Fighting Internet and Wireless Spam Act


Published on

Canadian Anti-spam Law Presentation from the IAPP Canada Privacy Symposium. Presented on May 28th, 2010.

C-28, Fighting Internet and Wireless Spam Act

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Fighting Internet and Wireless Spam Act

  1. 1. Electronic marketing under Bill C-28, the Fighting Internet and Wireless Spam Act Shaun Brown – Counsel, Law Office of Kris Klein Matthew Vernhout – Director, Delivery and ISP Relations, Thindata 1:1
  2. 2. Goals • General understanding of the legislation – Substantive requirements – Enforcement regime • Practical guidance • Address potential fears
  3. 3. How we got here • May 2004 - IC establishes Task Force on Spam • May 2005 – Task Force presents final report to IC • April 24, 2009 – Bill C-27, the Electronic Commerce Protection Act (FISA) introduced in the HoC • November 30, 2009: passed House with unanimous support; amended as a result of consultation and committee meetings • December 15, 2009: passed 2nd reading in Senate • December 30, 2009: Parliament prorogued • May 25, 2010 – reintroduced as the Fighting Internet and Wireless Spam Act
  4. 4. Fighting Internet and Wireless Spam Act FIWSA Fy-za
  5. 5. Why anti-spam legislation? • Last G8 country to enact anti-spam legislation • Spam costs time and money – Spam is well over 90% of all email (Microsoft - Security Intelligence Report, version 8 - April 2010) • Canada is a ‘spam haven’ – 10th in the world in terms of spam production (Spamhaus) • Establish trust and confidence in the use of e- marketing – benefits those who play by the rules
  6. 6. FISA: overview • Standalone legislation (FISA), and amendments to: PIPEDA; Competition Act; Telecommunications Act; CRTC Act • Regulatory regime that applies to commercial activity: based on general branch of the Federal Trade and Commerce Power (91(2))
  7. 7. Substantive violations • Section 7: regime for sending a commercial electronic message (CEM) • Section 8: prohibition against unauthorized altering of transmission data • Section 9: prohibition against installation of computer programs without consent • False and misleading information (content or sender info) • PIPEDA amendments: address harvesting; dictionary attacks; collection of personal information through unauthorized access to a computer systems
  8. 8. Section 7 - commercial electronic message regime: Overview • Based on experiences and best practices • CEM broadly defined to include any message with any semblance of commercial activity • More than email: IM; SMS; social media; voice*, etc. • General rule: Consent (opt-in) required to send CEM • Other requirements: identification; contact information; unsubscribe mechanism • Certain messages exempted altogether: family or personal relationship; business inquiry • No minimum # to be classified as spam • Message to request consent deemed to be CEM
  9. 9. Section 7 - commercial electronic message regime: Implied (deemed) consent • No true implied consent clause • Consent is deemed in a number of circumstances: 1. Existing business relationship 2. Existing non-business relationship 3. Conspicuous publication of electronic address 4. Recipient has provided electronic address to the sender • No implied consent for referrals • In most cases implied consent last for 2 years – window of opportunity to obtain express consent
  10. 10. Section 7 - commercial electronic message regime: no consent required • Quotes or estimates, if requested • Facilitates commercial transaction • Warranty or safety information • Information about ongoing subscription, membership, etc. • Information related to employment relationship or benefit plan • Delivers good or service
  11. 11. Questions for compliance, re: consent 1. Does section 7 apply? 2. If so, do I need consent (other requirements still apply)? 3. If not, can I rely on implied consent? 4. If not, how do I obtain opt-in (express) consent?
  12. 12. Jurisdiction • Section 12: “A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message.” • Thus, FISA applies to US (International) senders who send messages into Canada
  13. 13. Defining Sent • FISA states that an electronic message is considered to have been sent once its transmission has been initiated and that it is irrelevant if the intended recipient address exists or if message reaches its intended destination. This reference makes bounce management even more important for mailers to monitor and clean from your list.
