First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

What do I need to know about Canada’s new anti-spam legislation?

Canada’s anti-spam legislation is expected to be declared in force in 2013. It will regulate most forms of commercial electronic messages sent to Canadians, including email, text messages and messages sent through social media. Under the anti-spam legislation, either express or implied consent is required before sending commercial electronic messages. In addition, the message must comply with prescribed information disclosures, and a mechanism to unsubscribe must be provided.

The new law has an unwieldy name: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. It received royal assent in 2010, but is not yet in force.

The new statute gives the Canadian Radio-television and Telecommunications Commission (CRTC) the authority to regulate many commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system, in the course of a commercial activity. The fundamental underlying principle in the new statute is that such activities can only be carried out with consent. Commercial electronic messages that are regulated under the new legislation include any type of electronic messages sent to Canadians, including email, text messages and messages sent through social media.

Once Canada’s anti-spam legislation is enacted, it will essentially restrict sending commercial email (or other electronic) messages to cases where there has been a business relationship (such as a sale) with a consumer within the past two years. However, there will be a three-year transition period before the new requirements are fully in effect.

The new legislation requires that prior consent must be obtained from the recipient in order to send an electronic message. (This differs from the approach in the United States whereby a message may be sent without prior consent provided that the recipient is able to readily opt out of receiving future messages. In Canada, the onus is on the sender to establish that consent was received before sending out a commercial electronic message.

Consent may be implied in the following circumstances:

  1. If the message is sent in the context of an existing (business or non-business) relationship between sender and recipient
  2. If the recipient has “conspicuously published” their email information, and the publication is not accompanied by a statement that the recipient does not wish to receive communications, and the message is relevant to the person’s business, role, functions or official capacity
  3. If the recipient has disclosed their email contact information to the sender without indicating that they do not wish to receive communications and the message is relevant to the person’s business, role, functions or official capacity
  4. Regulations to the statute may provide further cases of implied consent

The first implied consent concept listed is the one most likely to be relied upon: an existing business relationship in the two years before the date that the message is sent, or if the recipient has made an enquiry in the previous six months.

Express consent must be obtained if none of the four implied consent circumstances apply. The consent must clearly and simply set out the purpose for which the consent is being sought, as well as certain information prescribed by regulation, including identifying the party seeking consent.

The statute provides that it does not apply to commercial electronic messages that solely:

  • Provide a quote or estimate for the supply of a product, goods, a service, land or an interest or right in land, if the quote or estimate was requested by the person to whom the message is sent
  • Facilitate, complete or confirm a commercial transaction that the person to whom the message is sent previously agreed to enter into with the person who sent the message or the person—if different—on whose behalf it is sent
  • Provide warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased
  • Provide notification of factual information about a) the ongoing use or ongoing purchase by the person to whom the message is sent of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the person who sent the message or the person—if different—on whose behalf it is sent, or b) the ongoing subscription, membership, account, loan or similar relationship of the person to whom the message is sent
  • Provide information directly related to an employment relationship or related benefit plan in which the person to whom the message is sent is currently involved, is currently participating or is currently enrolled
  • Deliver a product, goods or a service, including product updates or upgrades, that the person to whom the message is sent is entitled to receive under the terms of a transaction that they have previously entered into with the person who sent the message or the person—if different—on whose behalf it is sent
  • Communicate for a purpose specified in the regulations

There must be an unsubscribe mechanism so that the recipient may indicate that they no longer wish to receive commercial electronic messages. In addition, the sender must provide an electronic address or link to a web page where the recipient can unsubscribe. The unsubscribe mechanism must enable the recipient to unsubscribe using the same electronic means by which the message was sent (or if doing it that way is not practical, any other effective electronic means). The electronic address or web page where the recipient can unsubscribe must be valid for at least 60 days after the message is sent. A request to unsubscribe must be fulfilled within 10 business days.

