Anti-Spam Law to Come into Force

December, 2013

On December 15, 2010, the Anti-Spam Act (the “Act”) received Royal Assent.  The Act states that its purpose is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities.  Notable parts of the Act place comprehensive controls on the sending of electronic messages, like emails or texts, and the installation of computer software.   

At the end of September I gave a presentation about the Act to the Hamilton Law Association.  I was asked to publish an article in the Journal about the Act.  This article is an updated version of the article that was published in the Journal a few years ago.  The Act will begin to take effect on July 1, 2014 when most of the Act comes into force. On January 15, 2015, sections of the Act related to the unsolicited installation of computer programs or software come into force.  Lastly, on July 1, 2017, the right to commence a private action as a result of the breach of the Act comes into force.

1. Anti-Spam Provisions

The Act places restrictions on “commercial electronic messages” (CEM), which is defined roughly as an electronic message one of the purposes of which is to encourage participation in a commercial activity.  An “electronic message” means a message sent by any means of telecommunication including a text, sound, voice, or image message.

You are prohibited from sending a CEM to someone, unless the receiver has: (i) consented either expressly or impliedly to receiving it; and (ii) the message is in the prescribed form and contains the prescribed information.  If you cannot satisfy those requirements, you may qualify for an exemption.

Implied Consent

Consent will be implied if:  (i) the sender has an existing business relationship or an existing non-business relationship with the receiver; or (ii) the receiver has published its electronic address or has disclosed its electronic address to the sender, has not indicated that it does not want to receive unsolicited CEMs, and the message is relevant to the receiver’s business.

Express Consent

When requesting express consent to send someone a CEM, you must clearly and simply set out for what the consent is requested and the name of the person seeking the consent.

Prescribed Form and Prescribed Information Requirements of a CEM

The Act requires that any CEM must satisfy the following requirements: (i) the message must contain information enabling the receiver to readily contact the person who sent the CEM; (ii) set out the name of the sender; (iii) set out contact information of the sender which must be valid for 60 days after the message is sent; and (iv) set out an unsubscribe mechanism.

The unsubscribe mechanism must be displayed clearly and prominently and permit the receiver to indicate, at no cost, that they no longer wish to receive any messages.  The address or webpage to which the unsubscribe indication may be sent shall be valid for 60 days following the transmission of the message.  An indication to unsubscribe shall be implemented within 10 days of receipt.

Exemptions to the Requirements of a CEM

A CEM is exempt from the Act where the message is sent:

  1. to someone with whom the sender has a personal or family relationship; or
  2. to a person engaged in a commercial activity and the message consists solely of an inquiry or application about that activity; or
  3. by one organization to another organization pursuant to a business relationship, i.e. franchisor-franchisee; or
  4. in response to a request, inquiry, complaint, or is otherwise solicited by the person to whom the message is sent; or
  5. pursuant to the law; or
  6. and received on an electronic messaging service in the prescribed form and conspicuously publishes and makes readily available the prescribed information and the unsubscribe mechanism required by the Act and the receiver consents to receive the CEM either expressly or by implication; or
  7. to a limited-access secure and confidential account to which messages can only be sent by the sender who has provided the account to the receiver; or
  8. by the sender who reasonably believes the message will be accessed in a foreign state listed in a regulation to the Act and the message conforms to the law of the foreign state that is substantially similar to the Act; or
  9. by or on behalf of a registered charity and the message has as its primary purpose raising funds for the charity; or
  10. by or on behalf of a political party or organization or a person who is a candidate for publicly elected office and the message has as its primary purpose soliciting a contribution.

A CEM does not have to satisfy the consent requirements, where the CEM solely:

  1. is the first CEM sent by a sender to a receiver pursuant to a referral;
  2. provides a quote or estimate for a commercial activity;
  3. is sent in connection with an established commercial transaction;
  4. provides warranty or safety information;
  5. provides factual information about the ongoing use of a product or service or an ongoing business relationship i.e. membership;
  6. provides information about an employment relationship or benefit plan; or
  7. provides good or services, including upgrades and updates, the receiver is entitled to.

