Embed Size (px)
DESCRIPTION
a
Citation preview
PROPOSED ELECTRONIC COMMERCE PROTECTION REGULATIONS
COMMENTS SUBMITTED BY
LORNE SALZMAN1 AND BARRY SOOKMAN2
7 September 2011____________________________________________________________________________
1. We submit these comments in connection with the Electronic Commerce Protection
Regulations that are proposed by both Industry Canada3 and the CRTC4.
2. We are two Canadian lawyers who have carefully followed the development of Canada’s
Anti-Spam Law in Bill C-28 (“CASL”), and the proposed regulations under that law. We have
spoken and written on these topics.5 We have also assisted clients in understanding the law
and regulations and in formulating compliance programs. Through these experiences, we have
developed our views on the proposed regulations and, of greater importance, the omissions
from the proposed regulations. We submit these comments as individuals with a view to
improving the regulatory framework of CASL. As such, these comments do not necessarily
represent the views of any client, the firm in which we practice law, or any other party.
Summary
3. CASL is intended to deter spam and encourage electronic means of engaging in
commerce, while not negatively impacting legitimate businesses. Recognizing the importance
of these objectives, we are concerned that CASL and the proposed regulations impose costs
and inefficiencies that exceed the benefits. Accordingly, we make a number of
recommendations that are intended to recalibrate CASL. We propose the addition of new
regulations, and the modification of proposed regulations, that will better target the anti-spam
provisions of CASL against undesirable conduct involving commercial electronic messages. Our
specific recommendations are summarized below.
1 [email protected] 2 [email protected] Canada Gazette, Part 1, 9 July 20114 Telecom Notice of Consultation CRTC 2011-400, 30 June 20115 See for example “Rethinking FISA” at http://www.barrysookman.com/2011/05/25/rethinking-fisa/
- 2 -
4. Start-up companies will be impacted by CASL as they do not have existing lists of
customers and contacts on which to draw. They will therefore be forced into more expensive
mechanisms to reach their intended audiences, for example, by using the post. Given the
importance of encouraging start-up businesses in Canada, a limited start-up business exception
to CASL’s consent requirements is worthwhile. This would be accomplished by exempting 1000
messages per month from CASL’s consent requirements, while still maintaining CASL’s
formality and unsubscribe requirements.
5. Opt-in messaging networks do not easily fit within the CASL framework which was
designed with emails in mind. Consequently, users who use them will face risks of offending
CASL, and operators will face risks of aiding conduct that is contrary to CASL. The presence of
such risks will deter users of messaging networks from beneficially exploiting them in Canada.
6. We make recommendations to exempt many of these messaging networks from CASL.
Most messaging networks contain protections that limit unwanted commercial electronic
messages from being carried over their networks. For example, some networks have rules that
prohibit certain types of commercial electronic messages, which rules are actively enforced. In
other cases, the networks may only permit messaging among consenting parties. Where such
protections are in place, CASL’s requirements are not needed, and can be counter-productive.
7. Because CASL applies to commercial electronic messages sent from Canadian servers,
senders of messages to non-Canadians will seek to avoid using such servers, whether they are
dedicated to one company or are accessed through cloud computing. Consequently,
companies that operate servers that are used to send commercial electronic messages to non-
Canadians will have an incentive to migrate their activities outside Canada, thereby depriving
Canada of the resulting jobs and economic spin-offs. To counter this incentive, we recommend
that commercial electronic messages to non-Canadians be exempt form CASL, provided that
the messages comply with the anti-spam laws of the destination country. This last proviso will
help ensure that Canada does not become a haven for international spammers.
8. Many companies have obtained consent to send commercial electronic messages as
part of their business activities taking into account their obligations under PIPEDA. Under
CASL, PIPEDA-compliant companies will still need to vet their existing lists and implement new
processes, a potentially expensive undertaking with little practical benefit. Accordingly, we
- 3 -
recommend that PIPEDA consents continue be recognized as implied consents under CASL.