There are serious penalties for non-compliance. A single violation by a corporation could be subject to a fine of up to $10 million. The legislation also provides for a private right of action so that any person can apply to a court to seek redress under the statute, with damages payable for every day that the breach occurred. Civil damages may also be sought through a class action.

The regulations under the anti-spam legislation are still being refined, and some definitions and circumstances have yet to be clarified. Regulations published to date include the items below.

Information to be included in commercial electronic messages

The following information must be set out in any commercial electronic message:

  • The name by which the person sending the message carries on business, if different from their name, if not, the name of the person
  • If the message is sent on behalf of another person, the name by which the person on whose behalf the message is sent carries on business, if different from their name, if not, the name of the person on whose behalf the message is sent
  • If the message is sent on behalf of another person, a statement indicating which person is sending the message and which person on whose behalf the message is sent
  • The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person sending the message or, if different, the person on whose behalf the message is sent

If it is not practicable to include the information in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message.

Information to be included in a request for consent

A request for consent may be obtained orally or in writing and must include:

  • The name by which the person seeking consent carries on business, if different from their name, if not, the name of the person seeking consent
  • If the consent is sought on behalf of another person, the name by which the person on whose behalf consent is sought carries on business, if different from their name, if not, the name of the person on whose behalf consent is sought
  • If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought
  • The mailing address, and either a telephone number providing access to an agent or a voice messaging system, an email address or a web address of the person seeking consent or, if different, the person on whose behalf consent is sought
  • A statement indicating that the person whose consent is sought can withdraw their consent

With its aim to regulate electronic communications between vendor and customer, the anti-spam legislation should work to maintain clearer privacy boundaries as well as providing useful guidelines for businesses. The best-case scenario would result in a more creative, resourceful use of the media at hand, rather than a nonstop onslaught of messages from advertisers and marketers.

To learn more about these upcoming changes in detail, please refer to the latest Finance and Accounting PolicyPro (FAPP) Release 2012-05.

This release consists of a replacement for all of Chapter 6 of the third volume of Finance and Accounting PolicyPro, Operations and Marketing, which is included in the electronic version of FAPP. All policies have been updated and rewritten as required, including guidelines on the new anti-spam requirements.

Chapter 6 includes the following policies:

6.01 – Plans, Research and Strategy
6.02 – Advertising and Direct Marketing
6.03 – Product Identifiers
6.04 – Corporate Image and Communication Standards
6.05 – Corporate Website
6.06 – Sales Training
6.07 – Customer Relationship Management
6.08 – Trade Shows
6.09 – Customer Satisfaction Survey
6.10 – Request for Quotation
6.11 – Sales Leads
6.12 – Do Not Call Registry
6.13 – Anti-Spam Requirements

Additional guidelines by the CRTC

Two information bulletins have been published by the CRTC to help businesses better understand the federal anti-spam legislation. The bulletins include examples of acceptable practices among other things.

The first bulletin Compliance and Enforcement Bulletins CRTC 2012-548 provides guidance on the interpretation of the Electronic Commerce Protection Regulations, and includes details on acceptable unsubscribe mechanisms for each of email and SMS messages, including visual mock-ups of acceptable approaches.

The second bulletin Compliance and Enforcement Information Bulletin CRTC 2012-549 provides guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation and acceptable forms of obtaining express consent under the Act, among other things.

Jeffrey D. Sherman
BComm, MBA, CIM, FCA

Follow me

Jeffrey Sherman

Chief financial officer, author, lecturer and professor focussing on corporate finance at Atrium Mortgage Investment Corporation, Canadian Mortgage Capital Corp., Trimel Pharmaceuticals Corporation, and Anagram Services
Jeffrey D. Sherman, BComm, MBA, CIM, FCA, is a director or CFO of several public companies and has had over 20 years of executive management experience. He is the author of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro and Information Technology PolicyPro (guides to governance, procedures and internal control, all published by First Reference and the CPA). Read more
Follow me
Send to Kindle

, , , , , , , , , , , , , , , ,

Comments are currently closed.