The Canadian Parliament is now considering the Electronic Commerce Protection Act (ECPA), which was introduced by the Government of Canada on April 24, 2009 with the stated purpose “to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware”. The ECPA creates a comprehensive regime of offences, enforcement mechanisms and severe penalties, all designed to detect and deter specific kinds of fraud and deception in the online marketplace. All businesses engaged in electronic marketing and software distribution in Canada should be familiar with the ECPA and be prepared to comply with its requirements for the lawful use of commercial electronic messages and restrictions regarding the distribution of software.
I Regulated Conduct
(a) Commercial Electronic Messages – Spam
The ECPA establishes a permission-based regime for commercial electronic messages, by prohibiting the sending of a commercial electronic message to an electronic address unless the recipient has consented to receive the message and the message complies with specified formalities (including information regarding both the actual and beneficial sender of the message, a sender’s contact information, and an effective and timely unsubscribe mechanism).
The ECPA uses technology-neutral language to broadly define “electronic message” and “electronic address” to include all forms of messages sent by means of telecommunication, including email, instant messaging, and messages to telephone accounts. The prohibition applies to the person who actually sends the message and all persons on whose behalf the message is sent. An electronic message is considered to be “commercial” if the message content, including hyperlinks to websites and contact information, makes it reasonable to conclude that a purpose of the message is to encourage participation in a commercial activity, including transactions for goods, services, or land, business, investment or gaming opportunities, or the promotion of a person involved in any of those activities.
The prohibition does not apply to non-commercial messages. There are also various exceptions, including messages sent to telephone accounts by live voice communication, facsimile communication, or voice recording, messages between persons with a personal or family relationship, or an inquiry regarding a commercial activity sent to a person engaged in that commercial activity.
Consent to a commercial electronic message may be express or implied. Express consent must be based upon the disclosure of prescribed information (including the purposes for which consent is sought and the identity of the person seeking the consent). Consent may be implied in only limited circumstances, including a current or recent pre-existing business relationship between the sender and recipient (including a current written contract between them or a commercial transaction within the previous 18 months) or a pre-existing non-business relationship between the sender and recipient (including a donation by the recipient to a sender charity or political party within the previous 18 months).
Notably, the requirements of prior consent and formalities also apply to an electronic message that seeks consent to send further commercial electronic messages.
(b) Fraudulent Data Collection – Phishing
Phishing is a fraudulent technique that uses counterfeit websites or fake electronic messages to fool individuals into disclosing their personal, financial, and other sensitive information to unintended recipients. The victim intends to send the information to one recipient, but in fact it goes somewhere else.
The ECPA contains an anti-phishing provision that prohibits a person, in the course of commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent. The consent must be informed (based upon prescribed information disclosure), and an effective and timely consent withdrawal mechanism must be provided as well.
(c) Software Downloads – Spyware
Spyware is computer software that is surreptitiously installed on a computer system to collect information about the user and use of the computer system.
The ECPA prohibits a person, in the course of commercial activity, from installing a computer program on any other person’s computer system, or causing that computer program to send an electronic message from the computer system, without the express consent of the owner or authorized user of the computer system. The consent must be informed (based upon prescribed information disclosure), and an effective and timely consent withdrawal mechanism must be provided as well. These provisions are not limited to malicious spyware; they would apply to the legitimate distribution of software updates and software that autonomously sends messages for legitimate reasons.
The ECPA also amends the Canadian Personal Information Protection and Electronic Documents Act to prohibit the unauthorized collection of an individual’s electronic address or personal information by use of a computer program designed for collecting that information or by unauthorized access to a computer system, or the use of an electronic address or personal information collected in that manner, without the individual’s consent.
(d) Misleading Electronic Messages
The ECPA also amends the Canadian Competition Act to add new provisions prohibiting the sending of an electronic message that contains false or misleading information regarding the sender or subject matter of the message, false or misleading information in the content of the message, or false or misleading information regarding a source of data on a computer system (including a URL). The message recipient need not have been deceived or misled by the message for these provisions to apply, and they are not limited to commercial electronic messages.
