PROPOSED ELECTRONIC COMMERCE PROTECTION REGULATIONS

COMMENTS SUBMITTED BY LORNE SALZMAN[1] AND BARRY SOOKMAN[2]

7 September 2011

1. We submit these comments in connection with the Electronic Commerce Protection Regulations that are proposed by both Industry Canada[3] and the CRTC[4].

2. We are two Canadian lawyers who have carefully followed the development of Canada’s Anti-Spam Law in Bill C-28 (“CASL”), and the proposed regulations under that law. We have spoken and written on these topics.[5] We have also assisted clients in understanding the law and regulations and in formulating compliance programs. Through these experiences, we have developed our views on the proposed regulations and, of greater importance, the omissions from the proposed regulations. We submit these comments as individuals with a view to improving the regulatory framework of CASL. As such, these comments do not necessarily represent the views of any client, the firm in which we practice law, or any other party.

Summary

3. CASL is intended to deter spam and encourage electronic means of engaging in commerce, while not negatively impacting legitimate businesses. Recognizing the importance of these objectives, we are concerned that CASL and the proposed regulations impose costs and inefficiencies that exceed the benefits. Accordingly, we make a number of recommendations that are intended to recalibrate CASL. We propose the addition of new regulations, and the modification of proposed regulations, that will better target the anti-spam provisions of CASL against undesirable conduct involving commercial electronic messages. Our specific recommendations are summarized below.

[1] firstname.lastname@example.org
[2] email@example.com
[3] Canada Gazette, Part 1, 9 July 2011
[4] Telecom Notice of Consultation CRTC 2011-400, 30 June 2011
[5] See for example “Rethinking FISA” at http://www.barrysookman.com/2011/05/25/rethinking-fisa/

4. Start-up companies will be impacted by CASL as they do not have existing lists of customers and contacts on which to draw. They will therefore be forced into more expensive mechanisms to reach their intended audiences, for example, by using the post. Given the importance of encouraging start-up businesses in Canada, a limited start-up business exception to CASL’s consent requirements is worthwhile. This would be accomplished by exempting 1000 messages per month from CASL’s consent requirements, while still maintaining CASL’s formality and unsubscribe requirements.

5. Opt-in messaging networks do not easily fit within the CASL framework which was designed with emails in mind. Consequently, users who use them will face risks of offending CASL, and operators will face risks of aiding conduct that is contrary to CASL. The presence of such risks will deter users of messaging networks from beneficially exploiting them in Canada.

6. We make recommendations to exempt many of these messaging networks from CASL. Most messaging networks contain protections that limit unwanted commercial electronic messages from being carried over their networks. For example, some networks have rules that prohibit certain types of commercial electronic messages, which rules are actively enforced. In other cases, the networks may only permit messaging among consenting parties. Where such protections are in place, CASL’s requirements are not needed, and can be counter-productive.

7. Because CASL applies to commercial electronic messages sent from Canadian servers, senders of messages to non-Canadians will seek to avoid using such servers, whether they are dedicated to one company or are accessed through cloud computing. Consequently, companies that operate servers that are used to send commercial electronic messages to non-Canadians will have an incentive to migrate their activities outside Canada, thereby depriving Canada of the resulting jobs and economic spin-offs.
To counter this incentive, we recommend that commercial electronic messages to non-Canadians be exempt from CASL, provided that the messages comply with the anti-spam laws of the destination country. This last proviso will help ensure that Canada does not become a haven for international spammers.

8. Many companies have obtained consent to send commercial electronic messages as part of their business activities taking into account their obligations under PIPEDA. Under CASL, PIPEDA-compliant companies will still need to vet their existing lists and implement new processes, a potentially expensive undertaking with little practical benefit. Accordingly, we
recommend that PIPEDA consents continue to be recognized as implied consents under CASL. We set out three options for implementing this recommendation.

9. The proposed CRTC regulations state the identification requirements for those who send commercial electronic messages and those that send requests for consent under CASL. The regulations call for a variety of contact information to be provided in each such communication, for example, mail address, telephone number, web address and the like. By so doing, the regulations in effect force companies to maintain mechanisms and procedures to respond to recipients through each mode of contact. This will be unnecessarily burdensome on companies, notably those that wish to only communicate electronically. Accordingly, we recommend that only one means of contact be required.

