Vol. 147, No. 26 — December 18, 2013

Registration

SOR/2013-221 December 4, 2013

AN ACT TO PROMOTE EFFICIENCY AND ADAPTABILITY OF THE CANADIAN ECONOMY BY REGULATING CERTAIN ACTIVITIES THAT DISCOURAGE RELIANCE ON ELECTRONIC MEANS OF CARRYING OUT COMMERCIAL ACTIVITIES, AND TO AMEND THE CANADIAN RADIO-TELEVISION AND TELECOMMUNICATIONS COMMISSION ACT, THE COMPETITION ACT, THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT AND THE TELECOMMUNICATIONS ACT

Electronic Commerce Protection Regulations

P.C. 2013-1324 December 3, 2013

His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to subsection 64(1) of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (see footnote a), makes the annexed Electronic Commerce Protection Regulations.

ELECTRONIC COMMERCE PROTECTION REGULATIONS

DEFINITION

Definition of “Act”

1. In these Regulations, “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

FAMILY RELATIONSHIP AND PERSONAL RELATIONSHIP

Family and personal relationships

2. For the purposes of paragraph 6(5)(a) of the Act,

EXCLUDED COMMERCIAL ELECTRONIC MESSAGES

Excluded messages — Section 6 of Act

3. Section 6 of the Act does not apply to a commercial electronic message

Excluded messages — Paragraph 6(1)(a) of Act

4. (1) Paragraph 6(1)(a) of the Act does not apply to the first commercial electronic message that is sent by a person for the purpose of contacting the individual to whom the message is sent following a referral by any individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the person who sends the message as well as any of those relationships with the individual to whom the message is sent and that discloses the full name of the individual or individuals who made the referral and states that the message is sent as a result of the referral.

Existing business or non-business relationship

(2) An existing business relationship or an existing non-business relationship has the same meaning as in subsection 10(10) or (13) of the Act, respectively.

CONDITIONS FOR USE OF CONSENT

Person whose identity is unknown

5. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained it ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

Person who obtained consent

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, the authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

Notification of other authorized person

(3) The person who obtained consent must without delay inform a person referred to in paragraph (2)(c) of the withdrawal of consent on receipt of a notification of withdrawal of consent from the person referred to in that paragraph.

Give effect to withdrawal of consent

(4) The person who obtained consent must give effect to a withdrawal of consent in accordance with subsection 11(3) of the Act, and, if applicable, ensure that a person referred to in paragraph (2)(c) also gives effect to the withdrawal in accordance with that subsection.

SPECIFIED COMPUTER PROGRAMS

Specified programs

6. The following programs are specified for the purposes of subparagraph 10(8)(a)(vi) of the Act:

MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION

Membership

7. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements.

Club, association or voluntary organization

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, if no part of its income is payable to, or otherwise available for the personal benefit of, any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the promotion of amateur athletics in Canada.

COMING INTO FORCE

S.C. 2010, c. 23

8. (1) These Regulations, except section 6, come into force on the day on which sections 6, 7, 9 to 11 and subsection 64(1) of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radiotelevision and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (“the Act”), chapter 23 of the Statutes of Canada, come into force, but if they are registered after that day, they come into force on the day on which they are registered.

Section 6

(2) Section 6 comes into force on the day on which section 8 of the Act, referred to in subsection (1), comes into force.

SCHEDULE

(Paragraph 3(f))

LIST OF FOREIGN STATES

Albania

France

Peru

Antigua and Barbuda

Gambia

Philippines

Argentina

Georgia

Poland

Armenia

Germany

Portugal

Australia

Ghana

Puerto Rico

Austria

Greece

Qatar

Azerbaijan

Grenada

Romania

Bahamas

Guatemala

Russia

Bahrain

Hong Kong

Saint Lucia

Bangladesh

Hungary

Saint Vincent and the Grenadines

Barbados

Iceland

Saudi Arabia

Belarus

India

Serbia

Belgium

Indonesia

Sierra Leone

Belize

Ireland

Singapore

Bhutan

Israel

Slovakia

Bosnia

Italy

Slovenia

Botswana

Jamaica

South Africa

Brazil

Japan

South Korea

British Virgin Islands

Jordan

Spain

Bulgaria

Kazakhstan

Sri Lanka

Burkina Faso

Kenya

Sweden

Burma (Myanmar)

Latvia

Switzerland

Cambodia

Liechtenstein

Tanzania

Cameroon

Lithuania

Thailand

Cayman Islands

Luxembourg

Tonga

Central African Republic

Macedonia

Trinidad and Tobago

Chile

Malaysia

Tunisia

China

Malta

Turkey

Colombia

Mauritius

Turks and Caicos

Costa Rica

Moldova

Uganda

Croatia

Montenegro

Ukraine

Cyprus

Morocco

United Arab Emirates

Czech Republic

Mozambique

United Kingdom

Denmark

Namibia

United States of America

Dominica

Nepal

United States Virgin Islands

Dominican Republic

Netherlands

Venezuela

Ecuador

New Zealand

Vietnam

Estonia

Norway

Zambia

Finland

Pakistan

 

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

1. Issue

Key terms used in Canada’s Anti-spam Legislation (see footnote 1) (CASL) need to be defined in order to provide clarity and legal certainty to effectively combat spam and other related electronic threats in Canada, and to provide relief to businesses through targeted exclusions where the broad application of the Act would otherwise discourage reliance on electronic means of carrying out commercial activities.

