Setting the Record Straight On the ECPA (C-27)

The Industry Committee held two days of hearings on C-27, the Electronic Commerce Protection Act, this week with Industry Minister Tony Clement appearing on Tuesday and my appearance (together with CAUCE executives) on Thursday.  The line of questioning on both days was very similar and it is clear that some groups are seeking to sow seeds of doubt about the legislation.  I tried to address some of the misconceptions and inaccuracies during my appearance, but it is worth taking these claims head on (I will update as needed):

Messaging Provisions

Will the ECPA mean that businesses can't send newsletters, email updates, or other promotional materials to other businesses?

No.  Section 6(5)(b) includes an exception for legitimate business-to-business email.

Will the ECPA mean that I can't send emails to friends or family asking if they're interested in buying something from me or using my services?

No.  Section 6(5)(a) includes an exception for individual to individual email with a personal or family relationship.

Will the ECPA apply to non-commercial emails that I might send?

No.  The bill only applies to commercial email.

Why has Australia targeted direct marketing, while Canada talks about commercial messages?

Australia has not done that.  Both laws use commercial electronic messages.

Does the ECPA extend its jurisdictional reach too far beyond Canada's borders?

The law requires a connection to Canada to apply.  This is consistent with jurisdictional law more generally that mandates a real and substantial connection.

Will universities be blocked from sending commercial messages to alumnae?

No.  With opt-in consent, they can continue to send messages.  Even without such consent, universities are typically registered charities and thus qualify under the Section 10(6) exception for 18 months without the need for opt-in consent.

Will companies be prevented from sending consumers warranty or product recall information?

No.  In order to send consumers this information, companies must first obtain their contact information.  This provides an easy opportunity to obtain consent for sending future warranty or product recall information. Alternatively, companies will still be able to send information even without this consent for 18 months, providing ample opportunities to obtain the necessary consents.

Will real estate agents be unable to contact prospective clients via referral?

No.  Referrals can still take place as the personal relationship exception will allow for an individual to individual email that will facilitate a referral.  Alternatively, friends can simply provide the contact information for the real estate agent (which is typically the preferred approach anyway).

Does a business always need explicit, opt-in consent to communicate with customers?

No. Businesses can imply consent for 18 months for any existing customer.  That provides plenty of time to obtain an opt-in consent?

Does a business always need explicit, opt-in consent to communicate with potential customers?

No.  Businesses can imply consent for six months for any potential customer that has made an inquiry with them.

Software Provisions

Will software vendors be required to obtain consent before installing software updates?

Yes.  Software vendors should notify users what is they are installing on their computer and obtain consent before doing so.  Past experience involving cases such as the Sony rootkit provide ample evidence for why this is a good thing.

Does the ECPA stop web sites from using cookies?

No.  Cookies are text files and are not caught by the legislation.

Does the ECPA pose problems for the use of java or javascript on a webpage?

Possibly.  I have proposed some language to address this issue and Industry Minister Tony Clement has indicated his willingness to amend the law to address this concern.

Penalty Provisions

Does the ECPA contain very tough liability provisions?

Yes.  Experience in other countries shows that anti-spam law can only be effective with sufficiently tough penalties that create economic risk for spammers.

Is the private right of action really needed?

Yes.  Creating a private right of action was a recommendation of the Spam Task Force. Given the ongoing concerns about the enforcement history of the CRTC, Competition Bureau, and the Privacy Commissioner of Canada, a private right of action will allow the private sector to launch lawsuits of their own against Canadian-based spammers.  Previous lawsuits against Canadian-based spammers have been launched in the U.S., due to the absence of a Canadian private right of action.

Could the private right of action clog the courts?

Unlikely.  Unlike the U.S., Canadian class action lawsuits are rarer and there are court costs that create disincentives against frivolous lawsuits.

Email Harvesting Provisions

Will law enforcement be impeded due to the restriction on email harvesting?

Unlikely.  While the ECPA alters PIPEDA to address email harvesting, the numerous police powers to access far more than just an email address remain unchanged.