We set out three options for implementing this recommendation.
9. The proposed CRTC regulations state the identification requirements for those who send
commercial electronic messages and those that send requests for consent under CASL. The
regulations call for a variety of contact information to be provided in each such communication,
for example, mail address, telephone number, web address and the like. By so doing, the
regulations in effect force companies to maintain mechanisms and procedures to respond to
recipients through each mode of contact. This will be unnecessarily burdensome on
companies, notably those that wish to only communicate electronically. Accordingly, we
recommend that only one means of contact be required.
10. If the foregoing recommendations are adopted, or if other significant changes are made
to the proposed regulations, there is merit in holding a second consultation before the
regulations are finalized.
Introduction
11. As a starting point, it is worthwhile to recall that the key goals of CASL are to “deter the
most damaging and deceptive forms of spam from occurring in Canada and help drive
spammers out of Canada”6 and to encourage the use of electronic means to carry of
commercial activities.7 These goals are intended to be accomplished without negatively
impacting legitimate businesses that use electronic means to market their products and services
to Canadians.8 Thus the goals of CASL imply trade-offs: discourage spam, discourage
spammers from using Canada for their activities, encourage electronic communications, but do
not negatively impact Canadian businesses.
12. Recognizing the importance of all of these objectives, we are concerned that CASL and
the proposed regulations will impose costs and inefficiencies on Canadians that exceed the
benefits. These costs and inefficiencies are significant. They are not just the substantial
6 See http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00521.html7 See section 3 of CASL.8 For additional information on the history, goals and objectives of CASL, see Government of Canada, Backgrounder,
Questions and Answers, and Online Threats, http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00567.html), Government of Canada Moves to Enhance Safety and Security in the Online Marketplacehttp://www.ic.gc.ca/eic/site/ic1.nsf/eng/05596.html
- 4 -
compliance costs that Canadian businesses must bear. They extend to impeding the use of
electronic means of communicating, putting Canadian businesses at competitive disadvantages
to their foreign competitors, retarding the growth of small and start-up businesses, and
potentially limiting the use by Canadian businesses of modern messaging platforms. In short,
CASL and the proposed regulations fail to properly recognize the trade-offs that the
Government set out for CASL, and thus they take a disproportionate approach to dealing with
the problem of spam.
13. A key source of the problem is the design of CASL. Its approach is to forbid practically
all commercial electronic communications, and then set out certain exemptions to these
strictures in both the law and the regulations. Thus, rather than targeting truly offensive conduct
in the first place, the law and proposed regulations are grounded with the sweeping proposition
that, in effect, nothing is permitted except that which is specifically allowed. This prescriptive
regulatory approach goes far beyond what any other country has implemented to address
spam. CASL’s overreach also raises questions as to whether it could survive a challenge under
the Canadian Charter of Rights and Freedom.
14. It is this design approach that makes the development of proposed regulations all the
more important. CASL contemplates that the regulations can be used to add some flexibility to
the law. The proposed regulations, however, take only very modest steps in this direction.
They offer some clarifications and refinements, but they do not address fundamental issues of
overreach that the regulations should strive to remedy. Moreover, the proposed regulations add
to the difficulty and cost of compliance with CASL.
15. In the following comments, we focus on what we consider to be the most important
areas of concern. We do not intend to address all conceivable modifications that should be
considered. We do however suggest modifications to the proposed regulations that will
recalibrate CASL so that it better meets the objectives set by the Government. With appropriate
regulations, CASL can achieve its goal of deterring the most damaging and deceptive forms of
spam and help drive spammers out of Canada. It can do so without discouraging the use of
electronic means to carry of commercial activities. And, these goals can be accomplished with
much less likelihood of negatively impacting legitimate businesses that use electronic means to
market their products and services to Canadians.
