On December 15, 2010, Bill C-28, Canada’s anti-spam legislation (the “Act”)1, received Royal Assent. It establishes the following regulatory framework, for the purpose of protecting electronic commerce in Canada:
- It addresses unsolicited commercial electronic mail (i.e. email, text messages, etc.) by prohibiting the sending of commercial electronic messages without consent;
- It prohibits conduct harmful to electronic commerce, protects the integrity of transmission data, and prohibits the installation of computer programs without consent in the course of commercial activity;
- It prohibits false or misleading commercial representations online;
- It prohibits the collection of personal information through unlawful access to computer systems and the unauthorized compiling or supplying of lists of electronic addresses;
- It provides for a private right of action for businesses and consumers;
- It allows the Canadian Radio-Television and Telecommunications Commission (“CRTC”) and Competition Tribunal to impose administrative monetary penalties on violators; and
- It authorizes the international sharing of information and evidence to pursue spammers outside of Canada through foreign enforcement agencies.
Most of the Act will come into force on July 1, 2014. However, the provisions dealing with the unsolicited installation of computer programs will come into force on January 15, 2015. In addition, the private right of action provisions will come into force on July 1, 2017.
Relevant Agencies and Responsibilities
The Act will be administered by the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner of Canada. Industry Canada will also act as a national coordinating body to promote awareness of the law, to educate consumers, network operators and small businesses, to coordinate work with the private sector, and to conduct research.
The Role of the CRTC
The CRTC is generally responsible for ensuring the reliability, safety and effective operation of telecommunications networks in Canada, including the Internet. It will be responsible for enforcing the following prohibitions contained in the Act:
- Unsolicited commercial electronic messages (Section 6);
- The alteration of transmission data (Section 7);
- The installation of computer programs (Section 8); and
- Aiding, inducing, procuring (or causing to be procured) any of the above (Section 9).
Role of the Competition Bureau
The Competition Bureau currently has a mandate to ensure fair marketplace practices for business and consumers. The Act amends the Competition Act2 in a manner that allows the Competition Bureau to more effectively address false and misleading representations online and deceptive marketplace practices including false headers and website content.
Role of the Office of the Privacy Commissioner of Canada
The Privacy Commissioner is currently responsible for protecting the personal information of Canadians. The Act amends the Personal Information Protection and Electronic Documents Act3 in a manner that allows the Office of the Privacy Commissioner of Canada to enforce the following new violations:
- The collection of personal information through access to computer systems in violation of federal law; and
- The automated collection of email addresses (address harvesting), and the use of addresses collected in that manner.
The most significant prohibitions contained in the Act will be enforced by the CRTC. A detailed discussion of these prohibitions appears below.
Sending Unsolicited Commercial Electronic Messages (Section 6)
This prohibition addresses the sending of unsolicited commercial electronic messages. According to Subsection 1(2) of the Act, the term “commercial electronic message” is defined as an electronic message that it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that:
- Offers to purchase, sell, barter or lease a product, goods, a service, land, or an interest or right in land;
- Offers to provide a business, investment or gaming opportunity;
- Advertises or promotes anything referred to in paragraph (a) or (b); or
- Promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
Subsection 1(1) of the Act defines the term “commercial activity” as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
Section 6 of the Act prohibits the sending of a commercial electronic message to an electronic address unless:
- The recipient has given consent (express or implied) to receiving it; and
- The message complies with the related regulations and also: (1) identifies the sender (and, if different, the person on whose behalf it has been sent), (2) provides contact information (valid for at least 60 days after the message has been sent) allowing the recipient to readily contact the sender, and (3) provides for an unsubscribe procedure (any unsubscribe notification received must be put into effect within 10 business days).
According to Subsection 2 of the CRTC’s Appendix to Telecom Regulatory Policy CRTC 2012-183 (the “CRTC Regulations”), the following information must be set out in any commercial electronic message:
- The name by which the sender carries on business, if different from their name (if not, the name of the person);
- If the message is sent on behalf of another person, the name by which that person carries on business, if different from their name (if not, the name of the person);
- If the message is sent on behalf of another person, a statement indicating the person sending the message and the person on whose behalf the message is sent; and
- The mailing address, and either a telephone number providing access to an agent or voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent.
