In this 2011 edition of Canadian Technology Law Issues, Roland Hung canvasses the general provisions of the Fighting Internet and Wireless Spam Act (FISA), formerly known as Bill C-28. FISA was passed by Parliament and received Royal Assent on December 15, 2010. Jurisdiction over administration and enforcement of FISA is split between three federal branches: the Canadian Radio-television and Telecommunications Commission, the Office of the Privacy Commissioner and the Competition Bureau. FISA is relatively complicated and will likely require significant resources of all three branches. It is therefore reasonable to expect that the Act will not be proclaimed in force as law until at least the summer of 2011. Once FISA is in force, however, it will likely force many Canadian businesses to reassess their marketing and customer retention strategies and make significant changes to ensure compliance.

Purpose of FISA

The strongly worded and politically savvy title notwithstanding, a purposive reading of the Act and a review of relevant passages from Hansard reveal that the underlying purpose is to promote e-commerce and consumer confidence in e-commerce. FISA aims to accomplish this purpose by discouraging high-volume or deceptive electronic marketing, “phishing” schemes and the unauthorized installation of malware on consumer devices. A contravention of FISA could come at a high price: the enforcement scheme includes stiff administrative monetary penalties, a private right of action and director/officer liability.

Devising a Strategy

With these risks in mind, marketing professionals need to think about FISA now, even before it becomes law. Even though, as Hansard indicates, FISA is not intended to target “legitimate business,” clearly it will move electronic marketing in Canada to a permissions-based model. The model will require that businesses have consent from consumers in order to contact them with commercial electronic messages. This change is likely to inspire hand-wringing amongst managers responsible for marketing and retention, as they wonder if they possess or need to obtain the requisite express (or implied) consent to contact clients or potential clients. Fortunately, a common sense approach can be taken to ethically obtain express or implied consent from clients. Consider the following strategic recommendations.

Inventory any existing express consents you have from clients and assess other client situations where you may have implied consent.

Express consent will survive enactment of FISA. As such, you should determine how many of your clients have already granted you express consent to contact them. You should also determine whether you have implied consent of any or all of your clients.

Assess your privacy policy and amend it if necessary.

Generally speaking, privacy policies deal primarily with identifying the categories of personal information your company will collect, how it will be used and whether your company will disclose it to other entities. If you are collecting information from your clients as they “click through,” and that information will inform future marketing initiatives, then your privacy policy should indicate that one of the uses of your clients’ personal information will be to ascertain their needs and market to them accordingly. If you intend to disclose your clients’ personal information to a third party, this should be stated in your privacy policy as well.

Aggressively (but ethically) pursue express consent from your legacy clients before FISA is in force.

Before FISA is proclaimed in force, you may wish to contact your clients electronically to clarify the nature of their consent for the sake of legal certainty under FISA. To safeguard your reputation, be sure to proceed ethically: do not flood email inboxes, and always provide a clear, functional opt-out option on all messages.

Devise an ethical manner in which informed express consent may be efficiently obtained from new clients on an ongoing basis.

Personal information should be collected as close to the initial transaction as possible and the process for collecting it should be consistent with how you deal with your clients and how they interact with your products.  

For instance, the inclusion of a “product registration” card with a tangible product can encourage the client to register for warranty purposes on a “product service centre” website, which should include clear, functional options for opting in or out of various forms of contact with you.  

With software-based or handheld devices, a registration screen can pop up periodically to encourage the user to register on a similar website, where additional information and options for opting in and out are available.  

Exemptions from Consent

A notable exemption from consent that is available under FISA occurs where an electronic message “solely . . . provides warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”

How this exemption may apply to the ongoing common-law duty to warn consumers of unsafe products is uncertain, and the use of the word “solely” is perhaps troublingly narrow. In some instances, especially those involving consumer devices such as firewalls, routers, and smartphones that use confidential consumer data, it may be reasonable to permit regular upgrades of both hardware and software, especially where an unsafe or less-safe device will no longer be regularly supported by the manufacturer. It is also possible that the duty to warn may constitute implied consent within FISA. How FISA may be interpreted in relation to any potential common-law duties remains to be seen.

Permissions-based electronic marketing is poised to become law in Canada in the foreseeable future. As FISA’s proclamation approaches, companies should assess their strategies for adopting this model.