The government today introduced a very long awaited although not highlyanticipated Billfor a Canadian law to deal with spam or, rather, “unsolicitedelectronic messages”. Canadian governments have looked at spamlegislation since before the US enacted the Can-Spam act.So what does this first version of the Bill look like?Generally speaking, the Electronic Commerce Protection Act (ECPA)has provisions against sending electronic messages without consent,although there are exceptions I’ll get to in a moment. It alsointroduces laws against phishing (by amending Canada’s personalinformation privacy law, PIPEDA); makingfraudulent commercial representations (by amending the Competition Act);and installation of malware. Jump straight to section6 of the ECPA to read the main provision against spam.Here’s what it says:
6. (1) No person shall send or cause or permitto be sent to an electronic address a commercial electronic messageunless(a) the person to whom the message is sent has consented to receivingit, whether the consent is express or implied; and (b) the message complies with subsection (2). (2) The message must be in a form that conforms to the prescribedrequirements and must (a) set out prescribed information that identifies the person who sentthe message and the person — if different — on whose behalf it is sent; (b) set out information enabling the person to whom the message is sentto readily contact one of the persons referred to in paragraph (a); and (c) set out an unsubscribe mechanism in accordance with subsection11(1).
You’re still here? Great! You may not read all 69 pages of the Bill,but you need to at least read Section 6 to understand it.So, the ECPA starts with an outright prohibition againstsending commercial electronic messages unless there is consent andthe message identifies the sender, has valid contact information forthe sender, and includes the means for the recipient to revoke consent. MichaelGeist has a blog post with more detail, but here are the points Ifind most salient:
- The Act defines “electronic messages” broadly so it will includeSMS spam and any other text, sound, voice or image message sent by anymeans of telecommunication. What isn’t included? In section6(7), we see that phone calls, phone messages, and fax messages areexcluded.
- Whether a message is commercial is judged by the Act based notonly on the content of the message but also by the hyperlinks and thewebsites they link to. Also, a message asking for consent to send acommercial message is itself a commercial message under the Act.
- ISPs are protected from liability for transmitting spam.
- There is a prohibition against changing the delivery informationin commercial messages, redirecting them or adding recipients (exceptfor ISPs — they can redirect messages as part of their networkmanagement).
- The Act prohibits malware — installing (or causing to install)any software without consent.
- Consent to receive commercial messages can be explicit orimplied. Implied consent requires an existing relationship, which isalso defined in the Act.
What are the consequences for violating the Act?
- The CRTC can require an ISP to preserve information for 21 days,which can be extended by another 21 days (Section 16)
- The CRTC can also require an ISP to produce information, or evento apply for a warrant to secure information itself.
- Fines can be imposed by the CRTC, specifically not for punitivepurposes but in order to promote compliance with the Act. The size afine depends on many factors, but they’re big: up to $1million for anindividual and up to $10million for organizations.
- Importantly, the Act includes a private right of action, allowingindividuals affected by spam to bring perpetrators to court forcompensation up to $200 per item, up to $1million per day.
Those are the most salient points. One other point is important tonote: throughout the act there is reference to “prescribed” informationor “prescribed” requirements. That is code meaning that there will beRegulations under the Act specifying that information in more detail.Some of that is just the administration of the Act, but some of it isimportant and it is hard to know what the Act will require withoutknowing what those regulations will say. In fact, the form requirementsfor commercial message, even if sent with consent, are left toregulations.