If it is not practical to include the above information and an unsubscribe mechanism in a commercial electronic message, that information may be posted on a web page by means of a link that is clearly and prominently set out in the message.
The term “electronic message” is defined in Subsection 1(1) of the Act as a message sent by any means of telecommunication, including a text, sound, voice, or image message. This broad definition therefore implicates voice mail messages, webcam messages, and the exchange of pictures or graphic files by electronic means as well.
The term “electronic address” is also defined in Subsection 1(1) as an address used in connection with the transmission of an electronic message to:
- An electronic mail account;
- An instant messaging account;
- A telephone account; or
- Any similar account.
As a result, Section 6 covers virtually all means of electronic communication, with the exception of broadcasting by a broadcasting undertaking (as defined in the Broadcasting Act4), which is explicitly exempted in Section 5.
Section 6 would also be used to prevent phishing attacks. For example, a typical phishing e-mail could appear to be sent from the recipient’s bank, requiring the recipient to send back personal information. In reality, the actual sender is a spammer who is attempting to steal the recipient’s personal information, which the recipient would not otherwise provide.
Section 6 provides several exemptions to the above prohibition, including a commercial electronic message that:
- Is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations;
- Is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity;
- Provides a quote or estimate, if it was requested by the recipient;
- Facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender;
- Provides warranty information, product recall information or safety or security information about a product, goods or a service that the recipient uses, has used or has purchased;
- Provides notification of factual information about: (1) the ongoing use or purchase of a product, good or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or (2) the ongoing subscription, membership, account, loan or similar relationship of the recipient;
- Provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled;
- Delivers a product, good or a service, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender; or
- Is otherwise exempted in the regulations.
According to Section 2 of the Governor in Council Electronic Commerce Protection Regulations5 (the “Governor in Council Regulations”), the term “family relationship” means that the sender and the recipient are related to one another through marriage, common-law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication. “Personal relationship” also means the relationship between sender and recipient, if those individuals have had a direct, voluntary, two-way communication and it would be reasonable to conclude that they have a personal relationship, taking into account any relevant factors such as the sharing of interests, experiences, opinions, and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated, or whether the parties have met in person.
Section 3 of the Governor in Council Regulations also exempts a commercial electronic message that:
- Is sent by an employee, representative, consultant, or franchisee of an organization:
  - To such a person from the same organization and the message concerns the activities of that organization; or
  - To such a person from another organization if the organizations have a relationship and the message concerns the activities of the organization to whom the message is sent;
- Is sent to a person:
  - To satisfy a legal obligation;
  - To provide notice of an existing or pending right, legal obligation, court order, judgment or tariff;
  - To enforce a right, legal obligation, court order, judgment, or tariff; or
  - To enforce a right arising under Canadian federal, provincial, or municipal law, or the law of a foreign state;
- Is sent and received on an electronic messaging service if the information and unsubscribe mechanism are conspicuously published and readily available on the user interface through which the message is accessed, and the person to whom the message is sent consents to receive it expressly or by implication;
- Is sent to a limited access secure and confidential account to which messages can only be sent by the person who provides the account to the person who receives the message;
- Is sent (or caused or permitted to be sent) by a person who reasonably believes that the message will be accessed in a foreign state (a list of countries appears in the schedule) having substantially similar anti-spam legislation, and the message conforms to the law of the foreign state;
- Is sent by or on behalf of a registered charity, and the message has as its primary purpose raising funds for the charity; or
- Is sent by or on behalf of a political party or organization, or a person who is a candidate for publicly elected office and the message has as its primary purpose soliciting a contribution.
Finally, Section 4 of the Governor in Council Regulations exempts the first commercial electronic message that is sent by the sender for the purpose of contacting the recipient following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship, or a personal relationship with the sender or the recipient, and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.
Subsection 6(8) of the Act confirms that this prohibition does not apply to a commercial electronic message that is:
- In whole or in part, an interactive two-way voice communication between individuals;
- Sent by fax; or
- A voicemail message.
Clearly, the Act is not intended to apply to telephone calls, faxes, or voicemail messages.
