I just finished listening to another IT-Can teleconference on the anti-spam act, this one presented by Barry Sookman and Lorne Salzman of McCarthy Tetrault. For those wanting more detail, slides will be posted soon on the IT-Can website, the McCarthy Tetrault website, and Barry’s blog.
It reinforced my earlier concerns that this legislation is going to affect almost every business or organization. Many of its provisions strike me as a sledgehammer to kill a fly approach. Some of the highlights from the teleseminar are as follows:
Why be concerned?
There are large penalties for violations. They include extensive awards for private actions, including class actions.
There is broad vicarious liability – which extends to mere acquiescence, including officer and director liability .
It will be important to have policies and processes to mitigate, and to look at D&O insurance to see if it is covered.
The act applies where there is any connection to Canada – even just routing through Canada or accessing from Canada brings conduct under the act.
The act is a significant departure from other spam legislation in other countries, so foreign entities can’t rely on processes they have developed to comply with other spam legislation.
Various definitions, eg “electronic message”, are open ended non-exclusive lists.
It is thus crucial to think about various forms of electronic messaging, such as social networking, text messaging, etc. Different solutions may be required for different platforms.
Where consent is required or obtained – need to express both the purpose and yet to be prescribed information. But sending a message to get consent is itself considered spam.
Consents obtained for PIPEDA may not be good enough for this. “Implied” means something different here than in PIPEDA.
The spyware sections deal with any software – good or bad – installed on someone’s computer. Applies to computer programs and computer systems as defined in Criminal code – which is very broad. Would include smartphones, e-book readers, cars. etc.
The e-mail collection (harvesting) sections alter PIPEDA. These sections are not tied to spam related activity. Need to look at to what extent email addresses are collected for any reason. Damages are attached to this – which is not otherwise the case in PIPEDA.
It amends Competition Act to add specific provisions for electronic communications to deceptive marketing practices regime that already exists.
Adds 4 new deceptive marketing practices:
- if make false or misleading misrepresentation in electronic message in a material respect
- if make false or misleading misrepresentation in sender portion
- if include false or misleading information in subject area
- if there is false or misleading misrepresentation in locator (eg url).
It is noteworthy that only # 1 says “in a material respect”. Also that there is no notion of these needing to go to the public – so numbers sent and the type of recipient doesn’t matter. There is no notion of consent or pre-existing relationship here.
Consider e.g. an email that says “fly from X to Y for $200”, with a body that goes on to set limits on time, taxes, extras, etc. Is that a contravention? Or “lose 20 pounds in 4 weeks” – or “our best sale of the year”.
CRTC will deal with spam and spyware aspects of the Act. It will designate enforcement officers (aka “spam police”). They have broad powers to investigate and enforce.
Undertakings (a negotiated settlement) may be common.
Due diligence defenses are available – but unclear what would be required to meet that.
The penalties are “per violation”. Not clear what a violation is – eg. If send the same email more than once, are they separate violations?
The Act includes language that could replace the do not call phone regime with this. The feeling is that this is there in case this is desired in the future, but that there are no current plans to do that.
Private right of action can apply to any misconduct under the Act, including the amended provisions in PIPEDA or the Competition Act. Remedies include compensation for loss and expenses, “private fines” (statutory damages) really as a bonus for pursuing the action. Up to a $ 1,000,000 per day, or $1,000,000 per event for some things.