- 5 -
16. We understand that businesses, trade organizations and other commentators intend to
file submissions on the proposed regulations. Many will highlight the ways in which CASL and
the proposed regulations have failed to fully achieve the Government’s goals, and they will to
make recommendations for new or amended regulations. The breadth of the comments
underscores the implications of CASL’s prescriptive approach to regulating spam. It also
highlights the need to use the regulation making power to ensure that CASL better meets the
Government’s objectives.
17. Given that we (and likely other commentators) propose changes that will substantially
widen exempt activity under CASL, to the extent that any of these proposals are accepted, we
recommend that revised regulations be published and that Industry Canada and the CRTC hold
a second round of public consultations. In that way, these important regulations can benefit
from informed comment before they are finalized and implemented.
Start-Up Companies Need Increased Messaging Flexibility
18. Unlike established companies, start-up companies do not have a ready list of electronic
contacts they can approach to market their products and services. Rather, they will develop
emailing lists from a variety of sources and use them to launch their products. For example, a
newly graduated financial advisor may look up the lawyers and doctors in his/her
neighbourhood using a published professional or business directory or other publication such as
a magazine, book, or newspaper and invite them to an educational event. A newly established
orthodontist may send an announcement to dentists in her town, with the electronic addresses
derived from a conference attendance list. A university student wanting to earn some money as
a contract programmer may contact professors and lecturers using their electronic addresses
found in the university catalogue or telephone directory. A new real estate agent in search of
listings may want to contact owners of properties using information recorded in publically
available registries.
19. Although few would find these activities offensive, they will all be potentially problematic
under CASL. Rather than using electronic communications, business start-ups will therefore be
forced to send their messages using the post or other more expensive and less convenient and
efficient mechanisms, or limit the persons to whom they can send messages to the limited
exception that permits use of conspicuously published e-mail addresses. The new start-ups
could also be thwarted from relying on the alternative route of using software that is designed to
assist them in searching for relevant business or other connections because it may well be
- 6 -
problematic to use such software or electronic addresses gathered using such software given
the amendments to PIPEDA included in CASL.
20. Although it is easy to say that the impositions on small businesses are not that
important, most countries, Canada included, actively promote small business formation and
expansion. Policy-makers understand that small business is a vital part of the economy in its
own right and, as well, that all big businesses were small start-ups at one point. As such,
Canada should not want to impede start-up businesses from making effective use of digital
communications to launch and sustain their businesses. This is especially so given that start-
ups in other countries, notably the United States, do not face similar impediments.
21. Turning this recommendation into regulation language is not straight-forward. Rather
than trying to develop a suitable definition of “start-up business”, a step which will be difficult
and controversial, we propose to focus on a different and more measurable factor: namely,
allowing businesses to send a minimum number of commercial electronic messages without
consent. (The messages would still have to comply with the unsubscribe and format
requirements under CASL.) We suggest a monthly limit of 1000 messages with the same or
substantially similar content.9
22. Adopting such an approach should not open the doors to problematic spammers as they
send many more messages than 1000 per month. It is also unlikely to change the approach of
larger Canadian businesses as they will want to design their messaging programs for larger
groups of contacts. But it will allow start-up business, such as the ones noted above, some
flexibility to launch their businesses without bearing the extra costs that arise from full CASL
compliance.
23. Ideally, this “new business exemption” should be implemented under section 6(6) as this
would preserve the format and unsubscribe requirements for the commercial electronic
messages, while allowing an exemption from the consent requirements. Unfortunately, section
6(6)(d), contemplates that a “purpose” for the communication be specified in order to fit under
the exemption language. Yet this is not a purpose-oriented exemption, so fitting into the
exemption will be a challenge. Accordingly, one option is to utilize section 10(9)(d) which
9 A similar approach was adopted by Singapore. The 1000 per month limit is used by Singapore to define commercial
electronic messages sent in “bulk”. Only “bulk” messaging is subject to regulatory supervision. (Singapore also imposes daily and annual limits.) See http://www.spamcontrol.org.sg/
- 7 -
contemplates expansion of the implied consent category. Another option is to utilize the
“circumstances” exemption in section 6(5)(c). Both options are set out below.
