The Canadian Parliament finally has passed Bill C-28, which was formerly known as the Fighting Internet and Wireless Spam Act (FISA). It was introduced by the Government of Canada on May 25, 2010 with the stated purpose of prohibiting unsolicited commercial email (spam), and deterring online fraud including identity theft, phishing, and spyware. It is anticipated that FISA will come into force 6-8 months, once regulations are in place.
While FISA initially captures businesses engaged in electronic marketing, Canadian not-for-profits (NFPs) must also become familiar with and comply with Bill C-28. The reason is that the activities of NFPs fall within the FISA definitions of “electronic commercial message” and “commercial activity”.
FISA would create a comprehensive regulatory regime of offences, enforcement mechanisms, and significant penalties to protect individuals and businesses engaged in electronic commerce, which is an increasing proportion of Canadian business activity.
The focus of this update is on the “spam” component of FISA, the area most relevant to NFPs.
B. PROHIBITION ON SENDING “SPAM”
FISA would prohibit the sending of spam or “commercial electronic messages”, including email, instant messaging, and messages to telephone accounts unless: (1) the recipient has consented to receive the message; and (2) the message complies with required formalities, including information regarding both the actual and beneficial sender of the message, a sender’s contact information, and an effective and timely process to unsubscribe.
The prohibition applies to the sender and any person who acts on behalf of the sender.
C. COMMERCIAL ELECTRONIC MESSAGES
A “commercial electronic message” means text, hyperlinks to a website or other database or contact information contained in the message that could reasonably be concluded to encourage participation in a “commercial activity” for goods, services, or land, business, investment or the promotion of a person involved in any of those activities. The definition of “commercial activity” is broad enough to capture NFPs because it includes conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit.
The prohibition does not apply to non-commercial messages such as messages that involve a personal or family relationship; messages that facilitate, complete, or confirm a commercial transaction; factual information regarding subscription, membership, account, or similar information. Commercial electronic messages that are interactive two-way voice communications between individuals, facsimile messages, or voice recordings to a telephone account are excluded.
Consent to receive a commercial electronic message may be express or implied. Express consent is obtained based on the disclosure of prescribed information.
Consent to receive commercial electronic messages may be implied in limited circumstances including a pre-existing non-business relationship between the sender and recipient. Pre-existing non-business relationships include a donation or gift by the recipient and a registered charity sender within the previous 2 years; volunteer work performed by a recipient for, or attendance at a meeting by the recipient of, a registered charity sender within the previous 2 years; and membership by the recipient in a club, association or voluntary organization (definition to be prescribed) within the previous 2 years. Consent is also implied if the recipient has conspicuously published the electronic address and has not pre-emptively declined unsolicited electronic messages, and the message is relevant to the recipient’s business, role, functions or duties in an official capacity.
The requirements of informed consent and formalities also apply to an electronic message that seeks consent to send further commercial electronic messages.
There is also a three-year transition provision that provides for implied consent in limited circumstances.
E. PENALTIES AND ENFORCEMENT
FISA would give the Canadian Radio-television and Telecommunications Commission (CRTC) power to investigate and impose administrative monetary penalties for violations of FISA – up to $1 million for an individual and up to $10 million for an organization. The penalties levied will be influenced by the nature and scope of the violation, past violations, the financial benefits of the violation, and ability to pay. FISA permits regulations to be made applying the maximum fines on a per day basis.
A FISA violation is not a criminal offence, and there is no possibility of imprisonment. Nonetheless, officers and directors can be held personally liable for violations, and employers can be held liable for violations committed by their employees or agents acting within the scope of their employment. There is a due diligence defence available.
Most notably, FISA contains a private right of civil action to businesses and consumers affected by a violation of FISA, the unlawful collection, use, or disclosure of personal information in violation of the Personal Information Protection and Electronic Documents Act, or misleading electronic messages in violation of the Competition Act. The action may be brought against the persons who committed the violation and others liable for it, if not already subject to an undertaking or a notice of violation issued by the CRTC. The remedies available in a private action include compensation for loss, damage, and expense plus an additional payment of up to $200 for each contravention to a maximum of $1,000,000 for each day a contravention occurred.
F. IMPACT ON CANADIAN NFPS
If FISA becomes law many Canadian NFPs and registered charities will have to change their Internet marketing practices. The internal process to effect such a change could require a substantial lead time. Commercial electronic messages would need to disclose prescribed information and provide recipients with an easy-to-use way to opt out of future commercial electronic messages. NFPs will also have to monitor commercial electronic messages to ensure that they are sent only to persons who have given express or implied consent to receive the message, and have not opted out of future messages.