10. If the foregoing recommendations are adopted, or if other significant changes are made to the proposed regulations, there is merit in holding a second consultation before the regulations are finalized.

Introduction

11. As a starting point, it is worthwhile to recall that the key goals of CASL are to “deter the most damaging and deceptive forms of spam from occurring in Canada and help drive spammers out of Canada”[6] and to encourage the use of electronic means to carry out commercial activities.[7] These goals are intended to be accomplished without negatively impacting legitimate businesses that use electronic means to market their products and services to Canadians.[8] Thus the goals of CASL imply trade-offs: discourage spam, discourage spammers from using Canada for their activities, encourage electronic communications, but do not negatively impact Canadian businesses.

12. Recognizing the importance of all of these objectives, we are concerned that CASL and the proposed regulations will impose costs and inefficiencies on Canadians that exceed the benefits. These costs and inefficiencies are significant.
They are not just the substantial compliance costs that Canadian businesses must bear. They extend to impeding the use of electronic means of communicating, putting Canadian businesses at competitive disadvantages to their foreign competitors, retarding the growth of small and start-up businesses, and potentially limiting the use by Canadian businesses of modern messaging platforms. In short, CASL and the proposed regulations fail to properly recognize the trade-offs that the Government set out for CASL, and thus they take a disproportionate approach to dealing with the problem of spam.

[6] See http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html
[7] See section 3 of CASL.
[8] For additional information on the history, goals and objectives of CASL, see Government of Canada, Backgrounder, Questions and Answers, and Online Threats, http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00567.html, Government of Canada Moves to Enhance Safety and Security in the Online Marketplace http://www.ic.gc.ca/eic/site/ic1.nsf/eng/05596.html

13. A key source of the problem is the design of CASL. Its approach is to forbid practically all commercial electronic communications, and then set out certain exemptions to these strictures in both the law and the regulations. Thus, rather than targeting truly offensive conduct in the first place, the law and proposed regulations are grounded with the sweeping proposition that, in effect, nothing is permitted except that which is specifically allowed. This prescriptive regulatory approach goes far beyond what any other country has implemented to address spam. CASL’s overreach also raises questions as to whether it could survive a challenge under the Canadian Charter of Rights and Freedoms.

14. It is this design approach that makes the development of proposed regulations all the more important. CASL contemplates that the regulations can be used to add some flexibility to the law. The proposed regulations, however, take only very modest steps in this direction. They offer some clarifications and refinements, but they do not address fundamental issues of overreach that the regulations should strive to remedy. Moreover, the proposed regulations add to the difficulty and cost of compliance with CASL.

15. In the following comments, we focus on what we consider to be the most important areas of concern. We do not intend to address all conceivable modifications that should be considered.
We do however suggest modifications to the proposed regulations that will recalibrate CASL so that it better meets the objectives set by the Government. With appropriate regulations, CASL can achieve its goal of deterring the most damaging and deceptive forms of spam and help drive spammers out of Canada. It can do so without discouraging the use of electronic means to carry out commercial activities. And, these goals can be accomplished with much less likelihood of negatively impacting legitimate businesses that use electronic means to market their products and services to Canadians.

16. We understand that businesses, trade organizations and other commentators intend to file submissions on the proposed regulations. Many will highlight the ways in which CASL and the proposed regulations have failed to fully achieve the Government’s goals, and they will make recommendations for new or amended regulations. The breadth of the comments underscores the implications of CASL’s prescriptive approach to regulating spam. It also highlights the need to use the regulation making power to ensure that CASL better meets the Government’s objectives.

17. Given that we (and likely other commentators) propose changes that will substantially widen exempt activity under CASL, to the extent that any of these proposals are accepted, we recommend that revised regulations be published and that Industry Canada and the CRTC hold a second round of public consultations. In that way, these important regulations can benefit from informed comment before they are finalized and implemented.

Start-Up Companies Need Increased Messaging Flexibility

18. Unlike established companies, start-up companies do not have a ready list of electronic contacts they can approach to market their products and services. Rather, they will develop emailing lists from a variety of sources and use them to launch their products. For example, a newly graduated financial advisor may look up the lawyers and doctors in his/her neighbourhood using a published professional or business directory or other publication such as a magazine, book, or newspaper and invite them to an educational event. A newly established orthodontist may send an announcement to dentists in her town, with the electronic addresses derived from a conference attendance list. A university student wanting to earn some money as a contract programmer may contact professors and lecturers using their electronic addresses found in the university catalogue or telephone directory.
A new real estate agent in search of listings may want to contact owners of properties using information recorded in publicly available registries.

