Bill C-28: How will it affect Your Organization?
Bill C-28, the Fighting Internet and Wireless Spam Act, received Royal Assent in December 2010.
Similar in many respects to its predecessor, Bill C-27, the Electronic Commerce Protection Act, which died on the order paper in December 2009, Bill C-28 aims to prohibit the sending of unsolicited commercial electronic messages.
The anti-spam rules apply to “commercial electronic messages”. Messages are “commercial” if the nature or the purpose (or one of the purposes) of the message is to encourage participation in a commercial activity. The Act defines “electronic message” to include messages sent over any means of telecommunication, including text, sound, voice and image. The Act also defines “electronic address” broadly, in order to cover e-mail, instant messaging, text messages, and messages on “any similar account”. This definition could include messages sent using Facebook, Twitter, and other social media applications.
Commercial electronic messages may be sent only where the recipient consents, unless the sender can demonstrate that a statutory exception exists (for example: providing a quote or estimate, completing or confirming a commercial transaction, providing warranty information, or providing product recall information or safety information regarding a product that the message recipient has purchased or used).
Limits are placed on when consent may be considered to have been implied, including when there is an existing business relationship between the sender and the recipient. An “existing business relationship” exists where the sender can demonstrate that a business relationship arose from:
• the purchase or lease of a product, good or service within the previous two-year period;
• a written contract that exists with the recipient (for two years following the termination of the contract); or,
• the recipient having made inquiries with the sender about commercial activities within the previous six-month period.
However, the above-noted time periods do not apply during the first three years after the rules come into force if the existing business relationship includes communications that the recipient has not chosen to opt out of.
In order to obtain consent for the purposes of the Act, businesses must clearly set out the purpose for which consent is being sought, and provide information identifying the person seeking consent and any other information required by the regulations. Commercial electronic messages must also include an “unsubscribe” mechanism that meets certain requirements, and messages must include the sender’s contact information.
Bill C-28, in addition to fighting against spam, also addresses the threats of spyware and pharming. With respect to spyware, a new consent-based regime for the installation of any computer program on a user’s computer has been created. Pharming, or the altering of transmission information in an electronic message without the consent of the sender, is prohibited.
Bill C-28 also amends other statutes. The Act restricts certain exceptions that exist under the Personal Information Protection and Electronic Documents Act, and amends the Competition Act with respect to misleading electronic marketing messages.
The Bill sets out significant administrative monetary penalties of up to $10 million for corporations and $1 million for individuals, as well as statutory damages of up to $1 million per day. It should be noted that corporate officers and directors can be held personally liable for corporate violations or contraventions, and for contraventions committed by employees who are acting within the scope of their employment. The Act also provides for a private right of action to allow consumers and businesses to commence enforcement proceedings in order to recover damages.
If enacted, Bill C-28 will impact many organizations and will create significant penalties for non-compliance. Given that it is unknown whether the government will delay the coming into force of the Bill in order to provide businesses with time to make necessary changes to their operations, organizations should start the process of reassessing their practices for sending commercial electronic messages now. Organizations may wish to reassess their procedures and systems with respect to obtaining and documenting consent, develop procedures and systems to meet the new disclosure rules, and provide for an “unsubscribe” mechanism for commercial electronic messages. Organizations may also wish to consider outsourcing e-mail campaigns to a third party that has developed appropriate systems and processes.