The Canadian Radio-television and Telecommunications Commission (CRTC) and Industry Canada have recently published proposed regulations under the Fighting Internet and Wireless Spam Act (FISA).
FISA, which is yet to come into force by government proclamation, will create a regulatory system to govern most forms of commercial electronic messages sent to Canadians, including email, text messages and, potentially, messages sent via social media (“electronic messages”). Under FISA, it will be necessary to have either express or implied consent to send such electronic messages, a requirement that will be set out in the regulations. Also, an unsubscribe mechanism complying with the statutory and regulatory requirements will be required.
The CRTC regulations outline the specific information that will be required in electronic messages, and the requirements for requests for consent to send electronic messages. Further, they prescribe that the unsubscribe mechanism required in such messages must be presented “clearly and prominently,” and be capable of activation in no more than two clicks or an equivalent level of efficiency.
When FISA comes into force, under the proposed CRTC regulations, electronic messages will need to include the following information:
- The name of the person sending the electronic message and, if different, the name of the person on whose behalf it is sent;
- Where applicable, a statement identifying the person sending the electronic message and the person on whose behalf it is sent, and indicating any other names by which they may carry on business; and
- The physical and mailing addresses, telephone number, email address and a web address of the person sending the message and, where applicable, of the person on whose behalf the message is sent.
Where it is “not practicable” to include the above information in the commercial electronic message itself, the CRTC regulations include a key exception that will allow this information and the unsubscribe mechanism, to be provided via a clearly and prominently labelled one-click link to a website that contains them. This exception will likely be essential for messages with space constraints such as text messages and, potentially, for messages through social media platforms.
The regulations also provide that information required in a commercial electronic message must also be included in a request for consent to send such messages; however, it would also be necessary to identify the purposes for which consent is sought, and to state that consent may be withdrawn at any time. Interestingly, the regulations state that a request for consent must be “in writing” and do not provide for verbal requests for consent, even if these are recorded.
The Industry Canada regulations provide definitions of a “family relationship” and a “personal relationship,” thus determining the scope of a broad exception to the requirements of FISA. Neither the consent nor the disclosure requirements will apply to electronic messages sent by or on behalf of someone with whom the recipient has a family relationship, defined as a blood relationship, marriage, common-law partnership, or adoptive relationship, and including persons connected by a blood relationship to such individuals. Similarly, the requirements for electronic messages will not apply to messages sent by or on behalf of someone with whom the recipient has a personal relationship established through at least one in-person meeting and a two-way communication within the previous two years. As proposed, the “personal relationship” exception would not extend to relationships established solely online, such as may be the case with many social media platforms.
The Industry Canada regulations also specify the uses that may be made of consent obtained when the person on whose behalf it is sought is not known, as is frequently the case for third-party mailing lists. In such cases, the person who first obtained the consent may authorize the recipient of the list to use it. However, the ultimate user of the list must identify the person who obtained the consent in their electronic messages, and the unsubscribe mechanism must allow the recipient of the message to withdraw consent — not only to the person who sent the message, but also from the person who obtained the consent as well as any other person they authorized to use it.
Both the CRTC regulations and Industry Canada regulations are currently open for public consultation. Interested parties have until August 29, 2011 to comment on the proposed CRTC regulations and until September 7, 2011 to comment on the proposed Industry Canada regulations.
Preparing To Comply with FISA
FISA allows for a three-year transition period (from the date on which the Act comes into force) over which businesses may rely on implied consent to send electronic messages to persons with whom they have an existing business relationship or non-business relationship that includes the sending of electronic messages. In such cases, the recipient is still permitted to withdraw their consent at any time. Existing business relationships will include persons who purchased a good or service within the two years immediately prior to the electronic message, or who inquired about a good or service within six months prior to the message.
Apart from this exception, when FISA comes into force, it will require many businesses to reconsider their existing consents for electronic marketing, and to ensure that future requests for consent and electronic messages are in compliance. Businesses involved in electronic marketing should consider the following practices in preparation for FISA:
- Review your existing consents to contact consumers. Existing express consent will survive the coming into force of FISA.
- Seek additional express consents to electronic marketing before FISA comes into force.
- Review the manner in which you are seeking express consent to ensure you are prepared to comply with FISA after it comes into force. Retain an accurate list of the consents you receive, and scrub it to remove persons who have withdrawn their consent.
- Review your procedures for maintaining an accurate and current list of the consumers for whom you can establish implied consent through either an existing business relationship or an existing non-business relationship.
- Review the categories of electronic messages you distribute to identify those that fall within exceptions to the consent requirements. Such exceptions are available for messages that solely: complete, facilitate or confirm a commercial transaction, provide warranty or recall information, or provide a quote or estimate in response to a request.
- After FISA comes into force, ensure your electronic messages provide the prescribed information and contain a functional unsubscribe mechanism.
- Honour unsubscribe requests within 10 business days.
- Establish a FISA compliance policy to ensure that the classes of electronic messages you send are in compliance with FISA. A defence is available to persons who can establish they undertook due diligence to prevent violations.
- Implement policies to train any staff and third-party suppliers involved in the dissemination of electronic messages to comply with FISA and your compliance policy. Also, inform them of the consequences for failing to comply.
- In obtaining marketing lists from third-party providers, review the contracts to ensure they contain a representation and warranty that the list was assembled in compliance with FISA and that the provider will maintain the list in compliance with all FISA requirements including withdrawals of consent.
- If you outsource electronic marketing to a third party, review and update your services contract to ensure it requires compliance with FISA.