Businesses that send unsolicited e-mails or other digital messages could face fines as high as $10 million when Canada’s new anti-spam law starts being enforced later this year.
Bill C-28 received royal assent Dec. 15, giving Canada the legislation against spam that many experts say is long overdue. Canada joins other countries such as Australia and the U.S. in creating a legal framework for penalizing spammers with fines. Individuals violating the law could be fined a maximum penalty of $1 million, while organizations could be on the hook for $10 million. Spammers could also be taken to civil court by private citizens.
A trio of arm’s-length government organizations will work together to enforce the law under Industry Canada’s supervision. The Canadian Radio-television and Telecommunications Commission will handle basic complaints about spam, the Competition Bureau will enforce against fraud and misleading commercial messages, and the Office of the Privacy Commissioner of Canada will ensure e-mail addresses are not collected without consent.
The new law is well balanced and has a wide definition of spam that requires prior consent to the receipt of all commercial messages, the Ottawa-based Public Interest Advocacy Group writes in a report.
“The Conservatives said they want to force spammers out of Canada,” says John Lawford, author of the report and counsel for PIAC. “I don’t know if they’ll do that, but they’ll make it less enticing to spam here.”
Businesses will need to have explicit consent before sending commercial messages to an e-mail address, social networking account, or a mobile phone. Exceptions to the rule are made if there’s an existing business relationship, meaning some transaction within two years of the message being sent.
The law may be effective at preventing businesses from sending unwanted e-mails, says Matt Sergeant, senior anti-spam technologist from Symantec Hosted Services. But it is unlikely to be effective at stopping botnet spam driven by hackers – the vast majority of spam and the source of almost all malware related to spam.
“This isn’t necessarily about the botnet spammers, but the people who aren’t using totally legitimate practices in sending out their e-mails,” he says. “It’s really about setting down the ground rules for those companies.”
Even if botnet spam is not affected, consumers will still likely notice a reduction of spam making it to their inboxes. Security solutions installed on endpoint machines or deployed by e-mail providers are good at blocking malicious spam, while grey-area spam from legitimate businesses squeaks by.
Bill C-28 does set aside money for the enforcement agencies, allowing them to put together teams and effectively penalize spammers, Sergeant says.
The CRTC wasn’t able to tell ITBusiness.ca what resources it will receive by time of press. But it expects to begin enforcing the law in about eight months. The CRTC will be responsible for enforcing the law against spam that contains malware.
Anti-spam enforcers should act swiftly and dole out some fines to offenders in order to send a message that the new law is serious, Lawford recommends.
“I think they can fairly quickly identify some or many marketers that might not immediately follow all the rules,” he says. “That will get marketing firms to put procedures in place to stop spam.”
The Competition Bureau will be given $1.3 million to begin the enforcement program, according to Gabrielle Tasse, senior communications adviser at the Bureau. It will have two enforcement units, each with five officers tasked with investigating misleading commercial messages related to spam. The Bureau’s existing forensic analysis team will also be used to assist with investigations.
“Anything that are false or misleading solicitations online will be covered,” she says. “Things should be up and running six to eight months from now.”
The Privacy Commissioner of Canada will receive $700,000 this year and $2 million in future years to hold up its end of the enforcement regime, says Anne-Marie Hayden, communications director with the office. It will hire six full-time staff and focus on educating the public about the new law.
Eventually, Industry Canada could have a one-stop shop where consumers make complaints about any unwanted commercial communications, Lawford says. The government body is already mandated to put a stop to unethical telemarketing practices with the Do Not Call List, which is enforced by the CRTC.
Death of e-mail lists
While purchasing lists of e-mails was always a dubious practice, it is now almost certainly illegal, according to Sergeant. Now that businesses must be certain they have consent from those they e-mail, it’s just not worth the risk to use them.
“Make sure you’re not buying lists of e-mail addresses, or you do have the potential to be taken to court,” he says. “There’s no purchased list that’s considered 100 per cent clean and safe to e-mail to.”
Canada’s anti-spam law is one of the best on the international scene, the security researcher says. It will give its enforcement bodies the power and resources to prosecute foreign organizations spamming Canadians as well.