Canada's new anti-spam law was passed in December 2010 and, following a Governor in Council order, it will enter into force on. Once the law is in force, it will help to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. On , sections of the Act related to the unsolicited installation of computer programs or software come into force.
When the new law is in force, it will generally prohibit the:
- sending of commercial electronic messages without the recipient's consent (permission), including messages to email addresses and social networking accounts, and text messages sent to a cell phone;
- alteration of transmission data in an electronic message which results in the message being delivered to a different destination without express consent;
- installation of computer programs without the express consent of the owner of the computer system or its agent, such as an authorized employee;
- use of false or misleading representations online in the promotion of products or services;
- collection of personal information through accessing a computer system in violation of federal law (e.g. the Criminal Code of Canada); and
- collection of electronic addresses by the use of computer programs or the use of such addresses, without permission (address harvesting).
There are three government agencies responsible for enforcement of the law. When the new law is in force, it will allow:
- The Canadian Radio-television and Telecommunications Commission (CRTC) to issue administrative monetary penalties for violations of the new anti-spam law.
- The Competition Bureau to seek administrative monetary penalties or criminal sanctions under the Competition Act.
- The Office of the Privacy Commissioner to exercise new powers under an amended Personal Information Protection and Electronic Documents Act.
It will also allow all three agencies to share information with the government of a foreign state if the information is relevant to an investigation or proceeding in respect of a contravention of the laws of a foreign state that is substantially similar to the conduct prohibited by this Canadian law.
The law will also allow individuals and organizations who are affected by an act or omission that is in contravention of the law to bring a private right of action in court against individuals and organizations whom they allege have violated the law. Once into force, the private right of action will allow an applicant to seek actual and statutory damages. Statutory damages may not be pursued if the person or organization against whom the contravention is alleged has entered into an undertaking or has been served with a Notice of Violation.
Before filing a lawsuit against an individual or organization, get legal advice. An individual or organization could be responsible for paying considerable legal fees incurred by the alleged violator if they file an improper claim or one that is not considered to have merit.
Frequently Asked Questions
When will the final regulations be posted?
Final regulations from the CRTC were posted on March 28, 2012 and can be found on the CRTC website.
The Governor in Council draft regulations were open for a 60 day consultation period that ended on September 7th, 2011. The Government of Canada is in the process of analyzing all submissions and developing options for consideration. Next steps will be determined in the near future.
The Governor in Council draft regulations can be found on the Canada Gazette website.
When does the law come into force?
Canada's new anti-spam law was passed in December 2010 and will enter into force following a Governor in Council order. A specific date for coming into force will be set in the coming months.
Who needs to know about this law?
Anyone who makes use of commercial electronic messages, is involved with the alteration of transmission data, or produces or installs computer programs needs to be aware of this law.
Regardless of the date set for coming into force, will there be a phase-in period for compliance to allow businesses and organizations time to implement the requirements within their systems in order to ensure they are compliant with the law? In other words, will the coming into force date and the compliance dates be different?
The coming into force date will be the date for compliance with the legislation. However, businesses subject to the Act should start reviewing their existing activities now to prepare for compliance and coming into force. Once the regulations are published in final form, there will be a period of time between that date and the coming into force of these provisions, which will enable businesses and organizations to have time to comply with the requirements set out in the regulations (such as what information needs to be included in a commercial electronic message).
There is also a 3-year transitional period that starts when the legislation enters into force during which consent to send commercial electronic messages is implied in the case of pre-existing business and non-business relationships. Similarly, consent is implied for the same period for the installation of updates and or upgrades to computer programs. Note, however, that this period will end if the recipient of the commercial electronic messages says that they don’t want to receive any more commercial messages or if the person on whose system the update or upgrade have been installed withdraw their consent to such installations (section 66 and 67).
Note that some parts of the law have already come into force, particularly some provisions involving the Personal Information Protection and Electronic Documents Act (PIPEDA). For more information, please see the Office of the Privacy Commissioner of Canada.
What should I do with the spam I receive now?
At the present time, we recommend that you simply delete the spam messages you receive.
Does Canada's anti-spam law deal only with spam?
No. It also deals with other electronic threats to commerce, such as the installation of computer programs and the alteration of transmission data, without express consent. These threats also include the installation of malware, such as computer viruses.
What does "spam and other electronic threats" mean?
Under Canada’s anti-spam legislation, there are various types of violations including the sending of unsolicited commercial electronic messages, the unauthorized alteration of transmission data, the installation of computer programs without consent, false and misleading electronic representations online (including websites), the unauthorized collection of electronic addresses and the collection of personal information by accessing a computer system in contravention of an Act of Parliament.
These violations include, but are not limited to, spam, malware, spyware, address harvesting and false and misleading representations involving the use of any means of telecommunications, Short Message Services (SMS), social networking, websites, URL's and other locators, applications, blogs, Voice over Internet Protocol (VoIP), and any other current and future internet and wireless telecommunication threats prohibited by Canada's anti-spam legislation.
Commercial Electronic Messages
What is a commercial electronic message?
