Canadian Government Unveils Big Loopholes in Anti-Spam Regulations

Industry Canada unveiled long-awaited revised anti-spam regulations on Friday for the Canadian Anti-Spam Law. The regulations are in draft form and comments can be submitted to the government until February 3rd. Given the intense lobbying by business groups to water down the legislation passed in 2010 and the initial draft 2011 regulations, it comes as little surprise to find that the proposed regulations include several significant loopholes and exceptions that undermine the effectiveness of the law. The key new regulations include:

third party referrals: the regulations include a broad new exception for third party referrals that will allow businesses to send commercial electronic messages without consent based merely on a referral from a third party. This issue was hotly debated when the bill was being drafted and, at the time, the government rejected claims that such an exception was warranted. In the face of intense lobbying, however, the opt-in approach to electronic marketing is being dropped and replaced by a system that allows for unsolicited commercial electronic messages based on third party referrals.

personal relationships: the 2011 draft regulations featured a fairly restrictive definition for the personal relationship exception that allows for commercial messaging without consent where there is a family or personal relationship. The new definition is far broader and is likely to be used by many organizations based on limited contact. The regulation defines personal relationship as:

those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that the relationship is personal taking into consideration all relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated and if the parties have met in person

legal or juridical obligations: the new regulations exclude commercial emails that either satisfy legal or juridical obligations, enforce legal rights, or provide notice of an existing or pending right.

computer programs: the new regulations include two new definitions for computer programs that are excluded from the scope of requirements in the law to obtain express consent when installing those programs. The new definitions cover efforts by telecom providers to install programs to “prevent activities that the telecommunications service provider reasonably believes are in contravention of an Act of Parliament and which present an imminent risk to the security of its network” or a program installed “for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network.”

business-to-business exceptions: the new regulations expand the scope of business-to-business communications to alleviate concerns they would be caught by the Act.

While the third party referral and personal relationship regulations will raise particular concern, the government did reject efforts to grandfather consents obtained under PIPEDA, the private sector privacy law. While marketing groups argued that obtaining new consents would be disruptive, the reality is that the anti-spam law creates tougher consent requirements (explicit opt-in consent vs. implied opt-out consent in some instances) and relying on the weaker, implied PIPEDA consents would be inappropriate.

Moreover, the law already features a lengthy transition period that will allow businesses to rely on their existing consents for three years after the legislation takes effect. In other words, despite the fear mongering about the anti-spam legislation, current customer lists will be exempted from the new consent requirements until 2017 (assuming the law does not take effect until 2014). Since the law was passed in 2010, seven years is surely enough time for businesses to ask Canadian consumers if they consent to the use of their personal information for marketing purposes.


  1. Jean-Francois Mezei says:

    So let me get this straight. Government spends years listening to lobbyists, but us regular plebes only get 30 days to comment?

    The government could have started by banning all html emails in commercial emails. This way, Canadians can see the actual URLs they are about to click on and see that the “banking alert” for a Canadian bank does not point to that bank’s web site.

  2. Jean-Francois Mezei says:

    “The proposed exemption would limit the application of CASL so it does not apply when the sender could not reasonably have been expected to know their messages would be accessed in Canada.”

    So basically, a spammer sending to a .com domain cannot be expected to know the company is in Canada so they are allowed to spam.

  3. Jean-Francois Mezei says:

    “The proposed Regulations include an exemption for telecommunications service providers (TSPs) from the requirement to have consent to install a computer program for the limited purposes of preventing illegal activities that present an imminent risk to the security of its network.”

    So, the incumbents want to be able to send emails that quietly install software on the person’s computer without the user giving consent?

    I can understand removing consent to receive the email. But consent to install a program must never be removed.

    And when TSPs do software upgrades on modems/routers for which they have administrative control, those upgrades are not performed via email, so they do not need an exemption in the spam law.

  4. Devil's Advocate says:

    Business as usual
    So, all in all, it’s business as usual – and business (as usual) gets to do what it bloody well wants to – the same way it was before all the anti-spam legislation was even thought of.

