This article talks about what the Anti-Spam Act defines as spam, the myriad of exceptions, and what needs to be tracked to prove compliance. This will be presented by way of the thought process to be followed to determine whether a message is spam, and whether or how it can be sent without violating the act. The graphic that accompanies this article may be helpful.
This is the second of a series of 5 articles that will introduce the Act, describe what spam is and is not, talk about collateral provisions, what we can do now, and some of the challenges going forward.
The first question to ask to determine if you are about to send spam is whether it is a “commercial electronic message” (“CEM”), which is very broadly defined. In part, the definition says it is “…an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity…”
It is worth noting that “An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message.” In other words, if you want to send a message or messages that are considered spam, it is considered spam to even send a message asking for permission.
“Electronic message” is broadly defined to include a message via email, instant message, phone, or “any similar account”. That could include things like a twitter direct message or a facebook message or chat.
“Commercial activity” means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit…”.
If you are not sending a commercial electronic message, then it is not spam and the act does not apply.
If it is a CEM, the next question to ask is whether:
- it is sent to an individual with whom the sender has a personal or family relationship; or
- it is an inquiry re the recipients commercial activity; or
- it is exempted by the regulations.
If any of those apply, it is not spam.
If none of those work to exempt the message as spam, there is a long list of possible exceptions. Those exceptions include things like:
- a requested quote
- to facilitate a commercial transaction that has been agreed to
- warranty, safety or recall info to a buyer
- providing factual info about ongoing use or an ongoing subscription, membership or account
- providing info about an ongoing employment or benefit plan
- delivering a product or upgrades that a person is entitled to
- is otherwise allowed by regulation
If the message does not fall into any of those exemptions, and the sender does not otherwise have consent from the recipient to send the message, then it is spam and cannot be sent. The Act and the CRTC regulations spell out at length what is required to obtain consent, which can be express or implied. The onus is on the sender to prove that it has consent, so consents will have to be recorded and tracked. What amounts to consent is defined at length. It is worth noting that a consent that one already has from someone under PIPEDA or other applicable privacy legislation may not qualify as consent under the Act.
Implied consent includes if the message is to someone:
- the sender has an existing business or non-business relationship with (both terms are extensively defined in the Act and the Industry Canada regulations); or
- who has published their address, not stated they don’t want to receive unsolicited CEM, and the message is relevant to the recipient’s business; or
- who has disclosed their address to the sender, not stated they don’t want to receive unsolicited CEM, and the message is relevant to the recipient’s business; or
- as set out in the regulations
But you are not out of the woods yet. If you have consent, or if it falls under an exemption, you can send the message, but only if the message:
- conforms to requirements contained in the regulations; and
- identifies the sender; and
- provides contact info for the sender; and
- provides an unsubscribe mechanism.
The Act’s application to charities must be considered. An indication of the broad interpretation of commercial activity and purposes intended by the Act is that the definition of implied consent includes references to volunteers and donors. Specifically, “existing non-business relationship” includes messages from charities to:
- donors within the past 2 years; or
- volunteers who performed work or attended a meeting within the last 2 years.=