Anti-Spam Legislation: A Work in Progress
At the end of 2010, Canada enacted strict anti-spam legislation (the “Act”) relating to the sending of electronic messages, as well as to other aspects of online commercial activity. Implementation of the Act has been delayed by public consultation regarding draft regulations. At this time regulations created by the Canadian Radio-television and Telecommunications Commission (“CRTC”) have been finalized, but additional regulations have yet to be finalized. It is expected that the Act will be proclaimed in force some time in 2013.
The Act is not limited to preventing wide-scale or mass-market spam messages: it will apply to the sending of any commercial electronic messages (“CEMs”), including email messages, SMS messages, or other electronic messages sent for a commercial purpose. The Act creates a consent regime, and requires that senders include particular content and a clear opt-out mechanism.
In addition, the Act limits certain forms of online commercial activity, including unauthorized harvesting of email addresses, misleading electronic communications, and unauthorized installation of computer programs.
The Act includes large fines for failure to comply and also permits a private right of action for those individuals affected by an organization’s non-compliance.
There are three general requirements for CEMs:
- Identification Requirements: The Act requires that CEMs identify the person who sent the message and (if different) the person on whose behalf it is sent, including reference to accurate contact information. If it is not practicable to include contact information in the message, information may be provided by a link to a web page that sets out the necessary information.
- Consent Requirements: The Act requires the existence of express consent from recipients prior to the sending of a CEM, subject only to limited exceptions. The sending of an electronic message requesting express consent will itself be considered a CEM. Therefore express consent must be sought prior to the coming into force of the Act, or must be sought in some other manner (such as in a non-electronic form that would not be captured in the definition of a CEM). The Act also requires notice that consent may be withdrawn by the recipient.
- Unsubscribe Requirements: CEMs must include a clear and prominent unsubscribe mechanism, such as by way of reply email or other simple means. The recipient’s choice of the unsubscribe option must be given prompt effect.
Of these three requirements, compliance with the consent provisions will likely be the most challenging. Organizations should carefully consider the steps necessary to obtain consent.
Existing Business Relationships: Consent to receive CEMs may be implied in certain circumstances, including in relation to existing business relationships. However, the Act contains limitations on the period of time during which organizations can rely on this implied consent. The relevant period will provide organizations with a time-limited opportunity to seek explicit consent, after which the original implied consent will expire.
Limitations on Oral Consent: Although express consent can be obtained either orally or in writing, a recent CRTC Enforcement Bulletin has placed severe restrictions on the use of oral consent. This Bulletin indicates that oral consent will only be available where this form of consent can be verified by an independent third party, or where there is a complete audio recording of the consent. Although Enforcement Bulletins do not have the force of law, they do indicate how the CRTC currently intends to interpret the Act. Unless there is a change to the CRTC’s intended interpretation of the Act, proof of oral consent will likely be out of reach for most organizations.
Limitations on Toggling: In some circumstances, online forms may be useful in obtaining express consent. However, a further CRTC Enforcement Bulletin indicates that pre-checked boxes that a user must uncheck (called “toggling”) will not constitute adequate express consent. Organizations should offer individuals the option of checking a box themselves, or of performing some other act to choose to accept CEMs, such as by entering their email address in a form, rather than relying on any sort of pre-checked option.
Questions about compliance? The Field Law Privacy Group can assist with your organization’s compliance with the anti-spam legislation and guide your organization through the complex landscape of privacy law.