The Electronic Commerce Protection Act – The Spam Prohibitions

The Electronic Commerce Protection Act (aka Bill C-27 or the anti-spam bill) is a lengthy, complicated piece of legislation.  At 69 pages, it involves many new prohibitions, enforcement measures, and changes to existing laws.  Given its complexity, I'll divide the substance of the bill into several separate postings.  This post focuses on the prohibitions – there are three primary prohibitions but it quickly gets complicated.  The short version of this is that the bill requires all senders to obtain express consent before sending commercial electronic messages (including email, instant message, etc.) and to include contact and unsubscribe information.  It also includes provisions designed to counter phishing, spyware, and botnets used to send spam.

The more detailed version is:


The primary prohibition is found in Section 6(1) which is the basic anti-spam provision.  It provides that:

No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with subsection (2).

Not a particularly long sentence, but there is a lot there:

  • by including sending or cause or permit to be sent, the ECPA covers the entire chain of spamming – the party that commissions the spam, the party that does the sending, and the party that permits it to be sent.
  • an "electronic address" is very broadly defined as it includes email accounts, IM accounts, telephone accounts, or any similar accounts.  In other words, the law applies to all forms of spam, not just email spam.
  • the law only applies to commercial electronic messages.  It too is broadly defined in Section 2(2) to cover the content, hyperlinks, or contact information that would make it "reasonable to conclude" that the message has as one of its purposes encouraging participation in commercial activity.  The provision adds that this may include offers to purchase or sell products, goods or services; business opportunities; advertising or promotion of goods, services, products, etc.; and promotion of a person who does any of these commercial activities.  There is, however, an exception for law enforcement, public safety, protection of Canada, and international affairs.
  • Electronic messages that seek consent to send commercial messages (ie. obtain consent) are also commercial messages.  In other words, you cannot send a message to obtain consent without consent.

That is the basics of what it covers.  Then there are the three key requirements – form, consent, and jurisdiction. The law establishes form requirements for those who send commercial electronic messages.  These include:

  1. Identification of the person sending the message (as well as on whose behalf it is sent)
  2. Contact information of the sender
  3. An unsubscribe mechanism.  The unsubscribe mechanism (described in Section 11) must allow for an easy opt-out via email or hyperlink that remains valid for at least 60 days after the message is sent.  The sender has ten days to comply with the unsubscribe request.

The consent requirements are primarily about exceptions.  The starting point is a prohibition against sending electronic commercial messages without consent from the recipient. The consent must generally be express consent with clear identification of the sender and the purposes for which consent is sought.

But this does not apply if:

  • there is a personal or family relationship
  • there is an active commercial relationship and the message is an inquiry
  • the party is an ISP who is merely enabling the transmission
  • the message is an interactive two-voice communication, a fax, or a voice recording

The consent can be implied rather than express if:

  • there is an existing business relationship between the sender and recipient.  This includes purchase of a product, good or service over the prior 18 months; an active written contract, or an inquiry from the recipient over the prior 6 months
  • there is an "existing non-business relationship" between the sender and recipient.  This includes a donation or gift over the prior 18 months to a charity, political party or political candidate; volunteer work over the prior 18 months for a charity, political party or political candidate; or membership in a club, association, or voluntary organization over the prior 18 months.

These exceptions share many similarities with the do-not-call list.  As for jurisdiction, Section 12 of the law says that the basic anti-spam provision only applies if a computer system located in Canada is used to send, route or access the electronic message.

The second prohibition is the anti-phishing provision and it involves the alteration of the transmission data on electronic message (Section 7).  This is designed to deal with phishing, where the electronic message appears to go one place, but goes somewhere else.  The provision states that:

No person shall, in the course of commercial activity, alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or in accordance with a court order.

There is an exception for ISPs blocking or filtering these messages if done for the purposes of "network management."

The third prohibition is the anti-spyware and botnet provision (Section 8).  It is designed to deal with the increasingly common method of delivering spam – infect a user's computer and use their Internet connection to send millions of spam messages.  The provision states:

No person shall, in the course of commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person obtained the express consent of the owner or an authorized user of a computer system or is acting in accordance with a court order.

For this to apply, there must be a Canadian connection to the activity.

Part two – the enforcement provisions – will come soon.


  1. section 8 overly broad
    Many web site pages (like this one) install javascript programs in the visitor’s computer. These are clearly within the Criminal Code definition of computer program. Some of those programs then send messages back to the web server (this is how “ajax” features work, as in the comment handling system on this page). Additonally, web pages (like this one) “install” cookies on the visitor’s computer, which causes the visitor’s browser to send the cookies back later. That sending back is clearly an electronic message. All of this can be made to sound nefarious, but it ordinarily isn’t, and without it web site e-commerce just wouldn’t work. While cookie communications do not necessarily involve the installation (by the cookie source) of a program, the language of section 8 does not seem to require that the program installed (e.g., the web page javascript) be the means by which the perpetrator causes of the computer system to send the message.

