Marketing practices targeted at Canadian based consumers may soon be significantly curtailed by a bill aimed at protecting consumers from the bombardment of electronic messages, often referred to as "spam". In line with the U.S. legislative scheme known as "CAN-SPAM", which was enacted in 2003, it is meant to significantly reduce the amount of unwanted messages received by Canadian consumers. The bill provides a framework for when consumers may be contacted, but also provides the federal government with the legislated ability to stop, or at least discourage, such activity which affects consumers on a pure nuisance level, and often involves fraudulent activity that affects them financially.

That being said, this will also impact legitimate marketing efforts by restricting companies' ability to reach out to consumers by telephone and e-mail, without the consumer's consent, which, in most cases, means express consent.

On April 24, 2009, the Canadian Government introduced its proposed anti-spam legislation, the Electronic Commerce Protection Act ("ECPA"), designed to protect Canadians from unsolicited "electronic messages" - messages sent by any means of telecommunication, including text, sound, voice or image messaging. The bill recently passed second reading in the House of Commons.

Canada's Privacy Commissioner, Jennifer Stoddart, has been vocal about the need to protect the privacy rights of Canadians, which she has said are "being threatened by the scourge of spam and spam-borne online threats such as spyware and phishing attacks". As she pointed out in her letter to the Ministry of Industry on January 22, 2007, Canada is the lone G8 country without anti-spam legislation, and in 2007, was ranked number six in a list of top 10 worst countries for originating spam.

Spam and related online threats are a real concern to all Internet users as they can lead to theft of personal data, such as credit card information (identity theft); online fraud involving counterfeit websites (phishing); the collection of personal information through illicit access to computer systems (phishing/spyware); and false or misleading representations in the online marketplace.

While Canadian legislation contains provisions that could be expanded to protect Canadians from such activity, the ECPA makes certain that these apply to online threats, specifically deals with these threats, and creates some new prohibitions to bolster Canada's toolkit against online threats.

Newly created prohibitions

The legislation prohibits sending, or causing or permitting to be sent, a commercial electronic message to an electronic address without first obtaining the recipient's consent, with limited exceptions where consent is implied (for example, if there is an existing business relationship). Even with consent, the sender must ensure it is in prescribed form including proper contact information of sender and opt-out information.

To combat "phishing", it is also prohibited to alter transmission data so that a commercial electronic message is delivered to other recipients than those originally intended by the sender without the sender's express consent. Finally, the anti-spy/botnet provision disallows installing or causing to be installed a computer program on any other person's computer system, or causing electronic messages to be sent from that computer system, if the computer system or sender is located in Canada at the relevant time, without consent.

Amendments to current legislation

In addition to the prohibited activities noted above, the bill amends the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Telecommunications Act as well as the Personal Information Protection and Electronic Documents Act ("PIPEDA") to more clearly ensure that they address spam and spam-related activities.

Specifically, the false or misleading representation provisions as well as the deceptive marketing provisions of the Competition Act are proposed to be amended to render false header information, false or misleading content as well as false locator information, illegal.

The ECPA would amend PIPEDA to ensure that personal information is protected from spyware and "dictionary attacks" by ensuring that an individual's electronic address cannot be used or collected by the use of a computer program designed or marketed for use in generating or searching for, and collecting, electronic addresses, unless consent is obtained. There is a parallel provision which protects against the collection and use of personal information through any means of telecommunications, if the collection is made by accessing a computer system without authorization.

Depending on the interpretation of the term "personal information", the proposed amendments to PIPEDA could impact "behavioural advertising", which uses a consumer's online activity in order to deliver advertising targeted to the consumer's interests.


The legislation would empower each of the Privacy Commissioner, the CRTC as well as the Commissioner of Competition to enforce the anti-spam provisions, in various ways.

The CRTC is provided with a wide range of investigative powers. ISPs may be required to preserve transmission data related to an investigation, and individuals may be required to produce documents by the CRTC. A search warrant may even be issued to obtain evidence of a possible violation. The CRTC would be allowed to impose administrative monetary penalties of up to $10 million.

Directors and officers may be held liable for the actions of their companies whether or not the corporation is proceeded against, and the CRTC can set out a penalty to be paid.

The Privacy Commissioner may investigate complaints under the new provisions of PIPEDA or defer the investigation to the CRTC or Competition Bureau.

New Private Right of Action

There is a new private right of action. If an individual alleges they are affected by an act prohibited by the new ECPA provisions or the new or amended provisions of the Competition Act or PIPEDA, they may apply to court and penalties could reach $1 million per day. In addition, the court may order that the offender pay compensation for actual loss or damage suffered, or expenses incurred, by the applicant.

The ECPA and the Do Not Call List

As previously summarized in a Gowlings Privacy Briefing in 2007, the CRTC established a framework for unsolicited telemarketing calls and other unsolicited telecommunications received by consumers, creating a national "Do Not Call List".

In its brief period of operation, the Do Not Call List has been controversial, and sometimes cited as requiring fine-tuning as the opt-out mechanism creates a database of information that may lawfully be accessed by organizations exempt from the Do Not Call provisions.

The ECPA repeals the provisions of the Telecommunications Act which create the legislative framework for the list.

The opt-in provisions of the proposed legislation would mean that organizations could not contact an individual without first obtaining their consent.

It is not clear when these provisions would come into effect, and/or exactly how they apply to telemarketing, given the fact that "commercial electronic messages that are two-way voice communications or voice recordings" are excluded from the definition of "electronic messages". The CRTC is, however, given the power to regulate commercial electronic messages that are excluded from the provisions of the ECPA.


The ECPA is a complicated bill as it is meant to amend various pieces of legislation, and create some new prohibitions, in response to technological threats that did not exist when the existing statutes were enacted. The legislation is intended to address the weaker links in our legislative toolkit against spam.

As noted in the 2005 Report of the Task Force on Spam, the legislative response is one piece of a bigger shield against this problem, which should also include best practices for ISPs, e-mail marketing as well as user awareness and education and international cooperation.

For the full text of Bill C-27