A commercial electronic message is any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit.
What are the general requirements concerning the sending of commercial electronic messages for which the CRTC is responsible?
Generally, the sender will need to obtain consent from the recipient before sending the message and will need to include information that identifies the sender and enables the recipient to withdraw consent.
When Canada's anti-spam law comes into force, what law will govern consent with regard to commercial electronic messages: Canada's anti-spam law or the Personal Information Protection and Electronic Documents Act?
Once in force, Canada's anti-spam law will set out the rules regarding consent with respect to commercial electronic messages.
Alteration of Transmission Data
What is an example of altering transmission data?
An example is when an individual causes an electronic message to be sent to a destination that is different from that which the sender intended.
What are the general requirements for altering transmission data?
Express consent will be necessary before transmission data in an electronic message can be altered. There are other requirements that will need to be met when requesting consent, such as clearly and simply describing why, and for what purpose, consent is being requested, as well as the identity of the requester.
These requirements will apply when the alteration of transmission data occurs in the course of a commercial activity.
Installation of Computer Programs
What are the general requirements for the installation of computer programs?
Generally, computer programs may be installed only after express consent has been obtained. There are also requirements that will need to be met when requesting express consent, such as clearly and simply describing the function and purpose of the computer program, as well as information enabling consent to be withdrawn.
These requirements will apply when the computer program is to be installed in the course of a commercial activity.
Do these requirements have to be met every time a computer program is installed?
Not necessarily. For example, updates or upgrades will not trigger these requirements when express consent has already been obtained.
Does express consent need to be obtained in all cases?
Not necessarily. Express consent is considered to have been given in the case of computer programs such as cookies, HTML code and Java Scripts where it is reasonable to believe from their conduct that the person wants the program to run on their computer.
What is "address harvesting"?
This refers to the collection of email addresses through the use of things such as:
"Web crawlers," which are computer programs that scan websites, usenet groups and social networking sites, trolling for posted electronic addresses; and
"Dictionary attacks," in which a computer program guesses live email addresses by methodically trying multiple name variations within a particular group of common email domains, such as Hotmail or Gmail.
Once collected, email addresses are often sold to spammers as destinations for unsolicited electronic messages.
How can I know if my email address has been harvested?
It may be very hard for you to determine if your address has been harvested. However, you can still help in the effort to fight back against this activity by reporting suspicious electronic messages to the Spam Reporting Centre when it opens.
What is meant by "collection of personal information through access to computer systems contrary to an act of parliament"?
Generally, this refers to the collection of people's personal information from a computer through illicit means such as criminal hacking or spyware.
How can I know if my computer has been infected with malware such as spyware which can collect my personal information? And if it has been, what should I do about it?
Here are a few common signs that your computer may be infected:
It is functioning far more slowly than usual;
Your Internet homepage has been reset without you having done anything;
When examining your file system, you notice a program there which you have not installed yourself.
If you notice any of these signs, you should get in touch with an information technology expert for necessary cleaning or repairs.
Enforcement Agencies Roles and Responsibilities
What are the activities that fall under the CRTC's mandate pursuant to Canada's anti-spam law?
There are three broad activities that will engage the CRTC. They are:
sending of commercial electronic messages without consent;
alteration of transmission data in an electronic message without express consent; and
installation of computer programs without express consent.
The underlying principle is that these activities can only be carried out with prior consent and that such consent may be withdrawn.
What compliance tools will be available to the CRTC?
The CRTC will have a number of compliance tools; one such being administrative monetary penalties (AMPs). The maximum AMP is $1 million per violation for an individual and $10 million per violation for entities, such as corporations.
Where can I get more information on my responsibilities with respect to the Competition Act?
For more information on ensuring compliance with the false or misleading representations provisions of the Competition Act, please consult the Competition Bureau's website, at www.competitionbureau.gc.ca.
What is the Competition Bureau's role with respect to Canada's anti-spam law?
The Competition Bureau will investigate and take action where appropriate against false or misleading representations and deceptive marketing practices in the electronic marketplace, including false or misleading sender or subject information and web links, as well as website content. The Competition Bureau, as an independent law enforcement agency, ensures that Canadian businesses and consumers prosper in a competitive and innovative marketplace.
What changes have been made to the Competition Act?
The new law amends the Competition Act in two key areas.
First, it modifies certain provisions in the Competition Act so that the Bureau can more effectively address false or misleading representations online and deceptive marketing practices, including false or misleading sender or subject information and web links, as well as website content.
Second, it includes technology-neutral language that catches emerging technologies. This will assist the Bureau in enforcing provisions in the Competition Act as technological threats evolve.
What is the Office of the Privacy Commissioner's role with respect to Canada's anti-spam law?
The Office of the Privacy Commissioner of Canada protects the personal information of Canadians. The new law will allow the Commissioner to enforce the legislation with respect to two types of conduct:
the collection of personal information through access to computer systems contrary to an act of parliament;
electronic address harvesting where bulk email lists are compiled through mechanisms; including the use of computer programs that automatically mine the Internet for addresses.