In May 2010, then-Industry Minister Tony Clement introduced anti-spam legislation that he admitted was long overdue. Clement acknowledged that “Canada is seen as a haven for spammers because of the gaps in our current legislation…a place where spammers can reside and inflict their damage around the world.” Despite heavy lobbying against the legislation by groups concerned with new rules on electronic marketing, the government pushed ahead, with the bill receiving all-party support and royal assent by the end of that year.
As my weekly technology law column notes (Toronto Star version, homepage version), two-and-a-half years later, the anti-spam law has still not taken effect, awaiting long-delayed final regulations that have been the target of an intensive campaign to water-down or repeal the legislation before it ever takes effect.
Last week, government officials disclosed that the best-case scenario for the law is that final regulations are released late this summer with the implementation of the law delayed until the fall of 2014. Moreover, many provisions may not become operational until at least 2017, eight years after the first anti-spam law bill was tabled in the House of Commons.
In fact, even if Industry Minister Christian Paradis takes advantage of the narrow window this summer to obtain the necessary approvals for final regulations, the law will contain a myriad of expanded exceptions and implementation delays.
When Parliament passed the legislation, it was touted as one of the toughest and most comprehensive in the world, adopting a pro-privacy consent model that requires explicit approval from consumers in order to send them commercial electronic messages. The law also includes safeguards against software installations on personal computers without consent, all backed by strong enforcement powers that include significant penalties for violation.
As with many deals, however, it pays to read the fine print. The law does not take effect until associated regulations are finalized and lobby groups have used the regulation-making process to raise a host of concerns. While some fine-tuning was to be expected, the regulations have already expanded many exceptions and officials have indicated that further changes may be on the way.
The heavy lobbying has left some politicians unsure of what to make of the law, understandably concerned when small businesses claim it will stop electronic marketing and charities express fear that it will cut off important sources of funding.
Yet the reality is not nearly as frightening as critics suggest. Businesses have been given years to adapt to the new system and a simple request for customer consent sometime before 2017 would address the key consent requirement. For charities, obtaining lifelong consent (or until consent is withdrawn) can be easily obtained when a member or volunteer joins the organization or when a donor makes a contribution.
The government’s dithering on legislation is particularly surprising given that it has otherwise pursued pro-consumer policies on telecom and Internet issues. Delivering anti-spam legislation fits squarely within that approach, since it provides Canadians with legal protections against spyware and assurances that businesses and other organizations will seek permission before sending electronic marketing materials. Unless the government acts quickly, however, the law may become a victim of a legislative delete button.
Typical – spy on mom and pop but …
… prove totally unable or unwilling (more likely) to deal with the proliferation of outright lies that attempt to extract information or money from the unwitting.
Maybe the anti spam legislation should include opt out provisions like the do not call list. With teeth. How about carriers that do not clamp get a surtax on their calls. May be interesting.
Or… it could be the bill is being delayed because there are legitimate problems with it
I work for a very successful medium sized company that does not deal with consumers; we deal exclusively with other businesses. This bill, in its current form, is incredibly disruptive to us.
As an example, our company sends out automated emails to our partner companies to notify them of payment. According to the current language in the bill (subsection 6.(2)(c)), we need to include an “unsubscribe” mechanism on those emails – and really on every and any email we send, automated or not.
Of course, the fun only starts when we have companies adding themselves to our Do Not Email registry. We then have to make sure our Sales team is checking that list anytime they send an email. (If we automate this process, we have to have some mechanism to notify our Sales group when they try to send to someone on the list. Either way, it’s a pain in the ass for everyone involved.)
I’m making up a number here, but something like 90% of our electronic communications with our customers (again, these are businesses) are of the “implied consent” variety, meaning they’ve asked us for information. Another example:
Customer: “Hey, how much is my next payment going to be?”
Us: “$2000, due on July 1st. If you don’t wish to receive electronic communications from us again, click here.”
I know it’s a ridiculous scenario, but that’s the point.
Because we don’t communicate at all with consumers, it’s tempting to ignore this legislation. Many other IT folks in small-mid sized companies are doing just that, even those that deal with consumers. But from our point of view, the risk is not worth it. The maximum penalty that can be awarded if someone complains (and we can’t show we’ve taken steps to adhere to the legislation) is $10M (subsection 20.(4))
Michael, I know you say that businesses have had years to adjust to the new system, but that’s glossing over the fact that the rules have been changing over the course of those years. As an IT person, there’s no way I’m going to build and implement an email system that makes our business less efficient ahead of when the legislation takes effect, particularly as the requirements are in flux.
