I. Introduction

On December 15, 2010, Canada finally legislated against the problem of unsolicited electronic communication (i.e. "spam") by signing into law Bill C-28 ("FISA").[2] With the passage[3] of FISA, companies which commercialize their products and services across North America as a single market, and which use electronic communications such as newsletters, bulletins and issue alerts, now need to comply with both the new FISA, and with the United States' Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM")[4]. FISA represents a significant step in the regulation of unsolicited electronic communications, and while it contains certain similarities with CAN-SPAM, it also contains important differences. This bulletin therefore presents a high-level comparison of the anti-spam regimes in Canada and the United States with a view to assisting companies marketing cross-jurisdictionally in complying with what is now, collectively, a North American anti-spam regime.[5]

II. Scope of the Legislation

In addition to prohibiting activities that facilitate viruses and "phishing",[6] FISA sets out detailed rules that must be followed by anyone sending a "commercial electronic message" that is sent or accessed from a computer system in Canada.[7] More specifically, FISA sets out what type of electronic communications are permitted, the information such communications must include, and mechanisms to investigate any contravention and enforce certain penalties.

CAN-SPAM, similarly to FISA, applies to all commercial email messages. Unlike its Canadian counterpart, however, CAN-SPAM does not cover the installation of computer programs, and as such, it is significantly narrower in scope than the equivalent Canadian laws.[8]

III. What is a "Commercial Electronic Message"?

FISA and CAN-SPAM each have their own definition of what is consider to be a commercial electronic message, a definition which is obviously critical as it forms the nexus for the application of the anti-spam restrictions.

While there is significant overlap between the Canadian and US definitions, the critical difference lies in the purpose of the message being sent. The definition of "commercial electronic message" in FISA includes any electronic message that "it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity".[9] Accordingly, to the extent that a commercial electronic message has – even if not as its sole purpose – as at least one of its purposes the encouragement of participation in a "commercial activity", FISA will apply.

Under CAN-SPAM, in contrast, a "commercial email message" is defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)".[10] Furthermore, CAN-SPAM builds on this requirement that the purpose of the message be "primarily" commercial, in order to explicitly permit the inclusion of links to websites of a commercial entity without necessarily deeming the communication to be commercial in nature. This would allow, for example, the sending of an electronic newsletter with advertisements, without falling into the category of commercial electronic messages.

In light of the relative breadth of the Canadian definition, then, organizations which have adopted a single electronic messaging solution for both Canada and the United States, should seek the comply with the higher standard in Canada.

IV. Consent: Opt-Out vs. Opt-In

Both FISA and CAN-SPAM require some form of consent from the recipients to permit the sending of commercial electronic messages (unless one of the exceptions is met: see V. (Consent Exceptions) below). The key difference between FISA and CAN-SPAM is the nature of the consent mechanism built into the legislation.

FISA requires that customers must "opt-in" to accepting the message – that is, each customer must affirm that they wish to receive such messages. In contrast, CAN-SPAM has adopted an "opt-out" approach. This means that, under CAN-SPAM, individuals who receive an unsolicited message are considered to have implicitly consented to receiving said message until they indicate they no longer wish to receive it.[11] This places the burden on the receiver of the unsolicited communication to unsubscribe from the communication.

The doctrine of implied, or "opt out" consent is not unknown in Canada, but the circumstances under which it may be applied are stricter. Under FISA, the recipient of a message also may be assumed to have consented to receiving the commercial electronic message in certain circumstances. For example, a recipient is deemed to have consented if they have "conspicuously published" their email address and did not include a statement that they do not wish to receive unsolicited commercial electronic messages, or provided their contact information to the sender and did not include a statement that they did not want to receive unsolicited messages[12]In both cases, any commercial message sent to a person must be "relevant to the person's business, role, functions or duties in a business or official capacity".[13]

Again, an organization which is seeking to adopt a single, North American-wide email marketing strategy, must endeavour to rely on one of the above-noted examples of where implied consent is acceptable, or else adopt an express consent strategy.

V. Consent Exceptions

There are permitted exceptions to the requirement under FISA that a sender need always obtain express consent from a receiver. For example, both the Canadian and the US anti-spam regimes provide an exception to consent for situations where contact information has been provided in the course of a sale or transaction or pursuant to other existing relationships.

In Canada, FISA states that the requirement to obtain consent does not apply where that electronic commercial message solely:

delivers a product, goods or a service, including product updates or upgrades, that the person to whom the message is sent is entitled to receive under the terms of a transaction that they have previously entered into with the person who sent the message or the person — if different — on whose behalf it is sent[14] (emphasis added).

Note however that this exception only applies to the extent that the commercial electronic message in question solely delivers a service which the recipient is entitled to receive, under the specific terms of the transaction. For example, after downloading a particular software product a consumer may be entitled to receive software updates from time to time via email.

