Please! By Josh Hallett (CC-BY 2.0) https://flic.kr/p/yALRk

Please! By Josh Hallett (CC-BY 2.0) https://flic.kr/p/yALRk

News

In Defence of Canada’s Anti-Spam Law, Part Two: Why the Legislation Is Really a Consumer Protection and Privacy Law in Disguise

My first post defending Canada’s anti-spam law focused on why spam remains a problem and how the new law may help combat fraudulent spam and target Canadian-based spamming organization. Most would agree that these are legitimate goals, but critics of the law will argue that it still goes too far since it covers all commercial electronic messages, not just fraudulent or harmful messages.

If the law were only designed to deal with harmful spam, they would be right. However, the law was always envisioned as something more than just an anti-spam bill. Indeed, when it was first introduced, it was called the Electronic Commerce Protection Act, reflecting the fact that it was expressly designed to address online consumer protection issues (the name CASL was an unofficial working name developed within Industry Canada). The law has at least three goals: provide Canada with tough anti-spam rules, require software companies to better inform consumers about their programs before installation, and update Canadian privacy standards by re-allocating who bears the cost for the use of personal information in the digital environment.

The need for tough anti-spam rules were discussed in my first post. The software installation provisions have yet to attract much attention since they do not take effect until 2015. Once they do, Canadian law will require companies to provide clear and prominent descriptions of the functionality of the software and to obtain express consent before installation. Business groups lobbied for significant changes to the rules, but the government and the CRTC refused to water down the requirements. The new rules are straight-forward consumer protection measures designed to enhance disclosure and require full consent before software programs are installed on users’ computers.

The third – and currently most controversial – aspect of the law is the update to Canadian privacy standards on consent for emails from legitimate businesses. Before CASL, most of the costs of commercial electronic messages were borne by consumers. With weak “implied consent” standards (as evidenced by the many unexpected opt-in emails Canadians received from organizations that harvested email addresses in a myriad of ways with little real awareness or consent from consumers), businesses sent messages safe in the knowledge that consumers would bear virtually all the costs. These include downloading the messages (particularly for mobile downloads where data still counts), higher ISP fees to account for filtering software and equipment costs, time spent reading the email, and the time to respond, delete or opt-out. Given those costs, organizations knew that relatively few would incur the cost (in the form of time) to opt-out.

Businesses unsurprisingly argue that this is a good approach, noting that the cost for any single opt-out is relatively trivial. Yet for consumers, the cumulative effect of hundreds or thousands of emails from different organizations adds up to a non-trivial cost. Multiplied by millions of consumers who each face the same thing and the off-loaded cost on consumers becomes significant. Moreover, from a privacy perspective, this leads to a weakened approach to consent under which privacy and consent start to mean very little. If anything is “ludicrous” or “absurd”, it is the notion that a simple inquiry should grant a business the right to burden the consumer with additional costs by marketing to them in perpetuity using their personal information unless the consumer pro-actively demands that it stop.

The new Canadian law re-calibrates this approach by giving consumers greater control over the costs they bear from commercial email. By shifting to an opt-in approach, the costs associated with receiving and dealing with email better reflects consumer choice since consumers only incur the costs for those commercial emails for which they have expressly provided consent. It is worth noting that the allocation of costs is also reflected in many (though not all) of the exceptions in the law. For example, product recalls and safety warnings are exempt from the consent requirements, reflecting the benefit to consumers, who bear the costs of receipt. Similarly, business-to-business email is generally exempted as a cost of doing business.

The debate over where to strike this privacy balance is an old one. For example, in 1991, the U.S. passed the Telephone Consumer Protection Act. The TCPA included a ban on sending unsolicited commercial faxes without prior express consent. Business groups objected to the TCPA, using many of the same arguments raised with CASL. In fact, a constitutional challenge on the ban was launched, but failed. A review of the Congressional thinking behind the bill notes:

It simply was not fair to require consumers to swallow the costs – paper, ink, wear-and-tear on the machine – of automatically-received, unwanted faxes promising great hotel deals or special car wash discounts. Congress reasoned that the consumer protection rights of the fax recipient – who must unfairly waste time waiting while a machine receives and prints out an unwanted transmission, all at the recipient’s cost – trumped any commercial speech rights of the marketers.

Faxes are not the same as email, but the reasoning is the same. There is a cost to consumers for the receipt of commercial email from legitimate businesses. For over a decade, businesses have effectively off-loaded those costs. CASL seeks to create a more equitable balance, leading to support from many Canadians but opposition from business.

In fact, the same balancing debate occurred with the creation of Canada’s do-not-call list. Marketers warned about the negative impact on many businesses, but the government noted that consumers faced the brunt of the cost for telemarketing calls in the form of time and interruption of privacy in the home. The result was a more balanced approach with an expanded opt-out system that requires all marketers to consult the do-not-call list before engaging in telemarketing.

