Anti-Spam Anti-Spyware Legislation Passed

February, 2011

On November 30, 2009, the House of Commons passed Bill C-27, whose short title is the Electronic Commerce Protection Act.  The Act is aimed at reducing practices which can have the effect of interfering with or frustrating electronic commerce.  Notable parts of the Act place comprehensive controls on the sending of email messages and the installation of computer software.   

1. Anti-Spam Provisions

The Act places restrictions on “commercial electronic messages” (CEM), which is defined roughly as an electronic message one of the purposes of which is to encourage participation in a commercial activity.  An “electronic message” means a message sent by any means of telecommunication including a text, sound, voice, or image message.

You are prohibited from sending a CEM to someone, unless the receiver has: (i) given express or implied consent; and (ii) the message meets certain requirements.  If you cannot satisfy those requirements, you may qualify for an exemption.

Implied Consent

Consent will be implied if:  (i) the sender has an existing business relationship or an existing non-business relationship with the receiver; or (ii) the receiver has published its electronic address or has disclosed its electronic address to the sender, has not indicated that it does not want to receive unsolicited CEMs, and the message is relevant to the receiver’s business.

Express Consent

When requesting express consent to send someone a CEM, you must clearly and simply set out for what the consent is requested and the name of the person seeking the consent.

Certain Requirements of a CEM

The Act requires that any CEM must satisfy the following requirements: (i) the message must be in the prescribed form; (ii) set out the name of the sender; (iii) set out contact information of the sender which must be valid for 60 days after the message is sent; and (iv) set out an unsubscribe mechanism.

(The unsubscribe mechanism must permit the receiver to indicate, at no cost, that they no longer wish to receive any messages.  The address or webpage to which the unsubscribe indication may be sent shall be valid for 60 days following the transmission of the message.  An indication to unsubscribe shall be implemented within 10 days of receipt.)

Exemptions to the Requirements of a CEM

A CEM does not have to satisfy the consent requirements or the certain requirements where the message: (i) is sent to someone with whom the sender has a personal or family relationship; or (ii) is sent to a person engaged in commercial activity and the message consists solely of an inquiry or application about that activity.

A CEM does not have to satisfy the consent requirements, where the CEM solely:

  1. provides a quote or estimate for a commercial activity;
  2. is sent in connection with an established commercial transaction;
  3. provides warranty or safety information;
  4. provides factual information about the ongoing use of a product or service or an ongoing business relationship i.e. membership;
  5. provides information about an employment relationship or benefit plan; or
  6. provides good or services, including upgrades and updates, the receiver is entitled to.

2. Anti-Spyware Provisions

The Act prohibits the installation of a computer program on another person’s computer system without express consent.  The Act also prohibits the use of a computer program on another person’s computer system to send an electronic message without express consent.  A “computer system” means a device that contains computer programs which perform computer functions, which could include a mobile phone.

Express Consent

When requesting express consent to install a computer program on someone’s computer system, you must clearly and simply set out for what consent is requested and the name of the person seeking the consent.  Further, you must also clearly and simply describe the function of the computer program that is to be installed.

In addition, if the computer program performs any of the following functions you, apart from the license agreement, must bring to the computer owner’s attention the material elements of the computer program and the foreseeable impact of the computer program on the operation of the computer system:

  1. collects personal information stored on the computer system;
  2. interferes with the owner’s control of the computer system;
  3. changes or interferes with the settings of a computer without the owner’s knowledge;
  4. changes or interferes with computer data which frustrates use of the data;
  5. causes the computer to communicate with other computers without authorization of the computer owner; or
  6. installs a computer program that may be activated by a third party without the knowledge or consent of the computer owner.

Exemption to Express Consent Requirement

The requirements for express consent do not apply in respect of the installation of an update or upgrade to a computer program, which was installed with express consent, if the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent.  Moreover, a person is considered to expressly consent to the installation of a computer program if the program is a cookie, HTML code, Java Scripts, an operating system, patches, or fixes.

Removal of Installed Computer Program

A person who has received express consent to install a computer program on a person’s computer must ensure that for one (1) year after installation the person who granted consent has an electronic address through which such person can request the removal or disability of the installed program.  Also, if the express consent was given on the basis of an inaccurate description of what the computer program does, then the party who installed the program must assist the computer owner to remove or disable the program, where such party receives such a request within one (1) year of the installation of the program.    

3. Competition Act Revisions

The Act makes changes to the Competition Act so that any person, when promoting a business or a good or service by way of electronic message, is prohibited from making representations that are false or misleading in a material respect and is prohibited from making the name of the sender or subject line of the message false or misleading.

4. Personal Information Protection and Electronic Documents Act Revisions

The Act revises PIPEDA so that the collection of electronic addresses, such as email accounts, instant messaging accounts, or similar accounts, by a computer program designed for that purpose is prohibited along with the use of electronic addresses collected by such a program.  This is colloquially referred to as “address harvesting”.

Another amendment to PIPEDA in the Act prohibits the collection of personal information, and the use of such information, if that information was collected by accessing a computer without the authorization of the computer owner.

5. Penalties

The maximum penalty for the contravention of the prohibitions concerning CEMs or the installation of computer programs (anti-spyware) is $1,000,000.00 for individuals and $10,000,000.00 for any other person, i.e. corporations, partnership, trustee, etc.

In determining the penalty amount, some factors must be taken into account such as the financial benefit obtained by the violator, the violator’s ability to pay, and the person’s history concerning any previous violation.

Directors’ Liability and Liability for Employees

Directors and officers of a corporation, that commit a violation under the Act, are liable for the violation if they directed, authorized, assented to, acquiesced in, or participated in the violation.  Any “person” is liable for a violation committed by their employee acting within the scope of their employment.  However, a person is not liable for a violation if they can establish that they exercised due diligence to prevent its commission.

6. Private Right of Action

The Act will generally be enforced against violators by the Canadian Radio-television and Telecommunications Commission.  Nevertheless, persons affected by a violation of the restrictions on CEMs, by a violation of the restrictions on the installation of computer programs on third-party computer systems, or by a violation of the prohibitions against false or misleading representations in the Competition Act, may apply for a court order compelling the violator to pay the affected compensation for actual loss or damages suffered or expenses incurred by the affected and additional amounts up to $1,000,000.00 per day.  The affected must make a court application within three (3) years after the date the subject matter became known to the applicant.

7. Coming into Force

The Act will come into force upon proclamation by the federal government.

*     *     *     *     *

Ryan K. Smith is a lawyer and trade-mark agent at Feltmate Delibato Heagle LLP. He specializes in corporate and commercial law with expertise in intellectual property matters including trade-marks, copyrights, privacy, information technology, and confidential information.  You can reach Ryan at rsmith@fdhlawyers.com and (905) 287-2215.