Published by the Technology & Licensing Group
McCarthy Tétrault 2011

Canada Passes Anti-Spam and Anti-Spyware Law
by: James Gannon, Charles S. Morgan, Lorne P. Salzman

Organizations that conduct business online should start preparing for Canada’s new anti-spam and anti-spyware legislation, which was passed in mid-December and is expected to come into force later this year.1 As the Act is complex and the penalties for violating the new law can be severe, organizations should review and modify their online practices, where necessary, at an early opportunity.

Anti-Spam Provisions

The Act prohibits organizations from sending commercial electronic messages unless the recipient has given express or implied consent. A "commercial" electronic message is an electronic message where one of its purposes is to encourage participation in commercial activity. An "electronic message" is defined broadly to include any "message sent by any means of telecommunication, including a text, sound, voice or image message." This covers e-mails, text messages, instant messages, "tweets" or Facebook® postings, but excludes two-way voice communication, faxing to a telephone account or accessing a voice mailbox.

When requesting express consent to send a commercial electronic message, an organization must "clearly and simply" set out the purpose(s) for which consent is being sought and identify the organization seeking the consent. However, consent is not required to send a commercial electronic message where the purpose is to:

  • provide a quote or estimate in response to a request;
  • facilitate, complete or confirm a pre-agreed commercial transaction;
  • provide warranty, product recall or safety information to a purchaser of goods;
  • provide information related to an ongoing subscription, membership, account or loan;
  • provide information related to an employment relationship; or
  • deliver a pre-authorized product, goods or service, including product updates and upgrades.

Consent to receive messages can also be implied, most notably where:

  • the sender and the recipient have an existing business relationship or non-business relationship (e.g., membership in a club), where the relationship arose within the past two years or is pursuant to a contract in effect in the past two years;
  • the recipient has "conspicuously published" its electronic address and has not indicated a desire to not receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role; or
  • the recipient has provided its electronic address to the sender without indicating a wish not to receive unsolicited commercial electronic messages, and the message is relevant to the recipient’s business role.

The Act also requires that all commercial electronic messages must identify the sender, include the sender’s contact information, and provide an "unsubscribe" mechanism so that recipient can opt out of receiving future communications.

Anti-Spyware Provisions

To combat spyware, malware and other malicious software, the Act prohibits the installation of computer programs without the consent of the computer’s user or owner. When consent to install the program is requested, it must "describe clearly and simply the function and purpose of every computer program that is to be installed."

In addition, if a program performs certain potentially undesirable functions, it must bring its "foreseeable impacts" to the attention of the user. The prescribed list of undesirable functions includes:

  • collecting personal information stored on the computer system;
  • interfering with the user’s control of the computer system;
  • changing or interfering with settings or preferences on the computer system without the user’s knowledge;
  • interfering with access to or use of that data on the computer system;
  • causing the computer system to communicate with another computer system without the authorization of the user; or
  • installing a computer program that may be activated by a third party without the knowledge of the user.

These requirements apply not only to personal computers and computer servers, but also to any electronic device that allows for the installation of third-party programs — such as smartphones and tablets. Programs are exempted from these requirements only if it is reasonable to conclude from the recipient’s conduct that the recipient consented to the installation of the programs (e.g., HTML code, Web cookies, javascript code, operating systems, patches and add-ons). Program upgrades and updates are also exempt if the recipient consented to the initial installation and is entitled to receive upgrades or updates.

Amendments to the Competition Act and PIPEDA2

The Act amends the Competition Act to prohibit false or misleading representations in the sender description, subject matter field or message field of an electronic message, or in the URL or other locater on a webpage. Senders will have to be particularly wary of making overly boastful statements in subject matter lines in an attempt to catch readers’ attention.

The Act also amends PIPEDA, to prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses (sometimes called "address harvesting").

Enforcement and Penalties

Violators of the anti-spam and anti-spyware provisions of the Act could face fines of up to $1 million for individuals and $10 million for organizations per violation. Officers and directors can also be penalized if they directed, authorized, acquiesced in or participated in the offending conduct. The Act is enforced by the Canadian Radio-television and Telecommunications Commission.

The Act also creates a private right of action that allows any business or consumer to take civil action directly against anyone who violates the Act, or the new false or misleading representations provisions of the Competition Act. The Act contemplates that a litigant will be able to recover its actual damages and additional amounts that could amount to as much as $1 million per day. These latter provisions will undoubtedly excite the plaintiff class action bar.

McCarthy Tétrault Notes

While aimed at preventing spam and spyware, the Act imposes strict requirements on all businesses that use electronic communication. Any company conducting business online (including through e-mails) should be aware of these new requirements and may need to adapt their business practices. In order to prepare for the Act coming into force, which is expected in the next six to nine months, organizations should consider taking the following steps:

  • review and update website privacy policies and terms and conditions to ensure proper consents for the collection of personal information and/or the installation of computer programs on dynamic websites;
  • review and update their forms for obtaining express consent to send commercial electronic messages (including e-mail or newsletters), or install software programs to ensure that the forms satisfy the prescribed requirements;
  • re-examine their procedures for documenting the receipt of consent, as the onus will rest on senders and software developers to prove they obtained consent;
  • ensure that any commercial electronic message contains the prescribed information and an unsubscribe mechanism that is operational for the specified period;
  • deal with unsubscribe requests within the requisite time frame;
  • ensure that any process that involves online collection of e-mail addresses or other personal information complies with the amendments to the PIPEDA;
  • generally review and revise marketing, advertising and external communication practices to comply with the requirements of the Act and the new provision of the Competition Act; and
  • in the case of software developers:
    • examine their program-installation procedures to ensure that information about the function and purpose of the program is provided prior to installation;
    • if the program performs one of the prescribed undesirable functions, the disclosure mechanism will also need to describe the foreseeable impacts of these functions; and
    • revise end-user licence agreements (EULAs) to ensure that consent to install patches and upgrades is expressly obtained before installation of computer programs.

1 The full name of the Act is long, and quite unmemorable: "An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act." The Act will come into force upon proclamation.

2 Personal Information Protection and Electronic Documents Act, which is the primary federal statute that addresses privacy matters.