Canada’s new anti-spam and online fraud act (Bill C-28), expected to be in force in Fall 2011, creates a comprehensive regime of offences, enforcement mechanisms, and potentially severe penalties (including personal liability for corporate directors and officers) designed to prohibit unsolicited or misleading commercial electronic messages (CEMs) and deter other forms of online fraud (including identity theft, phishing and spyware).

For most organizations, the key parts of the Act are the rules for CEMs, which apply to almost every electronic message (including email and instant messages) relating to a commercial activity. Subject to limited exceptions, the Act prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM, and the CEM complies with prescribed formalities and is not misleading. The rules can be enforced by regulators and through private lawsuits. Contravention of the rules for CEMs can result in severe administrative penalties (up to $1 million per violation for individuals and up to $10 million per violation for organizations) and civil liability.

Following is a basic compliance action plan for Canadian organizations:

  1. Assessment: Determine how the Act applies to the organizations’ operations and marketing activities.  
  2. Education: Educate the organizations’ personnel about the Act, and implement policies for compliance.  
  3. Express Consent: Establish procedures for obtaining recipients’ express consent to receive CEMs, and for maintaining an accurate and current list of consenting recipients for each kind of CEM.  
  4. Implied Consent: Establish procedures for maintaining an accurate and current list of recipients who have given implied consent to receive each kind of CEM, and removing recipients when their implied consent expires (usually after two years).  
  5. Formalities: Establish procedures to ensure that all CEMs comply with prescribed formalities (information disclosure, unsubscribe mechanism, website unsubscribe process) and that unsubscribe requests are promptly implemented (within 10 days).  
  6. Accuracy: Establish procedures to ensure that CEMs are not misleading.  
  7. Contracts: Revise contracts with relevant third parties (e.g. agents, distributors and marketing agencies) to require compliance with the Act.  
  8. Due Diligence: Establish due diligence procedures for the organizations’ directors and officers, to manage personal liability risk.  
  9. Monitoring/Responding: Establish procedures for monitoring the organizations’ compliance and responding to violations.  
  10. Insurance: Obtain insurance for liability arising from violations of the Act.