Recommendation 1: The regulations should exempt from the consent requirements of the Act up to 1000 messages per month for a sender and its affiliates, where the messages contain the same or substantially similar content, by means of one of the following options:
For the purposes of section 10(9)(d) of the Act, consent is implied for the purposes of section 6 of the Act where the person who sends or causes to be sent the commercial electronic message, together with its affiliates10, send or cause to be sent no more than 1000 messages in any calendar month with the same or substantially similar content.
-- or--
Pursuant to section 6(5)(c) of the Act, section 6 of the Act doesnot apply to a commercial electronic message in the following circumstances: (a) the person who sends or causes to be sent the commercial electronic message, together with its affiliates, send or cause to be sent no more than 1000 messages in any calendarmonth with the same or substantially similar content, and (b) the commercial electronic message complies with section 2(b) of the Act.
Opt-In Messaging Networks Contain Sufficient Protections to Operate Outside CASL
24. Although CASL is supposed to be technologically neutral, applying broadly to all
electronic means of sending electronic messages, the CASL regulatory regime is modelled on
regulating electronic messages that are sent as emails. This focus on emails means that other
forms of electronic messaging, such as those through social networks, do not easily fit within the
CASL framework. As a result, Canadian businesses that wish to exploit new and developing
alternative electronic messaging systems will be impeded by CASL.
25. Consider a business model where a virtual gaming site allows members to offer to buy
and sell virtual objects amongst themselves. Does each member have to obtain consent from
the other members before the messages are sent? Can the social network site request consent
in advance for all such messages among members? Bear in mind that the members only
disclose game-playing aliases and not their real identities. How then can the identification
requirements of CASL be satisfied? How practical is it for each game-player to include an
10 The term “affiliate” will need to be defined. The definition in the Canada Business Corporations Act should be
suitable.
- 8 -
unsubscribe mechanism in every buy-sell offer? If members fail to comply with these
identification or unsubscribe mechanisms, will be social network operator have to enforce these
requirements in order to avoid liability for aiding in a contravention of CASL? Will the operators
of such sites be concerned that they could face accessorial liability for not designing
mechanisms to enable their players to comply with FISA? Will they make necessary changes to
their games or simply exclude Canadians from being able to join their networks?
26. Consider next a business model where a social network operator offers business
coupons to members and encourages the members to pass the coupons on to friends and
social media contacts. As an incentive, the operator grants a modest incentive to the member
for every person that uses such a passed-on coupon. The passing on of the coupon with an
express or implied suggestion as its use may well be the sending of a commercial electronic
message. While some recipients in these models may fit into the personal or family relationship
exemption in CASL, others will not. And how many members are likely to include unsubscribe
mechanisms when sending such messages to their contacts? Although one might be tempted
to say that no-one will pursue the members for such trivial transgressions of CASL, the operator
that knowingly permits such conduct might well worry if it will be at risk of being accused of
aiding, inducing, procuring or causing to be procured the doing of any act contrary to the anti-
spam provisions of CASL.
27. Faced with the risks of offending CASL and the attendant possibilities of very large
administrative monetary penalties or class action lawsuits claiming substantial damages,
Canadian businesses will be wary of developing (or continuing to offer) these innovative
business models or implementing similar models that are legal in other countries such as the
United States. Or if they do wish to develop them, they will feel a strong incentive to develop
and launch them outside of Canada. The logical port of call for any such developers will be the
United States, with its familiarity to Canadians, vast market, openness to innovation, and ample
sources of funding. Canada, which already faces a tough time in fostering innovation inside our
borders, will now be adding one more reason for Canadians to take their digital economy
initiatives south of the border.
