In May of this year, the Government of Canada introduced anti-spam legislation titled Bill C-28, the Fighting Internet and Wireless Spam Act (FISA).
The centre-piece of FISA is a set of prohibitions aimed at preventing spam. FISA specifically regulates the sending of commercial “electronic messages,” defined to include text, sound, voice and image messages sent to an email, instant messaging, telephone or similar account.
FISA also contains prohibitions on the unauthorized installation of computer programs (for example, spyware and other surreptitiously installed software) and the alteration of transmission data without prior consent. In order to combat phishing, FISA amends the Competition Act to create new prohibitions against sending false sender or subject matter information or false or misleading content in an electronic message. It also amends the Personal Information Protection and Electronic Documents Act to prohibit the collection of personal information by unauthorized access to computer systems, and the unauthorized collection of electronic addresses. By addressing a broad range of Internet issues, FISA goes beyond anti-spam legislation in the U.S. that focuses only on e-mail spam.
FISA requires express consent to the delivery of electronic messages, subject to limited exceptions. Most notably, businesses, charities and political parties with an established relationship with a recipient are generally permitted to rely on implied consent for the delivery of electronic messages for a period of two years after a purchase, donation or termination of the relationship, at which point express consent must be sought. FISA also sets out a number of exceptions to the consent requirement such as for commercial inquiries, applications, quotes, confirmations of transactions, warranty or product recall information, messages between those who have personal or family relationships, and messages that provide notification of factual information about an existing product, goods or a service.
FISA also specifies certain form and content requirements. Electronic messages sent must identify the sender and provide accurate contact information as well as a functional unsubscribe mechanism.
The penalties for FISA violators are significant. FISA would allow the Canadian Radio-television and Telecommunications Commission (CRTC) to impose administrative monetary penalties of up to $1 million per violation for individuals and $10 million for businesses. There is also a private right of action that would allow consumers and businesses to take civil action against anyone who violates FISA, including statutory damages of $200 for each violation of the unsolicited electronic message provision of FISA, up to a maximum of $1 million each day.
FISA, once passed, will impose new compliance requirements, and organizations that send electronic messages should consider starting to plan for these changes now. In particular, organizations that are sending commercial electronic messages should consider whether express consent is required, or whether they can rely on a prescribed form of implied consent or on one of the exceptions to the consent requirement.
Organizations must also confirm their electronic messages and consent notices meet FISA’s form and content requirements. A review of privacy policies and related consent procedures is also advisable.
In addition, organizations that install computer programs on another person’s computer-based device (in the course of their commercial activities) should review their consent and disclosure practices to confirm compliance with FISA.
For a detailed briefing on FISA, please see the overview available at: www.accessprivacy.com/docs/FISA_brief.pdf