The intent of the Fighting Internet and Wireless Spam Act (FISA), which received Royal Assent on December 15, 2010, is to deter the most damaging and deceptive forms of spam in Canada, and to create a more secure online environment. The Act creates a comprehensive regulatory regime of offences, enforcement mechanisms and severe penalties, all designed to protect individuals and businesses engaged in electronic commerce. FISA also extends the provisions of the Competition Act concerning false and misleading marketing to electronic messages, and restricts the scope of certain exemptions under the Personal Information Protection and Electronic Documents Act (PIPEDA). By addressing a broad range of Internet issues, FISA goes beyond the U.S. legislation, the CAN-SPAM Act, which focuses only on email spam.
FISA covers all “commercial electronic messages,” also known as spam. The term is defined broadly to capture any messages with a semblance of commercial activity, regardless of the types of organizations sending them. Further, FISA takes a technology-neutral approach, embracing all media and all forms of messaging. As a result, unsolicited email, text messages, instant messaging and cellphone spam — whether in the form of sound, text, voice or images — are all covered.
FISA prohibits the sending, or causing or permitting to be sent, of a “commercial electronic message” to an electronic address unless:
- The recipient has consented to receive the message; and
- The message complies with required formalities, including information regarding both the actual and beneficial sender of the message, a sender’s contact information, and an effective and timely unsubscribe mechanism.
Consent to receive a commercial electronic message may be express or implied. Express consent must be based on the disclosure of prescribed information including the purposes for which consent is sought and the identity of the person seeking consent.
Consent may be implied in limited circumstances where:
- The person who sends the message has an “existing business relationship” or an “existing non-business relationship” with the person to whom it is sent;
- The recipient has conspicuously published their electronic address, without an accompanying statement that they do not wish to receive unsolicited messages, and the message is relevant to their business, role, functions or duties in a business or official capacity; or
- The recipient has disclosed to the sender the electronic address without indicating a wish not to receive unsolicited messages, and the message is relevant to their business, role, functions or duties in a business or official capacity.
In sum, the general rule under FISA is that express “opt-in” consent must be obtained, subject to a proviso that implied consent may be used within specifically defined circumstances. This permission-based, largely “opt-in” approach to consent goes beyond the U.S. CAN-SPAM Act which allows marketing email messages to be sent to anyone, without permission, until the recipient “opts out” by expressly requesting that the messages cease.
FISA contains an anti-phishing provision that would prohibit a person, in the course of commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent. The consent must be informed, and an effective and timely consent withdrawal mechanism must be provided as well.
The anti-malware provision under FISA prohibits a person, in the course of commercial activity, from installing any computer program on any other person’s computer system, or causing that computer program to send an electronic message from the computer system, without the consent of the owner or authorized user of the computer system. In most circumstances, the required consent must be express and informed, and an effective and timely consent withdrawal mechanism must also be provided. There are limited exceptions that permit implied consent to the installation of legitimate computer software. There is also a three-year transition provision that provides for implied consent to the installation of a software update or upgrade in limited circumstances.
Enforcement and Penalties
FISA gives the Canadian Radio-television and Telecommunications Commission (CRTC) broad powers to investigate and impose substantial administrative monetary penalties up to $1 million for an individual and up to $10 million for an organization for violations. In addition, FISA also creates a private right of action that would allow consumers and businesses to take civil action against anyone who violates FISA, including statutory damages of $200 for each violation of unsolicited electronic message provisions of the Act, up to a maximum of $1 million each day.
Tips for Businesses
In response to FISA, businesses will have to change their Internet marketing practices. The legislation is broadly drafted to capture all electronic messages sent to, through or from Canada, meaning that it applies to international senders who send commercial electronic messages into Canada.
Here are a few guidelines:
- Do not use false or misleading information about the subject matter or sender.
- Provide recipients with the prescribed information. Commercial electronic messages will be required to disclose information that identifies the sender, the sender’s contact information and information about the unsubscribe mechanism.
- Tell recipients how to opt out of receiving future email. Businesses will be required to ensure that commercial electronic messages are sent only to persons who have previously given express or implied consent to receive the message, and have not opted out of future messages. The message must include a clear and conspicuous explanation of how the recipient can opt out of getting future emails. Further, any opt-out mechanism offered must remain operative for 60 days.
- Honour opt-out requests promptly. Businesses must honour a recipient’s opt-out request within 10 days.
- Monitor third parties. Businesses will need to ensure that their third-party service providers are knowledgeable about FISA and in compliance with it when assisting with and implementing marketing programs and services.
- Ensure compliance when distributing software. Computer software businesses will be required to ensure that any electronic distribution of software (including software updates/upgrades) complies with disclosure and consent requirements.
Although FISA has yet to come into force, businesses should act now to evaluate their current practices and privacy policies to ensure compliance with this critical legislation.