Fighting Spam and Spyware Canadian Style — Part I
Canada recently enacted an anti-spam law that is likely to be effective in late summer/early fall of 2011, but it is very different from what other countries have done.
In addition to addressing what most Internet users would characterize as spam (namely unsolicited mass e-mail), the new Canadian legislation covers just about any form of "commercial electronic message" where the sender has not received the recipient’s express or implied consent. That’s right — it’s very broad indeed.
The expansive nature of this law can be best understood in contrast to the anti-spam legislation of other countries. All these rules are aimed at preventing unwanted e-mail (and the extra costs and risks they present), but the international legislation typically requires a degree of fraud or misinformation before making it illegal — whereas the Canadian law does not have such limitations. Thus, it is well worth drilling down into the new law, because it applies to virtually every organization — and individual Internet user as well — in Canada, not just the usual spammer suspects.
What’s in a Name?
But let’s start with the new law’s name. In its early bill version, it was referred to in shorthand as the Fighting Internet and Wireless Spam Act (FISA). This handy brief title was removed in the final version of the law and not replaced.
Instead, we have a fairly daunting purpose clause that reads as follows:
The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
- impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;
- imposes additional costs on businesses and consumers;
- compromises privacy and the security of confidential information; and
- undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.
And given this purpose, the name of the new law is "An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities… ." For purposes of this discussion, we’re going to call the statute FISA anyway, because that’s a useful handle, and because calling it by the acronym of the new statute’s name (namely, "TPTEAAOTCEBRCATDROEMOCOCA") is somewhat unwieldy.
Unsolicited Electronic Messages
The core prohibition of FISA can be stated very succinctly: the law forbids a sender transmitting to an electronic address a commercial electronic message unless the receiver consents to receiving it. Let’s parse this busy sentence.
First, what is a "commercial electronic message"? It’s very broadly defined in FISA to include any electronic message the content of which "encourages participation in commercial activity," including an electronic message that: offers to purchase a good or a service; offers to provide a business, investment or gaming opportunity; advertises or promotes any of the foregoing; or promotes a person who does any of the foregoing.
And here’s an interesting twist: an electronic message that contains a request for consent to send a message described in the previous paragraph is also considered to be a commercial message. So how, you may well ask, does someone get consent from a potential recipient to send a commercial electronic message in the first place? More on that later.
It is also important that "electronic message" is defined very broadly in FISA to mean a message sent by any means of telecommunication, including a text, sound, voice or image message. For example, electronic messages would include postings on Facebook and other social media sites, as well as "tweets" (as messages conveyed by the Twitter service are known). As for the recipient, an "electronic address" is defined as an address used in connection with the transmission of an electronic message to: an e-mail account, an instant messaging account, a telephone account or any similar account.
Not surprisingly, in keeping with the technology — neutral drafting style of Canada’s other e-commerce/computer laws (think the provincial e-commerce statutes, the computer crime sections of the Criminal Code, etc.), FISA is drafted in a manner to accommodate all manner of today’s e-messaging platforms, as well as those of tomorrow.
Lots of Exceptions
While FISA’s general prohibition against any unsolicited commercial electronic message is very broad, the law does provide a goodly number of exceptions. Here are the bulk of them (in no particular order of importance):
- an electronic message sent for purposes of law enforcement or public safety (and the like) is not considered to be a commercial electronic message;
- messages between individuals who have personal or family relationships, as defined in still unwritten regulations, are exempted;
- an inquiry message to a business person is exempted, so long as the message pertains to the recipient’s commercial activity (you can see some notorious spammers trying to wedge their activity into this exception);
- messages that provide quotes for products requested by the recipient;
- the provision of warranty information to a recipient who has purchased goods or services;
- provision of factual information about a product or service offered under a subscription or similar basis;
- messages pertaining to an employment relationship;
- messages pertaining to product updates/upgrades to a recipient entitled to receive them;
- messages that constitute interactive, two-way voice communication;
- messages consisting of fax transmissions to a telephone account; and
- a voice recording sent to a telephone account.
Consenting Message Senders/Recipients
Another way to avoid running afoul of the core legislated prohibition of FISA is for the sender to receive express consent from the intended recipient of the electronic message. Where this path is chosen, the sender must set out clearly and simply the purpose for which the consent is being sought.
Express consent plays a major role in many of our e-commerce legal regimes. Under the typical provincial electronic commerce statute, a party wanting to create contracts online or by some other electronic means typically has to first obtain the consent of the proposed counter party. And in the privacy law context, invariably a collector of another party’s personal information requires the latter’s consent in order to collect, use or share such personal information. In order to be valid, such consent must be well informed in order to be meaningful and effective. Expect that a similar standard will develop for express consent under FISA.
On the other hand, the scope for arguing "implied consent" by the recipient is quite circumscribed under FISA. Consent is implied only if one of the following conditions exists:
- the sender and recipient have "an existing business relationship" (more on what this means below);
- the sender and recipient have an "existing non-business relationship" (again, see below); or
- the recipient has conspicuously published his electronic address, has not said he doesn’t want to receive unsolicited messages and the sender’s message is relevant to the recipient’s business.
An "existing business relationship" means, in a nutshell, that the sender and recipient have done some business together in the two years before the message is sent, or an inquiry was made by the recipient in the six months before the message is sent.
An "existing non-business relationship" means a situation where the recipient has made a donation to or performed volunteer work for a charity or political party in the previous two years preceding the message. Further categories to both existing "business" and "non-business" relationships might be fleshed out in future regulations made under FISA.
Notification and Unsubscribe
Assuming the sender’s commercial electronic messaging practices satisfy the conditions noted above, FISA goes on to provide that the message must be in the prescribed form (not yet promulgated), and must set out information that identifies the sender. In addition, the message must contain contact information for the sender.
Finally (are you still with us?), the message must contain an "unsubscribe" mechanism that satisfies the following criteria: it must enable the recipient to indicate — at no cost — that they no longer wish to receive any commercial electronic messages, using the same means as the message sent by the sender, or if those means are not possible, then other electronic means.
As well, the sender must specify an Internet address where the recipient could express his desire to unsubscribe — and this site must be available for at least 60 days after the message is sent. And then the sender must act on the recipient’s wishes within no more than 10 days. All in all, quite a tight process.
Consequences of Contravention
If by this point of the exposition of the new law you’re wondering if all this hassle is worth it — well, think again, because the consequences of non-compliance are serious. FISA provides for a wide range of remedies, including a fine for non-compliance of $1 million for an individual and $10 million for corporations. Moreover, an officer, a director or agent may also become personally liable if they participated in, directed, authorized or acquiesced in the specific activity.
Finally, there is a private right of action created by FISA. This is an intriguing provision, presumably heralding an era of private law enforcement of this new statute (as governments continue to be challenged by the task of tackling the spammers directly).
In the next edition, we consider the anti-spyware elements of FISA, and practical dos and don’ts that need to be considered in light of the new law.