1. Electronic marketing under Bill C-28,
the Fighting Internet and Wireless
Spam Act
Shaun Brown – Counsel, Law Office of Kris Klein
Matthew Vernhout – Director, Delivery and ISP
Relations, Thindata 1:1
2. Goals
• General understanding of the legislation
– Substantive requirements
– Enforcement regime
• Practical guidance
• Address potential fears
3. How we got here
• May 2004 - IC establishes Task Force on Spam
• May 2005 – Task Force presents final report to IC
• April 24, 2009 – Bill C-27, the Electronic Commerce Protection
Act (FISA) introduced in the HoC
• November 30, 2009: passed House with unanimous support;
amended as a result of consultation and committee meetings
• December 15, 2009: passed 2nd reading in Senate
• December 30, 2009: Parliament prorogued
• May 25, 2010 – reintroduced as the Fighting Internet and
Wireless Spam Act
5. Why anti-spam legislation?
• Last G8 country to enact anti-spam legislation
• Spam costs time and money
– Spam is well over 90% of all email (Microsoft - Security
Intelligence Report, version 8 - April 2010)
• Canada is a ‘spam haven’ – 10th in the world in terms
of spam production (Spamhaus)
• Establish trust and confidence in the use of e-marketing –
benefits those who play by the rules
6. FISA: overview
• Standalone legislation (FISA), and amendments to:
PIPEDA; Competition Act; Telecommunications Act;
CRTC Act
• Regulatory regime that applies to commercial
activity: based on general branch of the Federal
Trade and Commerce Power (91(2))
7. Substantive violations
• Section 7: regime for sending a commercial electronic
message (CEM)
• Section 8: prohibition against unauthorized altering of
transmission data
• Section 9: prohibition against installation of computer
programs without consent
• False and misleading information (content or sender info)
• PIPEDA amendments: address harvesting; dictionary attacks;
collection of personal information through unauthorized
access to a computer system
8. Section 7 - commercial electronic message
regime: Overview
• Based on experiences and best practices
• CEM broadly defined to include any message with any
semblance of commercial activity
• More than email: IM; SMS; social media; voice*, etc.
• General rule: Consent (opt-in) required to send CEM
• Other requirements: identification; contact information;
unsubscribe mechanism
• Certain messages exempted altogether: family or personal
relationship; business inquiry
• No minimum # to be classified as spam
• Message to request consent deemed to be CEM
9. Section 7 - commercial electronic message
regime: Implied (deemed) consent
• No true implied consent clause
• Consent is deemed in a number of circumstances:
1. Existing business relationship
2. Existing non-business relationship
3. Conspicuous publication of electronic address
4. Recipient has provided electronic address to the sender
• No implied consent for referrals
• In most cases implied consent lasts for 2 years – window of
opportunity to obtain express consent
10. Section 7 - commercial electronic message
regime: no consent required
• Quotes or estimates, if requested
• Facilitates commercial transaction
• Warranty or safety information
• Information about ongoing subscription,
membership, etc.
• Information related to employment relationship or
benefit plan
• Delivers good or service
11. Questions for compliance, re: consent
1. Does section 7 apply?
2. If so, do I need consent (other requirements still
apply)?
3. If not, can I rely on implied consent?
4. If not, how do I obtain opt-in (express) consent?
12. Jurisdiction
• Section 12: “A person contravenes section 6 only if a
computer system located in Canada is used to send
or access the electronic message.”
• Thus, FISA applies to US (International) senders who
send messages into Canada
13. Defining Sent
• FISA states that an electronic message is considered
to have been sent once its transmission has been
initiated and that it is irrelevant if the intended
recipient address exists or if message reaches its
intended destination.
This makes bounce management even more important:
mailers need to monitor bounces and clean bouncing
addresses from their lists.
