Email and other types of electronic communication provide their users with very cost-effective ways to reach out to a wide audience, and as anyone with an email account can tell you, this can result in copious quantities of unwanted emails or spam. Bill C-27, also known as the Electronic Commerce Protection Act (the “ECPA”), was introduced in order to address this problem and it has just passed first reading in the Senate. As the ECPA will apply to anyone who sends electronic communication, it is advisable for charitable and non-profit organizations to review their privacy policies and their electronic communication practices to ensure that they are aligned with the provisions of the ECPA, and to take advantage of the exemptions set out in the ECPA for charities and those engaged in non-commercial activities. This article provides a general overview of what the ECPA will entail.
The ECPA applies to electronic messages. An electronic message refers to a message sent by any means of telecommunication, including a text, sound, voice or image. An electronic address refers to an email account, an instant messaging account, a telephone account or any similar account. More specifically, the ECPA seeks to regulate commercial electronic messages. A commercial electronic message includes a message sent to an electronic address that:
- promotes, advertises or offers to purchase, sell, barter or lease a product, good, service, land or an interest or right in land;
- promotes, advertises or offers to provide a business, investment or gaming opportunity; or
- promotes a person as being a person who does, or intends to do, anything referred to above.
Implicit and Explicit Consent to the Receipt of Commercial Electronic Messages
Under section 6 of the ECPA, a person cannot send an electronic message without the recipient's prior consent. Consent is implied where there is an existing business or non-business relationship between the sender and the recipient of the message. Of particular interest for non-profit organizations is the term, "existing non-business relationship", which is defined as a non-business relationship between the sender and the recipient and within the two-year period preceding the date on which the message was sent:
- where a registered charity is the sender - the recipient had made a donation the sender, or had performed volunteer work for the sender.
- where the sender is a club, association or voluntary organization as defined in the ECPA regulations - the recipient was a member of the sender.
If the sender does not have an existing relationship with the recipient, the sender must obtain the express consent of the recipient prior to sending the electronic message by setting out clearly and simply:
- the purpose for which the consent is being sought;
- the information that identifies the person seeking consent or, if applicable, the person on whose behalf the consent is being sought; and
- any other information set out in the ECPA regulations.
Content of Electronic Messages
Regardless of whether the consent obtained is expressed or implied, the ECPA requires the sender to set out the following information in any unsolicited commercial electronic message and provide a mechanism that allows the recipient of the message to "unsubscribe" or withdraw his or her consent to receive further messages from the sender:
- information that identifies the sender of the message or, if applicable, the identity of the person on whose behalf the message is sent; and
- the contact information of the sender that is valid for at least 60 days.
The unsubscribe mechanism can operate through the same electronic means by which the message was sent, but otherwise the message must contain an electronic address or hyperlink by which the recipient’s unsubscribe request can be submitted. In addition, each unsubscribe request received by a sender must be put into effect no later than 10 business days after the request was sent.
Collection of Personal Information
The ECPA also amends the Personal Information Protection and Electronic Documents Act (PIPEDA) by requiring that the sender obtain the consent of the recipient to collect and use the recipient’s personal information through any means of telecommunication, if the collection is made by accessing a computer system without the recipient’s authorization. For more information on how PIPEDA applies to charities and non-profits see our January 2005 and November 2006 newsletters.
The maximum fine for a violation of the ECPA prohibitions is $1 million in the case of an individual, and $10 million in the case of any other person (i.e. an organization). However, violators of ECPA may also have to pay for loss or damage suffered by each individual who claims a private right of action under the ECPA prohibition on commercial electronic messages sent to them without their consent. Under a private right of action, the court may issue an order requiring the violator to pay compensation to each such recipient up to a maximum of $200 for each contravention, and up to $1 million for each day on which any contravention occurred.
Certain electronic messages are exempt from the ECPA prohibition, including:
- a message sent by an individual to a recipient with whom he or she has a personal or family relationship;
- a message that provides notification of factual information about the ongoing subscription, membership, or account of the person to whom the message is sent, or the use or purchase by a person to whom the message is sent about a product, good or service offered under a subscription, membership or account by the person who sent the message;
- an interactive two-way voice communication between individuals;
- a fax sent to a telephone account;
- a voice recording sent to a telephone account; and
- a message that is sent in circumstances that will be specified in the ECPA regulations (the ECPA regulations have not been developed at this time).
The ECPA requires that recipients provide consent for the receipt of electronic messages from the sender. In addition to obtaining consent, the sender must provide full disclosure of the intent or purpose of procuring the recipient’s electronic address, and inform the recipient that he or she can opt out of receiving information from the sender at any time. The sender must therefore have an opt-out or unsubscribe mechanism in place prior to sending electronic messages.
For the most part, these types of activities should be quite familiar to organizations with privacy practices. However, it is worthwhile to review of your organization’s practices and policies with respect to communications, compiling donor lists, volunteer lists, and protecting personal information to prevent inadvertent breaches of the ECPA when it comes into effect.