Bill C-27: The Electronic Commerce Protection Act
Last year, new federal legislation was proposed that would impose onerous obligations on all businesses that engage in online advertising and marketing. Bill C-27, which would enact the Electronic Commerce Protection Act (the "ECPA"), was introduced in April 2009 and by December 2009 had proceeded through all three readings in the House of Commons and first reading in the Senate. When Parliament was prorogued on December 29, 2009, all pending legislation, including Bill C-27, died on the Order Paper. Parliament resumed on March 3, 2010 and, in light of the enthusiasm with which it was supported by the government and the Minister of Industry, in particular, it is expected that this legislation will be re-introduced. If the opposition parties agree, the Bill could be re-introduced at the Senate review stage, such that it may be enacted and in force very soon.
All businesses that use e-mail, automatic downloads and telemarketing to advertise and promote their products or services should be concerned about the potential impact of Bill C-27. At the same time as it prohibits e-mail "spam," Bill C-27 would amend existing legislation that relates to telemarketing and privacy. As discussed in more detail below, it will be important to track the progress of any successor legislation through its review by the House of Commons and the Senate, in order to be prepared for new obligations that will be imposed on all businesses that engage in online promotional activities.
Goal: To Prevent Spam and Identity Theft
In introducing the proposed ECPA in April 2009, the federal government described it as anti-spam legislation, intended to "boost confidence in online commerce, by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware."1 The legislation generally implements the recommendations of the 2005 National Anti-Spam Task Force and would establish a regulatory framework to regulate activities that discourage reliance on electronic means of carrying out commercial activities and "deter the most dangerous forms of spam such as identity theft, phishing and spyware."2 Viewed in this light, the legislation would no doubt be welcomed by a majority of consumers and businesses.
However, there are reasons to be concerned about this proposed legislation, from the perspective of businesses that use e-mail and other "electronic messages" as a component of their marketing and advertising activities.
The core provision of the ECPA was contained in s. 6 which prohibited any person from sending, causing or permitting a "commercial electronic message" to be sent to an "electronic address" unless the recipient had provided prior consent or one of a limited number of exceptions3 was available. As proposed, the ECPA would have provided for the imposition of very high administrative monetary penalties ("AMPs"), of up to $1 million for individuals and up to $10 million for others, for violations of its prohibitions.4 It also provided for a private right of action for injured parties, which would have allowed them to seek both damages reflecting their actual losses and statutory damages of up to $1 million per day for each contravention of various provisions of the ECPA itself, of PIPEDA (defined below) and of the reviewable conduct misleading representation provision of the Competition Act.5
In addition to creating the ECPA, Bill C-27 would have amended the Telecommunications Act and the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and, in so doing, expanded the authority of the Canadian Radio-television and Telecommunications Commission ("CRTC"), the Competition Bureau and the Office of the Privacy Commissioner. The CRTC would have acquired the authority to impose significant AMPs. All three federal agencies would have acquired the power to share information and evidence with their counterparts in other countries so that violators beyond Canada’s borders could not use Canada as a "spam safe haven."6 The legislation provided that Industry Canada would act as a "national coordinating body" to expand awareness, coordinate work with the private sector and conduct research and intelligence gathering.7
Broadly Worded Definitions
As with most legislation, definitions formed the foundation of Bill C-27. An "electronic message" was defined very broadly as "a message sent by any means of telecommunication, including a text, sound, voice or image message" and an "electronic address" was defined as "an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account." Further, a "commercial electronic message" was defined as an electronic message for which "it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity," [including, among other things, one that] … "(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity…." Building on this foundation, the draft legislation imposed significant limitations on businesses' use of commercial electronic messages that were sent without the prior, explicit or implicit, consent of the recipient.