19. Although few would find these activities offensive, they will all be potentially problematic under CASL. Rather than using electronic communications, business start-ups will therefore be forced to send their messages using the post or other more expensive and less convenient and efficient mechanisms, or limit the persons to whom they can send messages to the limited exception that permits use of conspicuously published e-mail addresses. The new start-ups could also be thwarted from relying on the alternative route of using software that is designed to assist them in searching for relevant business or other connections because it may well be
problematic to use such software or electronic addresses gathered using such software given the amendments to PIPEDA included in CASL.

20. Although it is easy to say that the impositions on small businesses are not that important, most countries, Canada included, actively promote small business formation and expansion. Policy-makers understand that small business is a vital part of the economy in its own right and, as well, that all big businesses were small start-ups at one point. As such, Canada should not want to impede start-up businesses from making effective use of digital communications to launch and sustain their businesses. This is especially so given that start-ups in other countries, notably the United States, do not face similar impediments.

21. Turning this recommendation into regulation language is not straightforward. Rather than trying to develop a suitable definition of “start-up business”, a step which will be difficult and controversial, we propose to focus on a different and more measurable factor: namely, allowing businesses to send a minimum number of commercial electronic messages without consent. (The messages would still have to comply with the unsubscribe and format requirements under CASL.) We suggest a monthly limit of 1000 messages with the same or substantially similar content.[9]

22. Adopting such an approach should not open the doors to problematic spammers as they send many more messages than 1000 per month. It is also unlikely to change the approach of larger Canadian businesses as they will want to design their messaging programs for larger groups of contacts. But it will allow start-up businesses, such as the ones noted above, some flexibility to launch their businesses without bearing the extra costs that arise from full CASL compliance.

23.
Ideally, this “new business exemption” should be implemented under section 6(6) as this would preserve the format and unsubscribe requirements for the commercial electronic messages, while allowing an exemption from the consent requirements. Unfortunately, section 6(6)(d) contemplates that a “purpose” for the communication be specified in order to fit under the exemption language. Yet this is not a purpose-oriented exemption, so fitting into the exemption will be a challenge. Accordingly, one option is to utilize section 10(9)(d) which contemplates expansion of the implied consent category. Another option is to utilize the “circumstances” exemption in section 6(5)(c). Both options are set out below.

[9] A similar approach was adopted by Singapore. The 1000 per month limit is used by Singapore to define commercial electronic messages sent in “bulk”. Only “bulk” messaging is subject to regulatory supervision. (Singapore also imposes daily and annual limits.) See http://www.spamcontrol.org.sg/

Recommendation 1: The regulations should exempt from the consent requirements of the Act up to 1000 messages per month for a sender and its affiliates, where the messages contain the same or substantially similar content, by means of one of the following options:

For the purposes of section 10(9)(d) of the Act, consent is implied for the purposes of section 6 of the Act where the person who sends or causes to be sent the commercial electronic message, together with its affiliates[10], send or cause to be sent no more than 1000 messages in any calendar month with the same or substantially similar content.

-- or --

Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message in the following circumstances:
(a) the person who sends or causes to be sent the commercial electronic message, together with its affiliates, send or cause to be sent no more than 1000 messages in any calendar month with the same or substantially similar content, and
(b) the commercial electronic message complies with section 2(b) of the Act.

Opt-In Messaging Networks Contain Sufficient Protections to Operate Outside CASL

24. Although CASL is supposed to be technologically neutral, applying broadly to all electronic means of sending electronic messages, the CASL regulatory regime is modelled on regulating electronic messages that are sent as emails. This focus on emails means that other forms of electronic messaging, such as those through social networks, do not easily fit within the CASL framework. As a result, Canadian businesses that wish to exploit new and developing alternative electronic messaging systems will be impeded by CASL.