2. Background

Unsolicited commercial electronic messages — known as “spam” — have become a significant social and economic issue, and a drain on the business and personal productivity of Canadians. Spam now makes up over 80% of global email traffic, imposing significant costs on businesses and consumers. Spam impedes the efficient use of electronic messages for personal and business communications and threatens the growth and acceptance of legitimate e-commerce. In addition, related electronic threats such as phishing, malware, botnets, identity theft, and online scams have become more sophisticated and widespread, giving rise to a new generation of electronic threats that engage activities such as the installation of computer programs and altering transmission data.

Canada’s Anti-spam Legislation was tabled as Bill C-28 on May 25, 2010, and was granted Royal Assent on December 15, 2010. With passage of CASL and its regulations, Canada will become a leader in anti-spam legislation among member countries of the Organisation for Economic Co-operation and Development (OECD).

3. Objectives

The general purpose of Canada’s Anti-spam Legislation (CASL) is to encourage the growth of electronic commerce by ensuring confidence and trust in the online marketplace. To do so, the Act prohibits damaging and deceptive spam, spyware, malicious code, botnets, and other related network threats.

Subsection 64(1) of CASL identifies matters to be addressed by the Governor in Council through regulations. The objective of these Regulations is to avoid legal uncertainty when interpreting key terms in the anti-spam provisions of the Act and to provide exclusions for certain business activities outside the intended scope of the Act.

4. Description

The Electronic Commerce Protection Regulations include regulations under six regulatory powers in the Act.

Phasing in Canada’s Anti-spam Legislation

In order to permit a reasonable amount of time for businesses and consumers to become both aware of and compliant with these Regulations, most of CASL and these Regulations will come into effect on July 1, 2014. To facilitate compliance with the provisions in CASL related to computer programs, these sections of the Act and the provision related to computer programs in the Regulations will come into force on January 15, 2015. To further reduce uncertainty for Canadian business regarding how CASL will be interpreted, the private right of action will be enacted three years from the initial scheduled enactment of CASL, on July 1, 2017.

Family or personal relationships

The Act requires that the meaning of “personal relationship” and “family relationship” be set out in Regulations to provide legal certainty as to which relationships will be excepted from the anti-spam provisions of the act. The terms are defined in order to establish limits and to prevent potential spammers from exploiting these concepts in order to send electronic messages without consent.

The Regulations define “family relationship” for the purposes of CASL in a broad manner that is in keeping with Canadian law. The definition is a relationship between two people related through a marriage, a common-law partnership, or any legal parent-child relationship, who have had direct, voluntary two-way communications.

The Regulations define “personal relationship” for the purposes of CASL. The definition is a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal. Determining whether the relationship is personal would be based on a non-exhaustive list of factors provided in the Regulations.

Limited exclusions for certain types of messages

Since it applies broadly to all commercial electronic messages (CEMs), the Act could capture a significant portion of business-to-business communications. Under the Act, Regulations can be created to exclude certain types of messages from the requirements of the Act. To ensure regular business communications are not unnecessarily regulated under the Act, the Regulations provide exclusions from all requirements of the Act for commercial electronic messages that are

In addition, the Regulations provide exclusions from all requirements of the Act for commercial electronic messages that are

The provision of CASL that addresses sending CEMs only applies where the CEM is sent from Canada or accessed in Canada. It does not apply when the CEM is simply routed through Canada. To reduce regulatory duplication in situations where CEMs are sent from Canada to other states that have their own regulatory requirements, the Regulations exempt messages sent from Canada to any of the states listed in Schedule 1 of the Regulations that have their own anti-spam legislation, as long as the commercial electronic messages comply with those laws which address conduct that is substantially similar to conduct prohibited under section 6 of the Act. The exemption applies where the person who sends the message or causes or permits it to be sent reasonably believes the message will be accessed in a foreign state that is listed in the schedule to the Regulations.

Third-party referrals

The Regulations provide an exclusion for “third-party referrals.” These are situations where there is an existing relationship (personal, family, business, or non-business) between a person (such as an agent or business), and an individual (such as an existing client), and the existing client refers a prospective client to the agent or person by providing the prospective client’s electronic address information. The existing client making the referral must have an existing relationship (personal, family, business, or non-business) with the prospective client that they are referring to the agent. The Regulation permits the agent or business to send a single message to the prospective client, as long as the agent has both provided the prospective client with the full name of the individual who made the referral, and has included the identification and unsubscribe requirements as set out in the Act.