28. Each of these social networks operates under rules enforced by contract and by an
administration that monitors and enforces compliance. As such, there is a mechanism to control
unwanted commercial electronic messages. For example, one prominent social network,
LinkedIn, prohibits the following (which are more restrictive than under CASL):
- 9 -
… any unsolicited or unauthorized advertising, promotional materials, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” or any other form of solicitation. This prohibition includes but is not limited to (a) using LinkedIn invitations to send messages to people who don’t know you or who are unlikely to recognize you as a known contact; (b) using LinkedIn to connect to people who don’t know you and then sending unsolicited promotional messages to those direct connections without their permission; and (c) sending messages to distribution lists, newsgroup aliases, or group aliases;
29. Even if the administrator exercises less fulsome control over messages than under
CASL, it should be remembered that members voluntarily accept that lower degree of control
when they opt-in as members. A member who is dissatisfied can always refuse to subscribe, or
resign later. However, such action is not likely to be necessary as most social networks include
mechanisms whereby members can control their inflow of messages through preference and
privacy settings. No social network has achieved the ubiquity of email, and each faces
competition from other social networks. Hence they cannot afford to offend members through
measures that members find offensive. If the time comes that one or more social networks
achieve equivalent ubiquity to email, and the manager fails to control unwanted electronic
commercial messages appropriately, it may be that the social network will need to be treated in
a manner similar to email. But until that time, CASL should not apply to commercial electronic
messages carried over managed social networks that members voluntarily join.
Recommendation 2: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent over a managed messaging network, as follows:
Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message that is sent to a recipient over a messaging network where (a) the messaging network requires that, before a user is permitted to send or receive electronic messages over the messaging network, the user enters into an agreement that establishes rules for messaging activities, (b) users are able to readily report violations of the rules to an enforcement authority, and (c) the enforcement authority regularly undertakes enforcement action against such violations.
30. In the same vein, the regulations under CASL should allow for the operation of rules-
based messaging networks that are designed to allow for electronic communications among a
limited group of users where the recipient defines the allowed senders of electronic messages.
This type of messaging network is less managed than discussed above, but protections against
- 10 -
unwanted commercial electronic messages are very much in place. An example would be the
Blackberry Messenger, or BBM, service. With networks of this sort, control over unwanted
commercial electronic messages is exercised by the design of the network. Only permitted
senders are allowed to communicate with a recipient. In such circumstances, the
communication should not be considered unwanted. And, in any event, the recipient retains the
ability to terminate the sending rights of a sending party should the messaging (or other)
activities of the sending party warrant such action. Thus the user retains the right to perform its
own enforcement activities to address unwanted messaging, whether commercial or otherwise.
Recommendation 3: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent over a messaging network, as follows:
Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message that is sent to a recipient over a messaging network where (a) a commercial electronic message can only be sent from a sender to a recipient if the recipient has given its prior consent to the receipt of messages from that sender, and (b) the messaging network allows the recipient to readily discontinue the receipt of messages from senders that are specified by the recipient.
31. The foregoing recommendation will also exempt from CASL, common short code
(“CSC”) applications such as those administered by the Canadian Wireless
Telecommunications Association (“CWTA”). These applications have become very popular,
and there is no indication that the current rules are leading to an undue volume of unwanted
commercial electronic messages. Moreover, it is difficult to see how such applications will be
able to comply as a practical matter with the formality requirements under CASL, given that
limits on message size (typically no more than 140 characters), thus making the need for an
exemption all the more pressing.
32. It is counter-productive and unnecessary to regulate under CASL a CSC application
such as the one administered by CWTA. This messaging application is used productively by
Canadians and does not lead to undue amounts of unwanted commercial electronic messages.
Applying the full rigour of CASL can only imperil its functionality and utility. If, at some future
time, experience shows that more protection is needed from unwanted commercial electronic
messages over such networks, the regulations can then be changed to bring them under CASL.
