All businesses that use e-mail, automatic downloads and telemarketing to advertise and promote their products or services should be concerned about the potential impact of proposed federal legislation, Bill C-27, which would enact the Electronic Commerce Protection Act (ECPA) to, among other things, prohibit e-mail “spam” and amend existing legislation that relates to telemarketing and privacy. As discussed in more detail below, it will be important to track the progress of Bill-27 through its review by Parliamentary committee, further debate and third reading, in order to be prepared for stringent restrictions that may be imposed on widely used promotional activities, such as sending e-mails and making phone calls to potential customers and, by software providers, providing automatic downloads of software to customers.

Goal: To Prevent Spam and Identity Theft  

In introducing the proposed ECPA in April, the federal government hailed it as anti-spam legislation, which will provide protection to consumers by implementing the recommendations of the 2005 National Anti-Spam Task Force and establishing a regulatory framework to regulate “activities that discourage reliance on electronic means of carrying out commercial activities.”[1] The ECPA is meant to “deter the most dangerous forms of spam such as identity theft, phishing and spyware.”[2]  

The proposed ECPA provides for the imposition of very high administrative monetary penalties (AMPs) of up to $1 million for individuals and up to $10 million for others for violations of its prohibitions.[3] It also provides a private right of action for injured parties which would allow them to seek both damages related to their losses as well as statutory damages.[4]  

In addition to creating the ECPA, Bill C-27 would amend the Telecommunications Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), and, in so doing, expand the authority of the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner. The CRTC would have the authority to impose significant AMPs. All three federal agencies would acquire the power to share information and evidence with their counterparts in other countries so that violators beyond Canada’s borders cannot use Canada as a “spam safe haven”.[5] Industry Canada would act as a “national coordinating body” to expand awareness, coordinate work with the private sector and conduct research and intelligence gathering.[6]  

Broadly Worded Definitions  

As with most legislation, definitions form the foundation of Bill C-27.[7] An “electronic message” is defined very broadly as “a message sent by any means of telecommunication, including a text, sound, voice or image message” and an “electronic address” means “an address used in connection with the transmission of an electronic message to (a) an electronic mail account; (b) an instant messaging account; (c) a telephone account; or (d) any similar account.” Further, a “commercial electronic message” is an electronic message for which “it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity,” [including, among other things, one that ] … (a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land; (b) offers to provide a business, investment or gaming opportunity….” Building on this foundation, the draft legislation would impose significant limitations on business’ use of commercial electronic messages that are sent without the prior, explicit consent of the recipient.  

The Impact of Bill C-27 on Personal Information and Privacy Law  

With respect to personal information and privacy, Bill C-27 expands the PIPEDA framework, which generally governs the collection, use and disclosure of personal information in Canada.[8] Section 6 of the ECPA would impose a generally-applicable prohibition against sending a commercial electronic message without the consent of the recipient. Exceptions to the prohibition are quite limited. This expands upon the current under PIPEDA regime, which provides that no person may collect, use or disclose the personal information of an individual without consent. Since e-mail addresses are generally “personal information,” Section 6 of ECPA has the same effect as PIPEDA, however it has a broader reach, since the prohibition would apply more broadly to all “commercial electronic messages”. Further, the ECPA would provide for significant levels of AMPs and create a private right of action against infringers.  

Bill C-27 directly amends PIPEDA to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses.[9] The ECPA would add a private right of action which would be available not only for a violation of some of its own provisions, but also for a violation of Section 5 of PIPEDA as it relates to the collection of personal information by such means.[10] This is a significant change from the current enforcement of PIPEDA which currently depends on a review by the Privacy Commissioner and provides for court action only where there has been non-compliance with orders issued by the Privacy Commissioner.  

“Ban with Exceptions” Approach  

The overall structure of the ECPA is to ban an extremely broad class of commercial activity while providing for very limited exceptions. As noted above, Section 6 generally bans all commercial electronic messages that are sent without the recipient’s prior consent. Aside from limited exceptions, the prohibition applies unless the receiver has consented[11] and where the message sets out prescribed information including contact information of the person who sent it (which must be valid for sixty days following the communication) and an unsubscribe mechanism[12] (which must also meet certain requirements[13]).  

