Anti-Spam Act – Bill C-28 – How It Might Affect You

The anti-spam bill – Bill C-28 – was recently passed, and is expected to be in force sometime later this year.

If you think it won’t affect you because you don’t send mass emails trying to sell random products, and don’t infest other people’s computers with spyware, you would be wrong.

It applies to the sending of commercial electronic messages that many of us would not consider to be spam. An email to just one person that you consider a potential customer or client who you met at an event may fall into the prohibitions. And it applies to other forms of electronic communications, such as instant messages, and various kinds of social media.

It can also apply to software updates in certain circumstances.

So while the intention is to control what we all understand as spam and spyware, it has the potential to affect many things that we may not intuitively consider spam or spyware. Similar to privacy legislation, this Act will no doubt lead to situations where our first reaction is to label it spam or spyware if we receive it, but not consider the same thing spam or spyware if we send it.

There are details that will be covered in yet to be drafted regulations. Personally, I would like to see some kind of volume threshold where it is deemed not to be spam if it’s a targeted message sent to a small number of individuals.

Until we see the regulations, it is going to be hard to give specific advice to a typical business or organization as to what they must do to comply. Many things that could potentially affect a typical business fit threshold situations that might result in a different answer depending on the regulations. The penalties are significant, so it’s not legislation to be taken lightly. Remedies include fines of up to $1,000,000 for individuals, $10,000,000 for others, and private rights of action.

Some things are “reviewable conduct”, meaning that it is subject to the investigatory and order making powers of the Privacy or Competition Commissioners.

The act is long and complex, and includes amendments to four existing acts – the CRTC Act, Competition Act, PIPEDA, and Telecommunications Act.

Directors and officers can be personally liable if they authorized or acquiesced in the offence. Employers are vicariously liable for the actions of their employees acting within the scope of their authority.

While we await the regulations, here are some things to ponder for those who don’t consider themselves spammers.

The act starts with a broad definition of “commercial electronic message”, and says that you can’t send them unless it fits within a specific exemption. One of the keys will be to figure out what the boundaries are of “commercial activity”.

“Electronic message” is broadly defined to include a message to email, instant message, phone, or “any similar account”. That could include things like a twitter direct message – but I would think not a general tweet to people who choose to follow you.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

It is not spam if the recipient consented to receive the message. The Act has extensive provisions defining what amounts to explicit or implicit consent. It includes things we might expect, such as on ongoing business, personal or family relationship – some of which have two year windows. Also exempted are messages to those who publish their address or have provided you with their address – so long as the message is relevant. I suspect that means that since my email address is published on our firm web site and other places, you will be able to email me with anything relevant to the practice of law – but you won’t be able to email me trying to sell me a trip.

Or if I hand you my business card, the same applies.

It is up to the sender to show that they have consent if there is a complaint. So will we need to track that to be safe, i.e. somehow track that you got my address from our web site, or the card I handed you?

Directors and officers personal liability will be tempered if they can show diligence. Since almost everyone in an organization routinely sends email, tweets, etc., organizations may want to set up policies and training programs to educate employees and reduce potential corporate, director and officer liability.

Exemptions for an “existing non-business relationship” includes donations, volunteer work, or memberships – with a two year window. Charities will need to review these provisions carefully, as they will affect how they approach prospective donors and volunteers.

One example to think about is a press release. Those sending a press release will need to think about the purpose of the release, and who is on the email list. Is it being sent beyond traditional news services? Does the fact that a recipient has published their email address on their firm’s website mean that they can or cannot get the release depending on the content of the release? Does the fact, for example, that my email address is listed on my newspaper column mean I can be sent emails that could not be sent if my address was only on our firm web site? Does it make a difference that I may be listed somewhere on a list of journalists because I write a newspaper column? Are bloggers considered the same as journalists? Does it make a difference if my address is disclosed on various social media platforms, such as Facebook, LinkedIn, Twitter, or .tel?

Am I restricted from sending personalized individual emails to a handful of influential people active on social media who I hope will spread whatever message I want to get out? Am I going to have to analyse each recipient to see how close or distant a connection they have under the exemptions, or how their email address has been published?

Will the answer be different if I send it to them as direct message on twitter, rather than by email?

How will senders possibly track all this, or find the time to do so?

Those creating and selling software will need to consider how this affects them. The Act adopts the broad definitions of “computer program” and “computer system” from the criminal code. It thus applies to any electronic instructions that execute to perform a function, on any device capable of executing them. That would include phones and tablets. And since almost everything includes some kind of computing power these days – might some of these provisions affect things such as PVR’s or cars?

The Act has provisions that affect software that collects personal information. Certain functions will require specific permission, such as anything that changes or interferes with settings, interferes with a user’s control, or causes it to communicate with another computer. Consider, for example, how that might apply to software that is licensed for a specific term that automatically stops working at the end, or allows the vendor to cripple it for non-payment.

Software vendors may have to amend their EULA’s to comply. And some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA. So software vendors will have to think through how their software works, how the Act might come into play, and what permissions are required. 

Another thought for software vendors is whether changing from a traditional installed software model to a hosted SAAS or cloud model will avoid some of these issues.

Stay tuned for more as the regulations are drafted and we come to grips with the ramifications. There will no doubt be a lot written about this over the next few months, as well as educational opportunities.