December 29, 2010
Earlier this month, Canada passed its long-awaited anti-spam bill (Bill C-28 – the Fighting Internet and Wireless Spam Act) (“FISA”).
In passing this new legislation, Industry Canada stated:
“On December 15, 2010, the Government of Canada passed the Fighting Internet and Wireless Spam bill, Bill C-28. In doing so, the government is delivered on a key commitment made by Prime Minister Harper to Canadians and Canadian businesses in September 2008. The legislation is a critical element of the development of a digital economy strategy.
The intent of the legislation is to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help to drive out spammers.
This law addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the digital economy. As well the government studied successful legislative models in other countries and, based on their experiences, has developed a focused plan to address spam and related online threats.”
In his online videocast (“Government of Canada Moves to Enhance Safety and Security in the Online Marketplace”), the Minister of Industry said that the passage of FISA was intended to “help … enhance safety and security in the online world”, “deter the most damaging and deceptive forms of spam from occurring in Canada” and “drive spammers out of Canada”. The Minister also said that “Canadians need to feel just as confident in the electronic marketplace as they do at the corner store” and that “spam is at best a nuisance but it can also discourage electronic commerce, undermine privacy and introduce a host of online threats”.
Overview of FISA (Bill C-28)
According to Industry Canada, the intent of the new legislation is as follows:
“The intent of the legislation is to deter the most damaging and deceptive forms of spam from occurring in Canada, creating a more secure online environment. It does this by addressing the sending of spam, the undesired installation of spyware and malware on the computers of businesses and individuals, and the alteration of transmission data. The bill also extends the provisions of the Competition Act concerning false and misleading marketing to electronic messages, and restricts the scope of certain exceptions under the Personal Information Protection and Electronic Documents Act.”
Some of the highlights of FISA include: (i) addressing spam by prohibiting the sending of commercial electronic messages without consent, (ii) prohibiting false or misleading commercial representations online, (iii) prohibiting the installation of computer programs without consent for commercial activities, (iv) prohibiting the collection of personal information through unlawful access to computer systems (as well as the unauthorized compilation or supply of lists of electronic addresses), (v) creating a private right of action for consumers and businesses, (vi) giving the CRTC and the Competition Tribunal the power to impose administrative monetary penalties for violations of FISA (of up to $1 million for individuals and $10 million for corporations) and (vii) allowing for cross-border exchanges of information and evidence to investigate spammers operating outside Canada.
The Government has also announced that it intends to create a spam reporting centre that will work together with the three enforcement agencies responsible for enforcing FISA (the CRTC, Office of the Privacy Commissioner and the Competition Bureau) to “engage in public awareness” and “identify and analyze trends in online threats”.
Enforcement
FISA will be enforced by the following three organizations:
Competition Bureau – The Competition Bureau’s mandate will be to focus on misleading and deceptive practices and representations online, including false or misleading headers and Internet website content. In this regard, FISA extends the Bureau’s existing jurisdiction over misleading advertising and deceptive marketing practices in Canada, which already included online advertising and marketing.
Canadian Radio-television and Telecommunications Commission (CRTC) – The CRTC will have the power to investigate and take action (including using significant monetary penalties) against unsolicited electronic messages, altering of transmission data or installation of computer programs without consent.
Office of the Privacy Commissioner of Canada – The Office of the Privacy Commissioner will have the power to take measures against the collection of personal information through access to computers (as well as the unauthorized compiling or supplying of lists of electronic addresses).
Penalties
Persons contravening FISA are subject to administrative monetary penalties of up to $1 million (for individuals) and $10 million (for corporations).
FISA also provides for the issuance of preservation demands to ISPs (requiring the preservation of transmission data), notices of production (requiring the production of documents or preparation of documents based on data, information or documents) and search warrants.
Legislative History
FISA, which was first introduced in April, 2009 and reintroduced on May 25, 2010, addresses legislative recommendations made by the Task Force on Spam, which assembled consumers, academic experts and industry to design comprehensive legislation to fight spam in the digital economy. In 2005, the Task Force on Spam completed its one year mandate and issued its final report (Task Force on Spam Report: Stopping Spam: Creating a Stronger, Safer Internet). The Government also studied successful anti-spam measures in other countries.
From the time Bill C-28 was first introduced, amendments were made to address concerns raised during Industry Committee testimony (which heard from a wide variety of witnesses, including representatives from enforcement agencies, industry associations, ISPs, consumer groups, the financial sector and marketers). During third reading, the amended Bill received unanimous support in the House of Commons and received Royal Assent on December 15, 2010.
********************
Tips For Complying With
CASL (Canadian Anti-Spam Law)
Canada’s federal anti-spam legislation (CASL) came into force in 2014. Since then, electronic marketers and their advisors have been working to comply with what remains a complex law with outstanding uncertainties in some key areas. Having said that, many of the core requirements of CASL are not overly difficult to comply with (though still continue to be misunderstood in many cases).
The following are some key legal tips for complying with CASL:
Express Consent. If you cannot rely on any category of implied consent (e.g., an existing business relationship within two years of a purchase) or a CASL exemption, ensure that you have collected and documented express consent from recipients. Express consent requests must include all of the information set out in CASL and its regulations otherwise the consent will not be valid. The failure to correctly collect consents is the top CASL compliance issue we see and a key basis for CRTC enforcement. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam Law (CASL) Precedents.
Implied Consent. If you are relying on one or more categories of implied consent to send commercial electronic messages (CEMs) (e.g., an existing business relationship within two years of a purchase or six months of a product inquiry) ensure that all of the requirements of the particular type of implied consent are met. Remember that there is not a single blanket type of implied consent under CASL, but rather many different kinds of implied consent each of which with their own specific requirements. Also, as with express consent, CEMs that rely on implied consent must still include the prescribed sender identification information and unsubscribe mechanism. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam Law (CASL) Precedents.
