Last Wednesday (December 15) Royal Assent was given to Bill C-28. Although not officially titled, it is known as the “Fighting Internet and Wireless Spam Act”. The legislation can be found here. As of the moment, it has not been proclaimed into force, but this will come sooner rather than later. My expectation is that the Industry Ministry is busy finalizing the regulations and once they are done they will be released and there will be a short time period for businesses to adjust to the legislation and then it will be proclaimed into force. My suggestion is that you read the summary of the legislation below, then go to the Act and take a look and start to prepare now to ensure that you don’t run afoul of the new legislation.
While you will not see the word “spam” anywhere in the Act, it is very clear that this is what is being targeted. But it should also be noted that it does cover other activities such as altering data transmissions and the unauthorized installation of computer programs – although most small businesses will not have to worry about these issues, so I will simply focus on the anti-spam provisions. I will also take this opportunity to mention that even though I use the word “spam”, what is really being discussed in any uninvited e-mail or other communication (for example, faxes) that are sent as part of “mass e-mailings” or communications to promote your product. It is not only the “nefarious” communications but any mass promotion that is caught.
The basic framework of the legislation is that there is a prohibition, a bunch of exceptions and penalties or consequences of breach of the prohibition are set out.
Section 6 of the Act provides the basic prohibition on spam. However, spam can be permitted if either (a) express or implied consent has been given by the recipient; or (b) the message meets certain criteria. Let’s look at each of these possibilities. What constitutes either express or implied consent is set out in Section 10 of the Act. If there is a previously-existing business relationship (for example, spam sent to prior customers – as opposed to potential customers) or non-business relationship, then consent will be implied (at least until notice is given of withdrawal of any consent). Also, for consent to be express, there must be certain information found on whatever consentform you use to ensure that the consent given is a fully knowledgable consent.
If consent is not available, then the person sending the e-mail can still send out spam but only if it provides the name of the sender, the name of the person on whose behalf the communication is being sent (if different from the sender) and it must comply with the unsubscribe mechanism requirements of Section 11. In addition, the names of the sender and person for whom the communication is being sent MUST remain valid for 60 days. As such, if Employee A sends the mail e-mail mailing out and then quits 2 days later, the employer will have to ensure that Employee A’s e-mail account remains active and valid and, most importantly, is being monitored for another 58 days. Why is this important? Because, as part of the Section 11 requirements for the unsubscribe mechanism, the sender must provide confirmation of removal from the mailing list within 10 business days of the request being sent by the recipient of the spam.
Beyond the two general ways in which permission might be found to send out spam, there are also several specific exceptions which are found in Subsection 6(6) of the Act – for example, sending out information to subscribers or providing warranty information. You should check these exceptions to see if any will apply for your mass communication or e-mailing.
Another “exception” isn’t actually an exception per se but is rather a recognition of Canada’s territorial restriction on applying its laws. Section 12 provides that the prohibition in Section 6 only applies where the computer that is used to send the spam is located in Canada. This has two implications. The first is that, if you are really intent on sending out spam, you will want to see if it can be sent through a service company that uses “foreign” computers to send their messages. The second is that, as we will see below, there is a private right of action, so if your company is being inundated with spam and you want to sue, you will only be able to do so if the spammer is using a Canadian-based computer system.
If an allegation of spamming is made, the CRTC now has powers in Sections 15 to 19 to investigate the complaint and to preserve data either at your business location or through your Internet service provider. The result of this investigation can result in a notice of breach of Section 6 with a penalty being imposed of up to $1 Million for individuals and $10 Million for all others (for our purposes – your business). This can be sent to you up to 3 years after the spam communications. For present purposes, it’s similar in structure to a speeding or parking ticket. You get the “ticket” (albeit one for up to $10 Million) and you then have the opportunity to “fight the ticket”. If you lose, you do have appeal rights as well.
Beyond the “ticket” power of the CRTC, there is a private right to bring an application for a determination of a breach of Section 6. In other words, the recipients can go after the spammers themselves if they so wish. This is set out in Section 47. The application can be brought to either the Federal Court or to the provincial superior court (in Quebec and Ontario, the Superior Court, on the prairies the Court of Queen’s Bench, etc.) and, as with the “ticket” power, the application can be made up to 3 years after the fact.
It should also be noted that Section 52 expressly permits for directors and officers to be found liable for a breach of Section 6 and that this can occur even if the director or officer merely acquiesced in the breach. Similarly, Section 53 permits vicarious liability – so a company will not be able to say “that was just our employee goofing around, we didn’t know what he was doing” if the company gave him enough authority to do whatever it is that he did, even if the company didn’t realize that he would abuse this authority in this way. As such, if you are a director or officer, you or your company could find yourself on the wrong end of either a “ticket” type prosecution by the CRTC or a private lawsuit by an angry spam recipient (or recipients, as there appears to be nothing to preclude the bringing of a class action in this regard). That said, Section 54 does give some relief in that a defence exists if the director / officer / company can show that they used due diligence to prevent the spamming from occuring.
The result of this new legislation is that you should give some consideration to any mass e-mailings or other communications that you do. In particular, items that you would not ordinarily think of as “spam” just might fall under the legislation. I’ll give you a simple example. As some of you will know, this year Wilson Vukelich (the firm to which I provide counsel services) did not send out a physical Christmas card but, instead, sent out an e-card. While some people were very impressed by it, it is possible that others viewed it as “spam”. Subsection 1(2) of the Act states that a “commercial electronic message” is one from which “it would be reasonable to conclude [as having] as its purpose, or one of its purposes, to encourage participation in a commercial activity”. While there is no question that the primary purpose of the e-card was to extend holiday greetings, could it be said that “one of its purposes” was also to say “don’t forget to send us your legal work”? Arguably this could be the case and, if so, then the e-card, if sent next year, would fall within the scope of the new legislation. If it was sent only to existing or prior clients, then no problem. But what if it is sent to potential clients? As another example, I received more than a few e-cards this year from fraud investigators, forensic accountants, etc. with whom I have never worked in the past on commercial litigation or corporate files. If the legislation was in effect, and if I suddenly for some crazy reason took offence to these e-mails, I could potentially sue under the legislation. So, you may want to consider any marketing efforts being taken on a wide scale and think about whether you could run afoul of the new legislation.
Something to think about.