Canada’s anti-spam legislation was back in the news last week as the government unveiled revised regulations that may allow for the law to finally take effect next year. Canada is one of the only developed economies in the world without an anti-spam law and lengthy delays have created considerable uncertainty.
My weekly technology law column (Toronto Star version, homepage version) notes that calls for Canadian anti-spam legislation date back to 2005, when a national task force recommended enacting laws to target spam, spyware, and other online harms (I was a member of the task force). The government passed the anti-spam law in December 2010, with many expecting a quick introduction of the accompanying regulations that would allow the law to take effect. After business groups criticized draft regulations released in June 2011, however, the government hit the pause button, leaving the law in limbo.
Critics used the delay to spread fear about “job losses” and “regulatory red tape”, yet the reality is that the battle over the anti-spam battle boils down largely to a single issue: whether businesses should be required to obtain explicit, opt-in consumer consent before sending electronic commercial messages. The law says they should and much of the intense lobbying for new exceptions is premised on avoiding this requirement.
The new law unquestionably sets a high bar for consent. It envisions a marketing framework where consumers reassert some measure of control over their email in-boxes by opting-in to commercial messages, rather than being required to opt-out. Moreover, the law establishes email form requirements to simplify opting-out of future messages should consumers change their minds and backs the new framework with stiff penalties for violations the law.
While an opt-in consent system should be relatively uncontroversial – businesses benefit by sending messages to consumers who clearly want to receive them – the vociferous criticism makes it plain that many marketing organizations fear that if Canadians are asked directly for their email marketing consent, many will decline.
Given those fears, Industry Minister Christian Paradis faced considerable lobbying pressure to water down the law through the regulatory process. Earlier this month, he caved to some demands by introducing a host of new exceptions that limit the effectiveness of the opt-in model.
For example, the regulations include a broad new exception for third party referrals that will allow businesses to send commercial electronic messages without consent based merely on a referral from a third party. This issue was hotly debated when the law was being drafted and, at the time, the government rejected claims that such an exception was warranted.
The new regulations also include an expansive definition for a “personal relationships” exception that is likely to be used by organizations to send unsolicited commercial messages based on limited contact. The flexible definition of personal relationship may open the door to claims that Facebook “likes” or similar social media contact is sufficient to constitute a personal relationship.
Industry groups had asked the government to pre-approve existing consents obtained under PIPEDA, the private sector privacy law, arguing that obtaining new consumer consents will be disruptive. The government rightly rejected those requests, however, since the PIPEDA consents will often have been implied from consumer activity and not based on an actual, informed consent.
Those businesses concerned by the new consent standards may find comfort in the assurance that some requirements are unlikely to take effect until 2017. The law features a lengthy transition period that will allow businesses to rely on their existing consents for three years after the legislation takes effect. Assuming the regulations are finalized in 2013 and the law becomes operational in 2014, businesses will have been given seven years to ask Canadian consumers if they consent to the use of their personal information for marketing purposes.