Consent For Third Parties To Send CEMs. Under CASL, consent to send CEMs can be requested for a sender themselves, an identified third party (or multiple identified third parties) or unidentified third parties (i.e., entities whose identities are not yet known when consent is requested). Importantly, however, each type of consent request has specific requirements for the request and, in the case of consent requests on behalf of unidentified third parties, somewhat complex additional requirements. The failure of marketers to correctly request consent for third parties (e.g., partners, affiliates, co-sponsors in promotions, etc.) is another of the most frequent CASL-related error that we regularly see. For more information, see: Anti-Spam Law (CASL) FAQs and Canadian Anti-Spam Law (CASL) Precedents.
CASL Exemptions. Like implied consent, there isn’t a single exemption from CASL but many types of exemptions. If you are relying on a particular exemption (e.g., the “business-to-business” exemption) it is important to ensure that all of the requirements of the exemption are met. Importantly, there is little or no case law interpreting many of the CASL exemptions. This means that there is generally more potential risk relying on an exemption than express consent. Express consent is the strongest under CASL and does not expire unless a recipient unsubscribes.
Passive Consents. Remember that under CASL express consent or a category of implied consent is generally required to send CEMs unless a CASL exemption applies. As such, passive types of consents (e.g., language in general terms and conditions) will not be CASL compliant unless a sender does not need express consent (i.e., can rely on a category of implied consent or a CASL exemption).
Sharing Lists With Third Parties. Consider the potential risks of sharing e-mail or other electronic marketing lists with third parties. While this is certainly possible under CASL, marketers need to be aware that there are specific requirements that must be met depending on who a list will be shared with (e.g., to expressly identify a third party with whom consent is being gathered on behalf of, including their contact information and other requirements for unidentified third parties). Marketers should also be aware that there is also potentially not only risk if they themselves violate CASL (e.g., send CEMs without consent), but also if they assist a third party that violates CASL. As such, it is often prudent for marketers that want to share electronic marketing lists with third parties to ensure that they have list sharing agreements in place with parties with whom they share e-mails. For more information, see: Anti-Spam Law (CASL) FAQs, Anti-Spam (CASL) Compliance Errors and Canadian Anti-Spam Law (CASL) Precedents. See also: Influencer, Co-Sponsor and List Sharing Agreements.
Sender Identification Information. Ensure that all CEMs include the prescribed sender identification information required by CASL unless an exemption applies. For more information, see: Anti-Spam Law (CASL) and Anti-Spam Law (CASL) FAQs.
Unsubscribe Mechanism. Ensure that all CEMs include a CASL-compliant unsubscribe mechanism. For more information, see: Anti-Spam Law (CASL) and Anti-Spam Law (CASL) FAQs.
Document Consent. Under CASL, the onus is on senders of CEMs to document consent. As such, it is important to document the type of consent (express or implied) or exemption being relied upon, evidence of consent (e.g., subscription logs, forms, dates and names/e-mail addresses), divide lists according to the type of consent or exemption being relied upon and to scrub lists after recipients have unsubscribed or the relevant time period for a category of implied consent has expired (e.g., two years after a purchase). The failure to adequately document consent is another of the most common CASL-related compliance errors we see, including not documenting consent at all, not segregating distribution lists and inadequately documenting consents or types of implied consent. For more information, see: Anti-Spam Law (CASL), Anti-Spam Law (CASL) Compliance and Canadian Anti-Spam Law (CASL) Precedents.
CASL Compliance Program. Consider adopting a CASL compliance program, particularly if electronic marketing is a core aspect of your marketing strategy. The CRTC has issued guidance on CASL compliance programs including key recommended elements. For more information, see: Anti-Spam Law (CASL) Compliance and Canadian Anti-Spam Law (CASL) Precedents.
CASL and Specific Types of Promotions. Care should be taken in relation to specific types of promotions under CASL. Just one of many examples is friends and family type promotions (e.g., contests where entrants can gain more entries for sharing with or tagging a friend). While there is an exception to the unsolicited CEMs section of CASL (section 6) for messages sent to a person with whom the sender has a personal or family relationship, these terms are very specifically defined. For example, “family relationship” is limited to spouses, common-law partners and parent-child relationships. “Personal relationship” is defined in a multi-factor and case-by-case fashion, such that it is often impractical to rely on this exception for any broad “friends and family” type promotion. Marketers should also be aware that there is potential risk for both themselves and their clients in running friends and family type promotions, if they cannot meet the specific definitions of “family relationship” and/or “personal relationship” under CASL for a promotion. For more information, see: Anti-Spam Law (CASL) Compliance Errors and Running a Friends-and-Family Promotion in Canada? Cruel, Cryptic CASL Strikes Again.
____________________
SERVICES AND CONTACT
I am a Toronto competition and advertising lawyer offering business and individual clients efficient and strategic advice in relation to competition/antitrust, advertising, Internet and new media law and contest law. I also offer competition and regulatory law compliance, education and policy services to companies, trade and professional associations and government agencies.
My experience includes advising clients in Toronto, Canada and the US on the application of Canadian competition and regulatory laws and I have worked on hundreds of domestic and cross-border competition, advertising and marketing, promotional contest (sweepstakes), conspiracy (cartel), abuse of dominance, compliance, refusal to deal, pricing and distribution, Investment Canada Act and merger matters. For more information about my competition and advertising law services see: competition law services.
To contact me about a potential legal matter, see: contact
For more regulatory law updates follow me on Twitter: @CanadaAttorney