The Electronic Commerce Protection Act (aka Bill C-27 or the anti-spam bill) is a lengthy, complicated piece of legislation. At 69 pages, it involves many new prohibitions, enforcement measures, and changes to existing laws. Given its complexity, I'll divide the substance of the bill into several separate postings. This post focuses on the prohibitions – there are three primary prohibitions but it quickly gets complicated. The short version of this is that the bill requires all senders to obtain express consent before sending commercial electronic messages (including email, instant message, etc.) and to include contact and unsubscribe information. It also includes provisions designed to counter phishing, spyware, and botnets used to send spam.
The more detailed version is:
The primary prohibition is found in Section 6(1) which is the basic anti-spam provision. It provides that:
No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and (b) the message complies with subsection (2).
Not a particularly long sentence, but there is a lot there:
- by including sending or cause or permit to be sent, the ECPA covers the entire chain of spamming – the party that commissions the spam, the party that does the sending, and the party that permits it to be sent.
- an "electronic address" is very broadly defined as it includes email accounts, IM accounts, telephone accounts, or any similar accounts. In other words, the law applies to all forms of spam, not just email spam.
- the law only applies to commercial electronic messages. It too is broadly defined in Section 2(2) to cover the content, hyperlinks, or contact information that would make it "reasonable to conclude" that the message has as one of its purposes encouraging participation in commercial activity. The provision adds that this may include offers to purchase or sell products, goods or services; business opportunities; advertising or promotion of goods, services, products, etc.; and promotion of a person who does any of these commercial activities. There is, however, an exception for law enforcement, public safety, protection of Canada, and international affairs.
- Electronic messages that seek consent to send commercial messages (ie. obtain consent) are also commercial messages. In other words, you cannot send a message to obtain consent without consent.
That is the basics of what it covers. Then there are the three key requirements – form, consent, and jurisdiction. The law establishes form requirements for those who send commercial electronic messages. These include:
- Identification of the person sending the message (as well as on whose behalf it is sent)
- Contact information of the sender
- An unsubscribe mechanism. The unsubscribe mechanism (described in Section 11) must allow for an easy opt-out via email or hyperlink that remains valid for at least 60 days after the message is sent. The sender has ten days to comply with the unsubscribe request.
The consent requirements are primarily about exceptions. The starting point is a prohibition against sending electronic commercial messages without consent from the recipient. The consent must generally be express consent with clear identification of the sender and the purposes for which consent is sought.
But this does not apply if:
- there is a personal or family relationship
- there is an active commercial relationship and the message is an inquiry
- the party is an ISP who is merely enabling the transmission
- the message is an interactive two-voice communication, a fax, or a voice recording
The consent can be implied rather than express if:
- there is an existing business relationship between the sender and recipient. This includes purchase of a product, good or service over the prior 18 months; an active written contract, or an inquiry from the recipient over the prior 6 months
- there is an "existing non-business relationship" between the sender and recipient. This includes a donation or gift over the prior 18 months to a charity, political party or political candidate; volunteer work over the prior 18 months for a charity, political party or political candidate; or membership in a club, association, or voluntary organization over the prior 18 months.
These exceptions share many similarities with the do-not-call list. As for jurisdiction, Section 12 of the law says that the basic anti-spam provision only applies if a computer system located in Canada is used to send, route or access the electronic message.
The second prohibition is the anti-phishing provision and it involves the alteration of the transmission data on electronic message (Section 7). This is designed to deal with phishing, where the electronic message appears to go one place, but goes somewhere else. The provision states that:
No person shall, in the course of commercial activity, alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or in accordance with a court order.
There is an exception for ISPs blocking or filtering these messages if done for the purposes of "network management."
The third prohibition is the anti-spyware and botnet provision (Section 8). It is designed to deal with the increasingly common method of delivering spam – infect a user's computer and use their Internet connection to send millions of spam messages. The provision states:
No person shall, in the course of commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person obtained the express consent of the owner or an authorized user of a computer system or is acting in accordance with a court order.
For this to apply, there must be a Canadian connection to the activity.
Part two – the enforcement provisions – will come soon.