The Electronic Commerce Protection Act – The Enforcement Prohibitions

The Electronic Commerce Protection Act will accomplish little if there is not a real commitment to enforcement.  The enforcement provisions form the bulk of anti-spam bill (my review of the prohibitions here, the effect on the do-not-call list here).  The enforcement part of the bill includes details on who does the enforcing, investigative powers, and penalties associated with anti-spam violations.  The short version is that the CRTC has been given a wide range of investigatory powers, including the power to compel ISPs to preserve transmission data.  Once it concludes its investigation, it can pursue a settlement or bring a notice of violation.  The penalties run as high as $10 million.  There are also smaller roles for the Privacy Commissioner and Competition Bureau as well as provisions to facilitate anti-spam lawsuits.

The more detailed version is:


CRTC Enforcement

The CRTC is granted the power to levy Administrative Monetary Penalties for violations of the ECPA.  The maximum penalty for individuals is $1 million and $10 million for any other person   Section 20(3) identifies the factors to be considered in assessing the penalty, including past violations and financial benefits from the activity. 

The ECPA provides the CRTC with a wide range of investigative powers, including the power to require ISPs to preserve transmission data related to the investigation (there are detailed provisions on the preservation issue), require individuals to produce documents, or obtain a warrant to search a place for evidence of a possible violation.

Once it completes the investigation, the CRTC has two options if it finds evidence of a violation.  First, it can obtain an "undertaking" from a party that is alleged to have violated the law (an undertaking is effectively a settlement).  The undertaking can include identifying past violations and include a penalty and additional conditions.  Alternatively, the CRTC can file a notice of violation that sets out the alleged violations and penalty to be paid.  The Commission has up to three years to commence an action from the time it is notified of an alleged violation.  Once someone is served with a notice of violation, they can make representations to the CRTC defending their conduct.  The CRTC is then required to decide, based on a balance of probabilities, if there has been a violation.  The Commission has the right to make public the names of the people who enter into undertakings or are found to have violated the law.  The CRTC decision can be appealed to the Federal Court of Appeal. 

While a notice of violation is not the equivalent of an offence under the Criminal Code, officers and directors can be held liable for the actions of their companies.  Courts are empowered to issue injunctions prohibiting further ECPA violations and the bill also includes significant financial penalties for violating the investigatory requirements (ie. obstruct or fail to comply with the investigation requests).

Private Right of Action

One of the Spam Task Force's recommendations was the establishment of a private right of action to facilitate lawsuits against Canadian-based spammers.  The ECPA creates a new right that could allow for such lawsuits with penalties that reach a maximum of $1 million per day.  The private right of action extends beyond just violations of the ECPA, as it includes contravention of the new PIPEDA provision and the Competition Act provisions.

New Anti-Spam Coordination and Complaints Mechanisms

Although not contained in the ECPA, the government materials that accompanied the release point to two new administrative efforts to address anti-spam enforcement in Canada.  First, Industry Canada will serve as a "national coordinating body" with responsibilities for public awareness, the development of voluntary guidelines, and further research.  Second, there are plans to establish a Spam Reporting Centre.  It would "receive reports of spam and related threats allowing it to collect evidence and gather intelligence to assist the three enforcement agencies."  The SRC appears to be similar to the U.S. FTC reporting mechanism, often referred to as the spam fridge.


  1. Stephen Tyers says:

    New Anti-Spam Bill will cost Canadian businesses millions
    My name is Stephen Tyers. I am a Canadian that has been living in New Zealand for the last 3 years. My current position is Director of Deliverability and ISP relations at a company called Jericho Ltd. We handle the marketing emails for Telecom and as well as a number of other large New Zealand corporates. I have also been actively involved with the Marketing Association here and I am currently involved with a group proposing changes to the New Zealand anti-spam law. I have a unique viewpoint having been a for ISP in Canada.

    As I am sure that you are aware the Canadian Bill closely follows the New Zealand law that was passed last year. What you may not be aware of is that companies here in New Zealand faced with new law here last year were advised by their lawyers to confirm opt-in for all subscribers as opt-in was required under the law. The result was that New Zealand business lost the ability to communicate by email with up to 60% of its customer base. The misconception is that a business has done business with all the people subscribed to its current lists. The reality is that companies such as Air Canada, Canadian Tire, Futureshop and many more have interested people on their current lists that have not yet purchased. The fallout will not be felt until the Law passes and it will result in a loss of millions of dollars in invested marketing efforts and loss of future business. I am happy to provide you specific numbers of loss, and New Zealand corporate lawyers advice that resulted in what I have described.
    The same will happen in Canada as corporate risk averse lawyers will ultimately be involved in advising their clients.

    The problem that is also not being considered is that common tool used by marketers which is “friend get friend.” This involves a friend requesting that his friend should a receive an single email (This does not give the company the right to send further emails unless the recipient opts-in). Under the law in New Zealand and the Bill in Canada this activity in not allowed.

    This means the functionality in Facebook as well as other many other sites will be liable under the Bill as it reads.

    This need to be carefully reviewed in light of what has happened in other countries. Canadian companies will face millions in legal fees and loss of business as a result.

    According to a recent international study Laws need to draw “bright lines”. What laws seem to miss the distinction between transactional email and bulk email. They choose to use the nature of the email “Commercial or Not” as the point of distinction. Spam is unwanted or unsolicited commercial bulk email. Laws need to support internationally accepted best practices enabling the industries suffering the cost of Spam as well as consumers the ability to enforce consequences. Mail box providers and legitimate permission based senders live in a commercial environment so their best practices are already based on workable rules.

  2. David F. Skoll says:

    Stephen Tyers wrote: “What you may not be aware of is that companies here in New Zealand faced with new law here last year were advised by their lawyers to confirm opt-in for all subscribers as opt-in was required under the law.”

    Well? Isn’t that a good thing?

  3. Bonjour
    Cest qe tu pa?