Government Finalizes Anti-Spam Legislation After Years of Delay

On December 15, 2010, the Canadian government (then described as the Harper Government) celebrated the granting of royal assent for the Fighting Internet and Wireless Spam Act, Canada’s long overdue anti-spam legislation. The last step for the bill to take effect was to finalize the associated regulations. Passing those regulations ultimately proved more difficult than passing the law itself, as an onslaught of lobby groups used the regulatory process to try to delay, dilute, and ultimately kill the anti-spam law.

Nearly three years after the legislation received royal assent, Industry Minister James Moore today announced that the regulations are now final and the law will begin to take effect next year (the spam provisions take effect on July 1, 2014; the software provisions start on January 15, 2015). The finalized regulations involve further concessions to the lobby groups opposed to the legislation as they create a new exception for third party referrals (permitting a single referral without consent) and largely exempt charities from many of the new rules. The private right of action that would facilitate lawsuits to combat spam will be delayed until July 1, 2017. These issues were all extensively discussed and debated during the legislative process and there was no need for further changes. 

While those changes are a disappointment, the far bigger story is that Canada finally has an anti-spam law grounded in an “opt-in” approach that requires marketers to obtain customer consent before sending commercial electronic messages.

The move will provide Canadians with greater control over their in-boxes, while also resulting in more effective electronic marketing campaigns for businesses. The shift to opt-in should be felt across all marketing as consumers increasingly expect prior permission before marketers and organizations use their personal information (think of Bell’s massive use of customer data for targeted ads or the do-not-call list, which are both premised on opting out, but may move to opt-in).

The finalized regulations include several new or expanded exceptions:

  • details on a business-to-business exception including emails sent “to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent”
  • registered charities engaged in fundraising
  • political parties and political candidates seeking financial contributions
  • messages to sent to recipients in countries with approved anti-spam laws (there is a list of those countries in the regulations which highlight just how far behind Canada is on this issue)
  • messages on limited-access, secure and confidential accounts that can only be provided by the recipient
  • messages in messaging services that make information on opting out readily available
  • third party referrals for the first commercial message (ie. one opportunity to send a third party referral message)
  • messages responding to complaints or customer inquiries
  • messages related to legal obligations or enforcing legal rights

The finalized regulations are also significant in that they represent a rejection of an extensive lobby campaign based on generating fear, uncertainty and doubt about a law that actually allows for virtually any marketing with consent and includes a myriad of exceptions for organizations across the country. The Canadian Chamber of Commerce led the charge, arguing that opt-in should be dropped for business-to-business email altogether and that the government should have held another round of consultations to further delay the rest of the legislation (it hoped to change the definitions within the law, something the government rejected). The Chamber was joined by organizations such as CRIA/Music Canada, which claimed the law would pose an “immense threat to independent labels and young bands.”

Moreover, despite the numerous carve outs, the business groups claimed that the law would result in significant new expenditures, including the need to maintain a database of opt-in consents and a website to allow for easy access to contact information and unsubscribe mechanisms. Yet those businesses are already required to maintain databases with opt-out information and electronic marketing without a website seems somewhat pointless.

The reality is that the new law will require many businesses to adjust (I address some of key issues in posts here, here, here and here). However, opt-in systems, form requirements, and unsubscribe mechanisms are found in countries around the world and their businesses have not ground to a halt. For thousands of Canadian organizations with mailing lists and active marketing activities, once they ask for and obtain consent, there will be no need to focus on exceptions or loopholes in the law. Simply asking customers for consent – the slow pace of implementation means that all organizations have years to do it – and they will have met the major requirement to continue electronic marketing to them in compliance with Canada’s new law.

The law won’t stop all spam, but it should enable authorities to target the worst offenders backed by tough penalties. It should also foster a change in attitude toward the use of personal information for marketing purposes as consumers demand opt-in consents for electronic marketing and greater disclosure during the installation of computer software. With the government emphasizing a “pro-consumer” approach, finalizing the anti-spam regulations represents a long-overdue win for consumers as Canada becomes the last major developed economy to implement anti-spam legislation.

Tags: / /


  1. Time to grab the popcorn
    Oh don’t mind me, i’m just waiting for Barry’s comments.

  2. “the business groups claimed that the law would result in significant new expenditures, including the need to maintain a database of opt-in consents”

    Err… Did they not already have an opt-out database? If not, then get on with it.