  14. 14. Identification Requirements • All messages being sent must; – Clearly identify the person who sent the message • Add your physical postal address and company name to all emails – The messages must provide a method where the recipient can readily contact the person(s) responsible for sending the message • Set replies to go to your customer service, stop using • MUST be active for 60 days after the messages was sent – Provide a working unsubscribe mechanism that removes an address within 10 days
  15. 15. Managing Unsubs • The unsubscribe mechanism must specify an electronic address to which the unsubscribe notice may be sent or provide a hyperlink by means of which the recipient can provide their opt-out notice. Providing both options: an email unsubscribe and a web enabled unsubscribe is highly recommended
  16. 16. Oversight and enforcement: 3 Agencies • Canadian Radio-television and Telecommunications Commission (CRTC) – Primary enforcement agency – Can make preservation demands on TSPs – Administrative monetary penalties (AMPS): up to $1 million for individuals and $10 million in all other cases per violation • Competition Bureau – False and misleading representations online – Deceptive marketplace practices including false headers and website content – AMPS regime already exists in the Competition Act: $750,000 for individuals and $10 million for corporations • Office of the Privacy Commissioner (OPC) – Enforcement of provisions in PIPEDA (address harvesting; dictionary attacks; collection of personal information through unauthorized access to a computer systems) – No AMPS
  17. 17. Oversight and enforcement: Private Right of Action (PRA) • PRA can be exercised by any person affected by a violation of FISA as well as provisions in Competition Act and PIPEDA • Remedies: – Damages suffered and expenses incurred – Statutory damages of $200 per violation, up to $1 million per day
  18. 18. Oversight and enforcement: Protection for ‘Honest Mistakes’ Three mechanisms: 1. Undertakings & Compliance (s.22) – At any time – Restricts all other action (notice of violation and PRA) 2. Due Diligence Defence and Common Law Principles (s.34) – Cannot be found liable – Justification or excuse consistent with the Act 3. Factors to be Considered re: AMPs (s.21) – Nature and scope of violation – Financial benefit – Any relevant factor
  19. 19. Oversight and enforcement: Domestic and International Cooperation • Coordination and consultation between 3 enforcement agencies responsible for compliance • Information sharing and consultation between the three agencies and their international equivalents • A broadly defined Canadian link which stipulates that FISA would apply to electronic messages sent to, through or from Canada
  20. 20. FISA vs. CAN-SPAM: Similarities • Requirement to accurately identify sender • Prohibition false and misleading transmission data/subject lines • Requirement for unsubscribe mechanism • Liability for brands who knowingly allow spam to be sent on their behalf
  21. 21. FISA vs. CAN-SPAM: Key Differences FISA CAN-SPAM Addresses broad range of Internet issues Addresses spam only (spam, spyware, pharming, etc.) Applies to all forms of electronic Applies only to email messaging (email, SMS, IM, etc.) Primarily opt-in; permission based Opt-out; you can technically mail any person at least once PRA available to anyone (individuals, PRA available only to ISPs businesses, etc.
  22. 22. FISA and Social Networks • Most social networks are self directed opt-in/out solutions that allow individuals to manage their own preferences – Follow/Unfollow – Friend/Un-friend – Like/Unlike
  23. 23. Why prepare now? • Most marketing programs are planned several months in advance, don’t be caught of guard • Plan your changes now and get them into your project development plans • Your Email Service Provider needs to plan as well – Work with your third party vendors to get any necessary changes on their road map for development
  24. 24. Why Marketers Need Not Fear • International laws are already being followed by most – Identification (Postal address), 10 day Unsubscribe, No misleading information • PIPEDA already requires consent to collect PI – Email, Name, Phone numbers, etc… • Important exemptions – Personal communications with family, friends and replies to inbound inquiries • Protection for honest mistakes
  25. 25. Questions? Shaun Brown Matthew Vernhout, CIPP/C Law Office of Kris Klein Thindata 1:1 Twitter: @emailkamra