It will not be easy for businesses to obtain prior express consent, in light of the EPCA’s detailed requirements for consent[14] which require the requester to “clearly and simply” describe the purpose for which the consent is being sought, identify the person seeking consent and provide additional prescribed information (to be identified in the Regulations, which have not yet been drafted). Any attempt to request consent electronically would itself violate the Section 6 prohibition.  

Implied consent to receive commercial electronic messages would be effective in the case of an “existing business relationship” between the parties.[15] However, this term is defined very narrowly, at Section 10(4)[16] such that, for example, the recipient of the message must have purchased a product or service within 18 months prior to the date the message is sent. Another exemption to the general ban in Section 6 prohibition exists where the recipient of a communication is engaged in a commercial activity and the communication is sent purely to inquire about that activity[17] - a rather narrow “business- to-business” exemption.  

Section 8 states that no person shall install a computer program on another person’s computer system unless express consent has been given by the owner or authorized user of the system. Like Section 6, this provision operates as a general ban with limited exceptions and, as such, could make common business activities illegal. Notably, this provision prohibits automatic software downloads, which, while intended to prevent the distribution of unlawful programs, would also prevent legitimate downloads, such as security patches. Among other requirements, obtaining express consent for the purposes of this section requires that the person requesting consent clearly describes the function, purpose and impact of every computer program that is to be installed if the consent is given.[18]  

The general ban with limited exceptions approach in the proposed ECPA is of concern for at least two reasons. First, in contrast to international “anti-spam” legislation. which generally prohibits electronic commercial speech on the basis that it is alleged to be misleading or fraudulent, the proposed ECPA imposes broad, general prohibitions that cannot be overcome unless specific, limited exceptions apply. There is no consideration of the nature or character of the message. Second, the significant constraints imposed by the ECPA may well be found to constitute an impermissible limit on commercial freedom of expression, by forcing businesses to rely upon a limited number of technical exceptions for each and every commercial electronic message that is sent.  

Although the national “do not call” (“DNC”) list, administered through the CRTC under the Telecommunications Act, was only launched in September, 2008, this regulatory regime to limit telemarketing would be repealed in its entirety. Specifically, Section 86 of Bill C-27 repeals the “DNC” list provisions of the Telecommunications Act, and the Section 2 definitions of “electronic address” and “electronic message” include a telephone account and a voice message respectively. This would result in telemarketing becoming subject to the much broader prohibitions, and the AMPs, contained in the ECPA.[19]  

Significant, and Possibly Punitive AMPs

In addition to the rigorous technicalities involved in trying to meet the requirements for prior consent or an exception that would permit them to send commercial electronic messages, businesses also face the risk of having to pay significant and potentially punitive AMPs, noted above. A serious concern with these high penalties, which are stated to be intended to “promote compliance” and “not to punish”,[20] is that they can be imposed by the CRTC without the right to a trial. If an accused individual or entity does make submissions to defend an alleged violation of the ECPA, the CRTC must only decide on a balance of probabilities as to whether there was a commission of a violation.[21] In addition, officers and directors of a corporation can be held liable, whether or not the corporation itself is proceeded against.[22]  

Continued Monitoring of the Bill’s Progress  

If Bill C-27 is enacted as it is currently drafted, businesses will face significant limits on their ability to advertise and promote their products and service using email and telemarketing. If they fail to comply with the consent provisions and prohibitions of the ECPA, they could face significant monetary penalties as well as the risk of private actions against them by message recipients. In general, businesses will be forced to obtain direct consent from potential customers before sending commercial electronic messages, such as e-mails and automatic software downloads. Given the prevalence of electronic messaging in modern commercial activity, this is likely to be extremely burdensome, forcing businesses to curtail or even cease using methods of communication that can be effective and cost-efficient.

Please click here to view the draft legislation