Canada Raises the Antispam Stakes
Privacy & Information Security Update
Date: May 21, 2012
Businesses that are accustomed to the terms of U.S. antispam legislation and have designed their marketing accordingly need to revisit old assumptions, at least if they market in Canada.
Final regulations were promulgated in March 2012 under Canada's new antispam legislation, passed in December 2010. The new statute and regulations are expected to take effect sometime in 2013. Once in effect, the new statute, known as Bill C-28 (Act), will significantly impact all companies that market in Canada. Advance planning will help to minimize the Act's impact on business.
The Act notably requires the affirmative opt-in consent of customers to receive commercially oriented electronic messages. It also carries stiff administrative penalties - up to $1 million for individuals and $10 million for corporations per violation - that are enforceable against both domestic and foreign individuals and entities that violate its provisions. The Act creates a private right of action for aggrieved individuals and provides for the award of actual and statutory damages.
The Act is not restricted to unsolicited electronic transmissions. It also governs the alteration of transmission data, the installation of certain computer programs and "address harvesting."
CAN-SPAM and “Do Not Call” Compliance Is Not Enough
The Act goes well beyond the U.S. CAN-SPAM regime in important ways. It will prohibit the sending of "commercial electronic messages" to "electronic addresses" without consent. Electronic addresses include not only email and telephone accounts, but also Internet and social media messaging. Electronic messages include text, sound, voice or image messages sent by any form of telecommunication.
Unlike the more familiar compliance methods associated with CAN-SPAM and "Do Not Call" in the United States, under which advertisers generally may direct unsolicited communications to recipients until and unless they affirmatively opt out of receiving them, Canada's Act requires opt-in consent by recipients. It also mandates consent for the alteration of transmission data and the installation of a program on another's computer.
When express consent is sought, the sender must clearly state the purpose (or purposes) for which the consent is sought and identify both the person seeking consent and the person on whose behalf consent is sought. Consent may be implied in some instances, such as when an individual has prominently published an electronic address without an accompanying notification that unsolicited messages should not be sent to it, or where there is a preexisting business relationship between the parties. Electronic messages also must:
- Identify the sender of the message.
- Identify the person on whose behalf a message is sent, if different from the sender.
- Provide contact information that will be valid for at least 60 days.
- Offer a simple and straightforward method to unsubscribe from further messages.
In the case of computer programs, the request for consent must also clearly and simply describe (in general terms) the function and purpose of the program to be installed. If the program will collect personal information; change settings, preferences or data; or communicate with other computer systems, additional information regarding those activities and their foreseeable impact on the user's computer system must be included in the consent request. Consent for certain types of programs (such as cookies, HTML code and java scripts) is considered express if "the person's conduct is such that it is reasonable to believe that they consent to the program's installation."
Penalties Are Severe
The Act provides for robust enforcement mechanisms through three government agencies: the Canadian Radio-Television and Telecommunications Commission, the Competition Bureau and the Office of the Privacy Commissioner. The agencies are authorized to share and exchange information with each other, as well as with agencies of foreign governments, to facilitate enforcement.
The Act provides authority to require telecommunications service providers to preserve transmission data upon enforcer request. It also provides authority for enforcers to obtain warrants to verify compliance with the Act and to determine if a violation has taken place. Injunctive relief is available, as are monetary penalties. Officers, directors and agents of corporations may be personally liable for violations if they "directed, authorized, assented to, acquiesced in or participated in the commission of the violation," even if no action is taken against the entity itself. Individuals may face penalties of up to $1 million, and up to $10 million can be assessed against entities.
The Act creates a private right of action with a three-year statute of limitations. Private actions include the right to statutory damages of $200 for "each contravention" of the Act, up to $1 million per day on which a contravention occurred. Statutory damages are unavailable in civil actions, however, if the defendant has been served with a "Notice of Violation" by an enforcement agency or has entered into an undertaking with an enforcement agency.
Transition Period Provided
The Act, not yet in force, is awaiting a Governor in Council Order, which is anticipated at some point during 2013. Even after it is placed in force, Sections 66 and 67 of the Act provide windows of up to three years of "implied consent" for recipients having prior relationships with senders or relating to upgrades and updates of previously installed computer programs. Recipients may negate the implied consent by giving notification that they no longer consent.
Preparing for Implementation
A company's careful preparation will ease its compliance with the Act. Entities engaging in commercial electronic communications with Canadian residents should review their mailing and subscriber lists, identify Canadian recipients and promptly unsubscribe any who do not consent to continue receiving messages once the Act comes into force. They also should obtain affirmative consents from Canadian residents subsequently added to mailing or subscription lists and, in the longer term, have a process in place to obtain opt-in consents from Canadian residents. Entities that purchase mailing lists from third parties should ensure that their vendors comply with the Act.
Foresight & Preparation
Our Privacy & Information Security team of multidisciplinary international lawyers is experienced in complex national and international issues, including privacy, data protection, information security, records retention, employment and labor law, consumer protection, Internet law and intellectual property. We help clients develop, implement and benefit from globally compliant data management practices. We have helped many companies develop and implement global privacy and data protection programs and strengthen their strategic use of competitively critical data.