There are a variety of other ways referral marketing can continue to occur under CASL without the use of the exclusion. For example, the individual making the referral may provide the agent’s contact information to the prospective client, so they can contact the agent themselves, or the person making the referral may ask the prospective client for their consent to have the agent contact them directly.

Membership in a club, association or voluntary organization

The Act indicates that an “existing non-business relationship” includes membership, as defined in the Regulations, in a club, association or voluntary organization, as defined in the Regulations. The Regulations define “membership” as having been accepted as a member in accordance with the membership requirements of the organization. The Regulations also define “club,” “association” or “voluntary organization” as a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any other purpose than profit, if no part of the income of which was payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

Sharing contact lists with unknown third parties

In addition to requiring the collection of consent for sending CEMs, CASL also allows businesses to seek consent to allow other businesses to send CEMs, even where those other businesses are not yet identified when the consent is sought. The “unknown third party” regulation establishes requirements for the collection, and use of consent to allow such unidentified third parties to send CEMs. For example, a gym might seek consent from a client to send them CEMs and, in addition, it might seek consent from that client to allow other businesses to send their own CEMs to that client, such as local clothing or health food stores.

The basic principle for the use of an unknown third party consent is that any time a third-party business uses that consent, they must provide the opportunity for the recipient to withdraw consent from all third parties. Specifically, the Regulations require that the recipient (i.e. the individual who provided consent) must have the ability to unsubscribe from third-party messages, and the mechanism allowing them to do so must be within the CEMs they receive from those third parties. This requires that businesses using this form of consent to send CEMs must be able to alert the original requester that the recipient’s consent to receive messages from unidentified third parties is withdrawn. The Regulations further provide that when consent to receive messages from a third party has been withdrawn by the individual, the original requestor must notify each third party to whom the consent was provided that the consent has been withdrawn.

To extend the above example, suppose a gym seeks the consent of a client to have some local businesses send messages to her, but does not identify those businesses when seeking consent. Later, the gym provides the client’s contact information to a local food store and allows it to send a CEM to the client. The Act requires that the store identify itself and provide an unsubscribe mechanism, as required when sending any CEM. In addition, since the message is sent with consent obtained by the gym, these Regulations require that the food store also identify the gym and provide an unsubscribe mechanism that allows the client to withdraw the consent they provided to the gym allowing third parties to send them CEMs. If the client contacts the food store to completely withdraw their original consent, given to the gym, to receive CEMs from unidentified third parties, the food store must advise the gym of the withdrawal of consent, and then the gym is required to notify each of the businesses to which they already provided consent of that withdrawal of consent.

Specifying the conditions under which consent to receive unsolicited commercial electronic messages can be provided to third parties provides individuals with further control over the use of their electronic addresses. The purpose of these provisions is to ensure that the person who obtains consent on behalf of an unidentified third party remains responsible for ensuring that the person who gave consent has an effective and simple means of withdrawing their consent to receive messages from unidentified third parties. Some stakeholders expressed concern that these Regulations would require third parties to allow the recipient to withdraw their consent to receive messages directly from the person who acquired the third-party consent. To be clear, there is no requirement for the third parties to provide the opportunity to withdraw consent from all commercial messages directly from the person who acquired consent; the requirement is limited to removal of consent to receive messages from third parties.

In the context of the above example, the gym has an existing business relationship with the client as well as their express consent to send them CEMs from the gym. In its electronic messages, the food store is not required to provide an unsubscribe mechanism that would allow the client to stop receiving CEMs from the gym, although they could choose to do so. They are only required to provide mechanisms allowing the client to unsubscribe from further CEMs flowing from the consent that allowed messages from unknown third parties, i.e. from the food store and from further CEMs from other unidentified third parties associated with the gym.

Installation of computer programs

The Act introduces requirements when installing software on another person’s computer system, but only in the course of commercial activity, a defined term that excludes public safety and other purposes. Specifically, the Act requires the express consent of the owner or authorized user of a computer system before a computer program is installed, and specifies the form that consent must take in different circumstances.

The Act further provides that a person is considered to consent to the installation of certain listed types of programs. The Regulations add to this list of programs, creating a limited exclusion from the requirement to seek express consent. This form of deemed consent applies as long as a person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

The Regulations provide deemed consent for any companies or individuals who together or independently provide a telecommunications service, defined in the Act as a telecommunications service provider (TSP), to install a computer program for the limited purposes of protecting the security of all or part of its network from a current and identifiable threat to its availability, reliability, efficiency, or optimal use.

The Regulations also provide deemed consent for TSPs to install software on devices across all or part of a network for update and upgrade purposes.

As noted above, CASL defines TSPs to be any persons who together or independently provide telecommunications services. These services include features of services delivered by means of telecommunications facilities including network routers and servers, regardless of whether the provider owns, leases or has any interest in or right to the equipment and software used to provide the telecommunications service.

