Readers of The Cassels Brock Report will recall our 2010 reports on the former Bill C-27 (the Electronic Commerce Protection Act), which died when Parliament was prorogued in 2009, and on Bill C-28, known as the Fighting Internet Wireless Spam Act, click here. In mid-December, 2010 the Senate finally approved anti-spam legislation with the unwieldy title “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act” (the “Act”). If the title is any indication of the clarity or precision of this legislation, we should be in for many years of confusion and litigation.

So, what of this new statute? Well, it is a very lengthy and rather technical read, due in part to the fact that it attempts to use a multi-faceted approach to address spam issues by empowering the CRTC both to administer and enforce the Act and to facilitate the sharing of information and co-ordination of activities between the CRTC, the Commissioner of Competition and the Privacy Commissioner of Canada. That said, the two main harms that it tries to address are unsolicited electronic messages, colloquially known as “SPAM”, and spyware/“phishing” issues. Although section 20 of the Act specifically states that the point of the legislation is to promote compliance and not to punish, the “administrative monetary penalties” that may be levied by the CRTC can be as high as $1 million in the case of individuals and $10 million in the case of other persons. That sure sounds like punishment.

Law abiding business people will be legitimately concerned about this new law and how to avoid being caught by it. What are the steps in the analysis?

Are You Sending an “Electronic Message?”

This Act deals with text, sounds, voice and image messages that are sent by means of telecommunications. As annoying as junk mail in your postbox may be, this Act will do nothing to stop that.

Is the Electronic Message “Commercial?”

Section 1(2) of the Act describes what is meant by a “commercial electronic message.” In essence, this section tells us that, when having regard to the content, hyperlinks or the contact information in the electronic message it would be reasonable to assume that the purpose or a purpose of the message is to encourage participation in a “commercial activity,” then the electronic message is considered to be a “commercial electronic message.” However, as simple as that may seem, it’s not quite so straightforward.

The Act also defines “commercial activity” and, in doing so, makes it clear that charities and not-for-profit organizations are not off the hook. The definition of “commercial activity” specifically states that it includes transactions, acts or conduct “of a commercial character, whether or not the person who carries it out does so in the expectation of profit.” For those clever spammers who might be tempted to first send an email to an individual seeking consent for a subsequent spam message, section 1(3) of the Act covers that as well and declares such electronic messages requesting consent to be “commercial electronic messages.”

Has the Recipient Consented to Receiving the Commercial Electronic Message?

The basic premise of the Act is that spam messages cannot be sent without consent and that, even if there is consent, the message must nevertheless meet certain requirements. Consent may be express or implied.

However, before discussing consent, it is important to note that, by virtue of section 6(5) of the Act, there are certain types of commercial electronic messages to which the Act does not apply at all. For example, the Act does not apply to commercial electronic messages sent to persons with whom the sender has a “personal or family relationship” or to commercial electronic messages sent to persons engaged in commercial activities if the message is merely an inquiry or application related to that activity. The Act also allows for further exceptions to be enacted through Regulation. Eventually the Regulations will define what “personal or family relationship” means. That definition will be interesting to read, especially given the casual way in which people accept “friends” through social networking sites like Facebook.

While section 6(5) exempts certain types of commercial electronic messages altogether from the purview of the Act, section 6(6) provides additional exemptions insofar as the requirement to obtain consent is concerned. These types of emails do not require consent:

  • Providing a requested quote or estimate for the supply of a product, good, service, land or interest/right in land;
  • Facilitating, completing or confirming a previously agreed commercial transaction with the recipient;
  • Providing warranty, production recall or safety/security information about a products, good or service that the recipient uses, has used or has purchased;
  • Providing notice of factual information about the ongoing use or purchase by the recipient of a product, good or service offered under a subscription, membership, account, loan or “similar relationship;
  • Providing notice of factual information about an ongoing subscription, membership, account, loan or “similar relationship” of the recipient;
  • Providing employment or benefits information to employees or plan participants; and
  • Delivery of a product, good or service (including updates/upgrades) that the recipient is entitled to receive under the terms of a previous transaction.

(These exceptions have been paraphrased for ease of reading. Please consult section 6(6) of the Act for the specific wording.)

If the commercial electronic message is not exempted from the Act under section 6(5) and not subject to the exemption to the requirement for consent under section 6(6), it may still be possible to argue that consent has been implied. Section 10(9) allows for a number of situations in which consent may be implied. Likely the one that will be heavily relied upon and sorely tested will be the “existing business relationship” and “existing non-business relationship” situations. Essentially, if the sender and recipient have done business together by way of the purchase or lease of a product, good, service, land or interest/right in land in the two- year period immediately before the message is sent, then they will be considered to have an “existing business relationship” and the recipient’s consent to the commercial electronic message will be implied.

