On May 25, 2010, the Canadian Parliament introduced Bill C-28, the proposed Fighting Internet and Wireless Spam Act (FISA) to set out certain prohibitions on the sending of a commercial electronic message without the consent of the recipient. The Bill is intended to replace an earlier Bill, the proposed Electronic Commerce Act (Bill C-27) which was introduced in 2009 but was not enacted.

Prohibitions Against Spam

The Bill defines a “commercial electronic message” as an electronic message for which it would be reasonable to conclude, based on such factors as the content of the message and the contact information contained in the message, that one of its principal purposes is to encourage participation in a commercial activity. Such a message would include one that offers to buy or sell a product or service, that offers a business or investment opportunity, or that advertises or promotes the foregoing.

Section 7(1) of Bill C-28 sets out a general prohibition against the sending of a commercial electronic message without the express or implied consent of the affected recipient. The message must also be in a prescribed form and set out prescribed information, including information that would identify the sender and that would enable the recipient to contact the sender.

Subsection 7(6) of FISA sets out exceptions to the circumstances in which the recipient’s consent is required before sending commercial electronic messages. Specifically, the consent of the recipient is not required for electronic messages sent in the following circumstances:

  1. the sender and recipient have a personal or family relationship;
  2. the message is an inquiry or an application to a person engaged in a commercial activity;
  3. the message is a quote or an estimate for a product or service sent in response to an inquiry;
  4. the message is to confirm a commercial transaction previously agreed to by the parties;
  5. the message is to provide warranty, recall or safety information to a person who has used or purchased a product or service;
  6. the message provides factual information about an ongoing membership or subscription, or about the ongoing use or purchase of a product or service provided under a membership or subscription;
  7. the message provides information related to an employment relationship or benefit plan; or
  8. the message is intended to deliver a product or service that the recipient has previously purchased under a separate transaction.

The Bill also provides for the adoption of regulations to set out additional purposes for which electronic messages may be communicated without the need for the recipient’s consent.

Section 8 of FISA, like its predecessor in Bill C-27, prohibits the altering of transmission data in an electronic message, unless the alteration was made in accordance with a court order or with the express consent of the sender or recipient. A person who has received the sender’s or the recipient’s express consent to alter transmission data must provide the sender or recipient (as applicable) with a means to withdraw his or her consent.


Section 9 of FISA prohibits any person from installing a computer program in the course of a commercial activity, or from causing such a program to be used to send an electronic message without the express consent of the owner or authorized user of the computer system. Moreover, when requesting consent to install a computer program that will collect personal information, or will interfere with the control of a computer system, a person must describe the program’s material elements, and its nature, purpose and foreseeable impact on the operation of the computer system. Section 11(8) of FISA sets out certain circumstances in which a person is considered to expressly consent to the installation of a computer program (e.g., where the program is a cookie or HTML code and the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation).


Bill C-28 provides for fines of up to $1,000,000 for individuals and up to $10,000,000 for corporations for violations of FISA.

FISA also provides for a private right of action that may be brought by individuals against persons who send commercial electronic messages without consent. In any such action, a court may make an order for statutory damages in the amount of $200 for each electronic message sent in one day, up to a maximum amount of $1,000,000 for messages sent that day. FISA indicates that the purpose of an order for private action compensation is not to be punitive, but rather to promote compliance with FISA.

Power of the Regulators

FISA will also expand the mandate of each of the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the federal Privacy Commissioner to give them certain regulatory powers to deal with spyware and spam. For example, the CRTC will have the power to serve a demand requiring a telecommunications service provider to preserve transmission data in its possession or control.