The Impact of Bill C-27 on Personal Information and Privacy Law
With respect to personal information and privacy, Bill C-27⁸ would have expanded the PIPEDA framework, which generally governs the collection, use and disclosure of personal information in Canada.9 The s. 6 prohibition against sending a "commercial electronic message" without the consent of the recipient would have expanded upon the current prohibitions of the PIPEDA regime, which provides that no person may collect, use or disclose the personal information of an individual without consent. Since e-mail addresses are generally "personal information,"10 s. 6 of the ECPA would have had the same effect as PIPEDA. The ECPA would, however, have had a broader reach, since the prohibition would have applied more broadly to all "commercial electronic messages" and the exceptions were quite limited. Further, as noted above, the ECPA would have provided for significant levels of AMPs and created a private right of action.
In addition, Bill C-27 would have directly amended PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses.11 The ECPA would contain a private right of action provision which would be available not only for a violation of some of its own provisions, but also for a violation of s. 5 of PIPEDA as it relates to the collection of personal information by such means.12 This would be a significant change from the current enforcement of PIPEDA which currently depends on a review by the Privacy Commissioner and provides for court action only where there has been non-compliance with orders issued by the Privacy Commissioner.
"Ban with Exceptions" Approach
The overall structure of the ECPA was to ban an extremely broad class of commercial activity while providing for very limited exceptions. As noted above, s. 6 generally banned all commercial electronic messages sent without the recipient’s prior consent. Aside from limited exceptions, the prohibition would have applied unless the receiver had consented13 and the message included prescribed information, including contact information of the person who sent it (which must be valid for sixty days following the communication) and an unsubscribe mechanism14 (which must also meet certain requirements).15
In light of the ECPA's detailed requirements for consent,16 it would not be easy for businesses to obtain the necessary prior consent from all recipients of commercial electronic messages. Specifically, the requester would be required to (a) "clearly and simply" describe the purpose for which the consent is being sought; (b) identify the person seeking consent; and (c) provide additional prescribed information (to be identified in the Regulations, which had not yet been drafted). Any attempt to request consent electronically that did not meet these requirements would itself have violated the s. 6 prohibition.
Under the ECPA as proposed, implied consent to receive commercial electronic messages would be effective in the case of an "existing business relationship" between the parties.17 However, in s. 10(4),18 this term was defined very narrowly, such that, for example, the recipient of the message must have purchased a product or service within 24 months prior to the date the message was sent. Another exemption to the general prohibition in s. 6 existed where the recipient of a communication was engaged in a commercial activity and the communication was sent purely to inquire about that activity;19 this is a quite narrow exemption for online business-to-business marketing.20
Section 8 of the ECPA prohibited any person from installing a computer program on another person’s computer system unless express consent was given by the owner or authorized user of the system. Like s. 6, this provision would operate as a general ban with limited exceptions. As such, this would have prohibited automatic software downloads. While intended to prevent the distribution of unlawful programs, this would also have prevented legitimate downloads, such as routine updates or security patches. Among other requirements, obtaining express consent for the purposes of this section required that the person requesting consent clearly describe the function, purpose and impact of every computer program to be installed if the consent was given.21
The general ban with limited exceptions approach in the proposed ECPA was of concern for at least two reasons. First, in contrast to international "anti-spam" legislation, which generally prohibits electronic commercial speech on the basis that it is alleged to be misleading or fraudulent, the proposed ECPA imposed broad, general prohibitions that could not be overcome unless specific, limited exceptions applied. There was no consideration of the nature or character of the message. Second, the significant constraints imposed by the ECPA might yet be found to constitute an impermissible limit on commercial freedom of expression, by forcing businesses to rely upon a limited number of technical exceptions for each and every commercial electronic message sent.