Subsection 12(1) confirms that a person only contravenes Section 6 if the computer system used to send or to access the electronic message is located in Canada.
The Alteration of Transmission Data (Section 7)
This prohibition addresses the alteration of transmission data without authorization. Section 7 of the Act prohibits anyone, in the course of a commercial activity, from altering transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless:
- The alteration is made with the express consent of the sender or the recipient, and the person altering the data complies with provisions relating to the withdrawal of consent; or
- The alteration is made in accordance with a court order.
However, this prohibition does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.
According to Subsection 11(4), where there is express consent to alter transmission data under Section 7, an unsubscribe mechanism must be provided to the recipient of the electronic message throughout the period covered by the consent and any activation of the unsubscribe option must be put into effect within 10 business days.
According to Subsection 1(1), the term “transmission data” is defined as data that:
- Relates to the telecommunications functions of dialling, routing, addressing or signalling;
- Either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and
- Does not reveal the substance, meaning or purpose of the communication.
The above definition clearly covers any data transmission by means of telephone, Internet, and wireless, outside of the actual substance of the message.
The intent of Section 7 appears to be to capture all steps along the chain of transmission where a spammer or other malevolent communicator could insert some form of problematic technology such as malware or spyware, or fake an identity for the purposes of communication. This should include malicious activities such as man-in-the-middle attacks6, network re-routing, and even Caller-ID spoofing7.
Subsection 12(2) confirms that a person only contravenes Section 7 if a computer system located in Canada is used to send, route, or access the electronic message.
The Installation of Computer Programs (Section 8)
This prohibition addresses the installation of software on computer systems and networks without authorization. It is intended to cover malware, spyware and virus installations, including computer programs that can be hidden in spam messages or accessed through hyperlinks to infected websites.
Section 8 of the Act provides that a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:
- The person has obtained the express consent of the owner or an authorized user of the computer system and complies with the Act’s provisions relating to the preservation of transmission data; or
- The person is acting in accordance with a court order.
This prohibition is aimed at the surreptitious installation of spyware and malware, such as the kind that compromise a computer in order to relay spam without the owner’s permission.
According to Subsection 11(5), where there is express consent to download a program onto a person’s computer under Section 8, a mechanism whereby the recipient can send a request to remove or disable the computer program because its function, purpose or other details were not as advertised in the original consent request, has to be provided for a year after the program’s installation. In addition, the providers of the program must grant the request to uninstall, without cost, if the request is made because of misrepresentation of the program in the original request for consent.
Subsection 12(1) confirms that a person will contravene Section 8 only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
As mentioned above, this prohibition will come into force on January 15, 2015.
Related Prohibitions (Section 9)
According to Section 9 of the Act, it is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of Sections 6 to 8.
Requirements for Express and Implied Consent
According to Subsection 10(1) of the Act, a person who seeks express consent under Sections 6 to 8 must clearly and simply set out the following information:
- The purposes for which the consent is being sought;
- Prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person (if known), prescribed information that identifies that other person; and
- Any other prescribed information.
According to Section 5(1) of the Governor in Council Regulations, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained it ensures that, in any commercial electronic message sent to the recipient:
- The person who obtained consent is identified; and
- The authorized person provides an unsubscribe mechanism that allows the recipient to withdraw their consent from the person who obtained consent and any other person authorized to use it.
According to Section 3 of the CRTC Regulations, a request for consent may be obtained orally or in writing and must be sought separately for each act described in Sections 6 to 9 of the Act and must include:
- The name by which the person seeking consent carries on business, if different from their name (if not, the name of the person seeking consent);
- If the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name (if not, the name of the person on whose behalf consent is sought);
- If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought;
- The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought; and
- A statement indicating that the person whose consent is sought can withdraw their consent.
For the purposes of Section 8 of the Act (installation of computer programs), the person seeking express consent must also clearly and simply describe the function and purpose of the computer program that is to be installed. In addition, if the person knows and intends to cause that computer system to operate in a manner that is contrary to the reasonable expectations of its owner or authorized user, the person requesting consent must clearly and prominently (separately from the license agreement):
- Describe the program’s material elements that perform the function(s), including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and
- Bring those elements to the attention of the person from whom consent is being sought in the prescribed manner.