33. We note that the draft CRTC regulations purport to make it easier for short messaging to
comply with CASL’s message form requirements by enabling users to provide prescribed
- 11 -
information by using a “link to a web page on the World Wide Web that is clearly and
prominently set out and that can be accessed by a single click or another method of equivalent
efficiency at no cost to the person to whom the message is sent.”11 There is however no
equivalent mechanism in Section 4 of the draft CRTC regulations to enable users of social
networks to use a link to a web page to make the necessary disclosures to obtain consents
under Section 10(1) or 10(3) of CASL. But even assuming there were, how practical is it to
impose these requirements on users of social networks? Even if assuming these messaging
types had sufficient real estate length to include such links (which many may not
accommodate), it is not realistic to impose on users of these social network the requirement to:
disclose all of the substantial information required to obtain consent to send commercial
electronic messages; obtain express consents; have each message link to the detailed
information prescribed by CASL and the regulations; have a physical address, email address, a
website, and a phone number to receive consents and to address requests to unsubscribe; and
to maintain records of consents and unsubscribe requests and to give effect to them.12
34. Further, despite the single-click-to-a-website feature in the draft regulations, a user of a
mobile phone that does not have web browsing capability simply has no means of accessing the
information on that device. A message sender, who is unlikely to know what sort of mobile
device the recipient is using, or whether the recipient’s wireless services plan permits “no-cost”
web access, will thus have to carefully consider if it has complied with the regulations when it
sends its messages to mobile devices. The need for an exemption from CASL’s strictures is
thus apparent.
CASL’s Disincentives to Computer Processing in Canada Should be Eliminated
35. Section 6 of CASL applies to commercial electronic messages that are sent from
computer systems in Canada to recipients outside of Canada. As such CASL imposes the
Canadian standards of disclosure, consent and unsubscribe to non-Canadians. At first blush,
this sounds desirable. Canada should not be a haven for spammers who send their unwelcome
messages outside the country, even if Canadians are protected. But there is a downside to this
approach – one that should be remedied in the regulations.
36. The problem is that such an approach will inevitable discourage the use of Canadian
servers for activities that are perfectly lawful in other countries. A sender of commercial 11 Section 2(2) of the draft CRTC regulations.12 See sections 2 and 4 of the draft CRTC regulations.
- 12 -
electronic messages in the United States will understandably be concerned to comply with US
law when sending messages to recipients in that country. That company will be reluctant,
however, to use Canadian computer systems if doing so means that it must comply with rules
that are more onerous, and thus more expensive to comply with, than under the US law.
37. The problem is particularly troubling where companies rely on cloud computing. Under
cloud computing, a company can use a variety of servers in a variety of locations to perform
computing work, including the sending of messages. The location of the server sending
particular messages may vary, depending on demand and other factors. Under CASL, however,
cloud computing activities that are undertaken in Canada must comply with the CASL
requirements. As a practical matter, companies that operate such cloud computing facilities will
have to wall off the Canadian servers from messaging activities involving other countries.
Companies that use third party cloud computing services will have use contracts to ensure that
their messaging activities to other countries do not emanate from computers in Canada.
38. All of this suggests that companies will prefer to locate their servers outside Canada, or
engage in cloud computing activities where none of the servers are in Canada. As such, those
computer activities, and the jobs and other economic spin-offs that result, will be lost to Canada.
39. Once companies have located their non-Canadian activities outside of Canada, some of
them will likely move their Canadian messaging activities there as well. They will still have to
comply with CASL, but there are likely efficiencies in undertaking their Canadian messaging
activities outside Canada, rather than maintaining a small Canadian-only facility for Canadian
purposes. Again, Canada loses out.
40. A simple fix to this problem is to exempt from section 6 of CASL those messaging
activities to other countries that comply with the anti-spam laws of those countries. In that way,
Canada will protect non-Canadians to the same extent as their local laws do, but not more so.
The location of the server sending the messages, whether in Canada or otherwise, then
becomes immaterial. Rather, the sender must ensure that its messages comply with the laws of
the country where the messages will be received, which presumably the legitimate senders will
want to do in any event.