The Act states that “existing non-business relationships” also qualify for implied consent treatment. These are not the “personal or family relationships” mentioned above. Rather, they are relationships arising from the recipient’s activities as a donor or volunteer for a registered charity, political party or political candidate in the two-year period preceding the sending of the message, as well as relationships occurring as a result of the recipient’s involvement as a member of a club, association or voluntary organization in the two years preceding the sending of the message. The practicality of time limits on relationships remains to be seen. While Parliament likely intended to require express consent in situations of dormant “existing business relationships” and “existing non-business relationships”, one might argue that two years is far too short a period, especially in industries where transactions and contact are infrequent.

Another interesting implied consent scenario is the “business card” implied consent. Section 10(9)(c) allows a sender to imply consent where the recipient has provided his/her electronic address and has not indicated that he/she does not want to receive unsolicited commercial electronic messages and the message is relevant to the recipient’s “business, role, functions or duties in a business or official capacity.”

How to Comply?

Assuming that no exceptions apply and that consent cannot be implied, what is an organization to do that wants to send an unsolicited commercial electronic message? Quite simply, there is no easy way around this. At this point, the sender must obtain consent or risk substantial “administrative monetary penalties”. When signing up customers, include language in your application forms to permit the sending of these types of commercial electronic messages much in the same way as privacy consents are collected. This will take some organizational discipline, but, since most Canadian organizations are used to collecting consent for privacy purposes, theoretically, adding another consent request should not be too onerous.

What are the Other Message Requirements?

Even once consent is obtained, the Act requires that certain formalities be met for the actual commercial electronic messages themselves. Each such message must:

  • Set out certain information (to be prescribed in the Regulations) identifying the sender or person on whose behalf the message has been sent;
  • Set out contact information about the sender that is good for sixty days following the date of sending. This requirement is fairly specific in that the recipient has to be able to “readily” contact the sender using the information. A general email box may not necessarily suffice;
  • Provide an unsubscribe mechanism (either through an electronic address or a link to a web page) that is good for sixty days after the sending of the message. The unsubscribe request must be honoured ten business days after the request was sent.

(Requirements paraphrased.)

What’s the Downside of Not Complying?

As mentioned above, the Act has significant “teeth” in terms of the ability of the CRTC to impose severe administrative monetary penalties for “violations.” These “AMPs” can be as high as $1 million in the case of individuals and $10 million in the case of corporations. In addition, the Act gives the CRTC the ability to pierce the corporate veil and hold directors, officers, agents and mandataries liable if they direct, acquiesce in, authorize, assent to or participate in the violation, whether or not the CRTC proceeds against the corporation itself. The AMP process assumes that violators are guilty – i.e., violators are issued a “notice of violation” that already sets forth the amount of the AMP. The alleged violator then has an opportunity to make representations as to either the amount of the AMP or as to why he/she did not contravene the Act. However, the potential problems don’t end there.

The Act also creates a private right of action for aggrieved individuals for a breach of sections 6 to 9 of the Act, section 5 of the Personal Information Protection and Electronic Documents Act (for a breach that relates to subsections 7.1(2) or 7.1(3) of that legislation) and for reviewable conduct under section 74.011 of the Competition Act. The private right of action allows for compensatory damages in addition to the imposition of additional monetary penalties that are similar in scope to the AMPs.

Is the Act in Force Yet?

Although the Act has received Royal Assent, it has not yet been proclaimed in force. There’s no official word yet on when the proclamation may be made or whether the entire Act will be proclaimed in force at once. Given that the Act, if proclaimed in its entirety, would regulate telemarketing and do away with the recently-created “Do Not Call List,” it is possible that it may be proclaimed in stages, in order to give the CRTC an opportunity to gain experience in regulating spam and spyware before dismantling the Do Not Call List.

What Can You Do?

Now is the time for businesses to assess their email marketing campaigns and clean up their email lists. Look for whether email recipients have granted consents to receive emails and if not, whether any exceptions from the requirement to obtain consent applies or whether you can shelter your email campaign under an “implied consent” rule. If you do not have any form of consent and no exception applies, get working on obtaining consents so that when the Act is proclaimed in force, you can continue with your email marketing campaigns without any hiccups. Be prepared!