Bill C-28, the Fighting Internet and Wireless Spam Act (FISA), was passed by the Canadian Parliament and received Royal Assent on December 15, 2010. Prior to Bill C-28 passing, Canada was the only G8 country without specific spam legislation.
Essentially, this is Canada’s first anti-spam legislation, and it will empower authorities to aggressively fine spammers. The legislation has major implications for how businesses communicate with clients and potential clients. Will the Bill really reduce spam? When will businesses need to be in compliance? How will violators be punished? I hope to summarize and bring attention to some of the key issues in this article.
What is Bill C-28?
According to a news release issued by Industry Canada in May 2010, the FISA is “intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.”
The legislation is modeled on international best practices and will be enforced by three agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.
In essence, with regard to the anti-spam provision, businesses must have an opt-in/opt-out process to communicate with anyone electronically. They must get express or implied consent from the recipient prior to sending commercial electronic messages. Consent is implied where there is an existing business relationship with a client, where the electronic messages are relevant to the recipient’s business, role, function or duties, or where the electronic address has been conspicuously published/disclosed (for example on a public website) without a statement that the person does not wish to receive unsolicited commercial electronic messages.
FISA also contains an anti-phishing provision that prohibits someone from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent.
Finally, the anti-malware provision under FISA prohibits someone from installing computer programs on any other computer system, or causing that computer program to send an electronic message from the computer system, without the consent of the owner or authorized user of the computer system.
Types of Messages the FISA Covers
FISA defines “electronic address” broadly to cover email, instant messaging (IM), text messages on phones, and messages on “any similar account,” which could include messages sent over Facebook, Twitter, and other social media applications. It also contains a new and broad definition of “electronic message,” which includes a message sent over any means of telecommunication, including text, sound, voice or image, and therefore implicates voice mail messages, webcam messages, and the exchange of pictures or graphic files by electronic means as well. This definition extends coverage of FISA to most means of electronic communication, with the exception of broadcasting, which is explicitly exempted.
Impact on Canadian Businesses
Canadian businesses that do any form of electronic communication with clients or potential clients need to understand the new legislation and be in compliance by September 2011. Here are some key points businesses should consider.
Canadian businesses need to review their email lists and make sure they have consent (either express or implied) from these people to receive commercial email. If there is no existing business relationship, companies have to get consent before the law is enacted and enforcement starts in September 2011.
Commercial electronic messages must provide recipients with a simple way to unsubscribe/opt out of future messages. Companies need to implement processes to remove addresses from email lists once someone has opted out.
The messages must also include the name of the actual sender (including the beneficiary of the email if a third party email company is being used) as well as the sender’s contact information. This contact information must be valid for at least 60 days after the message is sent.
Companies will likely need to keep copies of website pages and confirmations to prove people have provided consent. This is so that when a complaint is filed, the company has the ability to prove consent.
Companies should review and update their privacy policies to ensure they comply with the new rules.
Many companies may want to consider outsourcing email campaigns to third parties that have the systems and processes to handle this rather than trying to do it in-house.
Hefty Fines If Companies Don’t Comply
Rules have little teeth unless there are consequences and the FISA legislation comes with some heavy penalties. Companies really need to take note because financial penalties are substantial and liability extends to company directors and officers. Here is the gist of what happens to companies/individuals who don’t comply.
FISA designates the Canadian Radio-television and Telecommunications Commission (CRTC) as the regulatory agency responsible for investigating “violations” and imposing penalties against violators of the Act.
Violators can be fined up to $1 million for an individual and up to $10 million for an organization. Fines are imposed per violation, and the regulations may define some types of violations as being separate for each day that they continue, so the maximum amounts for these could therefore be imposed for each day that the law is found to have been violated. For example, a business that has been spamming for 10 days could conceivably be required to pay up to $100,000,000 in penalties.
Alternatively, consumers and businesses have a 3-year time limitation to take civil action against anyone who “contravenes” FISA. If the route of the courts is taken, the court may order compensation equal to the loss or damage suffered and expenses incurred, in addition to another $200 for each contravention up to a maximum of $1 million per day.
And for company owners who think this is an issue the marketing department needs to deal with, think again! Corporate officers and directors can be held personally liable for corporate violations or contraventions, and employers can be held liable for violations or contraventions committed by their employees acting within the scope of their employment.
Will the Act Actually Reduce Spam?
The new law will likely improve the business practices of Canadian companies around responsible advertising and communication. However, since so much spam originates from other countries and via botnets, it is unlikely the legislation will have huge impact on the total amount of spam we receive.