As of December 2010, Canada’s anti-spam legislation, known informally as the Fighting Internet and Wireless Spam Act (“FISA”),² received royal assent. From early consideration within Canada’s legislature, through to the recent circulation of proposed regulations backstopping FISA, FISA has sparked significant interest by businesses operating within Canada.
Historically, Canada was a preferred location for spammers and was consistently referenced by international authorities as a haven for those who promulgate spam. In an attempt to uphold Canada’s international responsibilities in fighting spam, Canada responded by passing FISA. There are, among others, two conclusions one can reach on a review of FISA. Canada wanted to show the world that it takes spam seriously and, in so doing, has created a costly legislative labyrinth, one that significantly overreaches its mark, with which legitimate businesses and organizations must comply.
Commercial Electronic Messages
FISA targets and regulates the sending of “commercial electronic messages,” among other important issues such as the use of spyware and phishing. There are three key definitions to understand when assessing the scope of FISA’s application. An “electronic message” is any message sent by any means of telecommunication, including email, text, phone, sound, voice or image. “Commercial activity” is any transaction, act or conduct, or any course of conduct that is of a commercial character, whether or not the person who carries it out does so with the expectation of profit (subject to certain law enforcement specific exceptions). A “commercial electronic message” is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that: (a) offers to purchase, sell, barter or lease a product, goods, a service, land or interest or right in land; (b) offers to provide a business, investment or gaming opportunity; or (c) advertises or promotes anything referred to in (a) or (b) or who intends to do so.³ In addition to the foregoing, it is important for businesses to understand that any electronic message that contains a request for consent to send a message described above is also considered to be a “commercial electronic message.” This is an extremely broad scope of application and as one can start to see, captures standard business communications, far beyond the scope of what most people consider to be spam.
Many had hoped that the breadth of FISA’s application would be more refined through the regulations under FISA. Unfortunately, that was not the case. Each of the CRTC and Industry Canada circulated to the public, earlier this summer, proposed regulations for review and comment. The deadline for submitting comments to these proposed regulations recently passed. Numerous industry players and interested parties submitted comments. What was apparent from the comments was that legitimate businesses, from start-ups to well-established organizations, feel that FISA will be costly in terms of pure dollars and resource allocation, and will get in the way of many common and acceptable business practices. One of the objectives for FISA was to “encourage the growth of electronic commerce.”⁴ Given the issues we are seeing from businesses trying to comply with FISA, FISA may not only fail to achieve this objective, but at least in the short term, may undermine it. While the regulations have not been passed yet, comprehending what has been proposed is worthwhile for understanding the direction the government is trying to take.
What content must be included in all commercial electronic messages?
Pursuant to FISA, certain information must be included in all commercial electronic messages. The proposed FISA regulations require the following information be included within the commercial electronic messages: the names of the person sending the commercial electronic message and the person on whose behalf the request was sent, any alternative names used by either person, and extensive contact information, including the physical and mailing address, a telephone number providing access to an agent or a voice messaging system, an email address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent and any other electronic address used by those persons.⁵ In addition to this information, all commercial electronic messages must include an unsubscribe feature. The proposed regulations mandate that this feature must operate to unsubscribe the recipient of a message in a maximum of two mouse clicks.⁶
For many businesses, complying with the information required to be included in a commercial electronic message is not overly complicated, but it will take time and resources to carefully review company policies and procedures to make sure the required information is included with each and every communication. Creating an unsubscribe feature that complies with the regulations may entail upfront costs to get up and running and requires a regimented audit process to ensure compliance.
What constitutes valid consent?
In an attempt to reduce unsolicited emails (i.e. spam), FISA contains consent requirements. One major focus of FISA is that it prohibits the sending of a commercial electronic message unless the person receiving the message has consented to receiving it, and the message is in a form that identifies the sender and provides instruction on unsubscribing.⁷ Of course, organizations must not send electronic communications once consent is withdrawn.
