The Canadian Anti-Spam Bill

The Electronic Commerce Protection Act, Bill C-27, has passed second reading in Parliament and will go to committee for review.

Views seem to differ on parts of the bill, while other parts are generally accepted.

One of the areas of contention deals with the degree of consent required to send someone an email. The Bill has an ‘opt in’ system, by which the sender needs the express or implied consent of the addressee to send a message. An existing business relationship may imply consent.

However, some people say that the Bill is so broadly drafted that it would prohibit someone from contacting a business that the person wanted to deal with, even on a business-to-business basis. For example, I look at your website and see that you offer a product that I could use in making my product. If we have no business relationship, I cannot send you an email to inquire about pricing or whatever, and I can’t send you an email to ask for consent to send you a substantive email. The Bill is not limited to messages sent in bulk.

Is that a fair interpretation of the Bill?

The Bill also prohibits downloading software into someone’s computer without their consent. While this is a useful prohibition against the installation of spyware, concerns have been expressed about its prohibition of cookies, which are very commonly installed to govern either the session during which a web site is visited, or future visits, without transmitting any personal information.

The prohibition is said to bar in practice even consent to accept software updates, because of the alleged impossibility of describing in sufficient detail the function of future updates at the time one wants to subscribe to them.

Again, is that a fair interpretation of the Bill?

The Bill gives a private right of action for violations of its provisions, or some of them — and for violations of some sections of PIPEDA on privacy. This is a fairly dramatic change from the current enforcement of PIPEDA, which depends on a review by the Privacy Commissioner and a possible court action if there is no compliance with what the Commissioner orders. The change will give to the courts, not the Commissioner, the task of evaluating the balancing of interests that is the essence of that Act. Is this a problem? Courts balance interests all the time in interpreting statutes.

Michael Geist’s column in the Toronto Star gives little weight to these business concerns (“opponents may try to sow fear within the business community”) and says the Bill’s provisions are standard fare in the rest of the world.

The McCarthy Tétrault review of the bill gives more weight to the concerns.

Your views?

Comments

  1. This seems quite silly. It would prohibit “legitimate” (I used that term loosely) enterprises from disseminating information on products and services that people might (but probably won’t) actually want. I doubt very much that it would reduce significantly the deluge of spam originating from Nigeria and Brazil.

  2. I have been involved in the public consultation leading up to this bill, representing both anti-spam groups and the industry itself.

    The bill is very carefully oriented towards best practice (both marketing and others) that most of the legitimate organizations in North America and elsewhere are already implementing. This can be seen by the support of such organizations that has been published to date.

    Secondly, while this legislation, by itself, won’t directly impact spam sent from elsewhere in the world, by bringing our laws into rough agreement with the best legislation in the world (such as the EU and Australia), it provides a basic level of requirements of email sent by or to Canadians, and makes it possible for international reciprocal agreements on prosecution – the law has specific provisions for entering into international agreements.

    I recommend reading

    http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?List=ls&Query=5800&Session=22&Language=e

    for more interpretation.

    Per your specific questions:

    - does this prohibit unsolicited one-on-one queries about an offered service/product? No. See section 6(5):

    Exceptions include messages sent between those who have a personal or family relationship, and any message sent to someone engaged in a commercial activity that is solely an inquiry or application relating to that activity.

    - Re: cookies and software updates.

    The law, neither explicitly nor by intent, requires that the provider of software updates, cookies and so on go into minute detail of everything that is being done. For example, it would not require that Microsoft provide byte-by-byte explanations of each patch. What it does do is require that Microsoft make available general descriptions of what each patch is for. For example, “fix bug A, remove vulnerability B, run faster”. They already do, as do all other reputable software vendors. Industry already demands this. This law is designed for those who will try to get you to download software or patches that go beyond what you want them to.

    As for cookies, data collection etc., it requires that the organization publish in general terms what the captured information is, and what it will be used for. This is already required by PIPEDA (and similar legislation elsewhere) and already implemented by virtually all legitimate organizations world-wide – that’s what the “privacy policies” you see on so many web sites are.

    A software vendor could say, for example, “this patch fixes bug A and B”, but if it also sniffs out and transmits to others your banking information and didn’t tell you about it (like spyware does), it would be a violation.

    The goal is simply informed consent for the release of personal information or modification of your computer. You can hardly argue with that.

    This law doesn’t require anything that reputable organizations are not already doing. It’s not new, it’s just setting the bar at what is already routine and expected of reputable players on the Internet.

  3. That’s helpful, Chris. Any chance that the bill might be passed if this Parliament lasts till, say, late October? Or would it need 6 months or a year in the ‘normal’ course?

  4. John asked whether this might pass by October.

    From all indications all of the federal parties are in basic agreement on this bill and support it pretty much as written. There’s the usual partisan posturing on mostly extraneous/irrelevant issues, and one or two things that might need a careful explanation (that is being done). The vote certainly seems there if it were actually called.

    At least up until the parliamentary break, people who “know these things” seemed quite confident that this would easily pass final reading in early fall without trouble.

    I had gotten worried through the break. Previous legislation died before introduction when the Martin government fell. I didn’t want that to happen again - this has been in the works for about 6 years.

    But recent events seem to indicate that there’s no reason why they can’t get it through in the fall.

    I’m hoping to see it in the order paper.