  1. Aléatoire says:

    Consent before installing?
    Does that means that Google’s suspicious tactic of silently updating(without any knowledge of the user) chrome will be forbitten?… well regardless… I found a quick way to disable this “feature”…

    PS:Thanks for this info… it’s interesting and i’m actually looking foward to a law that *might* prevent another SonyBMG rootkit debacle.

  2. Xetheriel says:

    @ Aleatoire
    Indeed, the simplest way to prevent that behaviour is: Don’t install Chrome.

    I’m a tech guy, but I’m a skeptical tech guy, thus I always research new software/browsers/products *before* I install them. This ensures that I’m in full agreement with not only the products terms of use, but also the providers philosophies as well.

    I’m also a Linux user, which kindof leaves me out for Chrome anyways.

    I’m a Firefox user, And encourage others to be as well.


  3. How does a business to business newsletterpromotional material fall under the 6(5)(b) exception? Isn’t the exception explicitly limited to an “inquiry or application” related to the business activity of the “receiver”?

  4. michael geist says:

    To Curious
    I read this provision to mean that the B2B email must be relevant to the recipient – ie. must fall within their scope of activity. That means you can send B2B if its clearly relevant to the recipient, but you can’t just send business email with no obvious relevance to the recipient.

  5. Scott Elcomb says:

    Re: Software Provisions
    I can’t speak for Java really, but I am rather deeply interested in JavaScript (which is completely unrelated to Java) which many sites require in order to function properly.

    Michael, can you provide additional information on how the ECPA might affect today’s websites? Many thanks in advance.

  6. Scott Elcomb says:

    Re: Software Provisions
    Michael, can you provide further clarification as to how exactly the ECPA might affect today’s websites and web-based applications? As this is my life-blood I’m exceedingly interested.

    Just to be clear there is *absolutely* no connection, except in name, between Java and EcmaScript (commonly referred to as “JavaScript”).

  7. Scott Elcomb says:

    Trouble with comments…
    I apologize for the extra post(s), bad form I know. However, I seem to be having trouble with commenting on this post. A reference to the issue:

    Using Firefox 3.0.6 (with NoScript and exceptions granted to under Debian 4.1.2-24 (“Etch”)

  8. Insert Name here says:

    scripts and stuff
    If you can enter the captcha txt and click the “add comment” button, do a page refresh and it should show afterward.

    Happens to me as well, but i disable a lot of garbage. So It is probably similar with you.

    Try a test post and then follow with a page refresh, should show.

    (also make sure you put a “Name” or it won’t post)

  9. spotted and other
    So I listened to the audio from your “Appearance Before the Industry Committee” (ref. and it was a good listen.

    One thing caught my attention though. It was a person asking the question saying that, “network-world Canada has an article with a lawyer saying that this bill will ban the use of the Internet for canadians” (something like that).

    I googled the quote and found it on IT-World Canada, here: /b301e25a-034f-40d2-83da-ba8552153155.html

    The quote:
    “It’s just overkill,” Sookman complained. “The bill as currently drafted would actually ban the use of the Internet by Canadians unless a person with a Web site had written consent from a consumer to use it.” Instead of demanding consent for certain activities, he said, Ottawa should define activity that’s bad – for example, creating misleading e-mail headers.

    Now the part I have issue with is, “creating misleading e-mail headers”. Well I do this all the time when I need to send an Email anonymously, or using Email relays, or other types of anon-relays. I see no problem with it.

    Why define something bad? Its the use or abuse of certain things that are bad, not what they are.

    This, in my opinion, is the same as saying a proxy, VPN, or http relay, or socks proxy is bad since you don’t show your proper IP.

    Fakes headers, fake IP, fake anything is my right to use if not abused. Yet this lawyer wants ottawa to define it and label it as “bad”.

    Well I think this IP lawyer that was quoted is bad if he doesn’t respect my right to hide my headers and IP. Its part of my false sense of security and privacy on the net.

    When I read between the lines of this Mr. Sookman, this is what he is taking aim at. False online ID (IPs, Headers, etc and wants it defined as “bad”)

    This is one part you did not address at all, Dr. Geist. Or maybe you felt there was no need to?

    And I hope these things/tools are not “defined” or “labeled” as bad as was suggested in that article.

