electronic message' is equally as broad, with emphasis being placed on the content, form, and deemed purpose of the message.
Each message must conform to the FISA requirements and must include prescribed information to identify the sender (or the person on whose behalf it has been sent), information enabling the recipient to readily contact the sender, and an unsubscribe mechanism which must be offered for free. In comparison, PECR imposes minimal content requirements: the identity of the sender must not be disguised or concealed, and a valid address must be included by which a recipient can opt out of receiving the electronic mail.
PECR and FISA are similar in that they require consent (express or implied) to be obtained prior to the sending of unsolicited commercial mail and, as such, each operates on an opt-in basis.
Guidance on PECR issued by the Information Commissioner's Office highlights that senders of electronic mail must obtain a positive indication of consent from the individual intended recipient. In the Information Commissioner's view, express consent must be in some form of communication where an individual knowingly, and with full understanding, indicates consent. Examples given by the Information Commissioner include clicking an icon, sending an email or subscribing to a service. In the Information Commissioner's view, failing to register an objection will, by itself, be unlikely to constitute valid consent though failing to indicate objection may, in context, be part of the mechanism by which consent is given.
Under FISA, unless an exemption applies (such as the implied consent situations described below), the sender of unsolicited commercial mail must first obtain the express consent of the intended recipient before sending such mail. In seeking express consent the sender should set out the purpose for which the consent is being obtained together with information identifying the persons seeking consent (or on whose behalf it is sought).
Consent to receive unsolicited electronic commercial communications will be implied, in the case of PECR, where: (i) the contact details of the recipient were obtained in the course of a sale, or negotiations for a sale, of a product or service to that recipient; (ii) direct marketing was carried out in respect of similar goods and services only; (iii) the recipient has been given a simple opt-out (without charge, except for the cost of transmission) at the time of the initial collection of the data so that the recipient can refuse the use of their contact details for direct marketing purposes.
The implied opt-in is therefore only available to the organisation collecting the details of the recipient initially and not to any purchase of information from a third party database. If the above conditions are not met, then express consent will be required prior to the distribution of electronic mail to a proposed individual recipient.
Similarly FISA also accounts for the possibility of implied consent which may arise where: (i) there is an existing business relationship; (ii) there is an existing non-business relationship; (iii) where the recipient has conspicuously published their email address or provided their contact details to the sender and not stated that they do not wish to receive unsolicited commercial mail; provided that the message is relevant to the person's business, role, function or duties in a business or official capacity.
PECR and FISA therefore share common ground in that they set out strict rules on implied consent thereby preserving the opt-in stance adopted. Similarities between PECR and FISA lie, in particular, in the fact that each allows consent to be implied where contact details have been obtained in the course of a sale or other business transactions.
Preference Services are central UK opt-out registers, which ensure subscribers do not receive unsolicited marketing communications. They are a free service which has been available since May 1999 for individuals, and since June 2004 for corporate subscribers. Preference Services remove the subscriber's telephone number, address or fax number from lists used by the marketing industry, and so subscribers should not be contacted unless they have provided the marketing company with express consent. PECR prohibits direct marketing to subscribers registered on one of three lists: the Telephone Preference Service ("TPS"), Mail Preference Service ("MPS") and Fax Preference Service ("FPS"). As with the Canadian Do Not Call List Rules, the rules for existing customers differ. Under PECR, marketing companies can contact existing customers, provided they have not expressly prohibited them from doing so (opt-out).
Under PECR regardless of whether subscribers are registered on the TPS, automated marketing calls are prohibited, subject to consent. Live marketing calls are also prohibited, provided subscribers indicate a general objection through registering with the TPS or Corporate TPS, or directly notify marketing companies of their decision to opt-out.
Marketing organisations have a responsibility to ensure their data is accurate and up to date. The MPS list is updated monthly, whilst the TPS, Corporate TPS and FPS are updated weekly. As it is a legal requirement that companies do not make calls to numbers registered on either TPS list, or send faxes to those numbers registered with the FPS, it is in their best interest to ensure their lists are updated with equal regularity.
Preference Services have the effect of reducing but not eradicating unwanted contact as not all sectors are covered, and contact for genuine market research purposes is not covered. Overseas companies are not governed by PECR, and as the provisions cannot be enforced there is no incentive to comply. Marketing firms which do not use these established industry lists but instead use random numbers are also not caught by Preference Services.
Complaints are directed to the Information Commissioner's Office; however, sending direct marketing in breach of the law is generally not a criminal offence.
Do Not Call
The Canadian Radio-television and Telecommunications Commission ("CRTC") established the Unsolicited Telecommunications Rules to which telemarketers must adhere. These rules include Do Not Call List ("DNCL") Rules which are designed to reduce the number of unsolicited telemarketing calls and faxes received in Canada.
