Practice Tips, by Dave Bilinsky, Practice Management Advisor
Canada’s new anti-spam law
Spam! Spam! Spam! Spam!
Lovely Spam! Lovely Spam!...
Lyrics, music and recorded by Monty Python
Canada’s new anti-spam law was passed in December 2010. According to the website fightspam.gc.ca, the date it comes into force will be set in the coming months.
Once the regulations are published in final form, there will be a period of time for businesses to review their activities and prepare for the Act. This gives law firms the opportunity to adjust their practices to comply with the Act.
What does the Act do?
There are three principal groups affected by the Act. One is anyone who sends commercial electronic messages. The other two deal with those who alter transmission data or are involved with the production and installation of computer programs. For the purposes of this column, we are only going to look at the first, the sending of commercial electronic messages.
The Act is aimed at promoting e-commerce by deterring spam, identity theft, and other malicious activities, such as phishing (the harvesting of passwords and personal information such as banking records), spyware, botnets and misleading online commercial representations. Its intent is to drive spammers out of Canada.
When does the Act come into force?
The Act comes into force on proclamation, which is expected to be in late 2013 or early 2014. Once in effect, the Act incorporates a three-year period that imputes consent to send commercial electronic messages. But if a recipient of an email message states that they don’t wish to receive any further commercial messages, this period, as it relates to this person, comes to an end.
What are the penalties?
The Canadian Radio-television and Telecommunications Commission (CRTC) will have a number of compliance tools, but the one that may be of most interest is the administrative monetary penalty. The penalties are significant. The maximum penalty is $1 million per violation for an individual and $10 million per violation for entities (such as corporations).
There is also potential vicarious liability in the new Act. This includes directors, officers, agents or mandataries of a corporation and employers of people acting within the scope of employment. To avoid director, officer or employer liability, law firms would need to show that they undertook due diligence before sending an offending message.
The relevant factors in determining a penalty include the purpose of the penalty, the nature and scope of the violation, the history of the sender, the financial benefit accruing from the communication and, not least of all, the ability to pay. The sender may also enter into an undertaking with the CRTC regarding future compliance.
What about private rights of action?
A private individual affected by a contravention will be able to apply to court for compensation. Remedies include maximum penalties of $200 per contravention with a maximum $1 million per day for spam and $1 million per act of aiding, inducing and procuring breach of spam (and malware, spyware or message routing).
What is a commercial electronic message?
A commercial electronic message is an email that encourages participation in a commercial activity. Presumably, any marketing email sent out by a law firm would fall into this category, including those aimed at clients, prospective clients and subscribers to email lists or newsletters. It includes messages containing text, sound, voice or images.
It does not matter if the spam messages originate within or outside of Canada, so long as they are received in Canada. It also does not matter if the spam message was sent with no expectation of profit (for example, holiday greeting messages).
What will be the requirements on law firms when sending out commercial electronic messages?
The law firm will need consent from the recipient before sending a message. Further, the firm will be required to include within the message information that identifies the sender and allows the recipient to opt out of any future messages.
Are there any exceptions to obtaining consent?
Yes, there are a number of exceptions: for example, messages between family members or those with personal relationships. There are others listed in the Act, though much will depend on the regulations (which are still in draft form).
Consent is implied in certain circumstances. For example, consent would be implied if you had a business opportunity with someone in the last two years; had an inquiry in the previous six months from the recipient; or had an engagement with the person that ended in the last two years. But a law firm should ensure that it has explicit consent or falls clearly within an implied consent exemption before sending email to someone who is not currently a client.
What comprises express consent?
The CRTC has indicated that it requires a positive or explicit indication of consent, such as the use of an opt-in consent mechanism. Specifically, a subscription email, text message or other equivalent cannot be used to elicit consent.
You will need to provide the reason or purpose for the consent as well.
What about opt-out disclosure?
Each message must incorporate (directly or via a website link) the identification of the sender, the mailing address and phone, email or web address of the sender and an unsubscribe mechanism.
What should law firms do in the meantime?
Law firms should obtain express consent from clients and others so they can continue to communicate by email. Law firms should be undertaking an audit of their online communications, such as automated messages and client newsletters. Websites and blogs should have an opt-in mechanism to receive newsletters and communications from the firm.
Law firms should review their privacy policies and update their processes to incorporate consent from clients or prospective clients. They should add unsubscribe clauses to their communications. Firms need to provide training for lawyers and staff on the new Act. Principally, law firms need to consider the impact of the new Act and plan for the changes it will bring in their business processes.