(e) Do Not Call List
The ECPA amends the Canadian Telecommunications Act to cancel the National Do Not Call List, which was established by the Government of Canada in September 2008.
(a) CRTC Enforcement
The ECPA gives the Canadian Radio-television and Telecommunications Commission (CRTC) broad powers to investigate and impose substantial administrative monetary penalties for violations of the ECPA.
The CRTC’s investigatory powers include requiring telecommunications service providers to preserve transmission data that is in, or comes into, their possession or control; requiring persons to produce documents or data in their possession or control; and obtaining a warrant to search a place for evidence. There are significant financial penalties for non-compliance with investigatory requirements.
If the CRTC believes that an ECPA violation has occurred, it can resolve the matter on the basis of a voluntary “undertaking” from the person involved. The undertaking is a kind of settlement agreement that describes the unlawful conduct and the penalty required to be paid, and may include other conditions as well. Alternatively, the CRTC can issue a notice of violation that sets out the alleged ECPA violation, penalty to be paid and prohibitions against future misconduct. A person named in a notice of violation can either accept and comply with the notice or make representations to the CRTC disputing the notice and defending their conduct. If a notice of violation is disputed, the CRTC is then required to decide, on a balance of probabilities, whether the person committed the violation and the appropriate penalty and other prohibitions. CRTC decisions can be appealed to the Federal Court of Appeal, but permission to appeal is required in certain circumstances.
The stated purpose of an administrative monetary penalty is to promote compliance with the ECPA and not to punish. In most cases, the maximum penalties are $1 million for an individual and $10 million for an organization. The factors to be considered in assessing penalties include the nature and scope of the violation, past violations, the financial benefits of the violation, and ability to pay.
An ECPA violation is not a criminal offence, and is not punishable by imprisonment. Corporate officers and directors can be held personally liable for corporate violations, and employers can be held liable for violations committed by their employee or agent acting within the scope of their employment or authority. Due diligence to prevent the commission of the violation is a defence.
Canadian courts may enforce CRTC orders, and issue injunctions prohibiting ECPA violations.
(b) Competition Act Penalties
False and misleading electronic messages prohibited by the amendments to the Competition Act can be dealt with either as reviewable conduct (which is subject to administrative monetary penalties) or criminal offences (which are subject to severe penalties – a fine and up to 14 years in jail for conviction on indictment, or a fine not exceeding $200,000 and up to 1 year in jail for summary conviction).
(c) Private Enforcement
The ECPA gives a private right of civil action to a person affected by a violation of the anti-spam, anti-phishing, or anti-spyware provisions of the ECPA, the unlawful collection, use or disclosure of personal information in violation of certain provisions of the Canadian Personal Information Protection and Electronic Documents Act, or misleading electronic messages in violation of certain provisions of the Competition Act. The action may be brought against the persons who committed the violation and all other persons liable for the violation (including corporate directors and officers and persons whose employees or agents committed the violations within the scope of their employment or authority). A private right of action is not available if the violation is already subject to an undertaking or a notice of violation issued by the CRTC.
The remedies available in a private action include compensation for loss, damage and expense, and a penalty of up to $200 for each contravention to a maximum of $1,000,000 for each day on which one or more contraventions occurred.
The private action remedy is modeled on similar legislation in the U.S., where courts have issued multi-million dollar judgments against spammers.
(d) Consultation and Coordination
The ECPA permits the CRTC, the Commissioner of Competition and the Privacy Commissioner to consult with each other and to coordinate their activities regarding the enforcement of the ECPA, the Personal Information Protection and Electronic Documents Act, the Competition Act, and the Telecommunications Act. The ECPA also permits the disclosure of personal information to foreign governments and institutions and international organizations to assist in an investigation or proceeding regarding unlawful activities that would constitute violations of the ECPA or related laws.
The Government of Canada has also announced that Industry Canada will act as a national coordinating body in order to increase consumer and business awareness and education, to coordinate work with the private sector regarding voluntary guidelines, and to conduct research. Also, the Government intends to create a Spam Reporting Centre to receive reports of spam and related threats.