The DNCL Rules provide for the DNCL which is a database of personal contact numbers of those individuals who do not wish to receive unsolicited telemarketing calls. Numbers are added to the list within 24 hours, after which time telemarketers have 31 days to update their own information and make sure they do not contact the numbers on the list, subject to the provision of express consent to do so. Updates are provided online which allow telemarketing companies to update their details.
There are a limited number of exemptions available, including telemarketing by charities, calls to business customers, and calls by companies with whom the recipient has done business in the prior 18 months. Upon expiry of the 18-month window, if the company is on the DNCL, permission to call will be needed.
Further to the above, as per the FISA prescribed requirements there are certain rules which must be adhered to by telemarketers when making calls. When calling, telemarketers must identify themselves and provide a contact number on which they can be reached should the recipient wish to do so. This same number or the number from which the call is being made must be displayed, and calls or faxes may only be sent between 9:00 a.m. and 9:30 p.m. on weekdays and between 10:00 a.m. and 6:00 p.m. on weekends.
Contravention of the DNCL Rules may lead to a notice of violation which provides for Administrative Monetary Penalties (AMPs). The maximum AMP is CA$1,500 per violation for an individual and CA$15,000 per violation for a corporation. In determining the amount payable, consideration will be given to factors such as the number of complaints, the type of violation, and the potential for future violations. Should a violation continue for more than one day, each day thereafter will be seen as a separate violation.
Individuals and companies alike should be aware that although the DNCL Rules apply to all telemarketing companies, they do not per se provide comfort against fraudulent telemarketing calls.
A notable difference between PECR and FISA can be seen in respect of corporate subscribers. Under PECR corporate subscribers (which include companies, Scottish partnerships, corporations sole, and any other body corporate or entity which is a legal person distinct from its members but not sole traders or partners in business partnerships in England and Wales who are considered to be individuals) do not benefit from the protection afforded to individuals in respect of electronic commercial mail. PECR also does not cover employees using corporate e-mail systems for personal purposes. As such, sending emails to an individual at a corporate entity email address is permitted if it is work related. However, if the content of the spam email is of a personal nature and does not relate to work matters then the rules in respect of spamming individuals will apply. Companies and limited liability partnerships, and their employees, therefore remain open to unsolicited electronic mail but in these instances a clear opt-out must be given. FISA does not draw such a distinction between natural individuals and legal entities.
Supervision and Enforcement
The Office of the Information Commissioner enforces PECR. Breaches of enforcement orders issued by the Information Commissioner constitute a criminal offence and can incur a fine of up to £5,000 in a Magistrates' Court, or an unlimited fine if the case comes before a Crown Court.
By contrast breach of FISA carries financial penalties of up to $1 million for individuals and $10 million for any other legal entity. In addition, a private right of action under FISA can lead to penalties of up to $1 million per day for certain violations and $1 million per act for other violations including aiding, inducing or procuring certain breaches.
The Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada are primarily responsible for supervision and enforcement of FISA.
FISA is broad in scope and liability under it is not restricted to Canada but carries extraterritorial effect. The Act states that its provisions must be followed by anyone sending an 'electronic message' that is sent or accessed from a computer system in Canada. It is therefore possible that electronic commercial mail sent from the United Kingdom (or anywhere else) may be subject to FISA if such mail is accessed or received through a computer system located in Canada. It will be interesting to see how FISA will be enforced internationally. Unfortunately, PECR does not appear to benefit from a similar geographic scope. However, due to the nature of the EU member states it is possible for a recipient in the United Kingdom to bring a complaint against someone in another member state. PECR does not place any duty on the Information Commissioner to enforce where he has been so asked and does not require him to investigate any complaint he receives. It is entirely up to him to decide whether and how he pursues any such complaint.
In order to ensure PECR and FISA are being complied with, businesses will need not only to understand their legal obligations and be aware of any changes but also to utilise good record keeping and organisational skills. Below are a few suggestions to assist businesses in complying with the legislation:
- always include clear opportunities to opt-in or opt-out (as appropriate) when initially collecting personal data and when marketing to existing customers. Information should be provided so as to enable individuals to fully appreciate what they are consenting to;
- it will also be good practice, when obtaining consent, to seek confirmation that the individual recipient is happy to receive emails about products and services that you want to market to them, or about products and services other members of your group may offer;
- a clear statement of identity and valid contact address will need to be included for opt-outs on all marketing communications;
- as good practice, a valid website address (where further valid contact details can be found) or a valid PO Box number should be included in any promotional text message;
- once consent has been obtained, records of consents should be retained;
- records of consents should be kept under review and separate records or databases distinguishing between individuals to whom the business can and cannot send electronic mail should be maintained;
- check the Preference Services and remove any new registrants from your database;
- companies sending marketing e-mails from outside Canada should either take steps to prevent them being received within Canada or ensure that they comply with FISA.