The Canadian Parliament finally has passed Bill C-28, which was formerly known as the "Fighting Internet and Wireless Spam Act" (FISA). It is anticipated that FISA will come into force 6–8 months, once regulations are in place.
FISA affects how business and other organizations market and advertise to clients and prospects using unsolicited commercial electronic messages (spam). It also impacts the use of software and other technology in communicating with customers (e.g. phishing). Finally, a privacy compliance review may be needed as result of FISA's passage. This bulletin focuses on FISA's impact on marketing and advertising activities of business and other organizations.
A. Prohibition on Sending "Spam"
FISA prohibits the sending of a commercial electronic message to an electronic address (e.g. e-mail, instant messaging) unless: (a) the recipient of the message has consented to receiving it, and (b) the message sets out certain information including how to unsubscribe from future messages. The prohibition applies to the sender and any person who acts on behalf of the sender, such as advertising and marketing agencies hired by a company.
A commercial electronic message is a message sent by any means of telecommunication (including a text, sound, voice or image message) where it would be reasonable to conclude that one of its purpose is to encourage participation in a commercial activity. The content, hyperlinks, and contact information contained in the message would be considered in determining the purpose of the message. A commercial activity means any particular transaction, act or conduct or regular course of conduct that is of a commercial character, whether or not the person who carries it out does so expecting profit.
Consent from a recipient can be express or implied. FISA sets out specific requirements for when express consent is obtained. It also sets out specific situations for when consent is implied (e.g. where the sender of the message has an "existing business relationship" or an "existing non-business relationship" with the recipient of the message, as those terms are defined in FISA).
Information required to be in the message includes information on the person who sent the message (as well as the person on whose behalf the message is sent, if different) and information allowing the recipient to contact the sender. The contact information of the sender must be valid for at least 60 days after the message has been sent. The message must also include information allowing the recipient to unsubscribe from receiving commercial electronic messages from the sender. The unsubscribe mechanism must be at no cost to the recipient, by way of the same electronic means the message was sent, and specify an electronic address or link to an internet page. The sender must ensure that the electronic address or link is valid for at least 60 days after the message has been sent. The sender has 10 business days to effect the recipient's request.
Although there is a three-year transition provision that provides for implied consent in limited circumstances, businesses will still have to set out prescribed information, including in respect of the unsubscribe mechanism, when Bill C-28 is proclaimed to be in force.
B. Prohibition on Installing Computer Programs
If, in the course of a commercial activity, a person installs a computer program on another's computer system, it will need to obtain the express consent of the owner or authorized user of the computer system, and provide a timely consent withdrawal mechanism. The same requirements apply where an installed computer program sends electronic messages from the computer system. Where a computer program performs one of the listed functions in FISA (e.g. collects personal information stored on the computer system), the consent must be informed based on certain disclosures, including the nature and purpose of the computer program. There is a three-year transition provision that provides for implied consent in limited circumstances.
C. Penalties and Enforcement
FISA gives the Canadian Radio-television and Telecommunications Commission (CRTC) power to investigate and impose administrative monetary penalties for violations of FISA – up to $1 million for an individual and up to $10 million for an organization. The penalties levied will be influenced by the nature and scope of the violation, past violations, the financial benefits of the violation, and ability to pay. FISA permits regulations to be made applying the maximum fines on a per day basis.
A FISA violation is not a criminal offence, and there is no possibility of imprisonment. Nonetheless, officers and directors can be held personally liable for violations, and employers can be held liable for violations committed by their employees or agents acting within the scope of their employment. There is a due diligence defence available.
Most notably, FISA contains a private right of civil action available to businesses and consumers affected by a violation of FISA, the unlawful collection, use, or disclosure of personal information in violation of the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA), or misleading electronic messages in violation of the Competition Act (Canada). The action may be brought against the persons who committed the violation and others liable for it, if not already subject to an undertaking or a notice of violation issued by the CRTC. The remedies available in a private action include compensation for loss, damage, and expense plus an additional payment of (i) up to $200 for each contravention to a maximum of $1 million for each day a contravention occurred in respect of a violation of the spamming prohibition, and (ii) up to $1 million for each day a contravention occurred in respect of a violation of the installation of a computer program prohibition.
D. Amendments to Other Legislation
FISA amends the Competition Act. Amendments include prohibiting the sending of electronic messages with false or misleading representations, whether in the sender information, subject matter of an electronic message, or in a locator (including a URL). The prohibition does not require the electronic message to be a commercial electronic message. Also, the definition of "telemarketing" would be broadened to cover "communicating orally by any means of telecommunication" and no longer simply applying to "interactive telephone communications".
FISA also amends PIPEDA. Amendments include preventing the unauthorized collection or use or an individual's electronic address if it was collected through a computer program designed for collecting electronic addresses. Also the unauthorized collection or use of personal information obtained through accessing a computer system in an illegal manner is prohibited.
In addition, FISA amends the Telecommunications Act (Canada), resulting in a possibility for the Do Not Call List to be replaced with a new regime.
E. Impact on Marketing Programs and Services
Once FISA is in force, before sending out any commercial electronic messages, businesses will have to determine whether they have the proper consent and that their messages include the information and unsubscribe mechanism required by FISA. Businesses will also need to review their electronic marketing practices to determine whether they distribute any software that would be captured under FISA. If they do, they must comply with disclosure and consent requirements.
Moreover, businesses will need to ensure that their third party service providers are knowledgeable about FISA and will comply with FISA when assisting with and implementing marketing programs and services.
Compliance under other legislation should also be taken into account given FISA's amendments on electronic messages generally under the Competition Act, the collection and use of personal information under PIPEDA, and telemarketing under the Telecommunications Act.
Businesses should start reviewing their marketing practices now to determine how to comply with FISA, as the internal process to effect compliance could require substantial lead time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