41. It might be argued that such an exemption will allow Canada to operate as a spam
haven for countries that do not have local spam-reducing laws. However, if local countries do
not consider spam a problem, should Canada stand on guard for them? If there were no
- 13 -
downside, the answer might well be yes. But, as explained above, there is indeed a downside
in terms of reduced attractiveness of Canada as a host for computer systems. On balance, the
proposal we have stated, that is exempting from CASL those commercial electronic messages
sent to non-Canadians that comply with the anti-spam laws of the countries of the recipients,
strikes an appropriate balance between these various factors.
Recommendation 4: The regulations should exempt from section 6 of the Act those commercial electronic messages that are sent to non-Canadian recipients where the message complies with the ant-spam laws of the recipient’s country, as follows:
Pursuant to section 6(5)(c) of the Act, section 6 of the Act does not apply to a commercial electronic message sent to a recipient in a country other than Canada where the message, if it had been sent by a sender in that country, would comply with the laws of that country relating to protection against commercial electronic messages sent in bulk, protection against false or misleading commercial electronic messages, requiring commercial electronic messages to disclose information about their senders or requiring senders of commercial electronic messages to allow recipients to unsubscribe from receiving further such messages.
PIPEDA Consents Should be Respected Under CASL
42. Many companies have previously determined that they had consent to send commercial
electronic messages, either because express consent had been given or because it was a
reasonable expectation of the recipients. Indeed, making such determinations would have been
part of their compliance with PIPEDA.13 These companies now face the need to check that the
names on their list of consenting recipients all either comply with the express consent
requirements of CASL, or fit under one of the few implied consent categories. This can be a
daunting and expensive task, given that these lists were assembled over time and they may be
quite extensive.
43. We question if such effort is necessary. The consent regime established by PIPEDA
has been in place for years, and it is adequate to achieve the Government’s objective of
deterring the most damaging forms of spam. PIPEDA permits organizations to collect and use
personal information “only for purposes that a reasonable person would consider appropriate in
the circumstances”. As well, under Principle 3 of Schedule 1 of PIPEDA, consent must still be
express or implied. Problem spammers will have difficulty meeting either of these PIPEDA
requirements.
13 Personal Information Protection and Electronic Documents Act
- 14 -
44. We acknowledge that using the PIPEDA consent standard could potentially create grey
areas where legitimate businesses might still be able to send some unwanted commercial
electronic messages. We also acknowledge that the concept of implied consent can raise
questions in tough cases. However, it should be remembered that Canadians reached a
consensus that consents based on the CSA Model Code would achieve the desired balance
between protecting privacy and enabling businesses to use personal information for legitimate
purposes including the sending of commercial messages. Moreover, Canadians will still have
the protection of CASL’s unsubscribe capability to block future commercial electronic messages
from unwelcome senders.
45. CASL should build on PIPEDA’s balanced standards, rather than attempt to achieve the
impossible goal of a “100% spam-free Canada”. Canadian businesses have spent millions of
dollars to comply with PIPEDA, and there is much to be said for not requiring businesses to
adhere to two separate consent regimes with overlapping goals. Exempting PIPEDA consents
from the CASL consent requirements can be accomplished by adding a category of implied
consent pursuant to section 10(9)(d) of the regulations.
Recommendation 5: Consent should be implied where a consent under PIPEDA is obtained, as follows:
For the purposes of section 10(9)(d) of the Act, consent is implied where the sender has obtained consent in accordance with requirements of PIPEDA.
46. The approach above is consistent with the inferred consent rule adopted in Australia in
the Spam Act 2003.14 Under the Australian law, consent is implied where consent can
reasonably be inferred from (i) the conduct; and (ii) the business and other relationships, of the
person concerned. If Canada not had over 10 years experience with PIPEDA, we would have
recommended this approach in the first instance. Although, it has drawbacks similar to those
discussed above in connection with using the PIPEDA consent regime, this standard would still
deter the most damaging and deceptive forms of spam and it would therefore achieve a more
balanced approach to regulating spam. Accordingly, in the event that our recommendation 5 is
not accepted, an alternate approach would be to add an exception for inferred consent using the
model developed in Australia.
