News - Fresh Data Archive Article

Return to Fresh Data Blog
Return to Fresh Data Archive

What Canada’s New Anti-SPAM Law Means to You

Date: August, 2011 --


In December 2010 Canada finally adopted the anti-SPAM bill first introduced in 2009 as the Electronic Commerce Protection Act. The Fighting Internet and Wireless Spam Act (FISA) takes effect this fall and draft regulations are scheduled to be issued for public comment in the very near future.

Unlike the United States, a commercial Emailer must obtain the affirmative expressed consent from addressees before sending commercial emails or other electronic messages, unless there is an existing business relationship. For existing addresses on file who have not objected, and with whom you have a business relationship, there is an assumed “implied consent” to commercial messages for two years from the establishment of that relationship. A “business relationship” includes enquiries as well, but only for six months. 

It’s not only just email that is regulated.  The other electronic messages included in the definition include any message by telecommunication, such as text/SMS, sound, voice, image, IM, telephone, or "any similar account". Presumably, this would also include social media venues.

The statute also makes illicit the loading of software on a remote computer without consent, e.g., capturing, hacking, malware, spyware, and more. If your customer acquisition or customer service functions include direct contact through APIs that are loaded to the prospect’s or customer’s computer, you’ll need affirmative consent. 

Another important detail is that the name and contact information of the sending company must be disclosed in the email.  There must also be an easy means of communication provided, which is currently being interpreted in the industry as a phone number.  And there should of course be a mechanism allowing recipients to unsubscribe.

This law has real teeth and provides for fines of up to $1 million for individuals and $10 million for businesses. The fines are “per violation”, by the way, and there is some grounds to believe that a campaign mailed over a multi-day period would draw a fine for each day. Thus a three-day campaign might cost a company $30 million in fines.

In addition to these penalties there is a private right of action for an individual or business that has been affected by a violation. Compensation may be obtained for loss or damage suffered or expenses incurred and a maximum penalty of $200 per contravention, or $1 million per day for the spam violation, and $1 million per day for violating the hacking, malware or spyware prohibitions. 

The statute of limitations for a company or individual to sue is three years.  Moreover, to focus the attention of management, corporate officers and directors can, in some circumstances, be held personally liable for corporate violations by employees. 

The “lore” of this statute is that these penalties were intended to be aimed at really egregious examples of the worst spammers, but courts can interpret laws in unexpected ways.  If you are a US or other non-Canadian company without physical presence in Canada, it is possible that any lawsuit against you in Canada would not be sustainable. At the very least you could not be sued in a US court under the Canadian law.

Nevertheless, nearly any company in the United States with a substantial database of email addresses which are of “opt-out” origin should probably consider searching for a means to determine the physical location of the email addresses on file and obtaining consent where possible.  Obviously, “.ca” domains are Canadian, but the nationality of gmail, AOL and MSN address-holders could be anywhere in the world. 

It is not unlikely that a certain class of individuals and lawyers will be taking advantage of the liability provisions under this statute.  One may take some comfort in the grace period provided for existing business and non- business relationships.  This should permit continued emailing to current databases while further business relationships are documented or consent obtained.  There is also an extended phase-in period for non-profits and small businesses, which have three years to come into compliance. Either way Data Services recommends utilizing the Canadian Pander Suppression services to remove known complainers from your file.

For your files that include physical addresses, locating Canadians and treating them appropriately will be easy.  As for the rest, Data Services is prepared to assist you in determining the probable location of the email addresses in your files and thus your compliance obligations to obtain affirmative opt-in.  Naturally, if you have that opt-in already, the exercise may still be useful to help geolocate your customers if you are using that information in your marketing or product development!