On Friday, April 24, 2009, Industry Minister Tony Clement tabled in the House of Commons Bill C-27, which would establish a new, standalone act entitled the Electronic Commerce Protection Act (ECPA), in addition to amending the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act, and the Telecommunications Act.
Four years have passed since the Task Force on Spam presented its Final Report to the government, which included a recommendation for legislative action to address spam. While some would argue that the government’s response is long overdue, there are benefits to a delayed response. For example, the government has had the opportunity to conduct an in-depth review of the issues, evaluate models in other jurisdictions, and develop a comprehensive approach to addressing a number of threats, including spyware, phishing, pharming and botnets.
The result is a relatively complicated piece of legislation which includes anti-spam provisions, anti-spyware provisions, anti-phishing and pharming provisions, enforcement and penalties and the potential abolition of the much maligned National Do-Not-Call List (DNCL).
The main purpose of ECPA is to reduce the amount of spam originating from Canadian sources by establishing rules for sending commercial electronic messages.
Generally speaking, "spam" refers to sending unsolicited commercial email, although more recent forms of communications such as text messaging and instant messaging are also subject to spam-like techniques. In order to remain as technology-neutral as possible, the term "electronic message" is broadly defined so that it includes email, SMS and virtually any other form of visual or audio messaging that could be spammed. However, ECPA does not apply to telemarketing, for example, a telephone conversation, voice mail or fax message. A "commercial" electronic message is also broadly defined to include any electronic message that includes any semblance of commercial activity.
The most important rule with respect to spam is a general prohibition against sending commercial electronic messages without the consent of the recipient. Consent may be either express or implied; consent is implied where the sender has an existing business or non-business relationship with the recipient.
There are a few explicit exceptions that are worth noting. First, ECPA states that an email sent to a business for the purposes of making an inquiry related to that business is not captured under the Act. Second, the Act clarifies that a message sent for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada is not caught under the Act.
More significant are the exceptions that exist by virtue of the fact that the ECPA only applies to electronic messages that are commercial. This means that religious organizations, political parties, and possibly even pollsters would be able to send unsolicited messages without being caught under the Act.
It is worth noting that ECPA makes it clear that a message sent for the purposes of seeking consent to send a commercial message is also, in and of itself, a commercial message. In other words, you cannot send unsolicited electronic messages to obtain consent.
In addition to consent, commercial electronic messages must also meet certain requirements as to their form. A commercial message must identify the sender and the person on whose behalf the message is sent, if different from the sender; provide contact information for the sender and provide easy access to a mechanism that allows the recipient to unsubscribe either by email or by following a hyperlink.
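The form requirements above (sender identified, contact information provided, and an unsubscribe mechanism reachable by email or by hyperlink) are the kind of thing an outbound mail pipeline can check mechanically before a campaign is sent. The following is an added example written for this page, not code from the article or from any Canadian regulator; the two sample messages are constructed, and the checks are a partial approximation (the "person on whose behalf the message is sent" cannot be verified from headers alone, and contact information is detected only as an email address in the body). It treats either a `List-Unsubscribe` header or a body line mentioning "unsubscribe" with a `mailto:` or `http(s)` target as the unsubscribe mechanism.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed sample messages (not taken from the article): the first carries
# every form element the checker looks for, the second is a bare promotional
# message with no sender name, no contact address and no way to unsubscribe.
COMPLIANT_MSG = """\
From: Acme Widgets <newsletter@acme.example>
To: customer@example.net
Subject: Spring catalogue
List-Unsubscribe: <mailto:unsubscribe@acme.example>, <https://acme.example/unsub?id=123>
Content-Type: text/plain; charset=utf-8

Our spring catalogue is out.
Acme Widgets Inc., 100 Main St, Ottawa ON. Contact: support@acme.example
To unsubscribe visit https://acme.example/unsub?id=123
"""

NONCOMPLIANT_MSG = """\
From: promo@cheapdeals.example
To: customer@example.net
Subject: BEST DEALS!!!
Content-Type: text/plain; charset=utf-8

Click here for deals: http://cheapdeals.example/buy
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _body_text(msg: EmailMessage) -> str:
    """Return the first text part (plain preferred over html) or an empty string."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def check_message_form(raw: str) -> dict:
    """Evaluate a raw RFC 5322 message against the form requirements described
    in the article. Returns one boolean per requirement plus an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    body = _body_text(msg)

    # A bare address such as promo@cheapdeals.example does not name the sender.
    sender_identified = bool(display_name.strip())
    # Assumption: a contact email address in the body counts as contact information.
    contact_info = bool(EMAIL_RE.search(body))

    # Collect unsubscribe targets from the List-Unsubscribe header and from any
    # body line that mentions unsubscribing.
    unsub_targets = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    for line in body.splitlines():
        if "unsubscribe" in line.lower():
            unsub_targets += URL_RE.findall(line)
            unsub_targets += [f"mailto:{m}" for m in EMAIL_RE.findall(line)]
    unsubscribe_by_email = any(t.lower().startswith("mailto:") for t in unsub_targets)
    unsubscribe_by_link = any(t.lower().startswith(("http://", "https://")) for t in unsub_targets)

    findings = {
        "sender_identified": sender_identified,
        "contact_info": contact_info,
        "unsubscribe_by_email": unsubscribe_by_email,
        "unsubscribe_by_link": unsubscribe_by_link,
    }
    # The article requires an unsubscribe mechanism by email OR by hyperlink.
    findings["passes"] = sender_identified and contact_info and (
        unsubscribe_by_email or unsubscribe_by_link
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT_MSG), ("noncompliant", NONCOMPLIANT_MSG)):
        print(label, check_message_form(raw))
```

A check like this belongs at the point where a campaign is handed to the sending infrastructure, so that a message lacking a name, a contact address or an unsubscribe route is rejected before any recipient sees it; it says nothing about consent, which has to be tracked per recipient in the sender's own records.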
Internet service providers are immune from the anti-spam provisions where they merely provide the telecommunications service that allows for the transmission of a message.
It will be important for businesses that use email or other forms of electronic messaging for advertising and communication with customers to ensure that they are in compliance with the requirements under ECPA. It is worth noting that the Act attributes responsibility for sending a message not only to the sender, but to anyone who causes a message to be sent. This means that any business that engages another person (e.g., an advertising agency) to conduct advertising must ensure that the advertising is compliant with ECPA.
At the end of the day, ECPA should not be particularly onerous for legitimate email advertisers, especially given that many advertisers are already compliant with similar requirements established in other jurisdictions, or industry best practices, such as the Canadian Marketing Association’s E-mail and Internet Marketing Guidelines.
The term "spyware" generally refers to any computer program that is installed without a computer owner’s consent, which may be used for a number of purposes. The most common symptoms of spyware are pop-up advertisements, loss of control over web browsers and a drastic loss in resources. Spyware that is used to deliver pop-up ads is also commonly referred to as "adware".
In its most virulent form, spyware can secretly track a user’s activities and collect personal information. Spyware can even be used to remotely control a computer to, among other things, send spam. A network of remotely controlled computers is often referred to as a "botnet".
ECPA deals with spyware by prohibiting the installation of a computer program on a computer system without the express consent of the computer owner or authority of a court order. The Act adopts the definition of a "computer program" as found in the Criminal Code, which is very broad and therefore likely to capture most forms of spyware. Also prohibited is the use of a computer program installed on another person’s computer for the purposes of sending an electronic message from that computer.
This provision will capture computer programs that are installed without a user's consent (again, in the course of commercial activity), meaning that anyone who tries to secretly install a computer program without the user's knowledge would be in violation of the Act. Consequently, any business that distributes software that includes adware or other forms of spyware must ensure that express consent is obtained.
Unfortunately, many individuals unknowingly download and install spyware while downloading and installing other software applications that are bundled with it. In consenting to download the bundle of programs, these individuals may be deemed to have expressly consented to the installation of the spyware if they click on an "I Agree" or similar button when accepting the end user license agreement that is typically presented before downloading or installation. Whether or not the supplier of such spyware will have contravened the anti-spyware provision will depend largely on whether the supplier has set out clearly and simply the purpose for which it is seeking such consent and the function, purpose and impact of every computer program that is to be installed if consent is given.
5. Anti-phishing and pharming
The term "phishing" generally refers to a form of social engineering in which Internet users are intentionally directed to a counterfeit website for fraudulent purposes. The most typical phishing scam involves a falsified bank website: a user is sent an email (the "lure") purporting to be from their bank, stating that the individual must log in to their account to take some sort of immediate action. The email includes a link to a website that is intended to look identical to the real site, and when the user logs in they are in fact handing over their authentication information to criminals.
Pharming is a slightly more sophisticated variation of phishing that avoids the need to lure the victim through an email message. When a user requests a website through their web browser, a hacker is able to redirect the user to the fake website.
The ECPA addresses pharming by prohibiting the alteration of "transmission data" in an electronic message without consent. Essentially, if a user requests a certain website, and is directed to another, this constitutes a violation of ECPA.
Phishing, however, is arguably not caught under this provision given that a user typically clicks on a link provided in an email message. As such, while there may be fraud, there is no "alteration of transmission data", given that the user has actually requested the fake website by clicking on the link. Arguably, phishing, as addressed under the anti-spam provisions as the "email lure", would be in violation of both the consent and form requirements.
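The distinction drawn above (the lure is a link the user actually clicks, so there is no alteration of transmission data) is also what makes the lure detectable at the mail gateway: the visible text of the link is crafted to look like the real site while the `href` points elsewhere. The following is an added example written for this page, not code from the article; the HTML message body is constructed, and the "registrable domain" helper is a deliberate simplification (last two DNS labels, no public-suffix list) that a production filter would replace.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML lure (not from the article). The first anchor shows the
# bank's real address as its visible text but links to a look-alike host;
# the other two anchors are benign and must not be flagged.
SAMPLE_LURE = """
<p>Your account has been limited. Log in immediately at
<a href="http://login.bank-secure.example/">https://www.bank.example/login</a>
to restore access.</p>
<p>Questions? <a href="https://www.bank.example/contact">Contact us</a> or read
the help pages at <a href="https://www.bank.example/help">bank.example</a>.</p>
"""

# A hostname-looking token inside the visible anchor text, e.g. www.bank.example
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_lure_links(html: str) -> list:
    """Return anchors whose visible text names a domain that differs from the
    domain the href actually points to. Anchors whose text names no domain
    (e.g. "Contact us") cannot mislead in this way and are not flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        href_host = urlparse(href).hostname or ""
        match = HOST_RE.search(text)
        if not match or not href_host:
            continue
        shown = _registrable(match.group(1))
        actual = _registrable(href_host)
        if shown != actual:
            flagged.append({
                "href": href,
                "text": text,
                "reason": f"visible domain {shown} differs from link target {actual}",
            })
    return flagged


if __name__ == "__main__":
    for hit in find_lure_links(SAMPLE_LURE):
        print(hit)
```

Running the block prints a single finding for the look-alike login link. A gateway would typically quarantine or annotate such a message rather than rewrite it, since the mismatch itself is the evidence worth preserving for an investigation.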
In addition to protecting consumers, the anti-phishing and anti-pharming provisions may also provide a means of relief for businesses that are affected by phishing and pharming. For example, it could provide an opportunity for banks to pursue civil remedies against offenders for harm to their reputation or to recover losses incurred as a result of fraud against the bank and its customers.
6. Enforcement and Penalties
Enforcement under ECPA is shared among the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Privacy Commissioner of Canada.
The CRTC is given the largest share of the enforcement powers under the Act. Procedurally, the CRTC can order telecommunications service providers (TSPs) to preserve and produce records. The Act also provides a process for obtaining a warrant that would allow the CRTC to enter a place of business or dwelling to examine records.
Penalties under ECPA are substantial. The CRTC can issue administrative monetary penalties (AMPs) of up to $1 million for individuals and $10 million for "other persons" for violations of the Act. The CRTC can also agree to an "undertaking", which is effectively a form of settlement between the CRTC and the offender, and apply to a court for an injunction.
Also noteworthy is the creation of a private right of action which would allow individuals to seek financial compensation for violations of the Act.
While ECPA is welcome legislation, authorities will still face the difficult challenge of tracking down and locating offenders. In addition, the effectiveness of this legislation will depend largely on the amount of resources made available to enforcement agencies.
7. National Do-Not-Call List
Bill C-27 includes a provision that would eliminate the much maligned Do-Not-Call List (DNCL), which has only been up and running since September 2008. The DNCL, widely criticized as a failure, requires individuals to register their numbers on a list indicating that they do not want to be subject to telemarketing. Many Canadians have complained that the number of unsolicited phone calls they receive has actually increased since being on the list. At the end of Bill C-27 is a section that would repeal the provisions of the Telecommunications Act that establish the legislative framework for the DNCL.
It is important to note that the DNCL would not necessarily be eliminated with the passing of Bill C-27. Rather, as stated at the very end of the bill, the provisions under the Act come into force by order of the Governor in Council, and not all provisions are required to come into force at the same time. With this provision, the government effectively reserves the right to repeal the DNCL at any time in the future, which can be done by an Order in Council rather than by going back to Parliament.
8. Next Steps
Having just been introduced in Parliament, Bill C-27 must pass two more readings as well as an intensive review by a House of Commons standing committee (presumably the Committee on Industry, Science and Technology, or "INDU"), before going to the Senate for approval. From a political perspective, there is no obvious reason why Bill C-27 would be held up in Parliament, as it is relatively uncontroversial and certain members of the opposition have demonstrated support for anti-spam legislation in the past. However, it remains to be seen how much progress can be made before Parliament recesses for the summer, and an election call might precede the passing of the Act, thereby derailing the legislative process.