Leaders in privacy, compliance & information governance solutions

Welcome. Log in or create an account for AccessPrivacy.com

Canada Introduces New Anti-Spam Legislation

May 25, 2010

The Government of Canada introduced the Fighting Internet and Wireless Spam Act (FISA) on May 25, 2010.  FISA is the re-introduction of the former Electronic Commerce Protection Act (ECPA), which had previously received Third Reading in the House of Commons but died in the Senate when Parliament was prorogued in December 2009.  For the most part, FISA mirrors the ECPA as it had been tabled in the Senate prior to prorogation.

The centre-piece of the Act are prohibitions aimed at preventing spam. FISA specifically regulates the sending of commercial “electronic messages," defined to include text, sound, voice and image messages sent to an email, instant messaging, telephone or similar account.

The Act also contains prohibitions on the unauthorized installation of computer programs (for example, spyware and other surreptitiously installed software) and the alteration of transmission data without prior consent.  In order to combat phishing, the Act amends the Competition Act to create new prohibitions against sending false sender or subject matter information or false or misleading content in an electronic message.  By addressing a broad range of Internet issues, FISA goes beyond anti-spam legislation in the U.S. that focuses only on e-mail spam.

The Act requires express consent to the delivery of electronic messages, subject to limited exceptions.  Most notably, businesses, charities and political parties with an established relationship with a recipient are generally permitted to rely on implied consent for the delivery of electronic messages for a period of two years after a purchase, donation or termination of the relationship, at which point express consent must be sought. The Act also sets out a number of exceptions to the consent requirement such as for commercial inquiries, applications, quotes, confirmations of transactions, warranty or product recall information, messages between those who have personal or family relationships, and messages that provide notification of factual information about an existing product, goods or a service.

Electronic messages sent must identify the sender and provide accurate contact information as well as a working unsubscribe mechanism.

The penalties for FISA violators are significant. The Act would allow the Canadian Radio-television and Telecommunications Commission (CRTC) to impose administrative monetary penalties of up to $1 million per violation for individuals and $10 million for businesses. There is also a private right of action that would allow consumers and businesses to take civil action against anyone who violates the FISA, including statutory damages of $200 for each violation of the unsolicited electronic message provision of the Act, up to a maximum of $1 million each day.

FISA, once passed, will impose new compliance requirements, and organizations that send electronic messages should consider starting to plan for these changes now.  In particular, organizations that are sending commercial electronic messages should consider whether express consent is required or whether they can rely on a prescribed form of implied consent or one of the exceptions to the consent requirement. 

Organizations must also confirm their electronic messages and consent notices meet the Act’s form and content requirements. A review of privacy policies and related consent procedures is also advisable.

In addition, organizations that install computer programs on another person’s computer-based device (in the course of their commercial activities) should review their consent and disclosure practices to confirm compliance with the Act. 

For additional information download our full briefing note here.

Anti-Spam; Legislation; Share This