According to Subsection 10(5), this extra information must be provided if the installation will do one of the following: (1) collect personal information stored on the computer system; (2) interfere with the recipient’s control of the computer system; (3) change or interfere with the recipient’s existing settings, preferences or commands; (4) change or interfere with data that affects the recipient’s lawful access to it; (5) cause the recipient’s computer system to communicate with another computer system or device without the recipient’s consent; or (6) install a computer program that may be activated by a third party without the knowledge of the recipient. According to Section 5 of the CRTC Regulations, the computer program’s material elements that perform one or more of these functions must be brought to the attention of the person from whom consent is sought separately from any other information provided in the request for consent and an acknowledgement in writing must be obtained from the person from whom consent is being sought, confirming that they understand and agree that the program performs the specified functions.
Express consent is not required for the installation of an update or upgrade to a computer program if express consent was previously given in accordance with Section 10 of the Act, the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent, and the update or upgrade is installed in accordance with those terms.
According to Subsection 10(8)(a), a person is also deemed to have given express consent to the installation of a computer program if:
- The program is: (1) a cookie, (2) HTML code, (3) JavaScript, (4) an operating system, (5) any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or (6) any other program specified in the regulations; and
- The person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
Section 6 of the Governor in Council Regulations adds the following additional programs:
- A program installed by or on behalf of a telecommunications services provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency, or optimal use of its network;
- A program installed for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network, on the computer systems that constitute all or part of the network; and
- A program that is necessary to correct a failure in the operation of the computer system or a program installed on it solely for that purpose.
According to Subsection 10(9) of the Act, for the purposes of Section 6 (unsolicited electronic messages), consent is implied if:
- The sender of the message (including those who cause or permit it to be sent) has an existing business relationship or an existing non-business relationship with the recipient;
- The recipient has conspicuously published (or caused it to be conspicuously published) their electronic address, the publication is not accompanied by a statement that they do not wish to receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business, role, duties or functions in a business or official capacity;
- The recipient has disclosed their electronic address to the sender without indicating a wish not to receive unsolicited commercial messages at that address, and the message is relevant to the recipient’s business, role, functions, or duties in a business or official capacity; or
- The message is sent in circumstances set out in the regulations.
According to Subsection 10(10), the term “existing business relationship” means a business relationship between the sender (including those who cause or permit the message to be sent) and the recipient, arising from:
- The purchase, lease or bartering of a product, good, service, land or an interest or right in land by the recipient within the two-year period preceding the sending of the message;
- The acceptance by the recipient, within the preceding two-year period, of a business, investment, or gaming opportunity offered by the sender;
- A written contract entered into between the recipient and the sender in respect of a matter not referred to above, if the contract is currently in existence or expired within the preceding two-year period; or
- An inquiry or application made by the recipient to the sender, within the six-month period preceding the sending of the message, in respect of anything mentioned above.
According to Subsection 10(12), if the owner of a business has an existing business relationship with another person and the business is subsequently sold, the purchaser who purchases the business is also considered to have an existing business relationship with that other person.
According to Subsection 10(13), the term “existing non-business relationship” means a non-business relationship between the recipient and the sender (including anyone who causes or permits the message to be sent) arising from:
- A donation or gift made by the recipient within the two-year period preceding the date that the message is sent, where the sender is a registered charity, a political party or organization, or a person who is a candidate for publicly elected office;
- Volunteer work performed by the recipient for, or attendance at a meeting organized by, a registered charity, a political party or organization, or a person who is a candidate for publicly elected office; or
- Membership (as defined in the regulations) by the recipient in a club, association, or voluntary organization (as defined in the regulations), within the two-year period preceding the date that the message is sent.
Subsection 7 of the Governor in Council Regulations defines “membership” as the status of having been accepted as a member of a club, association, or voluntary organization in accordance with its membership requirements. It also defines “club, association, or voluntary organization” as a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation, or for any other purpose other than personal profit, if no part of its income is available for the personal benefit of any proprietor, member, or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the promotion of amateur athletics in Canada.
