With Canada’s anti-spam law now in effect, many are starting to ask about enforcement of the law. While no one should expect the law to eliminate spam, the goal much more modest: target the bad actors based in Canada and change the privacy culture by making opt-in consent the expected standard for consumer consents. The CRTC, the lead regulatory agency, has made it clear that the fear-mongering of million dollar penalties for inadvertent violations is not going to happen. Chair Jean-Pierre Blais recently stated:
Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh
Privacy
The Benefits of Consent
Commercial email did not grind to a halt the day after Canada’s anti-spam legislation took effect and neither did the coverage about the law’s impact (I appeared on CBC’s The Current to debate the issue). Coverage included Microsoft backtracking from its earlier decision to stop security update emails, apparently taking the time to actually read the legislation and find the exception for security notification. There was also a CBC story about the Canadian Avalanche Centre, which stopped an email service after hundred of customization options became “too much of a hassle to maintain”, but the CBC used the timing to link the decision to CASL.
But what really caught my attention was this tweet from Jason Faber, the marketing manager at BoldRadius.
Keep Calm and Get Consent: Canada’s Anti-Spam Law Takes Effect This Week
Canada’s anti-spam legislation takes effect this week, sparking panic among many businesses, who fear that sending commercial electronic messages may grind to a halt on July 1st. The reality is far less troubling. The new law creates some technical requirements for commercial email marketing alongside tough penalties for violations, but left unsaid is that Canadian law has featured rules requiring appropriate consents for over a decade.
My weekly technology law column (Toronto Star version, homepage version)The concern over the new anti-spam law, which mirrors similar worries from 2004 when private sector privacy legislation arrived, suggests that many may not have complied with their existing obligations. As Canadians receive a flood of requests for consent from long-forgotten organizations they never realized had collected and used their personal information in the first place, the controversy over the rollout of the new anti-spam law says more about poor compliance rates with current privacy laws than it does about the new regulations.
The Canadian Anti-Spam Law Panic: Same As It Ever Was
As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Macleans titled “Few Companies Prepared for New Privacy Law“:
The new law..says organizations can only collect personal information for a stated reason – and can use it only for that purpose. Among others things, that means a company that supplies a service can’t sell its list of subscribers to another company’s marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed..But most firms are unaware of the new law.”
The article continues by noting that “there’s confusion over which organizations might be exempt” and that “there is no grandfather clause – all existing customer information needs to be compliant.” The message is similar in a Globe and Mail article titled “Many small firms not ready for privacy rules“, which also notes the possibility of a constitutional challenge. An IT World Canada reiterates that concern in its coverage:
most Canadian organizations are not aware of the [law]. And very few are prepared to comply.
Say Anything: The Government’s Response to its Disintegrating “Privacy” Reform Strategy
The Supreme Court of Canada’s Spencer decision is still only a few days old, but it has become clear that the ruling has left the government’s privacy and lawful access strategy in tatters. I’ve posted earlier on how the decision – which held that Canadians have reasonable expectation of privacy in their subscriber information and that voluntary disclosure of such information to the police constitutes an unlawful search – blows away the government’s plans for Bills C-13 and S-4 by contradicting longstanding government policy positions.
While there are options for the government to establish reforms that are consistent with the court ruling and that would grant police the access they say they need, government ministers have instead adopted a rather bizarre response of saying anything, no matter how inconsistent with prior positions, the court’s analysis, or public comments from authorities such as the Privacy Commissioner of Canada. There is admittedly a track record for this: Conservatives have dismissed privacy concerns from Carole Todd, the Boys and Girls Club of Canada, the Privacy Commissioner of Canada, and many more. Further, the Conservative leader in the Senate claims Spencer has “no impact whatsoever” on Bill S-4.
Recent Posts
Canadian Government Caves on Digital Services Tax After Years of Dismissing the Risks of Trade Retaliation 
The Law Bytes Podcast, Episode 238: David Fraser on Why Bill C-2’s Lawful Access Powers May Put Canadians’ Digital Security At Risk 
Ignoring the Warning Signs: Why Did the Canadian Government Dismiss the Trade Risks of a Digital Services Tax? 
Why Bill C-2 Faces a Likely Constitutional Challenge By Placing Solicitor-Client Privilege at Risk 
The Law Bytes Podcast, Episode 237: A Conversation with Jason Woywada of BCFIPA on Political Party Privacy and Bill C-4
