Readers of the Cassels Brock Report will recall our previous report on Canada’s new anti-spam legislation, enacted in December of 2010 but not yet fully proclaimed in force. Many of the provisions of this legislation refer to matters that will be dealt with by regulation. Industry Canada and the CRTC recently issued two separate sets of draft regulations for comment.
Observers expecting major developments or simplification of the legislation through the regulations are sure to be disappointed. The Industry Canada draft regulations define “family relationship” and “personal relationship”, which are two categories of electronic messages that are exempted from the consent and message format requirements of the legislation. These draft regulations also define the meaning of “membership” in a “club, association or voluntary organization”, one of the “existing non-business relationships” that qualifies for implied consent, provided that certain time parameters are met. More interestingly, where organizations are obtaining consent on behalf of unidentified third parties, the Industry Canada proposed regulations impose obligations on those organizations to ensure that individuals have an effective means of withdrawing their consent from any third parties to whom the original consent had been provided.
The draft regulations issued by the CRTC set forth the minimum identification and contact information that is to be included within a “commercial electronic message” and information that must be included in a request for consent. Readers should note that unsubscribe mechanisms must be two clicks, maximum - a welcome relief for those of us who have clicked our way through tedious unsubscribe web pages.
The provisions in the anti-spam legislation that have not received as much press are the sections dealing with computer programs. Intending to regulate spyware in addition to spam, the legislation requires express consent of the computer’s owner or authorized user to allow the installation of a computer program on that system, or the sending of an electronic message from that system, that has been caused by the installed program.
If the program is one of several program types specified in Section 10(5) of the legislation (e.g., a program that collects personal information stored on the computer, a program that changes or interferes with settings, preferences or commands without the owner’s or user’s knowledge, etc.), then, separately from the license agreement, when the program supplier is requesting consent, users are to be provided, in a clear and prominent manner, with a description of “the program’s material elements that perform the function, or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system”. The CRTC draft regulations take this disclosure and consent requirement a step further by requiring an acknowledgement in writing that the user understands and agrees that the program performs the specified functions.
In addition, for the programs described in Section 10(5), in spite of any express consent in place, for one year following installation the supplier has obligation to provide an electronic address to which requests for removal may be sent and in certain situations, the supplier may have to assist in removing or disabling the program at no charge.
Although certain exceptions exist and a number of types of programs qualify for a form of deemed consent (e.g., installation of a cookie, HTML code or Java scripts), these provisions are sure to be a headache for the technology community for years to come.
Both the Industry Canada and CRTC draft regulations will come into force on the day they are registered. They are presently open for public comment until September 7, 2011 in the case of Industry Canada, and August 29, 2011 in the case of the CRTC. We will continue to monitor developments and keep our readers posted.