If you conduct business online, you should review your terms of use, privacy policies and other legal agreements and marketing processes to ensure compliance with Canada’s new Anti-Spam law which is expected to come into force this year.  The penalties are high ($1m for individuals and $10M for business) and the Act is very complex and the definitions are not as precise as they should be.

Anti-Spam

This Act is consent based and prevents one from sending commercial electronic messages unless the recipient has given express or implied consent. A “commercial electronic message” is defined as an “electronic message” where one of its purposes is” to encourage participation” in “commercial activity.” An “electronic message” includes any “message sent by any means of telecommunication, including a text, sound, voice or image message” which includes e-mails, text messages, instant messages, social media postings etc..  Excluded are two-way voice communication, faxing to a telephone account or accessing a voice mailbox which are covered by the DO-NOT-CALL LIST.

Express Consent

In order to request express consent to send a commercial electronic message, you must “clearly and simply” set out the purpose(s) for which consent is being sought and identify your organization seeking the consent. Excluded are commercial electronic messages that have the following purposes:

1. provides a requested quote or estimate;
2. facilitates, completes or confirms a previously agreed to commercial transaction;
3. provides warranty, product recall or safety information to a purchaser of goods or services;
4. provides factual information about the ongoing use or ongoing purchase of a product, goods or a service offered under a subscription, membership, account, loan or an ongoing subscription, membership, account, loan or similar relationship of the person to whom the message is sent;
5.  provides information directly related to an employment relationship; or
6.  delivers product, goods or a service, including product updates or upgrades, pursuant to a previously agreed to transaction

Implied Consent:

Consent to receive messages are implied where:

1. you and the recipient have an “existing business relationship” or a ” non-business relationship” (e.g., membership in a club or the recipient made a donation), where the relationship arose within the past two years or is pursuant to a contract in effect in the past two years;
2. the recipient has “conspicuously published” its electronic address and has not indicated a desire to not receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role; or
3. the recipient has provided its electronic address to you without indicating a wish not to receive unsolicited commercial electronic messages from you, and the message is relevant to the recipient’s business role.

Opt-out Function:

This Act requires that all commercial electronic messages must identify the sender, who the message is for, include the sender’s contact information, and provide an  opt out mechanism.

Anti-Spyware, Anti-Malware Provisions:
 
This Act attempts to combat the spread of spyware and malware by prohibiting the installation of certain computer programs without the consent of the computer’s user or owner. When consent to install a program is requested, it must “describe clearly and simply the function and purpose of every computer program that is to be installed.”   For programs that perform the following potentially undesirable functions, it must bring its “foreseeable impacts” to the attention of the user:

1. collecting personal information stored on the computer system;
2. interfering with the user’s control of the computer system;
3. changing or interfering with settings or preferences on the computer system without the user’s knowledge;
4. interfering with access to or use of that data on the computer system;
5. causing the computer system to communicate with another computer system without the authorization of the user; or
6. installing a computer program that may be activated by a third party without the knowledge of the user.

These requirements apply to computers and computer servers as well as any electronic device that allows for the installation of third-party programs i.e.  tablets and smartphones.  Programs are exempted from these requirements if it is reasonable to conclude from the recipient’s conduct that the recipient consented to the installation of the programs which are listed in the Act: HTML code, Web cookies, javascript code, operating systems, patches and add-ons and any other program listed in the regulations.

Program upgrades and updates are also exempt if the recipient consented to the initial installation and is entitled to receive upgrades or updates.  Not listed are beacons but it will be interesting to see how they will be handled by regulation.

Amendments to the Competition Act

This Act also amends the Competition Act to prohibit false and/or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locater on a webpage. Be careful of catching reader’s attention by including untrue and boastful statements in subject matter.

Amendments to PIPDEA

The Act also amends PIPEDA, to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses (sometimes called “address harvesting”).

Penalties

The Act is enforced by the CRTC and violators of the anti-spam and anti-spyware provisions of the Act could face fines of up to $1 million for individuals and $10 million for organizations per violation. Officers and directors can also be liable for these provisions if they directed, authorized, acquiesced in or participated in the offending conduct.

A private right of action allows any business or consumer to take civil action directly against anyone who violates the Act, or the new false or misleading representations provisions of the Competition Act. The Act contemplates that a litigant will only be able to recover its actual damages and additional amounts that could amount to as much as $1 million per day.  Damages for pain and suffering are not covered by this Act.

Implementation of the Act:

The Act will come into force upon proclamation.

The regulations for this Act are expected as early as April of this year.

Do you conduct business online?  If yes, you should be aware of these new requirements and do the following:

1.  Review and update your privacy policies and terms of service
2.  Review and update your business practices
3.  Update your website to ensure express consent for e-mail and newsletters
4. Review and update procedures for consents, opt-out request, update unsubscribe requests within the requisite time frame;
5. ensure compliance with the amended PIPEDA;
6.  review and revise marketing, advertising etc. communication

If you are a software developer, you should:
1. review and update program-installation
2. if a program performs one of the prescribed undesirable functions, the disclosure mechanism will also need to describe the foreseeable impacts of these functions; and
3. revise end-user licence agreements to ensure that consent to install patches and upgrades is expressly obtained before installation of computer programs.

Name of Act is:

The old name for this act was the Fighting Internet and Wireless Spam Act but the new snappy name is:  An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.”