  3. Jim Jornyski says:

    Opt-out databases
    Businesses do have opt-out databases for email advertisements, but that’s not enough for this legislation. This legislation applies to any electronic message with a commercial character; the definition is (intentionally) broad enough to capture a large number of commercial communications that most people wouldn’t consider advertising or spam. Given this, businesses will need to build new systems to manage the new requirement; I work for an organization that has already begun working with the requirements, and the price tag is much higher than Mr. Geist’s posts would imply.
    All of the above would be fine, if the legislation was more surgical in its approach, and focused on spam rather than any commercial message. Mr. Geist says that the law will allow authorities to target the worst offenders, but that’s not an accurate description of the law; the law is meant to capture offenders, big and small, and imposes costs on all businesses operating in Canada, or sending messages to Canada.
    Ultimately, Canada has been without anti-spam legislation for a long time, and this has been a bit of an embarrassment. Unfortunately, I think this embarrassment has led the government to draft overly-harsh legislation to demonstrate its “purity”.

  4. Chris Brand says:

    Isn’t opt-in *easier* to manage ?
    If somebody opts in, add their email address to your database (mailing list). If they don’t, just forget it, because there’s no need to remember whether they’ve opted in or out.
    As opposed to “keep track of everybody’s contact info, and whether they’ve opted out or not”, because you need to pick up both when an opt-out appears before an email address and vice-versa.

  5. @Jim Jorynski
    Mr. Jorynski,

    In your comment, you make a distinction between 1) spam and 2) other commercial messages that most wouldn’t consider spam or advertising. Could you give examples of what you consider to fall into each of these two groups — it would help me more clearly understand your position.

  6. Is there anything here to deal with pre-checked opt-in boxes obscurely placed on a web site? These tend to trick people into inadvertently opting-in.

  7. Jim Jornyski says:

    Reply to Helen S.
    No problem. Referring to the Act as an “Anti-spam Act” is actually somewhat deceptive, as it doesn’t only address spam and the word “spam” doesn’t appear in the Act’s title. The Act prohibits the sending of any electronic message that can be seen as an encouragement to participate in a commercial activity.
    Examples in the Act itself include offers to purchase, sell or lease a product good or service, but it could really be anything with a “commercial character”. Because of this, many law firm publications (as another example) have started sending out opt-in consent forms for legal update newsletters, even though no one receiving those would consider them to be “spam”. It’s also telling that the Regulations to the Act had to specifically include (after several rounds of public consultation) exemptions for business to business communications (e.g., a business sending an email to another business with a proposal for a joint venture of some kind), even though no one really thinks that those sorts of communications need to be regulated.
    And the opt-in is only one requirement if a message falls under the Act. There are also requirements that include having specific language in the email and having an unsubscribe mechanism.
    Even with those problems, most businesses would probably be fine with the above if the Act weren’t so poorly written. As it is right now, it’s a confusing mess that is administered by several different bodies (Competition Bureau, the CRTC and the Privacy Commissioner), it’s hard to figure out if a message is regulated, and the penalties for making a mistake can be more than a $1,000,000.
    Mr. Geist keeps referring to “intensive lobbying” to make it sound like bug business is out to screw consumers, but that just ignores the real issues with this legislation. I think a lot of businesses are going to get caught with their pants down on this because they assume they’re not sending out “spam”, but fail to realize other communications (via text, email or whatever) are also captured by the Act.

  8. Jim Jornyski says:

    Reply to Ray
    The guidance released with one of the Regulations has indicated that businesses can’t use a pre-checked box or bury the consent to receive a commercial electronic message in another consent.

  9. Devil's Advocate says:

    “Spam” is what “all those others” are sending
    @Jim Jornyski:

    You’re basically saying that “spam” can and should be defined by you and/or “others”, rather than by the recipients, and that whatever you’re sending simply cannot be construed as spam.

    Like every other spammer since e-mail’s inception.

  10. Jim Jornyski says:

    To Devil’s Advocate
    No, nowhere did I say that the person sending a message should get to decide whether or not it is spam. What I did say was that the Act creates complicated requirements for “Commercial Electronic Messages”, and the definition of that term is so broad it captures (intentionally) electronic messages that most people wouldn’t think of as “spam”.