14. Identification Requirements
• All messages being sent must:
– Clearly identify the person who sent the message
• Add your physical postal address and company name to all emails
– The messages must provide a method where the recipient can readily
contact the person(s) responsible for sending the message
• Set replies to go to your customer service; stop using
NoReply@client.com
• MUST be active for 60 days after the message was sent
– Provide a working unsubscribe mechanism that removes an address
within 10 days
15. Managing Unsubs
• The unsubscribe mechanism must specify an
electronic address to which the unsubscribe notice
may be sent or provide a hyperlink by means of
which the recipient can provide their opt-out notice.
Providing both options, an email unsubscribe and a
web-enabled unsubscribe, is highly recommended.
16. Oversight and enforcement: 3 Agencies
• Canadian Radio-television and Telecommunications Commission (CRTC)
– Primary enforcement agency
– Can make preservation demands on TSPs
– Administrative monetary penalties (AMPS): up to $1 million for individuals and $10
million in all other cases per violation
• Competition Bureau
– False and misleading representations online
– Deceptive marketplace practices including false headers and website content
– AMPS regime already exists in the Competition Act: $750,000 for individuals and
$10 million for corporations
• Office of the Privacy Commissioner (OPC)
– Enforcement of provisions in PIPEDA (address harvesting; dictionary attacks;
collection of personal information through unauthorized access to a computer
system)
– No AMPS
17. Oversight and enforcement: Private Right
of Action (PRA)
• PRA can be exercised by any person affected by a
violation of FISA as well as provisions in Competition
Act and PIPEDA
• Remedies:
– Damages suffered and expenses incurred
– Statutory damages of $200 per violation, up to $1 million
per day
18. Oversight and enforcement: Protection for
‘Honest Mistakes’
Three mechanisms:
1. Undertakings & Compliance (s.22)
– At any time
– Restricts all other action (notice of violation and PRA)
2. Due Diligence Defence and Common Law Principles (s.34)
– Cannot be found liable
– Justification or excuse consistent with the Act
3. Factors to be Considered re: AMPs (s.21)
– Nature and scope of violation
– Financial benefit
– Any relevant factor
19. Oversight and enforcement: Domestic and
International Cooperation
• Coordination and consultation between 3
enforcement agencies responsible for compliance
• Information sharing and consultation between the
three agencies and their international equivalents
• A broadly defined Canadian link which stipulates
that FISA would apply to electronic messages sent
to, through or from Canada
20. FISA vs. CAN-SPAM: Similarities
• Requirement to accurately identify sender
• Prohibition against false and misleading transmission
data/subject lines
• Requirement for unsubscribe mechanism
• Liability for brands who knowingly allow spam to be
sent on their behalf
21. FISA vs. CAN-SPAM: Key Differences
FISA | CAN-SPAM
Addresses broad range of Internet issues (spam, spyware, pharming, etc.) | Addresses spam only
Applies to all forms of electronic messaging (email, SMS, IM, etc.) | Applies only to email
Primarily opt-in; permission based | Opt-out; you can technically mail any person at least once
PRA available to anyone (individuals, businesses, etc.) | PRA available only to ISPs
22. FISA and Social Networks
• Most social networks are self-directed opt-in/out
solutions that allow individuals to manage their own
preferences
– Follow/Unfollow
– Friend/Un-friend
– Like/Unlike
23. Why prepare now?
• Most marketing programs are planned several
months in advance; don’t be caught off guard
• Plan your changes now and get them into your
project development plans
• Your Email Service Provider needs to plan as well
– Work with your third party vendors to get any necessary
changes on their road map for development
24. Why Marketers Need Not Fear
• International laws are already being followed by
most
– Identification (Postal address), 10 day Unsubscribe, No
misleading information
• PIPEDA already requires consent to collect PI
– Email, Name, Phone numbers, etc…
• Important exemptions
– Personal communications with family, friends and replies
to inbound inquiries
• Protection for honest mistakes
25. Questions?
Shaun Brown, Law Office of Kris Klein, sbrown@krisklein.com
Matthew Vernhout, CIPP/C, Thindata 1:1, mvernhout@thindata.com
Twitter: @emailkamra