    Its a choice.

    So I do not want to see this type of thing being defined by Ottawa. With whats going on in the states, ie. Texas, where people are being charged with hacking for using a false name on MYSpace, or how they want “social boards” to require full name, address, gender, phone number, and so forth, its just to invasive and invades my right to privacy.

    So bottom line, this Mr. Sookman is proposing (reading between the lines) that no Canadian should have the right to hide who they are or what IP they are since he wants Ottawa to define these activities/tools/methods as “bad”.

    One last question, though not Email spam, but rather web spam. Would Rogers web-injected spam that is forced fed on all Rogers users on webpages they look at be subject to this anti-spam bill? Would Rogers require it’s users to opt-in to get their hijacked DPI web-injected spam?

  10. This is horrible… Since when is it okay for Canada post to spam paper advertisement materials to every known persons mailbox in Canada. I actually like some of the coupons I get in the mail and quite frankly I like local business advertising their services to me.

    What I don’t like is the People from Turkey, Slovenia, China and Zimbabwe who sent me spam every day. I don’t get any spam from Canadians at ALL!!!

    What about the Auto Dialers or the Predictive Dialers? Those get to run crazy and I get to get harassed by telephone calls all hours of the day, but my email which I actually like, is now under fire?

    I really do not understand. I think this is just a bunch of people who keep signing themselves up for casino lottery and porn mail lists who now want the government to bail them out. Give it up… the spam is going to keep coming if you keep giving shady business your email address. And this Bill does nothing to stop the worst spammers, because quite frankly people… you are opting in…

    Thank you so much for taking the global spam epidemic out on local Canadian businesses. We are hardly spammers. jmo…

  11. I would like them to add a section to this bill which states that if any person attempting to sue a business for sending them an email has ever in their life, given their email address to a website which they have not personally done business with, that they should have to surrender their internet access for 20 years.

  12. To James: I’m afraid you have a vast misconception of how e-mail addresses are harvested. First off, if an e-mail address is posted on a webpage in an accessible format, it can be harvested by automated crawlers. And second, most often when dealing even with legitimate businesses there is a clause in policies which states something about “affiliate businesses”. There have been many cases where companies simply sell their customers information to those “affiliates” and it spreads from there… And there are other methods as well, where addresses are harvested through no fault of the individual.

  13. don’t forget SMS spam
    Lets not forget SMS spam from the telco’s themselves.

    Or premium SMS spam that people never signed up for in the first place and which you are on the hook to pay for.

    BTW: Does this anti-spam Act include SMS and those Premium SMS spam’s?

  14. At Kai,

    I think you have a great mis-conception on how marketers employ “harvesting” tactics to send junk snail mail, solicit businesses with predictive auto-dialers and advertising in general.

    If someone has posted their email address on a webpage… they have essentially asked every marketer on the planet to which has access to the page to contact them.

    Much in the same way that Canada Post will send you Junk mail if you make use of a physical home address.

    I would like to be the first to thank the Canadian government for overlooking local problems by focusing on a global one and acting locally to solve the problem.

    Thanks Canada…

  15. In any event… Using an open relay to randomly guess at passwords is technically what spam is. Contacting someone via a known address with an advertisement is not spam.

    The meanings behind what is spam and what is not spam has changed to include whatever someone dislikes and that is subjective matter which cannot be enforced.

    This is deterrent which will most likely put the professional spammers into overdrive while pushing the legitimate marketers into a corner where they cannot compete.

    Anybody with half a brain and a die hard dedication to spam to Canadians will simply register their business in Las Vegas and continue pummeling Canadians from across the border.

    Penalizing Canadians is not the answer to solve a global problem. I receive no spam from Canadians. Has anybody even stopped to look at where all the spam is coming from or is this just a witch hunt?

  16. Sorry for the triple post. (Hopefully this solicitation of my business ideals will not land me a 10,000,000 fine!!)

    I will continue to contact local businesses via email regardless of what some consider to be illegal. Quite frankly Canadian businesses need to contact each other to strengthen their ties with each other. Business to business email is an essential means to foster growth amongst Canadians.

    So sue me… or opt out… your choice…