25. Consider a business model where a virtual gaming site allows members to offer to buy and sell virtual objects amongst themselves.
Does each member have to obtain consent from the other members before the messages are sent? Can the social network site request consent in advance for all such messages among members? Bear in mind that the members only disclose game-playing aliases and not their real identities. How then can the identification requirements of CASL be satisfied? How practical is it for each game-player to include an unsubscribe mechanism in every buy-sell offer? If members fail to comply with these identification or unsubscribe mechanisms, will the social network operator have to enforce these requirements in order to avoid liability for aiding in a contravention of CASL? Will the operators of such sites be concerned that they could face accessorial liability for not designing mechanisms to enable their players to comply with FISA? Will they make necessary changes to their games or simply exclude Canadians from being able to join their networks?

[10] The term “affiliate” will need to be defined. The definition in the Canada Business Corporations Act should be suitable.

26. Consider next a business model where a social network operator offers business coupons to members and encourages the members to pass the coupons on to friends and social media contacts. As an incentive, the operator grants a modest incentive to the member for every person that uses such a passed-on coupon. The passing on of the coupon with an express or implied suggestion as to its use may well be the sending of a commercial electronic message. While some recipients in these models may fit into the personal or family relationship exemption in CASL, others will not. And how many members are likely to include unsubscribe mechanisms when sending such messages to their contacts? Although one might be tempted to say that no-one will pursue the members for such trivial transgressions of CASL, the operator that knowingly permits such conduct might well worry if it will be at risk of being accused of aiding, inducing, procuring or causing to be procured the doing of any act contrary to the anti-spam provisions of CASL.

27. Faced with the risks of offending CASL and the attendant possibilities of very large administrative monetary penalties or class action lawsuits claiming substantial damages, Canadian businesses will be wary of developing (or continuing to offer) these innovative business models or implementing similar models that are legal in other countries such as the United States.
Or if they do wish to develop them, they will feel a strong incentive to develop and launch them outside of Canada. The logical port of call for any such developers will be the United States, with its familiarity to Canadians, vast market, openness to innovation, and ample sources of funding. Canada, which already faces a tough time in fostering innovation inside our borders, will now be adding one more reason for Canadians to take their digital economy initiatives south of the border.

28. Each of these social networks operates under rules enforced by contract and by an administration that monitors and enforces compliance. As such, there is a mechanism to control unwanted commercial electronic messages. For example, one prominent social network, LinkedIn, prohibits the following (which are more restrictive than under CASL):

… any unsolicited or unauthorized advertising, promotional materials, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” or any other form of solicitation. This prohibition includes but is not limited to (a) using LinkedIn invitations to send messages to people who don’t know you or who are unlikely to recognize you as a known contact; (b) using LinkedIn to connect to people who don’t know you and then sending unsolicited promotional messages to those direct connections without their permission; and (c) sending messages to distribution lists, newsgroup aliases, or group aliases;

29. Even if the administrator exercises less fulsome control over messages than under CASL, it should be remembered that members voluntarily accept that lower degree of control when they opt-in as members. A member who is dissatisfied can always refuse to subscribe, or resign later. However, such action is not likely to be necessary as most social networks include mechanisms whereby members can control their inflow of messages through preference and privacy settings. No social network has achieved the ubiquity of email, and each faces competition from other social networks. Hence they cannot afford to offend members through measures that members find offensive. If the time comes that one or more social networks achieve equivalent ubiquity to email, and the manager fails to control unwanted electronic commercial messages appropriately, it may be that the social network will need to be treated in a manner similar to email. But until that time, CASL should not apply to commercial electronic messages carried over managed social networks that members voluntarily join.

Recommendation 2: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent over a managed messaging network, as follows:

Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message that is sent to a recipient over a messaging network where
(a) the messaging network requires that, before a user is permitted to send or receive electronic messages over the messaging network, the user enters into an agreement that establishes rules for messaging activities,
(b) users are able to readily report violations of the rules to an enforcement authority, and
(c) the enforcement authority regularly undertakes enforcement action against such violations.

30. In the same vein, the regulations under CASL should allow for the operation of rules-based messaging networks that are designed to allow for electronic communications among a limited group of users where the recipient defines the allowed senders of electronic messages. This type of messaging network is less managed than discussed above, but protections against
unwanted commercial electronic messages are very much in place. An example would be the Blackberry Messenger, or BBM, service. With networks of this sort, control over unwanted commercial electronic messages is exercised by the design of the network. Only permitted senders are allowed to communicate with a recipient. In such circumstances, the communication should not be considered unwanted. And, in any event, the recipient retains the ability to terminate the sending rights of a sending party should the messaging (or other) activities of the sending party warrant such action. Thus the user retains the right to perform its own enforcement activities to address unwanted messaging, whether commercial or otherwise.

