On Monday, September 27, 2010 Canada’s proposed new “Anti-Spam” law, the Fighting Internet and Wireless Spam Act (or “FISA”), received second reading in the House of Commons. In moving that the Bill be sent to Committee, the Minister of Industry stressed the high priority that the government is giving to its adoption. Since the Bill also has the support of all three opposition parties, it appears likely that the legislation will soon become law.
The new law will have a significant impact on how mainstream Canadian businesses communicate with their existing customers and others, and how small businesses develop new customers. While the high-profile target of the law will be “spammers” – persons who send mass unsolicited e-mails marketing sketchy products through questionable business tactics – it will apply to the full cross-section of the commercial marketplace.
Overview – Impact on Business
The new law contains significant procedural and substantive rules governing commercial e-mails. For example, all e-mails must include a readily usable “unsubscribe” mechanism. New offences under the Competition Act are created for sending e-mails containing false or misleading subject lines or sender particulars. However, it is within the consent requirements that the new rules will have the greatest impact on businesses across Canada.
The general rule is that express “opt-in” consent must be obtained, subject to a proviso that “implied” consent may be used within specifically defined circumstances, such as a contractual relationship with the intended recipient. This approach contrasts broadly with the consent rules under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) – which have governed businesses’ e-mail marketing activities since January 1, 2001 – and will require more stringent procedures than under that Act. Under PIPEDA, “opt-out” consent is permitted and implied consent is not limited to specific relationships or transactions, as it will be under FISA. The bottom line is that most organizations that currently maintain PIPEDA-compliant e-mail contact lists will discover that those lists are not grandfathered under FISA and that they will need to be requalified by fresh, opt-in consent.
The basic prohibition contained in FISA is against sending a “commercial electronic message” unless the recipient has consented to receiving the message and the message contains certain prescribed information, including the identity of the sender and the sender’s contact information, as well as the unsubscribe mechanism. The definition of “electronic message” is very broad and extends to voice communications (although a separate provision excludes two-way voice, pre-recorded one-way voice and fax communications, which currently are governed by the separate National Do Not Call Rules). What is considered “commercial” is similarly very broad – including any offer to transact any product or service or an interest in land, offer an economic opportunity (including gambling) or to promote any of these activities.
The required unsubscribe mechanism must remain operative for 60 days. An unsubscribe request must be acted on within 10 days.
Several broad categories of messages are excluded entirely from the prohibition or, while governed by it, will have no consent requirement.
Excluded entirely are messages between individuals having a family or other personal relationship (which will be defined more explicitly by regulation) and business-to-business inquiries or applications. A second category of messages will be required to comply with the content provisions but not the consent requirement. This category broadly includes commercial communications that have a consensual basis, specifically: providing a quote in response to a request, facilitating a commercial transaction, providing warranty, product recall or safety information about a purchased product, providing information regarding the ongoing use of a purchased product or service or an employment relationship, or delivering a product or service (including upgrades) respecting a previously purchased product or service, to which the purchaser is entitled.
A further broad group of electronic communications is in effect exempt from the consent requirements by falling under the category of “implied consent.” The most important of these are the sub-categories of “existing business relationship” and “existing non-business relationship.” The term “implied consent” is defined to include only specified circumstances: in addition to the two noted sub-categories, it includes a person posting an e-mail address in a way that in effect invites communications, or providing an e-mail address to a sender with no indicated intent not to receive messages, provided that any message sent is relevant to the person’s business. There is scope to add additional sub-categories by regulation; however, to date, there is no indication that this will be done.
The scope of the “implied consent” rule is delimited by the explicit definitions given to the operative terms “existing business relationship” and “existing non-business relationship,” both of which – when account is taken for their differential contexts – have similar elements. In essence, the required element is either a commercial relationship (e.g. product purchase or written contract) or a non-commercial relationship (gift or donation, volunteer work or membership in an organization) in existence currently or within the previous two years. In addition to an actual transaction, an existing business relationship includes an inquiry made within the previous six months.
The scheme of the proposed legislation is, broadly, that if a person wishing to send commercial e-mails does not qualify within either of the exempt categories (essentially, personal or on-going commercial relationships) and cannot qualify under the defined “implied consent” category, that person must obtain a recipient’s express consent prior to sending any e-mail communication. This limitation extends to any e-mail requesting consent to receive future communications.
Express consent under FISA must be given on an opt-in basis. The request for consent must set out clearly the purposes for which it is sought and, in a prescribed manner, identity information of the requestor. A further provision places the onus on the organization to prove that consent was obtained.
Obtaining express consent to send commercial e-mails will be a significant consideration under FISA. While the two exempt categories and the defined “implied consent” sub-categories will permit e-mail communication for active, or recently ended, commercial and non-commercial relationships, organizations that rely on e-mail to communicate and market to a broader community will need to obtain express consent to ensure that their messages are compliant. Furthermore, most organizations that maintain e-mail contact lists are unlikely to want to limit those lists to current or recent customers (or donors). While such recipients clearly are an important element in contact lists, organizations typically do not remove them from their lists once that active relationship has ended. To comply with FISA, removal of names from a list would need to be done at the two-year post-transaction (or six-month post-inquiry) point. Even if organizations were inclined to “scrub” their lists in this manner, effective management of such a process would be challenging, requiring not only comprehensive input criteria (e.g. relevant end-dates of transactions; date of last inquiry) but also an active due diligence function to ensure compliance.
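To make the list-scrubbing problem described above concrete, here is an added illustration (not from the bulletin or its author) that classifies each contact as having express consent, implied consent under the two-year post-transaction or six-month post-inquiry windows, or no usable consent. The `Contact` fields, the day counts used for the windows, and the simplified handling of the three-year transitional period are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Windows described in the bulletin; the day counts are an approximation (assumption).
TRANSACTION_WINDOW = timedelta(days=730)    # two years after the last purchase / contract
INQUIRY_WINDOW = timedelta(days=183)        # six months after the last inquiry
TRANSITION_WINDOW = timedelta(days=1095)    # three-year transitional period

@dataclass
class Contact:
    email: str
    express_optin: bool = False              # recorded positive opt-in consent
    last_transaction: Optional[date] = None  # purchase, contract, gift, donation, membership
    last_inquiry: Optional[date] = None
    unsubscribed: bool = False

def _within(last: Optional[date], window: timedelta, as_of: date) -> bool:
    return last is not None and timedelta(0) <= as_of - last <= window

def consent_basis(c: Contact, today: date, in_force: Optional[date] = None) -> str:
    """Return 'express', 'implied' or 'none'; 'none' means a fresh opt-in is needed first."""
    if c.unsubscribed:
        return "none"
    if c.express_optin:
        return "express"
    # Ordinary implied-consent test: relationship current or recently ended.
    if _within(c.last_transaction, TRANSACTION_WINDOW, today) or _within(c.last_inquiry, INQUIRY_WINDOW, today):
        return "implied"
    # Simplified reading of the transitional rule (assumption): a relationship that
    # qualified on the day the Act came into force keeps implied consent for three years.
    if in_force is not None and timedelta(0) <= today - in_force <= TRANSITION_WINDOW:
        if _within(c.last_transaction, TRANSACTION_WINDOW, in_force) or _within(c.last_inquiry, INQUIRY_WINDOW, in_force):
            return "implied"
    return "none"

def scrub(contacts: List[Contact], today: date, in_force: Optional[date] = None) -> Tuple[List[str], List[str]]:
    """Split a list into contacts that can still be e-mailed and those needing fresh opt-in."""
    sendable = [c.email for c in contacts if consent_basis(c, today, in_force) != "none"]
    requalify = [c.email for c in contacts if consent_basis(c, today, in_force) == "none"]
    return sendable, requalify

# Constructed sample list (not real data).
SAMPLE = [
    Contact("a@example.com", express_optin=True),
    Contact("b@example.com", last_transaction=date(2010, 3, 1)),
    Contact("c@example.com", last_transaction=date(2007, 3, 1)),
    Contact("d@example.com", last_inquiry=date(2010, 6, 1)),
    Contact("e@example.com", last_inquiry=date(2009, 6, 1)),
]
```

Running `scrub(SAMPLE, date(2010, 10, 1))` keeps a, b and d and flags c and e for requalification; passing an `in_force` date shows how the transitional reading can temporarily keep a lapsed relationship on the sendable list.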
Requalifying Contact Lists
It is more likely that organizations will seek to develop permanently qualified contact lists, which can only be done through obtaining express consent. Clearly, qualifying contact lists under FISA will be a challenging – and potentially costly – process for organizations. Various strategies may be identified. However, the common denominator will be that, over and above currently existing, PIPEDA-compliant consents (which likely do not qualify under FISA as express consent, or in any event are unlikely to be recorded as such), a new, positive opt-in consent will be required.
FISA appears to recognize – to a degree – the burden that this requalification will place on organizations. A three-year transitional period is provided for – essentially eliminating, during that time, the two-year post-transaction (or six-month post-inquiry) period in respect of lists that otherwise qualify under the implied consent rule when the legislation comes into force. However, this extension only applies in respect of the defined categories of existing business and non-business relationship. It does not address any general grandfathering or transitional mechanism for existing contact lists. Consequently, organizations should be considering initiating FISA-qualification procedures in advance of the legislation coming into force, since, once that occurs, current consents may not qualify for purposes of e-mail requests for a FISA consent – only FISA-qualifying consents may be used, which for the most part likely will fall under one of the new defined “implied consent” sub-categories.
FISA also contains anti-hacking provisions – essentially prohibitions against malicious or unauthorized interference with private electronic messages, as well as prohibitions against unauthorized access to computer systems (such as through spyware, malware and “bot nets”). Such programs may be used to collect and transmit a user’s personal information to criminal elements for illegal purposes such as identity fraud. However, as with the Bill’s approach to commercial e-mail, the prohibitions cast a much wider net – subject to specific exceptions, requiring all downloads of computer software to have the express consent of the user (which would include updates or upgrades to existing programs, typically initiated by the software vendor or licensor). Furthermore, if the downloaded software will perform functions such as collecting the user’s personal information, changing the settings already installed on the computer, or interfering with data already stored on the computer, this fact must be described clearly, prominently and separately from the licence attached to the software.
In response to concerns that, as initially written, prohibitions were too broad and could be unworkable, FISA’s predecessor bill, the Electronic Commerce Protection Act, was amended to allow downloading of specified computer programs, such as cookies, where it is reasonable to assume the user’s consent, as well as upgrades to existing programs that have been installed previously with the user’s consent.
The implication of non-compliance with the FISA e-mail prohibitions can be severe, as is reflected in the remedial and offence provisions in the legislation. Here again, the legislation’s thrust is to remedy bad practices of spammers but casts its net so widely that compliance-oriented organizations across the board, as well as small businesses who may lack the sophistication to knowledgeably comply, will face the same risks of non-compliance.
FISA provides for three categories of remedies or penalties:
- administrative monetary penalties (or “AMPs”) for violations of FISA in amounts of up to $1,000,000 for individuals and $10,000,000 for other entities;
- criminal offences for obstructing an investigation; and
- a private right of action for persons suffering actual loss or damage as a result of non-compliance with FISA or the related prohibitions contained in the Competition Act and PIPEDA.
With respect to both the violations and the criminal offences, directors and officers who authorized an organization’s non-compliance will be personally liable.
The private right of action is significant and potentially far-reaching. It is available to any individual or other person who has suffered damage as a result of non-compliance. While it will be necessary to prove actual damages, it is possible to envisage class actions involving potentially thousands, or even millions, of plaintiffs.
Canada’s proposed new anti-spam law, FISA, while containing significant tools to combat spam and to make e-mail marketing more user-friendly and respectful, will require Canadian businesses and charities to devote significant attention (and resources) to requalifying their procedures for e-mail communications. Industry Canada, the author of FISA, appears to appreciate this potential impact. However, the transitional provisions contained in the Bill may be of limited assistance, and organizations should be focusing on what they can do in advance of the legislation coming into force. Compliance procedures available under FISA are likely to be more limited than under current PIPEDA rules.