    And think about whether when you ask for a read receipt when composing an email message you are installing software on the recipient’s computer (i.e., “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”) and thereby causing the sending of the electronic message by means of which you receive the read receipt.

  2. otis, I don’t think your argument is valid. This web page does not “install” Javascript, rather, the browser – acting on behalf of the user – downloads the Javascript and executes it. The browser is also responsible for storing cookies.

    This is a “pull” technology, where data is requested by the user, not a “push” from some other person or system to the user.

    To make a real-world analogy, spam email is like having flyers delivered to your mailbox. Javascript embedded on site pages is like going to the grocery store and picking up a flyer on the way out.

  3. Devil's Advocate says:

    Here we go with the “commercial” disqualifier again!
    Why is it every “anti-spam” legislation always gets built around this same tired, idiotic principle – “COMMERCIAL electronic messages”??!

    Contrary to what these morons want us to believe, “spam” is defined as “that which we don’t want and didn’t ask for”… period! Who the hell “assumed command” and managed to change that very simple, direct qualification of spam needs his friggin’ head read!

    This legislation, should it pass, will have the same result as all the rest of them passed in other countries before it bearing the same disqualifier – the majority of spammers will simply qualify their spam as “non-commercial” when charged, and practically nobody will be guilty of breaking the law.

    And it also appears (of course!), there will be “exceptions” written in for charital, political, and religious messages, leaving more reasons why the Bill will not be worth the paper it will be printed on.

    As with its predecessors in other parts of the world, none of this surprises me.

  4. ade –
    how do you think spambot software get installed, except as a result of a “pull” of some kind by the victim — requesting a web page or picking up email and opening an attachment

  5. What about political spam?
    Is political spam covered in the bill?

  6. Anonymooose says:

    What about banning paper junk mail that costs us sooo much in recycling fees and enviromental damage, along with killing trees
    What about banning paper junk mail that costs us sooo much in recycling fees and enviromental damage, along with killing trees
    I sometimes wonder, why things are always to benefit big corporations.

    Then I remember, all federal government and organizations are corrupt and sleep well at night, knowing why.
    Where can I find the OPT-OUT options for the CRTC fees?

  7. United Hackers Association says:

    ajax does and what about cookies AND DPI
    DPI is made legal and thus the bill destroys any network neutrality as a slip in as an exception for ISP’s

    BAD bill and if the conservatives wanted to show that they are for the people then they would have given NO exception to the ISPS. ajax and even php can write files to a local drive and some games may require it, as well as cookies.

    Once again a non technical bunch a lawyers write a law that negatively affects innovation
    GOOD MOVE YOU TWITS in ottawa

  8. Q&A

    After having read the Gov website, it leaves me with many questions.

    When you have completed the analysis of this proposed Act would it be possible to also have a type of Q&A summary? Maybe rounding up the points you made and also grabbing some question from the comments area here?

  9. Am I reading the Act correctly in that where it says that at section “86. Sections 41.1 to 41.7 of the [Telecom] Act are repealed.” it means that the DNCL is gone?

  10. Sebastien Duquette says:

    “The starting point is a prohibition against sending electronic commercial messages without consent from the recipient.

    But this does not apply if: […] the message is […] a fax […]”

    In all form of spams, the one that I hate the most is fax-spamming. Every company out there receives unsolicited faxes weekly if not daily that go directly to the recycle bin and waste paper. Why is it part of the exceptions ?

  11. United Hackers Association says:

    because bell canada and the feds want to be able to spy on you and the printers are one of the worst secure ways to peek in on you.

  12. eponymous coward says:

    otis, I agree entirely…section 8 is so broad that it could capture just about any script or executable that has not been expressly initiated by the end-user. Plus, if you keep reading the Bill, it gets better:

    11(2) A person who seeks express consent for the doing of any act described in section 8 must, when requesting consent, also describe clearly and simply the function, purpose and impact of every computer program that is to be installed if the consent is given and set out any other prescribed information.

    So, not only must you obtain express consent every time a script is run, you have to clearly describe the function, purpose and impact of each one when obtaining consent…

  13. are spambot[net] victims liable?
    It seems to me that when joe-user’s computer has gotten owned and is joined to a spam botnet (unbeknownst to joe-user of course) that joe-user becomes one of the parties covered in:

    No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless …

    Joe-user caused/permitted the message to be sent by not keeping his computer up-to-date and allowing it to fall victim to a botnet.

    For that matter, joe-user could also be joe-corporation.

  14. Friend Invites?
    There has been some debate at my company about whether this would affect friend invites. The scenario is one where a user enters their friends email addresses and a message is sent inviting them to join the website. In this situation would the website be considered the origin of the email and thereby be sending spam, or would it just be an ISP that is a conduit for a user who has entered the email addresses?