The Regulations also provide deemed consent for any company or person to install programs that are necessary to correct a failure in the operation of a computer system or a computer program that is already installed. This will allow software providers to take positive steps to ensure the safe and proper functioning of their computer programs and the systems they operate on, consistent with consumer expectations.

5. Regulatory and non-regulatory options considered

Regulations are required in order to bring the Act into force. The Regulations are necessary to provide legal certainty in interpreting key terms in the provisions of the Act and to provide exclusions for certain business activities that would otherwise be prohibited by the Act. No non-regulatory options have been considered for defining these terms for the purposes of implementing the Act. Industry Canada and the Canadian Radio-television Telecommunications Commission (CRTC) have issued guidelines and other guidance material to provide clarity where appropriate; see crtc.gc.ca and fightspam.gc.ca for details.

6. “One-for-One” Rule

The “One-for-One” Rule does not apply to this proposal, as there is no change in administrative costs to business. The Regulations define key terms and do not impose any reporting or other administrative requirements on businesses.

7. Small business lens

The small business lens does not apply to this proposal as the Regulations would not increase administrative or compliance burden on small business. The Regulations provide exclusions to the compliance requirements of the CASL.

8. Consultation

Regulations are necessary to enact Canada’s Anti-spam Legislations, which was the subject of extensive consultations and debate. Hearings were held with interested stakeholders by the House of Commons Standing Committee on Industry, Science and Technology and by the Senate Standing Committee on Transport and Communications during their review of the legislation from when it was tabled as C-27 in 2009 to when it was passed in the next session of Parliament, as Bill C-28, in December 2010. Overall, consultations that have taken place over the past six years surrounding the legislation and the policy on which it is built have shown strong support for anti-spam regulation from consumers, Internet service providers, marketers, businesses, educators, the financial sector, legal and consumer groups, and enforcement agencies.

The Regulations provide clarity and legal certainty to key terms and concepts contained in the legislation. Proposed Regulations were published for consultation in Part I of the Canada Gazette from July 9, 2011, to September 7, 2011. (see footnote 2) Fifty-five submissions were received, leading to a second consultation process on revised Regulations from January 5, 2013, to February 4, 2013. (see footnote 3) During that time, Industry Canada received another 150 submissions responding to the proposed Regulations. In addition to providing submissions during the regulatory consultation, several stakeholders requested bilateral and multilateral meetings to further discuss their concerns. Industry Canada officials met with all organizations that requested a meeting. Stakeholders who participated in these consultations included representatives of the retail, financial services, legal services, real estate, telecommunications, information technology, and general business sectors as well as public interest groups and private citizens. These meetings and written submissions provided input to the process of developing and refining the Regulations.

Phasing in Canada’s Anti-spam Legislation

In order to permit a reasonable amount of time for businesses and consumers to become both aware of and compliant with these Regulations, most of CASL and these Regulations will come into effect on July 1, 2014. To facilitate compliance with the provisions in CASL related to computer programs, these sections of the Act and the provision related to computer programs in the Regulations will come into force on January 15, 2015.

Stakeholders expressed concern regarding the private right of action (PRA), citing concerns with the potential of class action lawsuits combined with the possibility of administrative monetary penalties and a general uncertainty as to how the legislation will be interpreted and applied by the courts. In order to foster better understanding of how the Act will be interpreted and enforced, a longer transition period is provided for the PRA. Accordingly, the sections of the Act that provide for the PRA will come into force on July 1, 2017, three years after the rest of the anti-spam provisions of the Act come into force. During that period, the enforcement agencies will enforce the Act.

Definition of “family and personal relationships”

The Regulations address stakeholder concerns about the definitions of “family relationship” and “personal relationship” in earlier versions of the proposed Regulations. In the consultation, some stakeholders argued that the definition of “family” was too limited and may not include modern conceptions of family without arbitrary limitations. The challenge in addressing these concerns is to ensure the definition is consistent with Canadian law and remains limited to close family or personal relationships, as intended under the Act. These Regulations eliminate the arbitrary requirements and limitations and include factors to be considered in determining if a relationship is a “personal relationship” for the purposes of the Act. In addition, other than being considered as a factor, the Regulation does not provide for the recipient to opt out of the exemption, since the regulatory authority refers to defining such relationships, which does not include adding conditions.

Exclusions to address stakeholder concerns

The key issues and concerns that were raised by stakeholders are addressed in the exclusions and revised definitions in these Regulations. The requests for new exclusions to consent provisions of the legislation were carefully weighed against the objectives of the Act. The requirement for consent (either express or implied) is fundamental to the Act. Any exclusions must be clearly targeted towards specific activity not intended to be captured in order to maintain the integrity of the legislative regime. As a result, not all requests for exclusions are accommodated in these Regulations.

