Fresh Data Blog
Fresh Data Archive
What Canada’s New Anti-SPAM Law Means to You
Date: August, 2011 --
In December 2010 Canada finally adopted the anti-SPAM
bill first introduced in 2009 as the Electronic Commerce Protection Act. The
Fighting Internet and Wireless Spam Act (FISA) takes effect this fall and draft
regulations are scheduled to be issued for public comment in the very near
Unlike the United States, a commercial Emailer must
obtain the affirmative expressed consent from addressees before sending
commercial emails or other electronic messages, unless there is an existing
business relationship. For existing addresses on file who have not objected,
and with whom you have a business relationship, there is an assumed “implied
consent” to commercial messages for two years from the establishment of that
relationship. A “business relationship” includes enquiries as well, but only
for six months.
It’s not only just email that is regulated. The other electronic messages included in the
definition include any message by telecommunication, such as text/SMS, sound,
voice, image, IM, telephone, or "any similar account". Presumably,
this would also include social media venues.
The statute also makes illicit the loading of software on
a remote computer without consent, e.g., capturing, hacking, malware, spyware,
and more. If your customer acquisition or customer service functions include
direct contact through APIs that are loaded to the prospect’s or customer’s
computer, you’ll need affirmative consent.
Another important detail is that the name and contact
information of the sending company must be disclosed in the email. There must also be an easy means of
communication provided, which is currently being interpreted in the industry as
a phone number. And there should of
course be a mechanism allowing recipients to unsubscribe.
This law has real teeth and provides for fines of up to
$1 million for individuals and $10 million for businesses. The fines are “per
violation”, by the way, and there is some grounds to believe that a campaign
mailed over a multi-day period would draw a fine for each day. Thus a three-day
campaign might cost a company $30 million in fines.
In addition to these penalties there is a private right
of action for an individual or business that has been affected by a violation.
Compensation may be obtained for loss or damage suffered or expenses incurred
and a maximum penalty of $200 per contravention, or $1 million per day for the
spam violation, and $1 million per day for violating the hacking, malware or
The statute of limitations for a company or individual to
sue is three years. Moreover, to focus
the attention of management, corporate officers and directors can, in some
circumstances, be held personally liable for corporate violations by employees.
The “lore” of this statute is that these penalties were
intended to be aimed at really egregious examples of the worst spammers, but
courts can interpret laws in unexpected ways.
If you are a US or other non-Canadian company without physical presence
in Canada, it is possible that any lawsuit against you in Canada would not be
sustainable. At the very least you could not be sued in a US court under the
Nevertheless, nearly any company in the United States
with a substantial database of email addresses which are of “opt-out” origin
should probably consider searching for a means to determine the physical
location of the email addresses on file and obtaining consent where
possible. Obviously, “.ca” domains are
Canadian, but the nationality of gmail, AOL and MSN address-holders could be
anywhere in the world.
It is not unlikely that a certain class of individuals
and lawyers will be taking advantage of the liability provisions under this
statute. One may take some comfort in
the grace period provided for existing business and non- business
relationships. This should permit
continued emailing to current databases while further business relationships
are documented or consent obtained.
There is also an extended phase-in period for non-profits and small
businesses, which have three years to come into compliance. Either way Data
Services recommends utilizing the Canadian Pander Suppression services to
remove known complainers from your file.
your files that include physical addresses, locating Canadians and treating
them appropriately will be easy. As for
the rest, Data Services is prepared to assist you in determining the probable
location of the email addresses in your files and thus your compliance obligations
to obtain affirmative opt-in. Naturally,
if you have that opt-in already, the exercise may still be useful to help
geolocate your customers if you are using that information in your marketing or