The recent introduction of the Electronic Commerce Protection Act, Canada's long-awaited anti-spam bill, has been greeted with initial all-party support in the House of Commons. The bill just passed second reading with committee hearings the next step in the legislative process. My weekly technology law column (Toronto Star version, Ottawa Citizen version, homepage version) argues that looking ahead, the big fight seems destined to focus on the government's desire to establish a comprehensive regime with tough penalties that apply to most commercial communications to consumers. Consumer groups will likely welcome the reforms, while some business and marketing organizations may paint a gloomy picture of the costs associated with the new regulations.
The bill strives to address most Internet-related consumer harms. These include email and text message spam, software programs that are secretly installed on users' computers ("spyware"), the use emails and websites that trick users into thinking they are visiting a trusted site ("phishing"), as well as the use of computers infected by viruses to send spam ("botnets").
If enacted into law, the ECPA would make it illegal to send an electronic commercial message without the prior consent of the recipient. This would create an "opt-in" system, whereby, subject to certain exceptions, marketers would have to obtain consumers' consent before sending them commercial messages. Moreover, marketers would be required to meet several form requirements including identifying the sender and providing a mechanism to allow consumers to unsubscribe from receipt of further messages.
In addition to the consent requirements, the ECPA targets the tactics frequently employed by spammers. It would become illegal to harvest email addresses without consent or to alter the transmission information on an electronic message, a rule designed to target phishing practices.
The bill also makes several important amendments to the Competition Act to better ensure that the law captures false or misleading representations. This will grant the Competition Bureau the power to investigate and take action against the use of false headers in emails, false locator information, or the presence of false or misleading content.
Attempts to install computer programs without the users' express consent are also included within the ECPA. This not only addresses spyware that is secretly inserted into some emails, but also software companies that attempt to install updates without informing users or music companies that surreptitiously install anti-copying technologies.
The new provisions will only be effective if enforced and the ECPA features some of the toughest penalties in the world. The CRTC has been given a wide range of investigatory powers, including the power to compel Internet service providers to preserve transmission data. Once it concludes its investigation, the Commission can pursue a settlement or bring a notice of violation with penalties that can run as high as $10 million.
The Privacy Commissioner of Canada can also investigate certain complaints and the Competition Bureau can go after misleading representations with penalties up to 14 years in jail (indictment) or $200,000 and a year in jail (summary conviction). For those not content to wait for the CRTC or the Competition Bureau to act, the law also creates a private right of action to facilitate lawsuits against Canadian-based spammers.
The ECPA addresses many of the recommendations of the 2005 National Anti-Spam Task Force, but not everyone will welcome it with open arms. Some business groups are likely to oppose the shift toward an opt-in system, claiming that the new rules will impede commercial opportunities. Software companies may object to requirements to obtain express consent from users before installing new programs and opponents may try to sow fear within the business community, pointing to the regulatory costs and potential for multi-million dollar liability. Yet most of these provisions are standard fare around the world. All parties should recognize that providing reasonable consumer protections does not impede electronic commerce, but rather facilitate it.