Since it applies broadly to all commercial electronic messages, the Act could capture a significant portion of business-to-business or non-business communications. To ensure these and other regular business and non-business communications that do not discourage the use of electronic means to carry out commercial activities are not unnecessarily regulated under the Act, the Regulations provide exclusions for commercial electronic messages that are sent within organizations or sent between organizations that already have a relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the activities of the organization who receives the message. These exclusions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications. These exclusions would also address confusion as to whether organizations can send CEMs to their employees if the subject matter of those CEMs is not related to the core business. For example, if a business is hosting a pancake breakfast for employees and sends an email selling tickets, that message is a CEM that may be sent without consent because the message relates to an activity of the organization.

Stakeholders, namely the financial and banking industries, have argued that CEMs sent over closed messaging systems (e.g. banking Web sites) should be exempted from CASL because these platforms pose no risk of abuse to consumers and were developed to avoid threats that are similar to the goals of CASL. In many cases, there will be an existing business relationship between the customer and the person operating the messaging system. To address this concern, an exclusion from CASL is introduced for messages that are sent to limited access and confidential accounts where only the person who provides the account to the recipient can send messages.

Companies in the telecommunications sector also argued that the ID and unsubscribe requirements in CASL are unnecessarily redundant on certain platforms, where the ID and unsubscribe requirements can be conspicuously published and readily available on the user interface of the platform when a message is received, but not necessarily in every message sent. To address this concern, an exemption from these requirements under CASL is introduced where the required identification and unsubscribe information is conspicuously published and readily available to the recipient through the interface itself.

Stakeholders were concerned that they could not directly act upon referrals from friends, family and clients without first garnering consent. The “third-party referral” exclusion provided strikes a balance by allowing third-party referrals without undermining the requirements that are laid out in the Act. The condition permitting the sending of only one message means the agent or business could only send more messages if the recipient indicated that they wished to receive them. To the recipient, the fact that the sender has to identify the individual who has provided the referral by full name allows the recipient to distinguish these messages from typical spam messages. It also permits the recipient to contact the person providing the referral directly to notify them that they do not wish to be referred by that individual in the future. In addition to providing this exclusion, Industry Canada is working with the CRTC to explore the use of interpretational guidelines and other guidance material to provide clarity regarding how referral marketing can occur under CASL.

Industry stakeholders raised concerns that the Act captures non-transactional business communications that are required by law or that are sent to enforce a legal right. For instance, in some circumstances, businesses are required to send messages that may be seen as commercial electronic messages, such as electronic bank statements. In other cases, businesses may choose to use electronic communications to enforce legal rights, such as sending notification of violations of copyright. To ensure that CASL does not interfere with these business practices, the Regulations include exclusions for messages sent due to a legal obligation or to enforce a pending or existing legal right. Of course, as a general principle, the legal obligation referred to above would not be contrary to CASL.

Another exclusion concerns responses to inquiries. While the legislation provides an exclusion for individuals to contact businesses to inquire about their business, no exclusion is provided for businesses to respond to such inquiries. Furthermore, since consent is defined in the Act, there is no existing mechanism to infer consent for these communications. Requiring unsubscribe mechanisms or consent in these circumstances would impede legitimate business, would not be consistent with consumer expectations, and would not advance the goals of the legislation. To address these concerns, the Regulations provide an exclusion for messages sent in response to requests. If a person is replying to a customer inquiry, the person can send them a CEM related to their inquiry, and extra information (such as price lists and a link to a Web site) may be included if the customer could reasonably expect to receive such information as a result of their inquiry.

Charitable organizations argued that the Act would have a disproportionate impact on their activities since it would be more difficult for them to train volunteers, including directors and officers, on compliance with the Act and to implement internal controls. In addition, their activities as charities are already regulated. CASL provides that registered charities have implied consent to send messages to those who have volunteered or donated to them within the past two years, but they argued the Act would still restrict their fundraising abilities. To address these concerns, an exemption is introduced in these Regulations for fundraising messages sent by or on behalf of registered charities, regardless of whether the recipient previously donated to or volunteered for the organization.

A similar exemption is introduced in these Regulations for commercial electronic messages sent by or on behalf of a political party or organization, or a person who is a candidate — as defined in an Act of Parliament or the legislature of a province — for publicly elected office and the message has as its primary purpose soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act.

Another issue concerns the ability for businesses in Canada to send CEMs to recipients outside of the country. Some stakeholders argued in their submissions that CASL would put Canadian businesses at a competitive disadvantage sending commercial electronic messages outside of Canada on behalf of foreign businesses. They also argue that it would create regulatory burden by requiring businesses to comply with both the foreign laws and CASL. In order to address this issue, an exclusion is provided in these Regulations for messages sent from Canada to foreign states and in compliance with local laws that regulate essentially the same conduct that is prohibited under section 6, notably, the United States, the United Kingdom, the European Union, Japan, China, Korea, Australia and New Zealand. For additional information on which countries have laws that cover conduct substantially similar to section 6 of CASL, refer to Schedule 1 of the Regulations.

