Canada now has new anti-spam legislation.  The Government of Canada established a private sector task force to examine the issue of unsolicited commercial emails or spam in 2004.  It has been reported that by the end of 2004 spam had grown to encompass 80% of all global email traffic.  The report issued by the task force has led to the passing of Bill C-28.

Bill C-28 received royal assent in December 2010 but is not yet in force.  It is thought that this legislation will be brought into force in September of this year, with the intervening period intended to give time for regulations to be passed and for businesses to have time to adjust their procedures in order to comply with the new legislation.

In general terms, the purpose of the legislation is to address conduct which discourages the use of electronic technologies by undermining confidence in their use, increasing costs and compromising the privacy and security of confidential information.

Organizations do need to be concerned about this legislation because of the breath of the legislation and because of the very high level of potential liability.

Miller Thomson Analysis

In terms of exposure to liability, Bill C-28 establishes administrative monetary penalties (AMPS) with caps up to $1,000,000 for an individual and $10,000,000 for any other person.  The Act also establishes private rights of action by anyone affected by a prohibited act with potential liability consisting of compensation for actual loss, damages and expenses and extensive awards that are capped at $1,000,000 per day for breach of the spam, malware, spyware, message routing and other provisions and $1,000,000 for each act of aiding, inducing or procuring a breach of these provisions.

The scope of the potential liability is expanded by the accessorial and vicarious liability provisions.  Liability under the legislation extends to any person who aids, induces or procures a prohibited act.  Businesses are liable for acts of their employees within the scope of their authority, and liability extends to officers, directors, agents and mandatories if they directed, authorized, assented to, acquiesced or participated in the prohibited act.  With the private right of action comes the risk of class actions.

Because of this broad exposure to liability under Bill C-28, it is recommended that businesses review their practices prior to this legislation coming into force and to put in place policies and processes to reduce risk.

The anti-spam provision is found in Section 6(1) of Bill C-28.

It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless:

  1. the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
  2. the message complies with subsection (2) which sets out prescribed formalities for commercial electronic messages.

Bill C-28 sets out specific requirements for obtaining express consent.  It should be noted that the consent regime established is different from that under Canada’s privacy legislation.  A person who seeks express consent must set out clearly (i) the purpose of the consent and (ii) information that identifies the person seeking consent.  The requirements for consent will be further defined in the regulations.  Implied consent is tightly defined for the purposes of this legislation.  Consent is only implied in the specific circumstances set out in the legislation or the regulations.

In addition to consent, the second basic requirement in order to avoid the anti-spam prohibition of Bill C-28 is compliance with the format requirements for electronic messages when the message is sent.  Electronic messages must be in a form that conforms to the prescribed requirements and must:

  • set out prescribed information that identifies the person who sent the message and, if different, on whose behalf it is sent;
  • set out information enabling the person to whom the message is sent to readily contact the sender (the contact information must be valid for 60 days); and
  • set out the prescribed unsubscribe mechanism.

In addition to these anti-spam provisions, Bill C-28 also contains a number of other important provisions:

  • malware and spyware provisions;
  • provisions prohibiting altering transmission data;
  • amendments to the Personal Information Protection and Electronic Documents Act (Canada) relating to harvesting of electronic addresses through use of a computer;
  • amendments to the Competition Act which specifically address false and misleading representations in electronic messages, including in the sender information, subject matter information or locator.

The anti-spam provisions of Bill C-28 in particular will have application to a broad range of businesses.  This will include not only businesses that operate principally on the Internet but also to any businesses that use electronic messages to promote their business.

This article is a general overview, but the challenge in applying this new legislation will be in the detailed definitions, exceptions and specific requirements for consent and message format as provided in the Act and regulations to be promulgated.  An early review of business practices in this area is recommended prior to the legislation coming into force.