The Canadian Anti-Spam Act was passed in December of 2010, and is expected to come into force sometime in 2013.
If you think it won’t affect you because you don’t send mass emails trying to sell random products, or don’t infest other people’s computers with spyware, you would be wrong. It creates tools to fight spam, but unfortunately its definition of spam is so broad that it goes far beyond what the average person would consider to be spam, and it will affect how most of us conduct business.
My personal view is that this Act is fundamentally flawed. Creating tools to combat spam such as emails sent out by the thousands to try to sell drugs would be welcomed by most people. But the Act defines as spam things that most of us would consider innocuous, and indeed desirable. For example, if you and I meet at an event, it may be spam if afterwards one of us sends an email to the other suggesting that we should talk further about our respective services. Or if the child of a friend emails you offering to shovel the snow off your driveway for money, it might be spam.
The Act’s biggest impact will be the compliance headache it will cause the average business or charity that is caught by the Act.
This is the first of a series of 5 articles that will introduce the Act, describe what spam is and is not, talk about collateral provisions, what we can do now, and some of the challenges going forward.
The Act is long and complex, and includes amendments to four existing acts – the CRTC Act, Competition Act, PIPEDA, and Telecommunications Act.
The first indication that the Act is overly complex is its name: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.
It applies to the sending of commercial electronic messages that many of us would not consider to be spam. It applies to various forms of electronic communications, including email, instant messages, and social media.
Essentially, any electronic message with any kind of commercial purpose is caught, subject to a myriad of complex provisions setting out exceptions and consent requirements. And since the onus is on the sender to show compliance with the Act, all this will somehow have to be tracked and recorded.
It also includes provisions that require specific permission to install certain types of software and software updates.
So while the intention is to control what we all understand as spam and spyware, it will affect many things that we may not intuitively consider spam or spyware. As with privacy legislation, this Act will no doubt lead to situations where our first reaction is to label something spam or spyware if we receive it, but not consider the same thing spam or spyware if we send it.
Some of the details required to understand the daily impact of the Act are contained in regulations. These regulations come from two different entities. The CRTC has finalized regulations that deal with issues surrounding information to be disclosed and consent to receive electronic messages. The CRTC has also issued two Compliance and Enforcement Information Bulletins that set out some CRTC views on enforcement. While they are helpful, their interpretations are also somewhat troubling as they set out requirements that are more onerous and commercially unfriendly than the Act seems to contemplate.
Industry Canada regulations deal with some of the exceptions to the definition of spam. The first version of the draft regulations received significant criticism – the second try was released on January 5, and is subject to a 30-day commentary period.
I believe there should be a volume threshold where it is deemed not to be spam if it’s a targeted message sent to a small number of individuals – but that is not contemplated.
The penalties for non-compliance are significant, complex and detailed. Remedies include fines of up to $1,000,000 for individuals, $10,000,000 for others, and private rights of action. Statutory damages are included, so a plaintiff does not have to prove actual damages. Private rights of action allow lawsuits by individuals, including class actions.
Some things are “reviewable conduct”, meaning that they are subject to the investigatory and order-making powers of the Privacy or Competition Commissioners.
Directors and officers can be personally liable if they authorized or acquiesced in the offence. Employers are vicariously liable for the actions of their employees acting within the scope of their authority. To lessen the risk to directors and officers, many boards will mandate anti-spam policies and procedures to take advantage of a defence section that says: “A person must not be found to be liable for a violation if they establish that they exercised due diligence to prevent the commission of the violation.” Boards may also want to look at their D&O insurance to determine whether violations of the Act are covered. D&O insurance typically does not cover fines and penalties, so it is an important question to ask.
Remedies also include the ability to obtain an injunction to prevent a contravention of the Act.
The next article will discuss what spam is under the Act, the myriad of exceptions, and what needs to be tracked.