Recommendation 3: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent over a messaging network, as follows:

Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message that is sent to a recipient over a messaging network where
(a) a commercial electronic message can only be sent from a sender to a recipient if the recipient has given its prior consent to the receipt of messages from that sender, and
(b) the messaging network allows the recipient to readily discontinue the receipt of messages from senders that are specified by the recipient.

31. The foregoing recommendation will also exempt from CASL common short code (“CSC”) applications such as those administered by the Canadian Wireless Telecommunications Association (“CWTA”). These applications have become very popular, and there is no indication that the current rules are leading to an undue volume of unwanted commercial electronic messages.
Moreover, it is difficult to see how such applications will be able to comply as a practical matter with the formality requirements under CASL, given the limits on message size (typically no more than 140 characters), thus making the need for an exemption all the more pressing.

32. It is counter-productive and unnecessary to regulate under CASL a CSC application such as the one administered by CWTA. This messaging application is used productively by Canadians and does not lead to undue amounts of unwanted commercial electronic messages. Applying the full rigour of CASL can only imperil its functionality and utility. If, at some future time, experience shows that more protection is needed from unwanted commercial electronic messages over such networks, the regulations can then be changed to bring them under CASL.

33. We note that the draft CRTC regulations purport to make it easier for short messaging to comply with CASL’s message form requirements by enabling users to provide prescribed
information by using a “link to a web page on the World Wide Web that is clearly and prominently set out and that can be accessed by a single click or another method of equivalent efficiency at no cost to the person to whom the message is sent.”[11] There is however no equivalent mechanism in Section 4 of the draft CRTC regulations to enable users of social networks to use a link to a web page to make the necessary disclosures to obtain consents under Section 10(1) or 10(3) of CASL. But even assuming there were, how practical is it to impose these requirements on users of social networks? Even assuming these messaging types had sufficient real estate length to include such links (which many may not accommodate), it is not realistic to impose on users of these social networks the requirement to: disclose all of the substantial information required to obtain consent to send commercial electronic messages; obtain express consents; have each message link to the detailed information prescribed by CASL and the regulations; have a physical address, email address, a website, and a phone number to receive consents and to address requests to unsubscribe; and to maintain records of consents and unsubscribe requests and to give effect to them.[12]

34. Further, despite the single-click-to-a-website feature in the draft regulations, a user of a mobile phone that does not have web browsing capability simply has no means of accessing the information on that device. A message sender, who is unlikely to know what sort of mobile device the recipient is using, or whether the recipient’s wireless services plan permits “no-cost” web access, will thus have to carefully consider if it has complied with the regulations when it sends its messages to mobile devices. The need for an exemption from CASL’s strictures is thus apparent.

CASL’s Disincentives to Computer Processing in Canada Should be Eliminated

35.
Section 6 of CASL applies to commercial electronic messages that are sent from computer systems in Canada to recipients outside of Canada. As such CASL imposes the Canadian standards of disclosure, consent and unsubscribe to non-Canadians. At first blush, this sounds desirable. Canada should not be a haven for spammers who send their unwelcome messages outside the country, even if Canadians are protected. But there is a downside to this approach – one that should be remedied in the regulations.

36. The problem is that such an approach will inevitably discourage the use of Canadian servers for activities that are perfectly lawful in other countries. A sender of commercial electronic messages in the United States will understandably be concerned to comply with US law when sending messages to recipients in that country. That company will be reluctant, however, to use Canadian computer systems if doing so means that it must comply with rules that are more onerous, and thus more expensive to comply with, than under the US law.

[11] Section 2(2) of the draft CRTC regulations.
[12] See sections 2 and 4 of the draft CRTC regulations.

37. The problem is particularly troubling where companies rely on cloud computing. Under cloud computing, a company can use a variety of servers in a variety of locations to perform computing work, including the sending of messages. The location of the server sending particular messages may vary, depending on demand and other factors. Under CASL, however, cloud computing activities that are undertaken in Canada must comply with the CASL requirements. As a practical matter, companies that operate such cloud computing facilities will have to wall off the Canadian servers from messaging activities involving other countries. Companies that use third party cloud computing services will have to use contracts to ensure that their messaging activities to other countries do not emanate from computers in Canada.

