Post Tagged with: "ecpa"

The Electronic Commerce Protection Act – The Privacy Provisions

The Electronic Commerce Protection Act includes a noteworthy change to Canada's private sector privacy legislation (earlier posts on anti-spam provisions, enforcement, do-not-call). PIPEDA includes specific provisions dealing with the issue of consent for the collection of personal information, including the possibility of collecting personal information without knowledge or consent in certain circumstances. The ECPA adds a new provision that effectively overrides this exception, i.e., it requires consent. The provisions are designed to target both spyware and the harvesting of email addresses or other collection of personal information without consent (a practice known as dictionary attacks).

The new PIPEDA Section 7.1(2) states:

April 29, 2009 1 comment News

The Electronic Commerce Protection Act – The Enforcement Prohibitions

The Electronic Commerce Protection Act will accomplish little if there is not a real commitment to enforcement. The enforcement provisions form the bulk of the anti-spam bill (my review of the prohibitions here, the effect on the do-not-call list here). The enforcement part of the bill includes details on who does the enforcing, investigative powers, and penalties associated with anti-spam violations. The short version is that the CRTC has been given a wide range of investigatory powers, including the power to compel ISPs to preserve transmission data. Once it concludes its investigation, it can pursue a settlement or bring a notice of violation. The penalties run as high as $10 million. There are also smaller roles for the Privacy Commissioner and Competition Bureau as well as provisions to facilitate anti-spam lawsuits.

The more detailed version is:

April 28, 2009 3 comments News

The Untold Story of Do-Not-Call Enforcement (aka Why Killing Do-Not-Call Can’t Come Fast Enough)

Earlier today, I posted on how one of the most significant aspects of the anti-spam bill introduced on Friday was not reported or discussed in government briefing materials. Namely, that buried at the very end of the 69-page bill are provisions that lay the groundwork to kill the National Do-Not-Call list. I noted that the proposed approach is very complicated, but boils down to the government repealing the provisions that establish and govern the do-not-call list. In its place, the Electronic Commerce Protection Act approach of requiring an opt-in would apply, meaning that Canadians would no longer need to register their phone numbers on a do-not-call list.

My weekly technology law column (homepage version, Ottawa Citizen version, Toronto Star version) provides some reasons why the change cannot come fast enough. The column reports that while misuse of the do-not-call list remains a concern, a review of thousands of pages of internal government documents released under the Access to Information Act reveals that it is only the tip of the iceberg. In addition to lax list distribution policies, the enforcement side of the do-not-call list raises serious alarm bells with the majority of complaints being dismissed as invalid without CRTC investigation, the appearance of a conflict of interest in sorting through complaints, and a regulator that has been content to issue "warnings" rather than levying the tough penalties contained in the law.

The CRTC documents obtained under Access to Information include a list of companies that have downloaded the do-not-call list. Given the broad exceptions under the law, virtually no charities, survey companies, political parties, or newspapers have acquired it.  Instead, real estate agents, car dealers, financial advisors, and lawn care companies dominate the list of over one thousand organizations.  Many of those organizations are identifiable, yet there are also over a hundred provincial numbered companies for which little is known, as well as cryptic names such as “My broker office” or “Michele.” It is unclear whether the CRTC invoked further verification before granting access to unknown organizations.

The proliferation of the do-not-call list is certainly disconcerting, but the picture that emerges about its enforcement is even more troubling. The documents reveal that the CRTC receives over 20,000 telemarketing complaints each month, many involving the do-not-call list (some complaints may relate to other telecommunications rules that cover automated dialers or curfews).

The initial evaluation of complaints is handled by Bell, which manages the do-not-call list, rather than the CRTC. Bell reviews each complaint and provides a prima facie evaluation of whether it is valid, invalid, or indeterminate (which requires further investigation). Despite tens of thousands of complaints, very few have been categorized by Bell as a prima facie violation of the do-not-call list. For example, in January, Bell reported that there were only 42 valid prima facie national do-not-call violations, while 3,033 national do-not-call complaints were ruled invalid (an unknown number of do-not-call complaints were treated as indeterminate).

April 27, 2009 11 comments Columns

Why the ECPA Lays the Groundwork To Kill The Do-Not Call List

While the focus of attention on the Electronic Commerce Protection Act has obviously been on the anti-spam provisions (more on the enforcement as well as changes to privacy and competition law shortly), possibly the biggest story in the bill is one that has been unreported and is not discussed in the government briefing materials. Buried at the very end of the bill are provisions that would kill the National Do-Not-Call list. Section 86, the second-last provision in the bill, states simply that Sections 41.1 to 41.7 of the Telecommunications Act are repealed. Those sections are the provisions that create a legislative framework for the national do-not-call list.

What is going on?

It would appear that the Government is laying the foundation for killing the do-not-call list with plans to replace it with the approach found in the ECPA. That could be a good news story, since the ECPA adopts an opt-in model (i.e., companies need consent before sending electronic commercial messages). This means that Canadians would not need to register their phone numbers on the list, since the presumption would be that there is no right to call unless the caller/marketer has express or implied consent. While many of the current do-not-call exceptions are found in the ECPA, some are not. For example, the newspaper exception contained in the do-not-call list is not part of the ECPA and would therefore disappear with this transition.

April 27, 2009 Comments are Disabled News

The Electronic Commerce Protection Act – The Spam Prohibitions

The Electronic Commerce Protection Act (aka Bill C-27 or the anti-spam bill) is a lengthy, complicated piece of legislation.  At 69 pages, it involves many new prohibitions, enforcement measures, and changes to existing laws.  Given its complexity, I'll divide the substance of the bill into several separate postings.  This post focuses on the prohibitions – there are three primary prohibitions but it quickly gets complicated.  The short version of this is that the bill requires all senders to obtain express consent before sending commercial electronic messages (including email, instant message, etc.) and to include contact and unsubscribe information.  It also includes provisions designed to counter phishing, spyware, and botnets used to send spam.

The more detailed version is:

April 24, 2009 24 comments News