Canada’s Anti-Spam Legislation
Anyone with email has found recently that their inbox has been heavy with emails from companies and organizations asking for permission to keep in touch via email. The reason for this barrage of email is, ironically, because of the federal government’s desire to help the public decrease the amount of unwanted email received. Canada’s new anti-spam legislation came into effect on 1 July 2014 and places limits on electronic, commercial messages (“CEMs”) that can be sent. The legislation is colloquially called the ‘anti-spam legislation’ because the entire title is:
“An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act”
Accordingly, we shall refer to it as ‘the anti-spam law’ or ‘the law’.
The law is designed at prohibiting CEMs, which include messages sent by email, text, or by message to social media accounts, unless the recipient agrees to receive such messages. Whether or not the message is ‘commercial’ in nature will depend on the message’s content. If it promotes a product, service, or commercial activity (whether or not it is for profit), then it will likely be a commercial message. If, however, the message seeks donations, for example, it would generally not be captured under the law, as it is not promoting a commercial activity. The law applies to all businesses (whether or not they are incorporated), societies, associations, not-for-profits, and individuals.
Consent is the key issue here and the reason businesses were hurriedly sending polite requests for continued contact. If you consent to receiving these messages from a particular business, they can send them to you until your consent is withdrawn or for a reasonable period of time, depending on the type of consent given. There are two ways that you can give your consent. The first is expressly, such as in the emails where they ask you to consent by clicking a link. (Note that this must be an ‘opt in’ function and not an ‘opt out’.) The second way is impliedly, which, not surprisingly, is a bit more complicated.
You will be deemed to have given your implied consent to any organization to send you CEMs where you have an existing business relationship or non-business relationship with the sender. This means that businesses need not get the express consent of their clients and customers, people with whom they have entered into contracts or who have sent inquiries to the company. Non-business relationships capture circumstances such as where people who have donated time or money to your organization. (The anti-spam legislation goes into far greater detail about these definitions.) Implied consent can also arise where the recipient has “conspicuously published” their email address without an accompanying statement that they do not wish to receive spam. Implied consent can also arise in a circumstance where you interact with an organization or one of its representatives and give them your email address or business card. In that case, consent is implied provided that the message sent is relevant to their business or professional functions. Note that implied consent, unless express consent, is time-limited, generally lasting for about two years, although under the anti-spam legislation certain types of implied consent will be deemed to be valid until 1 July 2017.
There are exceptions from compliance with the law, which include, most notably, that the law only applies to Canadian organizations and it does not require consent for CEMs sent to people with whom the sender has a family or personal relationship (both of which are defined in the regulations to the anti-spam legislation).
For the owner of a business or other organization, what this means is that if you have not done so already, you need to be familiar with your obligations under the new law (which are more detailed than can be covered in a single blog post), and you must get the consent of those from whom you do not have prior express or implied consent. You must also ensure that any future CEMs comply with the law, which has certain requirements for all CEMs, including: that the message have an ‘opt out’ mechanism, that it identify the sender, and that it be truthful about the commercial activity being promoted in the message.
Although the anti-spam law will ultimately be beneficial for individuals, for businesses, it means that there is now an ongoing obligation for compliance. Businesses should assess their lists of contacts to determine if they have consent from all of them and, if not, must gain consent before sending CEMs. Going forward, new contacts should be screened to determine if their implied or express consent has been given before they are added to the businesses’ email list, and records should be kept of express consents received. If contacts withdraw their consent, the business must update its list accordingly. Although this may seem onerous for small businesses and not-for-profits, the most prudent thing to do is to establish and follow a policy to ensure compliance.
For businesses that violate the anti-spam law, the penalties can be severe. Monetary fines can be brought under the anti-spam law for up to $1 million and individuals who are wronged by businesses in violation of the law can bring civil suits for damages. Note that in determining whether a violation has occurred the onus will be on the business to prove that it had the express or implied consent of the recipient before it sent the CEM in question.
Fortunately for businesses and organizations that have not yet done all they can to comply with the anti-spam legislation, there is a grace period, which is that, for the first three years, any individuals with whom the company has an existing business relationship or non-business relationship will be deemed to have given their implied consent to receive CEMs and this implied consent will be valid until 1 July 2017. Additionally, the right of individuals to bring civil suits against businesses in violation of the law will not become effective until 1 July 2017.
Those exceptions aside, the other obligations for businesses under the law became effective on 1 July 2014, so the time to ensure compliance (if you have not already done so) is now. Where a business or organization is unsure of what policies and procedures to put into place, or of how the spam law applies to their particular circumstances or recipients of CEMs, they should consult the government website http://fightspam.gc.ca or speak to a lawyer for legal advice.