Specified computer programs

Under CASL, express consent is required for software installed on another person’s computer system in the course of a commercial activity. There are requirements for the form of the request for consent, additional descriptions for certain software functions, special conditions for updates and upgrades to software, and deemed consent for certain specified programs. In addition, there is a three-year transitional period allowing updates and upgrades to programs installed prior to the coming into force of CASL. Finally, note that the requirements under CASL for the installation of computer programs only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.

Stakeholders, especially those that offer a telecommunications service as defined by the Act, expressed concern that CASL would impair their ability to take action to address threats to the security of their networks, which would be counter to the purpose of the Act. Note that CASL provides a broad definition of a telecommunications service provider (TSP), which includes any persons who, together or independently, provide a telecommunications service. These services include features of services delivered by means of telecommunications facilities including network routers and servers, regardless of whether the provider owns, leases or has any interest in or right to the equipment and software used to provide the telecommunications service.

To address the concern raised with respect to network security, the Regulations provide for deemed consent for TSPs (as defined by CASL) to install computer programs to protect the security of the network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network.

Stakeholders also argued that it is reasonable to assume that a person would consent to the installation of computer programs to update or upgrade a TSP’s network. To address this concern, the Regulations provide for deemed consent for TSPs to install computer programs to update or upgrade their networks.

Stakeholders expressed concern that CASL would hamper their ability to install software updates or upgrades necessary for the safe or proper operation of computer programs and systems. Note that the Act only applies to computer programs installed in the course of commercial activity, a defined term that excludes public safety and other purposes, and therefore issues of public safety. However, for software issues that are not matters of public safety, the Regulations provide for deemed consent for the installation of computer programs that are necessary to correct a failure in the operation of a computer system or program that is already installed. This will allow software providers to take positive steps to ensure the safe and proper functioning of their computer programs and the systems they operate on, consistent with consumer expectations.

Some stakeholders argued that they should not be required to get consent every time they install an update or upgrade. CASL provides a three-year transitional period to continue updates and upgrades to existing computer programs, after which they will be required to get express consent to continue updates in the future if they do not fall under one of the exemptions.

For updates and upgrades to computer programs installed after CASL comes into force, the Act allows companies to get the consent of the owner or authorized user for future updates or upgrades to the computer program at the same time they obtain consent for the original installation, or when the user is downloading. That is, when a computer program is installed, consent must in general be requested in accordance with the Act, but there are no requirements for the form of a request for consent to install updates and upgrades, whether that consent is requested in advance or when the update or upgrade is installed.

Note that the reasonability test that is built in to the deemed consent provision of CASL also applies as a mechanism to reduce the risk of abuse of deemed consent in these Regulations. In addition, the requirements of subsection 10(4) of the Act to describe functions in subsection 10(5) only come into play when consent has to be requested. Furthermore, the notice requirements in subsection 10(4) only apply when the person seeking consent knows and intends for the function listed in subsection 10(5) to cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer system.

Issues to be addressed in compliance guidelines

To clarify the intended scope of the Act, guidelines are more appropriate than Regulations. Industry Canada and the CRTC have issued interpretational guidelines and other guidance material to provide clarity where appropriate. It should also be noted that the previous guidance issued by the CRTC on October 10, 2012, are not legally binding. Furthermore, the examples provided in the information bulletins are not meant to be exhaustive. They are examples of mechanisms and, in many cases, recommended or best practices that clearly meet the requirements set out in CASL. Other mechanisms may satisfy the legal requirements imposed by CASL.

Together, the CRTC and Industry Canada will issue new Frequently Asked Questions and Responses on the CRTC and Fightspam.gc.ca Web sites.

Stakeholders have expressed concern about what does and does not constitute a “commercial electronic message.” In particular, some have interpreted the term to include any messages sent in the course of a commercial activity, leading to concerns that it includes messages such as confirmations of successful unsubscribes or courtesy short message service (SMS) messages sent to roaming customers. Stakeholders, primarily from the telecommunications sector, are concerned that certain limited transactional and service messages are unintentionally captured by CASL.

Under the Act, a message is only a CEM if it would be reasonable to conclude that it has as its purpose or one of its purposes to encourage participation in a commercial activity. To the extent that a message is sent in a pre-existing commercial context but does not fall within the definition of a CEM provided in subsection 1(2) and subsection 1(3) of CASL, it is not a commercial electronic message for the purposes of the Act. The mere fact that a message involves commercial activity, hyperlinks to a person’s Web site, or business-related electronic addressing information does not make it a CEM under the Act if none of its purposes is to encourage the recipient in additional commercial activity. If the message involves a pre-existing commercial relationship or activity and provides additional information, clarification or completes the transaction involving a commercial activity that is already underway, it would not be considered a CEM since, rather than promoting commercial activity, it carries out that activity. Moreover, surveys, polling, newsletters, and messages soliciting charitable donations, political contributions, or other political activities that do not encourage participation in a commercial activity would not be included in the definition.