14 See section 2 of Schedule 2 to the Australian law http://www.comlaw.gov.au/Details/C2011C00080 and the
discussion at http://www.acma.gov.au/WEB/STANDARD/pc=PC_310572
- 15 -
Alternate Recommendation 5: Consent should be implied where a consent can reasonably be inferred from the circumstances as follows:
For the purposes of section 10(9)(d) of the Act, consent is implied where consent can reasonably be inferred from (i) the conduct; and (ii) the business and other relationships, of the person concerned.
47. If neither of the foregoing exemption approaches is acceptable, we recommend a third
option, namely that the new CASL requirements only apply on a going forward basis, and that
previously obtained consents under PIPEDA be grandfathered. Such an approach allows
companies to adjust their consent practices in the future to comply with both CASL and
PIPEDA, while recognizing that there is little public benefit to requiring that companies go
through the expense of vetting lists that have been assembled in the past and which have been
PIPEDA-compliant up to now. In this way, companies will be able to continue to use consent
lists that were properly and lawfully assembled as of the date that CASL comes into force.
Alternate Recommendation 5: Consent should be implied where consent under PIPEDA was previously obtained, as follows:
For the purposes of section 10(9)(d) of the Act, as of the day that section 6 of the Act comes into force, consent is implied where the sender had previously obtained consent in accordance with requirements of PIPEDA, and that consent remained in effect as of that day.
Identification Information in Messages and Consent Requests Should be Streamlined
48. Up to now, we have focussed on additions to the proposed regulations in order to strike
a better balance between costs and benefits of CASL. In the following, we will comment on one
component of the proposed draft regulations, namely the sender identification and contact
requirements for messages and consent requests.15
49. Section 6(2) and 10(1) of CASL contemplate that the regulations will specify information
to be included in messages and consent requests to allow the sender to be identified and (in the
case of 6(2)) to permit the recipient to readily contact the sender. The CRTC’s proposed
regulations do that, but in a manner that is quite extensive. The proposed regulations would
require each commercial electronic message and each request for consent to contain the
15 See sections 2(1)(d) and 4(d) of the CRTC’s draft regulations
- 16 -
following information: the physical and the mailing address, a telephone number, an email
address, a web address and any other electronic address used by the business.
50. We question why so many forms of identification are needed. The objective of
identifying the sender and providing a means of ready contact can be satisfied with simply the
sender’s name and electronic address. Requiring more addresses means that each of these
addressing mechanisms must be prepared to deal with communications from recipients of
commercial electronic messages. Consider the case of a business that has been efficiently
designed for electronic communication with customers, and that prefers not to incur the costs of
telephonic communication. Why should that business be forced to operate in a less efficient
manner? Consider the case of a large business that must list all its electronic addresses (“any
other electronic address”) in every message. Not only will this be very burdensome to
implement, but messages will become unnecessarily long as potentially hundreds of addresses
will be listed. What public policy benefit is secured by imposing these sorts of costs on
businesses? We also question how these requirements will help consumers who may very well
be confused, rather than aided, by all of this information.
51. Accordingly, we recommend that the CRTC’s regulations only mandate the disclosure of
the name and electronic address of the sender (and person on whose behalf it is sent). As the
name information is already required under sections 2(1)(a)-(c) and 4(a)-(c), sections 2(1)(d)
and 4(d) need only stipulate a working electronic address.
Recommendation 6: Section 2(1)(d) and 4(d) should be revised to refer to only a single mandated address, namely a working electronic address, as follows:
(d) an electronic address that can readily be contacted.
To Conclude
52. CASL has the potential to significantly affect how Canadian businesses operate. While
we do not argue with the objectives of CASL, namely to reduce spam and spyware, we maintain
that these objectives can be met with a more balanced approach to costs and benefits than is
apparent from the draft regulations. We have put forward recommendations that attempt to
better strike that balance.
53. All of which is respectfully submitted this 7th day of September 2011.
***End of Document***
