Organizations that conduct business online should start preparing for Canada’s new anti-spam and anti-spyware legislation, which was passed in mid-December and is expected to come into force later this year.¹ As the Act is complex and the penalties for violating the new law can be severe, organizations should review and modify their online practices, where necessary, at an early opportunity.
The Act prohibits organizations from sending commercial electronic messages unless the recipient has given express or implied consent. A “commercial” electronic message is an electronic message where one of its purposes is to encourage participation in commercial activity. An “electronic message” is defined broadly to include any “message sent by any means of telecommunication, including a text, sound, voice or image message.” This covers e-mails, text messages, instant messages, “tweets” or Facebook® postings, but excludes two-way voice communication, faxing to a telephone account or accessing a voice mailbox.
When requesting express consent to send a commercial electronic message, an organization must “clearly and simply” set out the purpose(s) for which consent is being sought and identify the organization seeking the consent. However, consent is not required to send a commercial electronic message where the purpose is to:
- provide a quote or estimate in response to a request;
- facilitate, complete or confirm a pre-agreed commercial transaction;
- provide warranty, product recall or safety information to a purchaser of goods;
- provide information related to an ongoing subscription, membership, account or loan;
- provide information related to an employment relationship; or
- deliver a pre-authorized product, goods or service, including product updates and upgrades.
Consent to receive messages can also be implied, most notably where:
- the sender and the recipient have an existing business relationship or non-business relationship (e.g., membership in a club), where the relationship arose within the past two years or is pursuant to a contract in effect in the past two years;
- the recipient has “conspicuously published” its electronic address and has not indicated a desire to not receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role; or
- the recipient has provided its electronic address to the sender without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role.
The Act also requires that all commercial electronic messages identify the sender, include the sender’s contact information, and provide an “unsubscribe” mechanism so that the recipient can opt out of receiving future communications.
In addition, if a program performs certain potentially undesirable functions, it must bring its “foreseeable impacts” to the attention of the user. The prescribed list of undesirable functions includes:
- collecting personal information stored on the computer system;
- interfering with the user’s control of the computer system;
- changing or interfering with settings or preferences on the computer system without the user’s knowledge;
- interfering with access to or use of that data on the computer system;
- causing the computer system to communicate with another computer system without the authorization of the user; or
- installing a computer program that may be activated by a third party without the knowledge of the user.
These requirements apply not only to personal computers and computer servers, but also to any electronic device that allows for the installation of third-party programs, such as smartphones and tablets. Programs are exempted from these requirements only if it is reasonable to conclude from the recipient’s conduct that the recipient consented to the installation of the programs (e.g., HTML code, Web cookies, JavaScript code, operating systems, patches and add-ons). Program upgrades and updates are also exempt if the recipient consented to the initial installation and is entitled to receive upgrades or updates.
Amendments to the Competition Act and PIPEDA²
The Act amends the Competition Act to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locator on a webpage. Senders will have to be particularly wary of making overly boastful statements in subject matter lines in an attempt to catch readers’ attention.
The Act also amends PIPEDA, to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses (sometimes called “address harvesting”).
The Act also creates a private right of action that allows any business or consumer to take civil action directly against anyone who violates the Act, or the new false or misleading representations provisions of the Competition Act. The Act contemplates that a litigant will be able to recover its actual damages and additional amounts that could amount to as much as $1 million per day. These latter provisions will undoubtedly excite the plaintiff class action bar.
In preparation, organizations should:
- review and update website privacy policies and terms and conditions to ensure proper consents for the collection of personal information and/or the installation of computer programs on dynamic websites;
- review and update their forms for obtaining express consent to send commercial electronic messages (including e-mail or newsletters), or install software programs to ensure that the forms satisfy the prescribed requirements;
- re-examine their procedures for documenting the receipt of consent, as the onus will rest on senders and software developers to prove they obtained consent;
- ensure that any commercial electronic message contains the prescribed information and an unsubscribe mechanism that is operational for the specified period;
- deal with unsubscribe requests within the requisite time frame;
- ensure that any process that involves online collection of e-mail addresses or other personal information complies with the amendments to the PIPEDA;
- generally review and revise marketing, advertising and external communication practices to comply with the requirements of the Act and the new provision of the Competition Act; and
- in the case of software developers:
  - examine their program-installation procedures to ensure that information about the function and purpose of the program is provided prior to installation;
  - if the program performs one of the prescribed undesirable functions, the disclosure mechanism will also need to describe the foreseeable impacts of these functions; and
  - revise end-user licence agreements (EULAs) to ensure that consent to install patches and upgrades is expressly obtained before installation of computer programs.
1 The full name of the Act is long, and quite unmemorable: “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.” The Act will come into force upon proclamation.
2 Personal Information Protection and Electronic Documents Act, which is the primary federal statute that addresses privacy matters.
2 comments
One of the better summaries I’ve read… I’m confused by the words in s. 6(8) “that is a voice recording sent to a telephone account”. I notice you rephrased that as “accessing a voice mailbox”. Either way, I think what’s intended is to allow a sender to leave a voicemail message for a recipient, but I don’t like the words “voice recording”… makes it sound like one of those commercial prerecorded messages that I’ve won a trip somewhere etc.
We’re thinking of activating a function on one of our websites similar to, from what I understand, (say) what Facebook and LinkedIn do. i.e. for our visitors or existing members – inviters – to recommend our website to people they know. They’d sign in to their Hotmail/Gmail/Facebook in our site and our function will extract the addresses he’s selected. After which our server will send an invitation to those email addresses so people invited – recipients – may take a look at our website. That is, given that we comply with every other aspect of the law (unsubscribe link, correct subject, etc.)
I’ve spent the last day or two trying to understand the anti-spam legislation C-28. So far I’m not really getting if what we hope to do will be okay with that Bill or not. (And for the inviters who authorize us to use their friends’ email addresses (Hmm, what’s a ‘friend’ now…). We don’t want to get folks into trouble recommending us.)
Reading C-28 and others’ discussion about it on the Net, doing that seems risky at best (proving ALL of the recipients have a relationship etc with the inviter), but why are Facebook and LinkedIn doing it (they are, aren’t they?).
Does having somebody in your email services (e.g. you’ve previously emailed to them) mean that there’s necessarily a relationship by that law? Not necessarily it seems. (Then (again) why are Facebook and LinkedIn doing it?)
Comments?
thanks
Edwin