However, electronic messages may come within the definition of a CEM if it would be reasonable to conclude that one of the purposes is to encourage the recipient to engage in additional commercial activities, based on, for example, the prevalence and amount of commercial content, hyperlinks or contact information. To be clear, if the purpose or one of the purposes is to advertise, promote, market or otherwise offer a product, good, service, business or gaming opportunity or interest in land, these messages are clearly CEMs. Most notably, the Act aims to limit the opportunity to advertise, market, promote, or otherwise offer products or services under the guise of a non-commercial electronic message. If it is reasonable to conclude that the message has one of those purposes, then the message would be considered to be a CEM and, subject to exclusions, the requirements of the Act would apply.

Stakeholders also expressed concern that it would be difficult to satisfy identification and unsubscribe requirements proposed by the CRTC to identify all their business affiliates in a single CEM. To address this, only persons who play a material role in the content of the message or the list to whom the message is sent are required to be identified as “senders” or “affiliates” under section 6 of CASL. However, when a CEM is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a CEM. Where it is not practicable to include this information in the body of a CEM, a hyperlink to a page on the World Wide Web containing this information that is readily accessible at no cost to the recipient may be included in the CEM.

Companies in the telecommunications sector also expressed concern regarding the requirements when sending SMS or common short code (CSC) messages. To clarify, as provided in the CRTC Regulations, these messages can incorporate required information, such as identification and contact information, and the unsubscribe mechanism in a text message by including a clear and prominent hyperlink to the required information on a Web site that is readily accessible at no additional cost to the recipient.

Another concern is how CASL might apply to CEMs on popular social networking services or instant messaging services. Where they are not sent to electronic addresses, the publication of blog posts or other publications on microblogging and social media sites does not fall within the intended scope of the Act.

There has also been concern from some businesses, such as auto manufacturers, that are often in touch with former employees after the employment relationships ends, to offer discounts or promotions on products. If the employer has a contract with its employees, then they have implied consent to send CEMs due to an existing business relationship (EBR) with their current and recent former employees. If the employment contract is currently in existence or it expired or terminated within the two-year period immediately before the day on which the message was sent, then the sender has implied consent to send CEMs during employment and for a period beginning two years from the end of the employment. In addition, since the contract creates an existing business relationship, the transitional provision in section 66 will apply to former employees when CASL is enacted.

Auto manufacturers were also concerned that the three-year transitional period in section 67 would limit their ability to continue to install updates or upgrades to computer programs on automobiles. To address this concern, these Regulations specify that express consent of an individual is deemed for updates and upgrades to computer programs that are installed across all or part of the auto manufacturer’s network, and the installation of computer programs to correct failures in the operation of the computer system or an existing program. It should also be noted that auto manufacturers may be TSPs for the purposes of CASL when they run computing networks such as GM’s OnStar or Ford’s Sync. In addition, the software on some computer dedicated systems in automobiles may be “operating systems,” such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act. In addition, the Act only regulates the installation of software in the course of a commercial activity, the definition of which excludes public safety, among other purposes.

Some stakeholders have argued that express consents obtained under the Personal Information Protection and Electronic Documents Act (PIPEDA) should be valid as consent under CASL. In some cases, where there is neither an exclusion nor any form of consent under CASL, some businesses that may have been compliant with PIPEDA when seeking consent to collect or to use electronic addresses to send commercial electronic messages may no longer be able to contact those addresses under CASL. Express consents, obtained before CASL comes into force, to collect or to use electronic addresses to send commercial electronic messages will be recognized as being compliant with CASL.

Some stakeholders argue that CASL would have a negative impact on their ability to engage in electronic commerce as they have developed recipient lists that have been lawfully assembled in recent years, but would effectively be nullified under the CASL regime. In fact, under CASL, certain forms of consent previously obtained in accordance with privacy law could meet CASL requirements and, in other circumstances captured under subsections 10(10) and (13), businesses have three years after the coming into force of the Act to verify and confirm consent. The intent of the three-year transitional period is to obtain consent. This will be reinforced through compliance guidelines.

Some stakeholders were concerned that although CASL denotes that existing business relationships transfer to the purchaser upon the sale of a business, no such expression exists for express consents. For the purposes of CASL, express consents will transfer upon the sale of a business, should the contract of sale include a provision transferring these as a business asset. Note that compliance with the Personal Information Protection and Electronic Documents Act continues to be required where personal information is transferred between organizations.

Stakeholders also expressed concern that once a person unsubscribed from a mailing list, the business would not be permitted to send commercial electronic messages to the person, even following a subsequent transaction. For the purposes of CASL, implied consent due to an existing business relationship is reinstated with every new or subsequent transaction that would qualify them under subsection 10(10) of CASL.

Some stakeholders were also concerned that they would be unable to contact former business clients outside the 24-month period for existing business relationships. If your former business or non-business contact disclosed their email address or other electronic address to you, or they conspicuously published their address, then you may have implied consent to contact them as long as the message is relevant to their work, and they did not indicate that they do not want to receive commercial electronic messages at that address. In addition, note the three-year transitional period provided for in section 66 of CASL.