    Your insurance company sending you information on your benefits would fall into that definition, and may be able to rely on a partial exemption in the Act, but event there some of the new requirements would apply. My point is that that is not the sort of message that someone would normally think needs to be regulated.

    My broader point is that I think Mr. Geist’s posts on this tend to gloss over the issues in the legislation for the benefit of his “big business trying to screw you” narrative.

  11. Devil's Advocate says:


    To simplify what you’ve been saying, you think that the bar is set too high for “Business” or “Commerce”.

    My point is, it is the “Business” world – and only the “Business” world – that seems to have that problem with any proposal to curb spam. I never see any other groups fearing they will miss “important stuff”, no matter how broad the “commercial” brush is applied.

    It is also “Business” that created spam in the first place, and wouldn’t listen to any of the many objections as it did this. You’ve got “Business” to thank for everything from simple unwanted mail to malware and virus-laden attempts to thwart providers’ and recipients’ efforts to control the problem themselves. So, in the real sense, I’d say “business” DID “screw us over”.

    “Your insurance company sending you information on your benefits would fall into that definition…”

    That’s horseshit. Insurance companies have a relationship with their clients, and such information would only be sent to those clients. It’s not mass-distributed, and not unsolicited. That’s 2 reasons off the top of my head as to why your statement is a red herring.

    If anything, it’s the endless propaganda from the “business” side of things, coupled with Government’s willingness to legitimize too much of it, that keeps our inboxes rich in beneficial offers from both Nigeria and Desjardins alike.

  12. Old-timey Internet User says:

    The original terms for “spam”…
    … were “unsolicited commercial e-mail” (UCE) and “unsolicited bulk e-mail” (UBE). That was 20 years ago when most Internet communications took place via e-mail and Usenet. Those three simple criteria still apply today: unsolicited, bulk, commercial. Of course, it isn’t black-and-white, but even a grey area describes some sort of border.

    An insurance company e-mailing policy information specific to one subscriber would not be spam (does not meet “bulk” requirement). The same company e-mailing a new product announcement could be spam (largely the same message sent indiscriminately in bulk). In the latter case, the difference would be consent. If it was properly given, then the message is not spam. Pretty simple guidelines that have largely worked for the the past two decades.

  13. Jim Jornyski says:

    Re: the above
    Old-Timey Internet User and the one above that, the problem is you’re using your own definitions for what you think “spam” is, rather than what it is in the legislation. Under the legislation, spam is not the bulk sending of emails; it can be one email to one person if that person didn’t opt-in to receive it. It also doesn’t need to try and sell a product or service, it can be anything with a “commercial character”. As I said, it’s telling that the regulations had to be revised to specifically include an exemption for business to business communications; without that, one business sending an emailed proposal to another could be liable for the extremely heavy penalties (upto $1,000,000) under the legislation.

    Even where a business has a relationship with a client (and therefore may qualify for a partial exemption under the legislation), they would still need to follow certain requirements, particularly after the transition period built into the legislation.

    Again, I think spam legislation makes sense, but I think this legislation is overkill for what is really needed. Why place a huge compliance burden on Canadian businesses when you’re really only concerned about those companies sending (what is effectively) junk mail through email or text message?

  14. Jim Jornyski says:

    As an aside
    It’s also worth noting that the issue of spam was much worse 3 years ago, when this legislation really began. Since then, most email providers have gotten very good at filtering out spam messages, to the point where I haven’t received anything in my inbox that I would call “spam” in months.

    Million dollar penalties and the threat of class actions seems like overkill for something that has, thanks to better technology, become a mild to non-existent nuisance for most people.

  15. Non-profit e-mails
    I manage a non-profit. We have a lot of different activities, but one of them is operating volunteer-run non-profit workshops, and we also have many business partners and sponsors.

    That means pretty much every monthly newsletter I send out can be categorized as a commercial electronic message (CEM).

    It also means that, though all of our subscribers opted-in to receive our newsletter, and they can all unsubscribe easily (i.e. basically we meet almost all the requirements of the new act), because they didn’t expressly opt-in to receive CEM, we now stand to lose many of our subscribers: not because they no longer wish to receive our e-mails, but because they have to essentially re-subscribe to something they believe they’re already subscribed to.

    Is there a grandfather clause, or just the initial grace period?