The proposed regulations also have set forth special rules for those instances where a person obtains consent on behalf of an unidentified third party. In such a situation, the person who obtains the consent can allow others to use the consent, provided they ensure that any commercial electronic message sent identifies who originally obtained the consent and contains an unsubscribe mechanism that allows the consumer to withdraw their consent from this person and anyone subsequently authorized to use it.⁸ This means that, even where an organization obtains valid consent, they must be careful to monitor the usage of those consents by third parties, and be ready to inform any affiliates of a withdrawn consent as soon as it is withdrawn.
The proposed regulations in support of FISA circulated by the Canadian Radio-television and Telecommunications Commission (CRTC) demand that the request for consent contain all the elements required in a commercial electronic message, in addition to the name(s) and contact information of the person(s) making the request.⁹ Moreover, the request must contain a statement that informs the recipient that they can withdraw consent by using the contact information included in the request. A separate consent must be sought for each regulated act that a company would like to perform.¹⁰
Exceptions to the Consent Requirement
There are exceptions to the consent requirements which include: the existence of a personal relationship or family relationship, providing a requested estimate or quote, a message to facilitate, complete or confirm a commercial transaction, providing product recall or warranty information, safety information about a product the message recipient has purchased, a message about an ongoing membership or subscription, and a message related to an employment relationship or benefit plan.¹¹
The Department of Industry’s proposed regulations sought to clarify some of these exceptions by providing definitions for some terms in FISA. “Family Relationship” contemplates immediate blood relatives and includes those through marriage (common-law included) and adoption.¹² The same section defines “personal relationship” as where both parties have met in person at least once, and have exchanged a non-commercial message within the past two years.¹³ You can see that the term “personal relationship” does not account for personal relationships that have developed online or via email as it requires an in-person meeting.
Memberships in Not-For-Profit Organizations
Pursuant to FISA, consent to receive commercial electronic messages is “implied” if, among other circumstances, the person who sends the message, the person who causes it to be sent or the person who permits it to be sent (collectively, the “sending party”) has an “existing non-business relationship” with the person to whom the commercial electronic message is sent. An “existing non-business relationship” includes relationships between the person to whom the message is sent and any of the sending parties, arising from: (a) a donation or gift made by the person to whom the message is sent to any of the sending parties (which must be a registered charity pursuant to the Income Tax Act (Canada)) within the two-year period immediately before the day on which the message was sent, or a political party or organization or a person who is a candidate for publicly elected office; (b) volunteer work performed by the person to whom the message is sent for any of the sending parties, or attendance at a meeting organized by that other person, within the two-year period immediately before the day on which the message was sent, where the sending party is a registered charity pursuant to the Income Tax Act (Canada), a political party or organization or a person who is a candidate for publicly elected office; or (c) “membership” by the person to whom the message is sent, in any one of the sending parties, within the two-year period immediately before the day on which the message was sent where that other person is a club, association or voluntary organization.¹⁴
The proposed regulations attempt to clarify what constitutes “membership” for purposes of (c) above. “Membership” is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization. Further to this, a club, association or voluntary organization must be a non-profit organization and operated exclusively for social welfare, civic improvement, pleasure or recreation, or for any purpose other than for profit. For some, it will be clear whether or not their organization fits within the “existing non-business relationship” category and can therefore rely on an implied consent for sending commercial electronic messages. For all, it is advisable to closely examine the organization’s mandate, and account for fees and funds, prior to sending out messages to its members.
FISA and Privacy
FISA also provides additional amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), including prohibiting the collection of personal information through unauthorized access to computer systems, and prohibiting the unauthorized compiling of electronic address lists.
Does FISA combat spyware, malware and phishing?
FISA addresses spyware and malware issues, and prohibits, in the course of a commercial activity, the installation of a computer program that causes an electronic message to be sent from another person’s computer, without the individual’s express consent.¹⁵
FISA also attempts to prevent “man in the middle attacks,” where an electronic communication, intended to travel between two parties, is intercepted and redirected without either party’s knowledge. FISA prohibits the altering of transmission data in a message so that the message is routed to another destination. Under this act, all alterations of transmission data require the sender’s express consent.
What are the penalties for non-compliance?
There are monetary penalties for violating FISA, including up to one million dollars per violation for individuals and ten million dollars for businesses. Furthermore, FISA allows for a private right of action, which would permit individuals and businesses to take civil action against someone who violates this bill.