Stakeholders were also concerned that some have interpreted electronic addresses in CASL to include Internet Protocol (IP) addresses. Insofar as IP addresses are not linked to an identifiable person or to an account, IP addresses are not electronic addresses for the purposes of CASL. As a result, banner advertising on Web sites is not subject to CASL.

Some stakeholders have also highlighted concerns that “cookies” might be interpreted as computer programs for the purposes of CASL. As subsection 10(8) of CASL states, a person is considered to expressly consent to the installation of a computer program if the program is a “cookie,” and the conduct of the person indicates their consent to its use. Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a Web browser, they are not computer programs for the purposes of CASL.

Stakeholders also noted concerns regarding their liability in “forward-to-a-friend” (FTAF) marketing campaigns. Some stakeholders argue that they should not be held liable should they introduce a “forward-to-a-friend” (FTAF) campaign, where they ask clients, customers or people who are signing up to a contest or similar activity on their Web site to forward the CEM to friends and family. They suggest CASL would hold them liable as they are the party that is causing the CEM. A due diligence defence exists in CASL; if those who promote FTAF campaigns provide prospective clients and contestants with the limitations defined for family and personal relationships (as set out above) they can use these to reduce their liability.

Some stakeholders have also argued that CASL may create unintended consequences for self-operating home offices or businesses by requiring these to identify a physical mailing address when sending a CEM. The CRTC has since altered their original requirements, and will permit P.O. boxes or head offices to be identified rather than the home of the individual sending the CEM.

Issues that are not addressed in the Regulations or compliance guidelines

Some issues that were raised by stakeholders are not addressed in the Regulations. While a full review of these issues was undertaken and regulatory options were explored, these were issues that were within the intended scope of CASL.

One such issue raised by stakeholders concerned the application of the Act to messages sent by foreign businesses and accessed while the recipient was visiting Canada. The concern was that, pursuant to section 12, CASL would be interpreted to apply to messages sent from or received in Canada and that, as a result, the Act would apply to a message sent from a foreign country to a resident of that country even if the message was sent in compliance with their local laws, but accessed while the recipient was visiting Canada. An exemption was proposed in the draft Regulations prepublished in the Canada Gazette, Part I, to exclude messages sent when the sender could not reasonably have been expected to know they would be accessed in Canada. It was determined that this exemption is not necessary.

Some stakeholders argued that the previously prepublished proposed Regulations for CEMs sent by “unknown third parties” was too complex and would result in increased compliance costs for businesses. It has been decided not to alter the original proposed Regulation. The principle behind the original Regulations was that it must be as clear as possible who will be using a person’s consent, and a person must be able to use the unsubscribe mechanism in a CEM to withdraw the third-party consent they originally provided. While the Regulations may require businesses to track consents as they are shared among third parties, the burden is not unduly onerous, and no alternative regulatory approach was identified. In addition, sharing consents among unknown third parties is not consistent with the existing industry best practices, which encourage businesses to centralize the management of consents with the sending organization. Please see the more extended explanation above of this regulatory provision.

Some stakeholders have argued that they should be able to send messages to recruit individuals for employment opportunities. Depending on the circumstances, most employment recruitment messaging would not fall into the definition of CEM in CASL as these would not normally offer, advertise, market or promote a product or service. “Recruiting spam” is an ongoing fraud whereby scammers hire online shoppers to make purchases using their own credit card, but the incoming cheques for the online shopper bounce. These types of scams lure innocent Canadians and are also often used to launder money.

Some stakeholders sought significant alterations to the entire legislative scheme seeking a change from requiring prior consent (“opt-in”) to one where no prior consent would be required (“opt-out”). Changing this framework would be inconsistent with the purposes of the Act as approved by Parliament.

9. Rationale

These Regulations provide clarity and legal certainty regarding key terms in Canada’s Anti-spam Legislation in order to effectively combat spam and related threats in Canada, and provide relief to businesses through targeted exclusions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation. While the incremental impacts of these Regulations in terms of benefits and costs are expected to be very modest, it is anticipated that the benefits of the exclusions from the legislative regime will outweigh the costs.

10. Implementation and enforcement

These Regulations and most of CASL will come into effect on July 1, 2014. To facilitate compliance with the provisions in CASL related to computer programs, these sections will come into force on January 15, 2015. To further reduce uncertainty for Canadian business regarding how CASL will be interpreted, the private right of action will be enacted three years from the initial scheduled enactment of CASL, on July 1, 2017. Information regarding obligations for businesses and individuals under CASL are available on the “Fight Spam” Web site, at http://fightspam.gc.ca. A “Spam Reporting Centre,” education and awareness campaigns, as well as training of compliance and enforcement personnel will be completed prior to enactment.

11. Contact

John Clare
Director
Privacy and Data Protection Directorate
Digital Policy Branch/Spectrum, Information Technologies and Telecommunications
Industry Canada
Telephone: 613-948-2779