With respect to commercial email, the policy rationale is similar: since an opt-out do-not-spam list is not viable, the best way to address the cost imbalance on commercial email is to relieve consumers of some of the costs by granting them the right to opt-in to emails, rather than opt-out.

As for the business costs of compliance, business was already required to maintain lists and respect opt-outs. Much of the additional compliance costs stem from either seeking an opt-in or the complexity of relying upon exceptions. In the case of seeking opt-ins, businesses could have obtained an opt-in the first place, but chose not to do so. Moreover, businesses have been given a three-year transition period to address the requirement (note that if the law was only concerned with fraudulent spam, there would be no need for a three year transition). As for the compliance costs from relying upon exceptions, it seems reasonable that there may be some costs for those businesses that would prefer to avoid obtaining express consent.

Some may still disagree with the policy rationale or the privacy balance struck by CASL. However, what should be obvious to all is that the law is about far more than just harmful spam. The application to legitimate businesses is not an unintended consequence but rather a well-considered policy decision to update Canadian privacy standards by more fairly apportioning the costs associated with the use of personal information.

 

8 Comments

  1. Sorry Michael – as much as I don’t like spam or offensive speech, I couldn’t disagree more.

    Confidence on the Internet is the result of strong technology and user skill, not weak technology (like email) propped up with invasive laws as a crutch for the unrealistic expectations that go with low skills.

    Improving consumer confidence is irrelevant when the confidence isn’t warranted and Heartbleed has shown that the emperor has no clothes and likely never did, and that by taking ourselves too seriously we are stepping onto an ice-float.

    That would be bad enough, but unfortunately anti-spam legislation is also a veiled attack on net neutrality (a justification for censorship of “spam” today, tomorrow who knows what else…) as well as a rational for broader government interference online (as though talking about technology will fix it). This is a dangerous road and one that seems to be coming all at once on a global scale with data retention approved today in Mexico, the US Senate passing a data retention Bill, the UK expected to table one very soon to indemnify itself for prior abuses, and Canada… Oh, Canada: we’ve been standing on guard for thee, but they just keep pushing retention and spying online here too…

    At what point did we become so attached to our email address that we wouldn’t just throw it away and get another one if we didn’t like what was coming? People didn’t sign up for “cajun_king123@hotmail.com” expecting to use it forever, or for business, and wanting to “own” yourname@gmail is absurd. It’s Gmail’s – it’s not property.

  2. Dana Larsen says:

    I feel like Harper’s anti-spam law is really another way for him to attack non-profits, charities and political action groups that oppose the Conservative agenda. These laws weaken their ability to reach out to Canadians and take political action. Harper doesn’t pass laws unless they benefit his party or his base.

  3. I am not convinced yet that it has struck the right balance. We may still be in the learning curve here, but I have seen a number of unusual and wasteful responses. Maybe these are one time costs to me, but if so, then down the road I think it becomes less effective.

    The questions it raises in the charitable world, including higher ed, are interesting. If these sectors are characterized by risk adverse behaviours then I think they are going to loose out, which may imply society looses out?

  4. Brian Lambert says:

    Hi Michael. While I agree with much of what you have said, I am finding there are components of the law that are utterly ridiculous. I work at a College in PEI and we are just realizing that practically all of our electronic communication with our students can be considered a CEM and thus requires us to meet the requirements. While the consent and contact info is not a problem the unsubscribe is functionally impossible for us to manage without some substantial investment. We have a business relationship with students, yet we have to provide them with the option to unsubscribe from receiving emails that concern their on-going relationship with us. Providing an unsubscribe option is not the issue, it is how do we manage any unsubscribes that happen both from the logistical and practical issues. Do we stop providing students with information they require and that contractually we are obligated to provide if they choose to unsubscribe?
    The College provides every student with a College email address and we have (up to now) used this to send emails to all students, groups of students and individual students. Email can originate from one of many departments or one of several hundred employees each wit a legitimate reason for contacting the student or students. There should have been an exemption for privately owned/provided email addresses.
    I hope there will be some further clarification from the regulators in the near future.

  5. Pingback: Canada’s new anti-spam law | boot13

  6. Pingback: Law and Media Round Up – 14 July 2014 | Inforrm's Blog

  7. I certainly think the aim of CASL is admirable, but disagree with your assessment of its benefits.

    I must draw your attention to the manner in which I came across your most recent defence of the law: by means the very activity it claims will be effectively regulated by CASL.

    Your article was trending on my Twitter feed, so Twitter provided a link to the article through one of its unsolicited emails sent to my personal email account.

    Fortunately, my email provider both filters and sorts emails, so I was able to review emails from various social networking sites without these emails clogging my personal email folder. And I’m glad this article was brought to my attention – it is one of the few moderately convincing arguments I’ve heard in support of the new law.

    Nevertheless I couldn’t shake the irony of only reading the article in the first place because Twitter has not complied with the law. In this context, it is rather hard to believe that the legislation will be as effective as you claim.

  8. Pingback: CASL: The Sky Isn’t Falling | Prodigital