Canada Enacts Anti-Spam, Phishing, Spyware Legislation

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

New Canadian anti-spam law legislation was approved by Parliament and received Royal Assent on December 15, 2010. The “Fighting Internet and Wireless Spam Act” (Statutes of Canada 2010, c. 23; Bill C-28) prohibits the sending of commercial electronic messages without the prior consent of the recipient. The legislation also addresses threats from other types of unsolicited electronic contact, including identity theft, phishing, spyware, viruses, and botnets.

The law grants a right of civil action to businesses and consumers targeted by the perpetrators of such activities. It will come into force on a day or days to be fixed by order of the Governor in Council.

Spam

Along with the prior consent requirement, the legislation provides that commercial e-mail messages must:

(1) Identify the person who sent the message and the person on whose behalf it is sent,

(2) Provide accurate contact information for these parties, and

(3) Set out an unsubscribe mechanism as outlined in the legislation.

The prohibition on spam does not apply to messages that facilitate, complete, or confirm a commercial transaction that has already been agreed to by the recipient, or that provides warranty, product recall, safety, or security information about a product, good, or service that the recipient has used or purchased.

Phishing

The same consent requirement for spam also applies to phishing messages. Phishing is described as e-mail that is sent from what appears to be an organization the recipient knows, such as a bank, requiring the recipient to send back personal information or confirm the information via a link.

Alterations of Transmissions

The legislation prohibits certain activities regarding electronic communications between two parties that have been intercepted. Such transmissions may not be altered so that the message is sent or copied anywhere other than where the sender thinks it is going.

All alterations to the transmission data require the express consent of the sender, with the ability to withdraw that consent at will. Service providers are exempt from this requirement, because they sometimes need to alter transmission data for technical reasons.

Unauthorized Software

The statute provides that no one may, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system, nor may anyone use any installed program to cause an electronic message to be sent from another person’s computer, without the owner’s express consent. This provision is aimed particularly at the surreptitious installation of spyware and malware.

Enforcement and Penalties

The law designates the Canadian Radio-television and Telecommunications Commission as the main regulatory agency responsible for pursuing administrative penalties against violators. The CRTC is given investigative powers by the statute, including the power to require production of documents.

The maximum penalty for an individual is $1 million and the maximum penalty for a corporation or other organization is $10 million. These penalties are to be imposed per violation.

The law also amends the Personal Information Protection and Electronic Documents Act (CCH Privacy Law in Marketing ¶42,200) to expand the Privacy Commissioner’s discretion and permit the Office of the Privacy Commissioner to take measures against the unauthorized collection of personal information through hacking or illicit trading of lists of electronic addresses.

In addition, the law amends the Competition Act, giving the Competition Bureau and the Commissioner of Competition a role in investigating and enforcing the new anti-spam provisions. Under the anti-spam legislation, the Competition Act’s existing regime on misleading and deceptive practices has been expanded to include online activity.

Private Right of Action

Persons affected by violations are able to bring a private action for actual damages. Courts may also award statutory damages of $200 for each violation, up to a maximum of $1 million per day.

Text of the legislation will appear in CCH Privacy Law in Marketing. More information on the law is available here at the Canadian Parliament’s website.