No one likes getting spam whether it is unwanted e-mails or computer viruses or misleading messages. However, the new Canadian Anti-Spam Act (the "Act") imposes significant burdens on Canadian businesses in combatting spam and significant penalties for failure to comply. The Act is complex and we have only provide a general summary here.
There are three main prohibitions under the Act: .
- Sending commercial electronic messages such as e-mails ("CEM's") without express or implied consent of the recipient;
- Alteration of transmission data in an electronic message to a destination other than that specified by the sender without express consent; and
- Installation of a computer program on another person's computer without express consent of the recipient.
1. Sending CEM's
To determine whether you have the right to send a CEM you need to answer the following questions: .
- Do you have express consent?
The sender of a CEM must first obtain written or oral consent from the recipient informing the recipient of the purpose for which CEM's are to be sent, the name and contact information for the sender of the CEM, a statement that the consent can be withdrawn and the unsubscribe mechanism.
- Do you have implied consent?
Implied consent can be inferred in the following circumstances:
- The 2 Year Business Relationship Exception
The sender has an existing business relationship with the recipient for the previous 2 years in the context of:
- the purchase or lease of a product, service or land;
- recipient of a business opportunity; bartering; and
- a valid contract between sender and recipient.
- The 2 Year Non-Business Relationship
The sender has an existing non-business relationship with the recipient (which is generally defined as a registered charity, political party, or qualifying clubs or voluntary organizations) where such recipient has made a donation, volunteered at or attended a meeting or had a membership within the previous 2 years.
- The Website Exception
If the recipient conspicuously published its electronic address (e.g. on a website) without including a statement that they do not wish to receive unsolicited messages and the CEM is relevant to the recipients business.
- The Business Card Exception
If the recipient provides the sender their electronic address (e.g. via a business card) without indicating a wish that they do not wish to receive unsolicited messages and the CEM is relevant to the recipients business.
- The 2 Year Business Relationship Exception
- Do you have any other exemption?
There are various other exemptions in sending CEM's, including in the context of:
- personal or family relationships;
- an inquiry or application in a commercial activity;
- a quote or estimate for supply of a product, service or land if requested; and
- providing a warranty, product recall or safety information
concerning a product or service the recipient has used or
- Is the CEM in the prescribed form?
The CEM must identify the person who sent the CEM and include an unsubscribe mechanism.
- Is there an unsubscribe or opt-out mechanism?
The unsubscribe mechanism must allow the recipient, at no cost, to indicate to the sender that they no longer wish to receive CEM's from the sender by way of the same electronic means as the original message sent to the recipient. Where this is not practicable, the sender must post such information on the web that is readily accessible at no cost to the recipient by means of a link that is clearly and prominently set-out.
2. Alteration of Transmission Data
The Act prohibits, in the course of a commercial activity, the alteration of the transmission of data in an electronic message such that is delivered to an additional destination other than that specified by the sender.
3. Unauthorized Installation of Computer Programs
The Act prohibits the installation of a computer program on another person's computer system during the course of commercial activity unless express consent is obtained. Implied consent is not acceptable.
The aim here is to prevent the installation of spyware, malware or other programs that may be harmful to computer systems and the forwarding of information from the computer system that has not been authorized by the owner of the computer system.
The installer in obtaining express consent must describe the function and purpose of the computer program. If such program is, for example, malware or spyware, then the installer must go further to describe material elements and functions of the computer program and the foreseeable impact on the computer system.
The consequences for failing to comply with the Act are severe.
Individuals can be fined up to $1 million and businesses can be fined up to $10 million per violation of the Act.
As well, there is a private right of action in the absence of one of the governmental authorities investigating a breach of the Act. The damages that may be claimed in a private action are for the actual loss or damage suffered, expenses incurred and statutory damages.
WHAT SHOULD YOU DO
If you use electronic means to communicate to your clients or customers and you cannot answer affirmatively to the questions set-out above concerning consent or meet the criteria for an exemption, your business is at a potential significant risk.
The Act and Regulations have not yet been brought into force but this is expected to happen before the end of the year. In the meantime, you have an opportunity to bring your business into compliance with the Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.