38. All of this suggests that companies will prefer to locate their servers outside Canada, or engage in cloud computing activities where none of the servers are in Canada. As such, those computer activities, and the jobs and other economic spin-offs that result, will be lost to Canada.

39. Once companies have located their non-Canadian activities outside of Canada, some of them will likely move their Canadian messaging activities there as well. They will still have to comply with CASL, but there are likely efficiencies in undertaking their Canadian messaging activities outside Canada, rather than maintaining a small Canadian-only facility for Canadian purposes. Again, Canada loses out.

40.
A simple fix to this problem is to exempt from section 6 of CASL those messaging activities to other countries that comply with the anti-spam laws of those countries. In that way, Canada will protect non-Canadians to the same extent as their local laws do, but not more so. The location of the server sending the messages, whether in Canada or otherwise, then becomes immaterial. Rather, the sender must ensure that its messages comply with the laws of the country where the messages will be received, which presumably the legitimate senders will want to do in any event.

41. It might be argued that such an exemption will allow Canada to operate as a spam haven for countries that do not have local spam-reducing laws. However, if local countries do not consider spam a problem, should Canada stand on guard for them? If there were no
downside, the answer might well be yes. But, as explained above, there is indeed a downside in terms of reduced attractiveness of Canada as a host for computer systems. On balance, the proposal we have stated, that is exempting from CASL those commercial electronic messages sent to non-Canadians that comply with the anti-spam laws of the countries of the recipients, strikes an appropriate balance between these various factors.

Recommendation 4: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent to non-Canadian recipients where the message complies with the anti-spam laws of the recipient’s country, as follows:

Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message sent to a recipient in a country other than Canada where the message, if it had been sent by a sender in that country, would comply with the laws of that country relating to protection against commercial electronic messages sent in bulk, protection against false or misleading commercial electronic messages, requiring commercial electronic messages to disclose information about their senders or requiring senders of commercial electronic messages to allow recipients to unsubscribe from receiving further such messages.

PIPEDA Consents Should be Respected Under CASL

42. Many companies have previously determined that they had consent to send commercial electronic messages, either because express consent had been given or because it was a reasonable expectation of the recipients. Indeed, making such determinations would have been part of their compliance with PIPEDA.[13] These companies now face the need to check that the names on their list of consenting recipients all either comply with the express consent requirements of CASL, or fit under one of the few implied consent categories. This can be a daunting and expensive task, given that these lists were assembled over time and they may be quite extensive.

43.
We question if such effort is necessary. The consent regime established by PIPEDA has been in place for years, and it is adequate to achieve the Government’s objective of deterring the most damaging forms of spam. PIPEDA permits organizations to collect and use personal information “only for purposes that a reasonable person would consider appropriate in the circumstances”. As well, under Principle 3 of Schedule 1 of PIPEDA, consent must still be express or implied. Problem spammers will have difficulty meeting either of these PIPEDA requirements.

[13] Personal Information Protection and Electronic Documents Act
44. We acknowledge that using the PIPEDA consent standard could potentially create grey areas where legitimate businesses might still be able to send some unwanted commercial electronic messages. We also acknowledge that the concept of implied consent can raise questions in tough cases. However, it should be remembered that Canadians reached a consensus that consents based on the CSA Model Code would achieve the desired balance between protecting privacy and enabling businesses to use personal information for legitimate purposes including the sending of commercial messages. Moreover, Canadians will still have the protection of CASL’s unsubscribe capability to block future commercial electronic messages from unwelcome senders.

45. CASL should build on PIPEDA’s balanced standards, rather than attempt to achieve the impossible goal of a “100% spam-free Canada”. Canadian businesses have spent millions of dollars to comply with PIPEDA, and there is much to be said for not requiring businesses to adhere to two separate consent regimes with overlapping goals. Exempting PIPEDA consents from the CASL consent requirements can be accomplished by adding a category of implied consent pursuant to section 10(9)(d) of the regulations.

Recommendation 5: Consent should be implied where a consent under PIPEDA is obtained, as follows:

For the purposes of section 10(9)(d) of the Act, consent is implied where the sender has obtained consent in accordance with requirements of PIPEDA.

