When the first spam email was sent on May 1, 1978 no one could have predicted that, thirty years later, approximately 70% of all email sent globally was spam. That percentage equates to about 53.8 trillion spam messages (Source: Pingdom). These messages are not only a nuisance, but also pose a serious threat to the safety and productivity of Canadians, and to the viability of the Internet as an efficient, effective means of communication and commerce. Recently, spam activity has evolved with the economic downturn and is drawing unwitting recipients into money laundering schemes disguised as “work-at-home” emails which offer “quick and easy money.”
The explosion in unsolicited commercial electronic messages prompted the creation of anti-spam software and legislation around the world. In Canada, the federal government established the Task Force on Spam in 2004. The Task Force issued a final report on May 17, 2005 recommending (among other things) the development of anti-spam legislation. After nearly four years of inaction, on February 3, 2009 the government proposed Bill S-220, the Anti-Spam Act. If passed, the Act will bring Canada in line with the other G8 countries which have implemented this type of legislation. The Bill was first introduced on May 7, 2008 as Bill S-235 and later re-introduced as Bill S-202 on November 20, 2008.
Commercial Electronic Message
The Bill concerns all unsolicited commercial electronic messages and not just spam which, technically, only refers to unsolicited commercial email messages. A “commercial electronic message” is defined broadly but does not include an electronic message sent by a government department or agency, court or tribunal. The government has chosen to address commercial electronic messages because this type of message is not protected by freedom of speech and accounts for most spamming.
General Prohibition and Exemptions
The Bill adopts an “opting-in” approach as opposed to the failed “opting-out” approach used in the United States. The latter approach requires a recipient to send an “opting out” message to the spammer (thereby confirming that the electronic address is valid, active and ripe to receive more spam). The “opting-in” method generally prohibits the sending of unsolicited commercial electronic messages without recipient consent, except when the message is sent by a political party or member thereof, a registered charity or other not-for-profit organization, an educational institution in which the recipient is or has been enrolled, a person who has an existing business relationship with the receipent, a public surveyor, or any other person prescribed by regulation.
A recipient’s consent can be inferred from the fact that his or her electronic address is generally available to the public and certain other criteria are met. Consent can be withdrawn at any time and by any means. After a recipient recieves a message from a person exempted under the Bill, he or she may withdraw consent from receiving any further communications from that person. Withrawn consent is deemed to take effect seven days after the day on which the unsubscribe request was sent by the receipient to the sender of the commercial electronic message.
Telecommunications service providers (i.e., ISPs) which provide access services that handle, transmit or relay prohibited messages are protected from liability under the proposed legislation. In fact, the Bill hopes to enlist ISPs to help fight unsolicited commercial electronic messages. ISPs can refuse or cancel service or access to anyone convicted under the Bill or to anyone who sends messages that the ISP believes are in contravention of the Bill. An ISP can also block or filter messages it believes to be in contravention of the Bill and which originate through another ISP.
Form and Content Requirements
Bill S-220 sets out form and content requirements for commercial electronic messages. The message must:
(1) clearly and accurately idenfity the sender or the person who authorized the sending;
(2) contain readily-accessible and accurate header and routing information, and information on how to easily contact the sender or person who authorized the sending of the message;
(3) include a subject line that is not intended or likely to mislead the receipient about a material fact regarding the contents or subject matter of the message; and
(4) include a clear and conspicuous, functional unsubscribe facility (i.e., an electronic address) and a clear statement to the effect that the recipient may use the unsubscribe facility, at no cost, to send an unsubscribe request to the person who sent or authorized the sending of the message.
Information contained in the message and the unsubscribe facility must be valid for at least 30 days after the message is sent.
Messages Sent from Outside Canada
Many unsolicited commercial electronic messages are sent from outside of Canada. To overcome extraterritorial jurisdiction issues, the Bill presumes that, in the absence of evidence to the contrary, the person who receives an economic benefit from the sending of a message authorized such sending. This commercial beneficiary is usually a Canadian resident to which Canadian laws apply. Additionally, if a message is received by a person in Canada, the act of sending is deemed to have taken place in Canada.
Bill S-220 prohibits the supply, offering, acquisition or use of address-harvesting software or harvested-address lists. Address-harvesting software searches the Internet to collect or “harvest” electronic addresses. While the Personal Information Protection and Electronic Documents Act can regulate this conduct for invasions of personal privacy, Bill S-220 is required to adequately respond to address harvesting generally. Commerical electronic messages may not be sent to an electronic address that the sender or person who authorizes the sending knows or ought to know was acquired using address-harvesting software, a harvested address list or an automated means that generates possible electronic addresses by combining letters, numbers or symbols or a combination thereof (i.e., dictionary attacks).
The Bill also addresses “phishing,” an activity whereby emails, websites or instant messagse are used to induce people to reveal personal information, which the “phisher” uses to commit fraudulent activities. The proposed legislation prohibits persons from:
(1) impersonating trusted websites or domain names without authorization;
(2) sending misleading commercial electronic messages which falsely represent that the messages are being sent by or on behalf of someone else;
(3) directing or linking the recipient to impersonating websites; and
(4) requesting or attempting to induce any person to provide personal information or any other means of idenfication using commercial electronic messages or impersonating websites or domain names.
Offences and Penalties
Every person who knows, or ought to know, that their trade, business, property, goods or services are being or will be advertised or promoted in a commercial electronic message sent without recipient consent or in contravention of the prescribed form and content requirements has a duty to take reasonable measures to prevent the sending of the message and to report any contravention to a law enforcement agency.
Failure to prevent the sending of a message in contravention of the Bill will result in stiff penalties, which the government hopes will serve as a deterrent to other spammers and phishers. Sending a message without receipient consent is an indictable offence. Corporations will be liable for a fine up to $500,000 for the first offence and $1,500,000 for a subsequent offence. Individuals may be fined up to $500,000 and/or two years in prison for the first offence, and up to $1,500,000 and/or five years in prison for a subsequent offence. A corporation or individual will be guilty of either an indictable offence or an offence punishable on summary conviction if a message is sent in contravention of the form and content requirements set out in the Bill or if any provision relating to address-harvesting, impersonation sites, misleading messages or the duty to prevent and report contraventions is violated.
Any person who knowingly aids or abets (or attempts to aid or abet) a person to commit any of the foregoing offences will be liable for the same penalty as that person. Furthermore, if a corporation commits an offence under the Bill, any officer, director, agent or mandatary who directed, authorized, assented to, acquiesced or participated in the commission of the offence is guilty of the offence and will be subject to a penalty on conviction, whether or not the corporation is prosecuted or convicted.
A person will not be convicted of an offence under the Bill if that person proves that the contravention was due to inadvertence or an honest mistake of fact.
The Bill also provides a right of civil action for any person who has been (or is about to be) adversely affected by prohibited conduct. A court may grant any or all of the following remedies: an injunction, order, compensatory and/or punitive damages or any other appropriate relief, including costs of the action.