If you are a business operating within Canadian borders and you are involved in sending electronic messages to your customers, you hopefully have already made changes to comply with Canadas’ 2014 Anti-Spam legislation. We posted on this earlier however there are patterns emerging and we highly recommend corporate leaders read this article and take the actions prescribed to protect themselves. The CRTC has recently fined many individuals (personally, not the corporation) for violations. We believe our solutions offer a very high degree of protection for companies and their executives alike. If you are curious and would like to discuss options, the first 30-minute call is free for any new customer. Please use our contact form.
A quick overview of Canada’s Commercial Electronic Message (CEM) legislation.
Canada has adopted anti-spam legislation. The law is described in detail on this page (http://fightspam.gc.ca/eic/site/030.nsf/eng/home). This law went into effect July 1, 2014.
We have prepared this update of the new legislation as a service to readers and also as a public service to help those who seek an understanding of the new legislation and legal developments since its’ inception. This article is not meant to be a substitution for proper legal advice and if you have any questions about the legal nature of this legislation, it is your responsibility to contact a legal professional.
What is the Anti-spam legislation?
The Regulations prescribe the form and certain information to be included in commercial electronic messages (CEMs), and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs.
The Regulations also define SPAM as “any electronic message” – text, sound, voice, image – sent to an electronic address for the purpose of encouraging participation in a commercial activity. It includes SMS messages amongst other things.
The Canadian Government fightspam.gc.ca website includes a wider and more sweeping definition for “spam”. Their legal definition of spam also encompasses:
- unauthorized alteration of transmission data
- the installation of computer programs without consent
- false or misleading electronic representations (including websites)
- the harvesting of addresses (collecting and/or using email or other electronic addresses without permission)
- the collection of personal information by accessing a computer system or electronic device illegally
How does it affect Canadians?
All Canadian citizens or companies with a presence in Canada that send electronic messages as described above are subject to the laws.
What are the legal remedies and penalties for violations?
Fines of up to $1 million for individuals and $10 million for corporations are possible. Additionally, the law will also allow those affected by a contravention of the law (such as getting spammed) to launch an action in court against those who have violated the law. Once into force, the private right of action will allow an applicant to seek actual and statutory damages.
The onus is on company owners to ensure all employees are complying with the legislation. Webstation cannot emphasize enough how important it is to develop an Anti-Spam Compliance Program (ASCP) within every company. Plenty of Fish was one of the companies fined ($48,000) and ordered by the CRTC to develop a company-wide ASCP. The president of the nGroup of companies received a $100,000 fine as “vicariously liable” for his actions. Note that certain individuals can be found vicariously liable for the non-compliance of an organization even if the regulator, the Canadian Radio-television and Telecommunications Commission (CRTC) does not pursue the organization.
What does the regulation prescribe?
First and foremost, the Regulations prohibit sending Commercial Electronic Messages (CEMs) unless the recipient has given express consent, or falls into a category where there is implied consent or one of the exemptions applies. It also prescribes the form and certain information to be included in commercial electronic messages (CEMs), and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs. Most importantly, an unsubscribe mechanism must be in place to allow any recipient to unsubscribe and stop receiving any further CEMs.
What constitutes express consent?
The recipient has to opt-in, not opt-out. The request must be clearly identified. A pre-checked opt-in box or an unchecked opt-out box will not do. The recipient must take a positive step to opt-in. Silence does not mean consent. The onus to prove consent is on the sender.
What are the other requirements for getting express consent?
- Explain the purpose of the request.
- Name the person or organization, or on whose behalf, you are seeking consent.
- Give your name, mailing address and phone number, email or website address.
- Provide an unsubscribe option which is readily performed and will take effect within 10 days.
Are there any exceptions where consent is not required?
There are certain conditions that provide for exemptions under the new law. Briefly, these are:
- If the consent of the recipient can be implied. Typically this can be dangerous legal territory as the onus is on the “spammer” to be able to prove implied consent.
- For communications that are within the domain of business.
- Where there is an existing business relationship and/or the messages are relevant to the recipient’s role, function or duties.
- If the electronic messages is sent in response to a direct request for information.
- To enforce a legal right or obligation. This can be used in cases such as a new car owner being sent an email letting them know there is a recall with their vehicle that needs action.
- If it relates to an existing transaction. This could include items like shipping updates on ordered items.
- If a customer inquires about a business activity. Naturally it can be implied they are seeking a response, however, the responses need to be limited to the subject of the inquiry.
How does Webstation Help companies comply with the spam law?
From our experience in the industry, if you are a CEO or leader of a company, you need to do two things. The first is to develop a company-wide Anti-Spam Compliance Program (ASCP) and roll it out and ensure your employees have all been made aware of it. This shows the intent of complying with the legislation.
Prove Consent to a specific Terms of Service Document
The second thing that makes sense is to be able to prove every person on your mailing list has opted-in as prescribed by the legislation. While some email list programs can do this, WebstationHQ has a Consent Module (an HTML5 module) that can link an individual to an express consent event. The entire transaction is hash-tied to you can prove later that your customer absolutely opted in. When the person consents to the terms of service, our module stores the entire transactions’ fingerprint as an immutable record that can later be linked to a specific version of your Terms of Service, presumably where the consent is provided.
If you wish to get an overview of this technology, it is available from Webstation. Please use our contact form.
There are other considerations such as:
- Time limits on consent;
- Subject limits on implied consent;
- Express consent withdrawal;
- Legal responsibilities of the sender;
- What qualifies as an “existing business relationship”;
- Can you send someone an email to confirm they are unsubscribed;
- Is the recipient a relative;
- Has the recipient conspicuously published an email address or given you one and the CEM is relevant to the recipient’s business role (the ‘publication’ exception);
- Has the recipient disclosed an electronic address to you, has not indicated any wish not to receive unsolicited CEMs and the CEM is relevant to the recipient’s business role (the ‘business card’ exception).