Organizations will need to reassess their practices for sending commercial electronic messages or face significant new penalties.

On December 15, 2010, Parliament passed Bill C-28, An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities […] (the Act), which introduces complex new rules for sending commercial electronic messages. The Act goes much further than regulating bulk, unsolicited email communications often referred to as “spam.” Rather, it creates a new “express” consent-based regime that applies to almost all electronic messages sent for a commercial purpose.

Stiff Penalties

The new anti-spam rules will be enforced with stiff penalties, including administrative monetary penalties of up to $10 million for corporations ($1 million for individuals) and statutory damages of up to $1 million a day. As well, a private right of action will allow consumers and businesses to commence enforcement proceedings and recover damages.

When Will the New Rules Apply

Draft regulations to the Act are expected to be published in March 2011, followed by a 60- to 70-day consultation period. The Act is expected to come into force in the fall.

Scope of the New Anti-Spam Rules

The anti-spam rules apply to commercial electronic messages or “CEMs” sent by telecommunication to an email, instant messaging, telephone or similar account. A message will be regarded as being “commercial” in nature if it has, as its purpose or one of its purposes, the encouragement of participation in a commercial activity.

New Consent Requirements

Under the new regime, CEMs can only be sent with the express consent of the recipient, unless the sender can demonstrate that there is a statutory exception. Examples of exceptions include messages that solely:

  • provide a requested quote or estimate;
  • facilitate, complete or confirm a commercial transaction; and
  • provide warranty information, product recall information, or safety or security information about a product that the message recipient has used or purchased.

There are limited instances in which consent could be implied, including where there is an “existing business relationship” between the sender and the recipient. Generally speaking, such a relationship will exist if the sender can demonstrate that:

  • there is a business relationship arising from the purchase or lease of a product, goods or a service within the prior two-year period;
  • there is a written contract with the recipient (other than in respect of the purchase or lease of products, goods or services and certain other subject matter) until two years following termination of the contract; or
  • there was an inquiry or application made by the recipient within the prior 6 months regarding certain commercial activities, including purchases of goods or services.

Note, however, that these time periods will not apply during the initial three years after the anti-spam rules come into force if the existing business relationship includes communications using CEMs and the recipient has not opted out of receiving them.

Consent Disclosure Requirements

When seeking express consent to send CEMs, businesses are required to set out clearly and simply the purposes for which the consent is being sought, prescribed information identifying the person seeking consent or the person on behalf of whom consent is being sought, and any other information prescribed in regulations.

Form and Content Requirements

Most significantly, CEMs need to include an unsubscribe mechanism that meets prescribed requirements. In addition, CEMs must include the sender’s contact information, identify the person who sent the message, identify the person on whose behalf the message is sent (if different from the sender), and set out any other information prescribed by regulations.

Other Prohibited Conduct

In addition to combating spam, the Act also addresses both spyware and pharming. The Act creates a new express consent-based regime for the installation of any computer program on a user’s computer. Further, the alteration of “transmission data” in an electronic message without the consent of the sender or the recipient is prohibited. This is intended to address the practice of “pharming.” Pharming occurs when a website user clicks on a link included in an email message that appears to be from a legitimate company but is instead redirected to a bogus website.

Related Amendments to other Legislation

The Act also introduces important amendments to other statutes. Highlights of these changes include the following:

  • Restrictions on Address Harvesting

The Personal Information Protection and Electronic Documents Act (PIPEDA) will be amended to restrict “address harvesting,” or the unauthorized collection of email addresses through automated means (i.e., using a computer program designed to generate or search for, and collect, email addresses) without consent. The use of an individual’s email address collected through address harvesting will also be restricted.

  • Misleading Advertising

The Competition Act will be amended to make it an offence to provide false or misleading representations in the sender information, subject matter information, or content of an electronic message. The same conduct will be “reviewable conduct” pursuant to the rules governing deceptive marketing practices.

  • Do-Not-Call List

The Telecommunications Act will be amended to repeal the national Do-Not-Call List. However, it is expected that these amendments may be postponed.

How the New Rules Will Affect Franchises

Franchisors will need to consider how the Act will impact current operations and policies. This will be particularly important in any franchise system in which the franchisor relies on the franchisees to obtain consent from customers (i.e., if the franchisor does not have a direct relationship with the customer but uses the customer’s personal information for marketing purposes), or otherwise markets to the franchisees’ customers, either on its own behalf or on behalf of the franchisees. The franchisor must consider whether its existing procedures and systems for obtaining and documenting consent are sufficient to address the new “express” consent requirements (i.e., relying on consent strategies developed under PIPEDA will no longer be appropriate). If not, the franchisor must establish new procedures and systems, and also scrub all existing databases. Given the possible damages for a breach of the legislation, and the limited relief that an indemnity provision from a franchisee would provide to the franchisor, the franchisor should consider educating franchisees on the significance and potential pitfalls of the new legislation.