  15. Adam Glauser says:

    Will this break the web?
    Despite the suggestions of otis, United Hackers Association and eponymous coward, I think the answer is no.

    The definition of an electronic message in the bill may be broad, but I don’t think it can reasonably be construed to include your usual run-of-the-mill HTML/CSS/Javascript over HTTP. It seems to be focussed on messages intended for human consumption, sent to “accounts” which are primarily used for human-to-human communication.

    @United Hackers Association:
    PHP runs on the web server, and can’t save files to the client’s hard drive without authorization, unless it exploits some sort of browser bug. I think such exploits already fall under existing computer crime legislation. Although Javascript is executed on the client computer, it is similarly confined in its ability to access files on the local hard drive.

  16. a thought
    Adam Glauser,

    What’s your opinion on Rogers injecting their spam via DPI on their users?

    Many are livid as is that the webpages they go to have Rogers spam on it that can not be removed.

    What’s your take on this?

  17. Html, CSS, Javascript = Software
    @Adam Glauser

    No one has suggested that Html, CSS, and Javascript fit the definition of “electronic message.” The problem is that they clearly fit the Criminal Code definition of “software” that this bill incorporates as its own. Installation of software without specific prior consent is prohibited whether message sending ensues or not. And the prohibition is not limited to software that can access the local hard drive.

    If web servers don’t “install” html, CSS and particularly javascript code on the client computer, if you argue that it is not the server but the user or his/her browser that installs the code, then to what means of infecting a computer with trojan/bot software would that argument not equally apply?

  18. Adam Glauser says:

    Rogers content injection

    Good question. I certainly would not want my ISP to inject content as Rogers does. However, I’m not sure it should be illegal. For example, I think that it might be reasonable for an ISP compete by offering partially (or completely) ad supported Internet connections.

    I guess it comes down to consent.

  19. Adam Glauser says:

    Re: Html, CSS, Javascript = Software

    Yes, I’m sorry I mistook your meaning about “electronic messages” vs. “software”.

    To answer your question about installing software, I’d say that the question is whether the user authorized the installation of the software. Any means of installing software that exploits bugs in other software (worms), or software that is installed when the user installs some other software (trojans) is a problem.

    That said, there can be a problem as well when software has some sort of hidden function. I would say that this is covered by the part of section 8 that mentions consent of the user. If I am installing software that will send messages of any sort, I want to know about it. This is already happening, and I don’t think it’s going to cause undue hardship. For example, some Linux distros ask whether you would like to send anonymous hardware configuration details to the distro organizers. Windows asks before sending problem reports when a program crashes.

  20. Re: Html, CSS, Javascript = Software
    @Adam Glauser

    Yes, the statute requires detailed, express prior consent to the installation of any ‘software’ at all, not just software that acts as you have described. And how does a web site get provable consent to install Html code, CSS code, javascript code, flash code, etc., without first (without consent) installing (at least) Html on the client computer and causing the client computer to send back (at least) a cookie?

  21. Adam Glauser says:

    Re: Html, CSS, Javascript = Software
    otis, does the Criminal Code definition of software that you cited in your first comment provide a definition of installation? I can’t see a definition in C-27.

    As a programmer, I wouldn’t really consider HTML or CSS to be software, neither would I consider Javascript or Flash code to be installed when I visit a web page.

  22. Re: Html, CSS, Javascript = “computer program”
    @Adam Glauser
    I have been using “software” as shorthand for “computer program” which is the term actually used in s. 8 of C-27 and in the Criminal Code definition it incorporates by reference. That definition is:

    “‘computer program’ means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”

    Html, CSS and Javascript clearly fit this definition: they cause the computer to do something.

    The Criminal Code does not use the word “install” in connection with the concept “computer program”. C-27 does not define “install”. In the context in which it is used, “install” must refer to a process by which the “instructions or statements” become executable by the computer system.

    If html, css and javascript are not “installed” they won’t affect what a browser displays. Javascript is called client-side scripting because the script runs in the client (i.e., the site visitor’s computer system), not on the server. The legal definition does not distinguish between simple and complex code, nor between benign and malicious code.

  23. Moremi Adeyinka says:

    definition of “spam” on social networking sites
    I suppose “electronic account” will also include an account/page on say myspace, facebook, twitter etc. Does this mean that no one can market to anyone on these social networking sites without consent? For example, can I send messages to many people on myspace to check out my new home-made video on Youtube (with the Youtube link imbedded)? OK granted that may not be “commercial”, but does it become “commercial” if my page has advertising tat pays me per click? What if the page I invite them to visit is a blog with lots of advertising? Can I invite multipe people on Facebook who I have never saved as friends to listen to my sample guitar music page on say “myguitar-dot-whatever”? Assume that the page has advertising on it. Is the opportunity for start-ups to market on ocial networking sites in danger by this legislation? Thots everyone?

  24. When is Part two coming?
    I would love to know how to file a complaint, or to sue someone continually spamming me and refusing to remove me from their list.