You also state that that all of this can be avoided if we just get consent from our customers. That’s easier said than done. The rules for express consent are _complicated_. I don’t believe it’s in the act per se, but our legal team was advised that express consent required had to be in writing, or if verbal consent was given, a recording of that needed to be maintained.
I started off my rant here by saying that this legislation is disruptive to us. Here’s why: we’re having to divert resources away from projects that would make our business more efficient and more competitive. And we’re doing this to make ourselves, or at least our sales team, less efficient. It’s a complete waste of our time and energy, yet we’re doing it anyway because we don’t want to risk that $10,000,000 penalty.
I’m all for reducing spam and phishing attacks, etc. but this bill just seems to be missing the point.
Also, offtopic, but I find it … amusing … that robocalls are exempt from this. (Subsection 6.(8)(c))
The Exceptions
Have you read the Act, especially the exceptions at 6(5) and 6(6) that cover your scenarios?
Re: The Exceptions
Yes, those have been considered. 6(5)(b) actually clears us from most of this, except that we still have to go through and catalog the types of messages that we send out, to make sure they’re related to actual transactions we’re performing. Of course, the hardest part of creating such a catalog is the email sent out by staff manually. We are leaning towards putting an unsubscribe link on all of our emails though, just to cover all bases, and so that we don’t have to maintain a catalog of the different types of email messages. It’s a big make-work project.
Regarding 6(6)… using the example in my first message, if a customer clicks on the link to unsubscribe, we will only unsubscribe them from Sales-related messaging. We can still communicate with them again via email the next time they ask us a question, or if we need to go after them for outstanding payments, etc. (That’ll actually be super confusing to anyone who actually does try to unsubscribe.)
Also, 6(6) only excludes us from requiring consent 6(1)(a). But it’s 6(1)(b) that requires messaging to have the unsubscribe functionality. Still, 6(1)(a) is a step in the right direction because it basically means most of our employees don’t have to think about this in their day to day jobs; really, it’s only our Sales and Marketing teams that will have to be wary of what they say in an email and how they say it.
Our company isn’t interested in communicating with people who don’t want our services. Most of our customers don’t even come directly to us, but rather through other partners. We’re by no means a company that engages in spamming. Yet here we are worried about it, because of the potentially huge damages. Meanwhile, the real targets of this legislation likely aren’t in Canada.
Honest question
I get the need to fight actual spam, which i would call the influx of penis growth, mortgage, etc etc emails I get daily.
But are we in some kind of crisis when it comes to consumers getting emails from legit companies they’ve dealt with in some way? Is it causing so much pain and suffering for consumers to hit delete or unsubscribe, that it’s worth the government time and effort, the million dollar compliance strategies from industry, and the loss in business efficiency? I get that it’s a mild annoyance, but is the solution proportional to the problem here?
Nothing understandable about it. If they are going to let lobbying from the spammers affect influence the law, there isn’t much point in having anti-spam legistlation anyway.. Electronic Marketting is just another word for spam, and unsolitited messages from charities or anyone else are just spam as well. You ask roaches how you should manage pest control, you probably won’t get rid of them.
Need to know where this come from
You write that “Last week, government officials disclosed that the best-case scenario for the law is that final regulations are released late this summer with the implementation of the law delayed until the fall of 2014. ”
Could you point to the reference to where you got that government officials disclosed this update on when the law should come into force? I feel like many law firms communication agency are just capitalizing on this not yet into force law to make money on consulting and seminar.
@ emartin
On June 17, 2013, Andre Leduc of Industry Canada, Lynn Perrault of the CRTC, along with Toronto IT lawyers Mike Fekete and Mark Hayes, spoke at IT.Can’s The 2003 Information Technology Law Spring Forum. Andre’s best guess of when CASL will come into force, subject to the decisions of the political masters, is next fall (fall 2014). (from barry sookman’s blog)
will the upcoming prorogation and the new industry minister affect CASL in any way?
I’m thinking no since CASL received royal assent already in 2010, so…. any thoughts?