Canada’s proposed new Anti-Spam legislation (Bill C-27), which would enact the Electronic Commerce Protection Act (“ECPA”), has recently gone through a second reading in the House of Commons, and is now in committee hearings. According to the Federal Government, the ECPA will “deter the most dangerous forms of spam” such as email and text message spam, phishing, identity theft, email address harvesting, spyware and botnets, and “help drive spammers out of Canada”.
The key anti-spam, anti-phishing and anti-spyware features of the ECPA are set out in Sections 6 to 8, respectively. Unless prior consent has been obtained, the ECPA prohibits (for commercial purposes): sending electronic messages (Section 6), altering the transmission data in an electronic message (Section 7), and installing a computer program on any other person’s computer or causing electronic messages to be sent from another person’s computer (Section 8).
The ECPA would give the Canadian Radio-television and Telecommunications Commission (“CRTC”) greater powers to deal with spammers, such as the ability to impose administrative fines of up to $1 million against individuals and up to $10 million against non-individuals.
There is also a private right of action under the ECPA. A person who alleges that they are affected by a contravention of certain key provisions of the ECPA (which also relates to the unlawful collection, use or disclosure of their personal information without their knowledge or consent pursuant to the Personal Information Protection and Electronic Documents Act) can apply to the courts and, if successful, be awarded compensation in the amount of the loss or damage suffered, as well as up to $200 for each contravention, up to a maximum of $1 million per day.
In both of the above cases, officers, directors and agents of corporations, as well as employers, can potentially be found personally liable.
While few would question the merits of introducing legislation to deal with harmful forms of electronic communication (such as skyrocketing rates of malicious spam), a closer look at the ECPA reveals that it could affect the business practices of more than just spammers.
The main anti-spam provisions of the ECPA (found in Section 6) stipulate that no commercial electronic message can be sent to an electronic address unless the recipient has consented to receiving it and the form of the message meets prescribed requirements. Basically, recipients will have to “opt-in” to receive commercial emails or text messages, and must be provided a means of contacting the sender to quickly and easily “unsubscribe” from further messages.
Such strict consent and form requirements are cause for concern for employers who may be found personally liable for the actions of well intentioned employees who are simply unfamiliar with the requirements of the legislation. This is especially troubling in light of the quick and often casual nature of electronic communications, particularly when coupled with the all encompassing definition of “commercial electronic message”.
Even if consent and form requirements are well understood and followed, the “opt-in” requirement may cause some headaches for many ordinary businesses in initiating legitimate business communications with potential or past customers, suppliers and other contacts. Consent will only be implied if there is an existing business or non-business relationship. Such relationships are narrowly defined in the ECPA and generally require specific transactions within the last 18 months. As a result, businesses will need to seek express consent from potential customers and even from existing customers if there have been no transactions between the parties within the past 18 months. And to further complicate matters, an electronic message to request consent to send a commercial electronic message is deemed to be a commercial electronic message… and thus cannot be sent without consent. This can result in a catch-22 situation for a business trying to initiate or re-establish contact with potential customers, regardless of whether such customer is an individual or another business.
Another far reaching section of the ECPA is the anti-spyware provision found in Section 8, which requires express consent to install a computer program on a computer system. In seeking express consent, the installer must describe clearly and simply the function, purpose and impact of every computer program to be installed. This may pose a logistical problem for certain businesses (such as software companies providing automatic patches and updates to customers), as the exact function, purpose and impact of such programs may not be known at the time of original consent. In addition, certain forms of electronic communication devices may not have the capability to allow customers to expressly consent to each application installed.
While the goals of the ECPA are laudable and effective anti-spam legislation is long overdue, we question whether the ECPA casts its net too widely by setting up a blanket prohibition of the transmission or installation of ALL commercial electronic communications and programs without consent. A more strategic approach (and one less arduous for legitimate businesses) might be to focus on prohibiting only the malicious or bulk transmission or installation of fraudulent or misleading communications or computer programs. Legitimate businesses and individuals should not be burdened with the onerous responsibility of ensuring that each individual commercial email conforms to stringent legal requirements prior to hitting “send”.
As the ECPA is currently in Committee stage, it is not too late to have your say. Individuals or companies concerned that they will be impacted by the ECPA may submit their concerns to the House of Commons Standing Committee on Industry, Science and Technology.