46. The approach above is consistent with the inferred consent rule adopted in Australia in the Spam Act 2003.[14] Under the Australian law, consent is implied where consent can reasonably be inferred from (i) the conduct; and (ii) the business and other relationships, of the person concerned. If Canada had not had over 10 years’ experience with PIPEDA, we would have recommended this approach in the first instance.
Although it has drawbacks similar to those discussed above in connection with using the PIPEDA consent regime, this standard would still deter the most damaging and deceptive forms of spam and it would therefore achieve a more balanced approach to regulating spam. Accordingly, in the event that our recommendation 5 is not accepted, an alternate approach would be to add an exception for inferred consent using the model developed in Australia.

[14] See section 2 of Schedule 2 to the Australian law http://www.comlaw.gov.au/Details/C2011C00080 and the discussion at http://www.acma.gov.au/WEB/STANDARD/pc=PC_310572
Alternate Recommendation 5: Consent should be implied where a consent can reasonably be inferred from the circumstances as follows:

For the purposes of section 10(9)(d) of the Act, consent is implied where consent can reasonably be inferred from (i) the conduct; and (ii) the business and other relationships, of the person concerned.

47. If neither of the foregoing exemption approaches is acceptable, we recommend a third option, namely that the new CASL requirements only apply on a going forward basis, and that previously obtained consents under PIPEDA be grandfathered. Such an approach allows companies to adjust their consent practices in the future to comply with both CASL and PIPEDA, while recognizing that there is little public benefit to requiring that companies go through the expense of vetting lists that have been assembled in the past and which have been PIPEDA-compliant up to now. In this way, companies will be able to continue to use consent lists that were properly and lawfully assembled as of the date that CASL comes into force.

Alternate Recommendation 5: Consent should be implied where consent under PIPEDA was previously obtained, as follows:

For the purposes of section 10(9)(d) of the Act, as of the day that section 6 of the Act comes into force, consent is implied where the sender had previously obtained consent in accordance with requirements of PIPEDA, and that consent remained in effect as of that day.

Identification Information in Messages and Consent Requests Should be Streamlined

48. Up to now, we have focussed on additions to the proposed regulations in order to strike a better balance between costs and benefits of CASL. In the following, we will comment on one component of the proposed draft regulations, namely the sender identification and contact requirements for messages and consent requests.[15]

49.
Sections 6(2) and 10(1) of CASL contemplate that the regulations will specify information to be included in messages and consent requests to allow the sender to be identified and (in the case of 6(2)) to permit the recipient to readily contact the sender. The CRTC’s proposed regulations do that, but in a manner that is quite extensive. The proposed regulations would require each commercial electronic message and each request for consent to contain the following information: the physical and the mailing address, a telephone number, an email address, a web address and any other electronic address used by the business.

[15] See sections 2(1)(d) and 4(d) of the CRTC’s draft regulations

50. We question why so many forms of identification are needed. The objective of identifying the sender and providing a means of ready contact can be satisfied with simply the sender’s name and electronic address. Requiring more addresses means that each of these addressing mechanisms must be prepared to deal with communications from recipients of commercial electronic messages. Consider the case of a business that has been efficiently designed for electronic communication with customers, and that prefers not to incur the costs of telephonic communication. Why should that business be forced to operate in a less efficient manner? Consider the case of a large business that must list all its electronic addresses (“any other electronic address”) in every message. Not only will this be very burdensome to implement, but messages will become unnecessarily long as potentially hundreds of addresses will be listed. What public policy benefit is secured by imposing these sorts of costs on businesses? We also question how these requirements will help consumers who may very well be confused, rather than aided, by all of this information.

51. Accordingly, we recommend that the CRTC’s regulations only mandate the disclosure of the name and electronic address of the sender (and person on whose behalf it is sent). As the name information is already required under sections 2(1)(a)-(c) and 4(a)-(c), sections 2(1)(d) and 4(d) need only stipulate a working electronic address.

Recommendation 6: Sections 2(1)(d) and 4(d) should be revised to refer to only a single mandated address, namely a working electronic address, as follows:

(d) an electronic address that can readily be contacted.

To Conclude

52. CASL has the potential to significantly affect how Canadian businesses operate.
While we do not argue with the objectives of CASL, namely to reduce spam and spyware, we maintain that these objectives can be met with a more balanced approach to costs and benefits than is apparent from the draft regulations. We have put forward recommendations that attempt to better strike that balance.

53. All of which is respectfully submitted this 7th day of September 2011.