FISA also includes certain other permitted exceptions from having to obtain consent. These other permitted exceptions include exceptions to the consent requirement where the communication in question is to (a) provide a quote or estimate in response to a request; and (b) facilitate, complete or confirm a pre-agreed commercial transaction.[15]

The only consent exception under CAN-SPAM is that messages relating to an existing transaction or business relationship do not have to follow the same opt-out rules. Other than this exception, commercial electronic messages must follow the CAN-SPAM requirements.

For organizations endeavouring to rely on a common consent exception across both jurisdictions, while both FISA and CAN-SPAM consent exceptions relate to existing commercial relationships/activities, the consent exceptions under FISA are more narrowly drafted and detailed than those under CAN-SPAM. As a result, each organization should ensure that it understands and can comply with the Canadian exceptions in order to ensure statutory compliance across both jurisdictions.

VI. Mandated Content for Commercial Electronic Messages

Both the Canadian and US anti-spam legislation include requirements that mandate certain content for unsolicited commercial electronic messages. FISA requires that:

The message must be in a form that conforms to the prescribed requirements and must (a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent; (b) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and (c) set out an unsubscribe mechanism in accordance with subsection 11(1)[16].

CAN-SPAM includes more specific requirements as to the form and nature of the content of the electronic message. In addition to the requirements that the email include valid identifying information and a proper email address or other Internet-based mechanism that allows a recipient to opt-out from receiving messages, CAN-SPAM also requires that the email contain a valid physical postal address of the sender.[17]

In summary, two content requirements are common across Canada and the United States: that the message (a) must contain a clear and direct method of unsubscribing, including a valid return email address or other Internet-based mechanism, and (b) cannot prohibit the concealment of the identity of the sender. However, the additional US requirement to have a valid physical postal address of the sender, is not a stringent requirement.

VII. Enforcement

Under FISA, administrative authorities, including the Canadian Radio-television and Telecommunications Commission ("CRTC"), are primarily responsible for enforcement. A contravention of FISA can result in an administrative monetary penalty of a maximum of $1 million in the case of an individual, and $10 million in the case of any other person.[18]. Prior to an investigation, if a sender wants to make voluntary disclosure, it is required to make an undertaking to identify every act or omission committed and to pay a set fine agreed upon by the CRTC.[19]

In the United States, there are three branches of penalties under the anti-spam regime: administrative, civil, and criminal. The Federal Trade Commission ("FTC") is responsible for the bulk of the administration of CAN-SPAM, including the application of administrative penalties, because any contravention of CAN-SPAM is characterized as an "unfair or deceptive act or practice"[20] which falls within its jurisdiction. CAN-SPAM provides the FTC with the power to enforce compliance with the same powers as they would have under all applicable terms of the Federal Trade Commission Act.[21]

Additionally, civil suits can be brought by the attorney general of each state and, in limited circumstances, by internet service providers ("ISPs"). The limitation on damages that may be awarded in such civil cases is up to $1,000,000. However, even if comparable state laws expressly permit individuals to bring suit specifically against the sender of unsolicited commercial messages, CAN-SPAM pre-empts such laws and removes these rights from the hands of individuals. Finally, in further contrast to FISA, if the actions of the sender contravene certain sections of CAN-SPAM, criminal charges and damages can be brought and may result in punishments of up to five years in prison and forfeiture of the assets of the sender.[22]

VIII. Jurisdiction

FISA sets out rules that must be followed by anyone sending an "electronic message" that is sent or accessed from a computer system in Canada.[23] As a consequence, electronic communications sent from computer systems located and controlled from outside of Canada may come under the jurisdiction of FISA, if a computer system located in Canada either accesses, or has routed through it, the message. This provides a wide jurisdictional scope to FISA.

There is no geographic limitation in CAN-SPAM itself as to its jurisdictional application. As such, it falls to traditional conflict of laws principles to determine whether a US court is able to enforce the provisions of CAN-SPAM. With respect to extra-jurisdictional enforcement, the FTC has expressed frustration with respect to its inability to effectively enforce CAN-SPAM against spam malfeasants outside of the United States.[24] However, while there is some difficulty in enforcing CAN-SPAM or other legislation against foreign senders, Canadian companies should take note that US courts have shown a willingness to bring foreign defendants within their jurisdiction. For example, in the case of Facebook, Inc. v. Guerbuez,[25]Facebook successfully sued Montreal-based spammer Adam Guerbuez in a California court for contravening the provisions of CAN-SPAM and then successfully sought to enforce the $873 million dollar judgement it was awarded in the US in a Canadian court (in the province of Quebec).[26]

In conclusion, there is therefore a significant risk that, notwithstanding the location of the organization implementing an electronic communications marketing plan, the organization may be caught by both laws

IX. Conclusion

As our review indicates, for organizations implementing cross-border electronic marketing strategies, it is not impossible to comply with the anti-spam legislation in both jurisdictions. However, compliance does require an understanding of both sets of legal requirements, both at a high level as we have outlined here, and also with respect to specific issues – for example, the definition of "commercial activity" for the purposes of FISA. With some judicious planning, then, organizations can ensure that legitimate commercial emails strategies are not forestalled by legislation which is aimed at the real purveyors of spam.