The period for public comment on Canada’s new Anti-Spam and Online Fraud Act recently ended, and the new legislation is expected to become law this fall. It will be among the world’s strictest anti-spam laws, and many businesses will need to change their e-mailing practices.
Bill C-28, as it is also known, is tougher than many other countries’ anti-spam laws in that it requires recipients explicitly to opt in to receiving e-mails and other electronic communications rather than simply requiring that they be given an opportunity to opt out, says Barbara McIsaac, counsel at law firm Borden Ladner Gervais in Ottawa.
The law has teeth: An individual can be fined up to $1 million for violations, an organization up to $10 million.
If the sender of the message has done business with the recipient in the past two years, consent to receive commercial e-mail is implied. But since that implied consent now expires after two years, businesses that rely on it will now need a way of tracking their business dealings with people on their mailing lists and either removing their names from the list or obtaining their explicit consent to keep sending them messages before the two years are up.
Asking first is the best policy
Businesses should review their procedures to ensure they know how they obtained contact information and when they last did business with each customer on their lists, says Robert Percival, partner and co-chair of the Canadian technology team at international law firm Norton Rose in Toronto.
McIsaac says Borden Ladner Gervais is advising clients to seek explicit consent from everyone on their lists before the law comes into effect, and start asking all new customers for explicit consent to e-mail them.
Asking first has always been the best policy, says Lisa Kember, regional development director in southern Ontario for Constant Contact, a Waltham, Mass., company that sells software for e-mail marketing.
Even though recipients have agreed to receive commercial e-mail or other communications, the new law says each message must offer an easy way to unsubscribe from future mailings. It also requires that the sender’s physical address – not just electronic contact information – be included in the e-mail. And McIsaac says it’s not quite clear whether a business that uses a third party to send marketing e-mail must include that third party’s contact information as well as its own.
Percival notes that Canadian businesses using third parties outside Canada shouldn’t assume their contractors will be aware of the new law.
Verbal consent may not be enough
While much of what the law requires is simply good business practice, it could make seemingly innocuous activities illegal. For instance, if a sales representative exchanges business cards with a prospective customer at a conference or trade show and then e-mails the prospect later, it may not be easy to show that the prospect consented, McIsaac says.
The law provides that consent is implied if the recipient of e-mail has published his or her e-mail address prominently without asking not to receive unsolicited messages. Handing someone your business card would probably qualify, Percival says. However, if challenged, the onus would be on the e-mail sender to prove the recipient didn’t ask not to receive messages, McIsaac says – and even a verbal “send me an e-mail” would be hard to prove.
Businesses may want to avoid ambiguity by having trade-show visitors fill out a form requesting information rather than just collecting cards, she says.
The law has exceptions where the sender and recipient have a family or personal relationship. Personal relationships could include non-business contact like playing golf together or belonging to the same service club, if they involve regular contact within the last two years.
Businesses should be reviewing procedures and training staff on the new requirements, and McIsaac suggests they talk to their insurers about coverage for possible inadvertent violations.