2. Anti-Spyware Provisions

The Act prohibits the installation of a computer program on another person’s computer system without express consent.  The Act also prohibits the use of a computer program on another person’s computer system to send an electronic message without express consent.  A “computer system” means a device that contains computer programs which perform computer functions, which could include a mobile phone.

Express Consent

When requesting express consent to install a computer program on someone’s computer system, you must clearly and simply set out for what consent is requested and the name of the person seeking the consent.  Further, you must also clearly and simply describe the function and purpose of the computer program that is to be installed.

In addition, if the computer program performs any of the following functions you, apart from the license agreement, must bring to the computer owner’s attention the material elements of the computer program and the foreseeable impact of the computer program on the operation of the computer system:

  1. collects personal information stored on the computer system;
  2. interferes with the owner’s control of the computer system;
  3. changes or interferes with the settings of a computer without the owner’s knowledge;
  4. changes or interferes with computer data which frustrates use of the data;
  5. causes the computer to communicate with other computers without authorization of the computer owner; or
  6. installs a computer program that may be activated by a third party without the knowledge or consent of the computer owner.

Exemption to Express Consent Requirement

The requirements for express consent do not apply in respect of the installation of an update or upgrade to a computer program, which was installed with express consent, if the person who gave the consent is entitled to receive the update or upgrade under the terms of the express consent.  Moreover, a person is considered to expressly consent to the installation of a computer program if the program is a cookie, HTML code, Java Scripts, an operating system, patches, fixes, used to protect the security of, or used to upgrade, all or part of a network, or necessary to correct a failure in the operation of the computer system.

Removal of Installed Computer Program

A person who has received express consent to install a computer program on a person’s computer must ensure that for one (1) year after installation the person who granted consent has an electronic address through which such person can request the removal or disability of the installed program.  Also, if the express consent was given on the basis of an inaccurate description of what the computer program does, then the party who installed the program must assist the computer owner to remove or disable the program, where such party receives such a request within one (1) year of the installation of the program.    

3. Penalties

The maximum penalty for the contravention of the prohibitions concerning CEMs or the installation of computer programs (anti-spyware) is $1,000,000.00 for individuals and $10,000,000.00 for any other person, i.e. corporations, partnership, trustee, etc.

In determining the penalty amount, some factors must be taken into account such as the financial benefit obtained by the violator, the violator’s ability to pay, and the person’s history concerning any previous violation.

Directors’ Liability and Liability for Employees

Directors and officers of a corporation, that commit a violation under the Act, are liable for the violation if they directed, authorized, assented to, acquiesced in, or participated in the violation.  Any “person” is liable for a violation committed by their employee acting within the scope of their employment.  However, a person is not liable for a violation if they can establish that they exercised due diligence to prevent its commission.

4. Private Right of Action

The Act will generally be enforced against violators by the Canadian Radio-television and Telecommunications Commission.  Nevertheless, persons affected by a violation of the restrictions on CEMs, by a violation of the restrictions on the installation of computer programs on third-party computer systems, or by a violation of the prohibitions against false or misleading representations in the Competition Act, may apply for a court order compelling the violator to pay the affected compensation for actual loss or damages suffered or expenses incurred by the affected and additional amounts up to $1,000,000.00 per day.  The affected must make a court application within three (3) years after the date the subject matter became known to the applicant.

5. Coming into Force

As stated above, the Act will begin to take effect on July 1, 2014 when most of the Act comes into force.  On January 15, 2015, sections of the Act related to the unsolicited installation of computer programs or software come into force.  Lastly, on July 1, 2017, the right to commence a private action as a result of the breach of the Act comes into force.

*     *     *     *     *

Ryan K. Smith is a lawyer and trade-mark agent at Feltmate Delibato Heagle LLP. He specializes in corporate and commercial law with expertise in intellectual property matters including trade-marks, copyrights, privacy, information technology, and confidential information.  You can reach Ryan at rsmith@fdhlawyers.com and (905) 287-2215.