Sending emails to promote one’s business will no longer be the same now that the Canadian Parliament has passed Bill C-28, which was formerly known as the Fighting Internet and Wireless Spam Act (FISA). It is anticipated that FISA will come into force in 6 – 8 months, once regulations are in place.

An employer can be vicariously liable for a violation of FISA committed by an employee acting within the scope of his/her employment. Moreover, officers and directors of a corporation can also be held personally liable for violations.


FISA prohibits the sending of a commercial electronic message to an electronic address (e.g., e-mail, instant messaging) unless: (a) the recipient of the message has consented to receiving it, and (b) the message sets out certain information including how to unsubscribe from future messages. The prohibition applies to the sender and any person who acts on behalf of the sender, such as a marketing agency hired by a company.


A commercial electronic message is a message sent by any means of telecommunication (including a text, sound, voice or image message) where it would be reasonable to conclude that one of its purposes is to encourage participation in a commercial activity. The content, hyperlinks, and contact information contained in the message would be considered in determining the purpose of the message. A commercial activity means any particular transaction, act or regular course of conduct that is of a commercial character, whether or not the person who carries it out does so expecting profit.


Consent from a recipient can be express or implied. FISA sets out specific requirements for when express consent is obtained.

FISA also sets out a number of situations where consent may be implied. One is where the sender of the message has an “existing business relationship” or an “existing non-business relationship” with the recipient of the message.

An example of an “existing business relationship” is where the sender and recipient have a business relationship arising from the purchase of a product, goods, or a service within two years of when the message was sent.

An example of an “existing non-business relationship” includes a non-business relationship between a sender and recipient arising from a donation or gift made by the recipient to the sender within two years of when the message was sent, where the sender is a registered charity as defined under s. 248(1) of the Income Tax Act.

Note that an electronic message requesting consent to send a commercial electronic message is considered a commercial electronic message.


Information required to be in the message includes information regarding the person who sent the message (as well as the person on whose behalf the message is sent, if different) and information allowing the recipient to contact the sender. The contact information of the sender must be valid for at least 60 days after the message has been sent. The message must also include information allowing the recipient to unsubscribe from receiving commercial electronic messages from the sender. The unsubscribe mechanism must be at no cost to the recipient, by way of the same electronic means the message was sent, and specify an electronic address or link to an internet page. The sender must ensure that the electronic address or link is valid for at least 60 days after the message has been sent. The sender has 10 business days to effect a recipient’s request.

Although there is a three-year transition provision that provides for implied consent in limited circumstances, one must still set out prescribed information, including in respect of the unsubscribe mechanism, when FISA is proclaimed to be in force.


A person who contravenes the spamming provisions may be subject to an administrative monetary penalty of a maximum of $1 million in the case of an individual, and $10 million in the case of any other person. FISA permits regulations to be made applying the maximum fines on a per day basis. There is a due diligence defence to avoid liability. FISA also provides a potential private right of action for those who are affected by the spamming violation under FISA.


FISA also prohibits, in the course of a commercial activity, altering transmission data such that an electronic message is delivered to a destination other than, or in addition to, the destination specified by the sender, without the sender’s express consent. In addition, FISA prohibits, in the course of a commercial activity, installing a computer program on a person’s computer system, as well as distributing electronic messages from such person’s computer system, without the owner’s or authorized user’s consent.


FISA amends other legislation, such as the Personal Information Protection and Electronic Documents Act (Canada) in terms of preventing the unauthorized collection or use of an individual’s electronic address if it was collected through a computer program designed for collecting electronic addresses. Another example is amendments to the Telecommunications Act (Canada), resulting in a possibility that the Do Not Call List be replaced with a new regime. A further example is amendments to the Competition Act (Canada) prohibiting the sending of electronic messages with false or misleading representations, whether in the sender information, subject matter of an electronic message, or in a locator (including a URL). This prohibition does not require the electronic message to be a commercial electronic message.


Once FISA is in force, businesses will have to determine whether they have the proper consent and that their messages include the information and unsubscribe mechanism required by FISA, before sending out any commercial electronic messages. In addition, if their electronic marketing practices involve the distribution of software that would be captured under FISA, they must comply with disclosure and consent requirements.  

Moreover, businesses will need to ensure that their third party service providers are knowledgeable about FISA and will comply with FISA when assisting with and implementing marketing and communication programs and services.  

Businesses should start reviewing their marketing and communication practices now to determine how to comply with FISA, as the internal process to effect compliance could require substantial lead time.