Canada: Canada Introduces Anti-Spam Legislation

On April 24, 2009, the Canadian government introduced Bill C-27, which would establish the Electronic Commerce Protection Act (ECPA) and make significant consequential amendments to other federal legislation, including Canada's Competition Act, Telecommunications Act and Personal Information Protection and Electronic Documents Act (PIPEDA).

The primary purpose of Bill C-27, which incorporates a number of the legislative recommendations made in 2005 by the government-mandated "Task Force on Spam", is to cut down on spam (unsolicited junk e-mail). However, the proposed ECPA aims to regulate not only spam, but also counterfeit websites and spyware, among other issues. In the broadest sense, therefore, the legislation is intended to bolster consumer confidence in online commerce.

Canada is currently the only G8 country and one of only four OECD (Organisation for Economic Co operation and Development) countries without specific spam legislation. The Cisco 2008 Annual Security Report estimated that messages sent from Canada accounted for 4.7% of the world's spam. That percentage landed Canada in fourth place on the list of countries with the most originating spam, behind only the U.S., Turkey and Russia. The government has characterized Bill C-27 as a necessary step in fulfilling an international duty to join global partners in passing laws to combat spam and related cyber threats.

Having passed both First Reading and Second Reading in the House of Commons, Bill C-27 has been referred to the Standing Committee on Industry, Science and Technology for review. While almost everyone can agree that spam is a nuisance, concerns have been raised about the proposed legislation, as drafted. Thus, while initial predictions were that Standing Committee review would be completed before Parliament's summer recess, more recent estimates see the review continuing after Parliament returns in the fall, in order to ensure that the resulting legislative changes do not negatively affect legitimate business.

Main prohibitions

The anti-spam provisions would prohibit sending (or causing or permitting to be sent) a commercial "electronic message" (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. As currently drafted, implied consent would be limited to situations in which there is an existing business or non-business relationship between the sender and recipient (although there is a provision that would permit future regulations to better define implied consent.) Both "existing business relationship" and "existing non-business relationship" are defined fairly narrowly, and would be restricted to situations in which the relevant parties had participated in a relevant transaction in the last eighteen months. Another aspect of the ECPA that appears to pose some practical difficulties is that it would prohibit the sending by email of any request for express consent to communications by email.

The ECPA also dictates some aspects of the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow or a specified electronic address to which the unsubscribe indication can be sent. Unsubscribe requests must be given effect within 10 days.

The ECPA includes provisions directed to privacy and personal security concerns that are associated with counterfeit websites. Section 7 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from altering or causing to be altered the transmission data in an electronic message "so that the message is delivered to a destination other than, or in addition to, that specified by the sender." This provision appears to be directed at one aspect of "phishing". Phishing, which is often undertaken in conjunction with a spoofed email, is the act of sending an email falsely claiming to be a legitimate business and directing the recipient to a specified counterfeit website, in an attempt to obtain sensitive information such as passwords, credit card numbers, and bank account information.

Section 8 of the proposed ECPA would prohibit a person, in the course of a commercial activity, from installing a computer program on another person's computer system without express consent. After a presumably authorized installation, it would also prohibit a person, in the course of a commercial activity, from causing an electronic message to be sent from that computer system, without express consent. The government's stated intent for the legislation is to prevent the collection of personal information through illicit access to computer systems (spyware), but as currently drafted, these provisions apply to all computer programs, and not just those with a harmful effect.
Requests for express consent must clearly and simply set out the purpose for which the consent is being sought, and identify the entity seeking consent. Moreover, consent in respect of the installation of a computer program must clearly and simply describe the function, purpose and impact of every computer program that would be installed if consent is given. There is some disagreement between the federal government and industry as to whether the drafting of the latter requirement could be considered to prevent current commercial practices that see some legitimate programs (such as anti-virus and anti-spyware programs) utilizing automatic updates to the software.

Administrative monetary penalties

The ECPA would subject any individual who violates any of the foregoing prohibitions to liability under an administrative monetary penalty ("AMP") of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, agents of a corporation that violates the prohibitions could also be held liable for such actions if they directed, authorized or participated in the commission of the violation. At the same time, a defence of exercising due diligence to prevent the violation is available, although there is no indication of the types of action that would constitute due diligence.

The process for imposing liability under the AMP is a fairly expedited administrative process. A notice of violation (which must include details of he alleged violation and the amount of the AMP) will be issued and served upon an offender if the CRTC believes that there are reasonable grounds on which to believe that a person has committed a violation under the ECPA. The person served with the notice of violation then has 30 days to make representations to the CRTC regarding the allegations or the amount of AMP, failing which that person will be deemed to have committed the violation. If representations are made, the CRTC will evaluate them on the civil balance of probabilities standard, and may then impose the penalty set out in the notice of violation or reduce or waive the penalty. Appeal of decisions of the CRTC in respect of notices of violation can be made to the Federal Court of Appeal. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

Private right of action

One of the most controversial provisions of the ECPA is that it would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing and anti-spyware provisions of the ECPA. Such persons may apply for an order for compensation for actual loss or damages suffered or expenses incurred, as well as a maximum of $200 for each contravention of the breached provisions (with a limit of $1 million for each day on which a contravention occurred). Again, officers, directors or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act that would be brought into effect by Bill C-27 (discussed in the next section).

Changes to PIPEDA, the Competition Act and the Telecommunications Act

Bill C-27 would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual's electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.

Bill C-27 also proposes numerous amendments to the Competition Act, including the addition a new section 52.01, which broadens the criminal "false or misleading representation" provisions of the Competition Act by prohibiting activities such as knowingly or recklessly sending, for business promotion purposes (i) a false or misleading representation in the sender or subject matter information of an electronic message or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Bill C-27 would also amend the Telecommunications Act to permit the government to either maintain the current "Do Not Call" list in such a way that it would not overlap with the ECPA regime, or to have the responsibility for regulating telemarketing fall under the ECPA entirely.

Other anti-spam bills

Bill C-27 is not the only bill with anti-spam implications currently moving through Parliament. Bill C-355, a private member's bill which aims to amend the Criminal Code to make cyberbullying an offence, proposes as part of that effort to make it an offence to make repeated telephone calls or to send repeated electronic messages to any person with intent to harass.

Bill S-220 also purports to be anti-spam legislation, introducing an offence for sending an unauthorized commercial electronic message, as well as a right of civil action for those adversely affected. Unlike Bill C-27, however, it does not propose to amend other statutes. Having been introduced in the Senate, Bill S-220 would also need to pass through the House of Commons before it could be enacted, which seems unlikely given the status of Bill C-27.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.