    I would be interested in a clarification of what the hell “install a computer program for the limited purposes of preventing illegal activities that present an imminent risk to the security of its network” could possibly be referring to.

    ISPs do NOT have the need, purpose, or right (legal or otherwise) to silently install anything on a user’s computer. And, if there were ever a security threat to their network emanating from a user’s computer, the ISP would simply disable that account and (if necessary) contact the authorities.

  5. Fully agree with the above post. This all adds up to 1 conclusion: useless.

    Ban government lobbying.

    (I’ll lobby for that)

  6. System Update & Malware
    Devil’s Advocate / maebnoom – I am torn on this one myself. I see 2 reasons why the exception is required:

    1) There are other devices on a network besides computers. I think this applies to say Cell Phones, Cable Modems, Cable and Satellite boxes on a network whose software needs to be updated for the network to work properly. Ex. A new Firmware flash for a cable modem because they are making a network protocol change, etc.

    While I agree that you should always try to get the user’s permission, in the case that the device does not have a used UI (who looks at their cable modem lights?) or where the device will be kicked off of the network and will not be able to function, it does not make sense to try to contact all of your users for approval for this system maintenance.

    2) Massive bot-nets that run on people’s computers without their knowledge. There was talk about companies shutting these computers down remotely, or remotely removing the malware, in order to protect the network. Perhaps there are better ways to achieve this but I don’t think I am against companies installing or removing software for this purpose.

  7. It appears to me that the third-party concession negates the entire concept of regulation – everyone can make a case to be a third party.

  8. Devil's Advocate says:

    1) Network hardware belonging to the provider would be outside of any user consent issues. Anti-spam legislation can only be applied where spam is possible. Spam needs to have an end user to exist (definition of spam). And, at the user level, silent online provider installations are simply not done. That would be unnecessary and illegal.

    2) Computers that are either infected or being used deliberately to threaten a provider’s network are simply cut off from the internet, and users are contacted by their providers. Attempting to invade their operating systems over the wire would be time-consuming and pointless.

    Having said all that, I do regard personal cellphones as having the same status as personal computers, and deserving of the same rules. The trouble with the cellphone scenario is, the user generally doesn’t literally *own* the phone, which is usually being “financed” through the customer contract, and subject to all sorts of conditions and escape clauses.

    We need to be acquiring and owning our phones in the same manner we buy a PC or any other personal gadget. The way we’re getting them now is allowing us, en masse, to be extorted in a big way by commercial interests, and lose not only a great deal of control of our private communications, but also some pretty important human rights.

  9. @Devil’s Advocate
    1) In the bill, is that the definition? I am not looking it up again, but I recall it being a LOT more vague. As is “Any Electronic Message”.

    In any case, not all network hardware belongs to the provider. As far as I know, I paid for my Bell ExpressVu box. It is mine to use or sell if I wish. Yet Bell seems to upgrade the software on it all the time without my consent.

    Even in your example of a cell phone that I have under contract with say Rogers, I don’t believe the ownership of the hardware remains with Rogers. I can sell it to anyone I want at any time. If I sell it or not, I still owe Rogers money per our contract. If I bring my own device to Rogers, say an unlocked iPhone that I purchased from Apple, Rogers will still update carrier settings as needed. They may technically own the SIM card though.

    2) In this scenario, I agree the ISP should do it. But they are under no obligation to do so. I have yet to see any major ISP shut down their customers en masse due to DOS attacks from their subscribers. They will be happy to charge those subscribers for going over their bandwidth cap though 🙂

  10. non spammer says:

    RE lulitadow92
    Here we’re talking about spam and this idiot is spamming!

  11. Adam Guerbuez says:

    Glad to see things are unfolding according to plan
    Although the third party referral exemption is all that was really needed. The other updates are just icing on the cake.

  12. Who are the lobbyists who WANT spam?
    Can someone please tell me who is lobbying FOR spam? I’d like a list of the lobbyists and the companies they represent, please. Then I won’t buy anything from those companies.