Although the national "do not call" ("DNC") list, administered through the CRTC under the Telecommunications Act, was only launched in September 2008, this regulatory regime to limit telemarketing could have been repealed in its entirety by Bill C-27. Specifically, s. 86 of Bill C-27 would have provided the federal government with the option to repeal the national DNC provisions of the Telecommunications Act regime at any time in the future, by Order in Council. Further, the s. 2 definitions of "electronic address" and "electronic message" included a telephone account and a voice message, respectively. As a result, telemarketing would have become subject to the opt-in approach of the ECPA whereby all telemarketers would have been required to obtain consent before contacting consumers by telephone or by e-mail. As such, telemarketing would have become subject to the much broader prohibitions, and to the AMPs, contained in the ECPA.22
Significant, and Possibly Punitive AMPs
In addition to the rigorous technicalities involved in trying to meet the requirements for prior consent or an exception that would have permitted them to send commercial electronic messages, businesses also faced the risk of having to pay significant and potentially punitive AMPs, of up to $1 million for an individual and up to $10 million for a corporation, after having been found to have contravened the prohibitions of the ECPA. A serious concern with these high penalties, which were stated to be intended to "promote compliance" and "not to punish,"23 was that they could have been imposed by the CRTC without the right to a trial. If an accused individual or entity did make submissions to defend an alleged violation of the ECPA, the CRTC would have been required to decide whether there was a violation only on a balance of probabilities.24 In addition, officers and directors of a corporation could have been held liable, whether or not an action was commenced against the corporation.25
Practical Concerns for Compliance
If, as expected, Bill C-27 is reintroduced, or if substantially similar legislation is tabled, businesses will need to review all of their policies and procedures relating to their online marketing activities. Activities that include the generation of e-mails will need to be reviewed, to ascertain whether the prohibition of s. 6 of the ECPA will be triggered, specifically whether the e-mail in question is captured by the s. 2 definition of a "commercial electronic message," such as one that offers to sell a product or service or offers to provide a business or investment opportunity.
For all "commercial electronic messages," the second stage of analysis will be to categorize them, to ascertain whether an exemption applies that would permit them to be sent, whether or not the recipient has provided a consent. As noted above, the exemptions are limited, but, among other things, include commercial electronic messages that only provide a quote or estimate,26 that facilitate, complete or confirm a transaction,27 or that provide warranty or product recall information about a product that the addressee has used or purchased.28
Where no category exemption is available, a third step would be to review the relevant e-mail mailing lists, in order to identify whether each of the recipients has provided his or her explicit consent to receive the commercial electronic message at issue. Where no explicit consent has been received, additional searches will need to be conducted to determine whether each addressee is an existing customer who has purchased a product or service within the past 24 months, such that the "existing business relationship" exception29 would be available. Where this is not the case, another route will be to consider whether the situation is one in which consent may be implied, such as where the recipient has conspicuously published his or her e-mail address, without making a statement that he or she does not wish to receive unsolicited commercial electronic messages and the message is relevant to that person’s business role or duties.30 Alternatively, research could be done to determine whether one of the other exemptions is available, such that the e-mail can be sent. (The Regulations, which had not been drafted prior to prorogation, were to have provided for additional exemptions.31)
On an ongoing basis, it will be important that all current customers be contacted, with a request that they provide a consent to receive marketing e-mails. Procedures will need to be established to ensure that such requests for consent are issued to new customers, before the end of the 24-month period provided for in the exemption.
Finally, procedures will need to be established to ensure that the content of all "commercial electronic messages" is reviewed prior to being sent out, to ensure that their content complies with the ECPA. For example, each commercial electronic message must include information that identifies the sender of the message, or the person on whose behalf it is being sent, include information enabling the recipient to contact the sender, and include an “unsubscribe” mechanism, in a prescribed format.32
Continued Monitoring of Successor Legislation
If Bill C-27 is re-introduced and enacted in a substantially similar form, businesses will face significant new limits on their ability to advertise and promote their products and services using e-mail and telemarketing. If they fail to comply with the consent provisions and prohibitions of the ECPA, they could face significant monetary penalties, as well as the risk of private actions against them by message recipients. In general, businesses will be forced to obtain direct consent from potential customers before sending any commercial electronic messages, including e-mails and automatic software downloads. Given the prevalence of electronic messaging as an important component of commercial marketing and advertising, this is likely to be onerous for businesses, and some may decide that it is preferable to curtail or even cease using methods of communication that can be effective and cost-efficient.