According to Section 66 of the Act, a person’s consent to receive commercial electronic messages from another person is implied until three years after the date that Section 6 comes into force (July 1, 2017) or until they withdraw their consent, whichever comes first, if, when that section comes into force (July 1, 2014):
- Those persons have an existing business relationship as defined in Subsection 10(10) or an existing non-business relationship as defined in Subsection 10(13), even those occurring outside the two-year period mentioned in those subsections; and
- The relationship includes the communication of commercial electronic messages between them.
According to Section 67 of the Act, if a computer program was installed on a person’s computer system before Section 8 comes into force (January 15, 2015), their consent to the installation of an update or upgrade to the program is implied until three years after the date on which that section comes into force (July 15, 2018) or until they withdraw their consent, whichever comes first.
Administrative and Criminal Penalties
Administrative Monetary Penalties
Pursuant to Section 20 of the Act, the CRTC has the authority to impose an administrative monetary penalty for any violation of Sections 6 to 9. According to Subsection 20(4), the maximum penalty for a violation is $1,000,000 in the case of an individual and $10,000,000 in the case of any other person.
According to Section 30, violations are not considered criminal offences. Subsection 20(2) also confirms that the purpose of the penalty is to promote compliance with the Act and not to punish violators. Subsection 33 provides for a due diligence defence, but other common law defences can only be used to the extent that they do not conflict with other provisions of the Act.
According to Section 31, an officer, director, agent or mandatary of a corporation may be liable for a violation committed by the corporation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, regardless of whether proceedings are commenced against the corporation itself. In addition, Section 32 states that an employer is also liable for a violation that is committed by their employee (or their agent or mandatary) acting within the scope of their employment, whether or not the employee is proceeded against or identified.
The Act also contains several criminal offences:
- Section 42 makes it an offence for a person to fail to comply with a demand, notice, or warrant issued in connection with the administration of the Act. However, according to Subsection 46(2), a person will not be convicted under Section 42 if they establish that they exercised due diligence to prevent the commission of the offence.
- Section 43 makes it an offence for a person to obstruct or hinder, knowingly make a false or misleading statement, or provide false or misleading information to a designated person who is carrying out their duties and functions under the Act.
According to Subsection 46(1), every person who commits an offence under Section 42 or 43 is guilty of an offence punishable on summary conviction and is liable:
- To a fine of not more than $10,000 for a first offence or $25,000 for a subsequent offence, in the case of an individual; or
- To a fine of not more than $100,000 for a first offence or $250,000 for a subsequent offence, in the case of any other person.
Private Right of Action
According to Subsection 46(1) of the Act, a person who alleges that:
- They are affected by a violation of Section 6, 7, 8 or 9 of the Act;
- Their electronic address has been obtained without consent through data mining or other automated crawling, or where personal information has been obtained through accessing a computer system, or causing it to be accessed, without authorization (in violation of related amendments to the Personal Information Protection and Electronic Documents Act); or
- They have been the target of false or misleading electronic messages (in violation of related amendments to the Competition Act);
may apply to the court for an order of compensation against one or more persons who they allege have committed a violation or reviewable conduct. However, according to Subsection 46(2), no application may be brought later than three years after the day on which the subject matter of the proceeding became known to the applicant.
As mentioned above, this private right of action provision will come into force on July 1, 2017.
Information Sharing with Foreign States and International Organizations
According to Subsection 60 of the Act, the CRTC, the Commissioner of Competition, and the Privacy Commissioner are authorized to share information with foreign states and international organizations for the purposes of pursuing violations. All such information-sharing arrangements must be in the form of written agreements and they may concern only illegal activity under foreign laws that do not have penal consequences. However, a written agreement can be presumed from the acceptance of a written request for assistance from a foreign state or international organization if it is accompanied by a declaration that assistance between Canada and the requesting party will be reciprocal.
Although the Government of Canada hopes that the Act will discourage spam originating from Canada, it is not expecting to completely eliminate it, since a significant amount of spam originates from other countries. Nevertheless, as Canada is the last of the G8 countries to introduce anti-spam legislation, the Act’s implementation will certainly add to existing global efforts aimed at eliminating spam.
Canadian businesses will need to exercise due diligence in order to ensure that they do not violate the Act. These businesses should review their existing internal policies on the use of commercial electronic messages, in order to ensure compliance once the Act comes into force on July 1, 2014.