Legislative let-down? CRTC issues proposed anti-spam regulations
Much-anticipated new anti-spam regulations will provide some clarity for senders of text messages, but may disappoint others, as the regulations leave unanswered many other questions of interpretation and application of the new statute.
The proposed Electronic Commerce Protection Regulations, released for public comment by the CRTC, do provide some further detail to the basic requirements under Canada’s ponderously named new anti-spam legislation, (which for convenience is coming to be known unofficially as Canada’s Anti-Spam Law (CASL)); however, the details are largely what one could infer from the statute.
Information to be included in messages
As we have previously noted, the statute includes a requirement that commercial electronic messages be in a specified form, including the identity and contact information of the sender of a message and the person on whose behalf the message is sent and a clear unsubscribe mechanism. The Regulations amplify somewhat on these basic requirements, requiring that electronic messages set out the following “clearly and prominently”:
- the names of the sender and, if different, the person on whose behalf a message is sent
- if the message is sent on someone’s behalf, a statement indicating which person is sending the message and which person on whose behalf the message is sent
- if these parties carry on business by different names, the name by which those persons carry on business
- the physical and mailing address, a telephone number providing access to an agent or voice mail system, an eMail address and a web address of the person sending the message and, if different, the person on whose behalf the message is sent – and any other electronic address used by those persons
Helpfully, for senders of commercial text messages, tweets and other character-limited communications, the Regulations provide that where it is not practicable to include the foregoing information in the text of the message itself, the message may include a link to a web page that, through a single click (or equivalent), will clearly and prominently set out the required information.
Three clicks and you’re out
The Regulations further provide that the unsubscribe mechanism required by the Act, whereby message recipients may readily unsubscribe from future messages using the same electronic means by which the message was sent, must be able to be performed in no more than two clicks, or “another method of equivalent efficiency.”
Information to be included in a request for consent
The Regulations clarify that consent must be sought separately for each of the sending of a commercial electronic message, the alteration in transit of transmission data in an electronic message and the installation of a computer program on a computer system.
When seeking the consent required to carry out these activities, the Regulations require that the request for consent must include much the same information as that required to be included in a commercial electronic message (set out above), as well as a statement indicating that consent may be withdrawn by contacting the person who sought consent, or the person on whose behalf consent was sought, using the contact details required to be set out in the original request for consent.
Disclosure and consent for spyware-like functions
CASL includes a general requirement for consent in order to install or cause to be installed a computer program on any other person’s computer system, but requires a heightened disclosure requirement when seeking consent where the program in question will perform specified functions that are closely associated with spyware and malware, such as collecting personal information stored on a computer or interfering with the user’s control of the computer.
The Act currently requires that the required disclosures (which must describe the program’s material elements, its functions and the reasonably foreseeable impact of those functions) must be brought to the attention of the person from whom consent is sought separately from the program licence agreement. The proposed Regulations go a step further to require that this information must be brought to the attention of the person from whom consent is sought separately from any other information provided in a request for consent, and that the consent must indicate that the person understands and agrees that the program performs the specified functions.
Get it in writing
Somewhat ironically, given that they focus on electronic communications, the Regulations further require that the consents required under the Act to send a commercial electronic message, to alter the transmission data in an electronic message or to install a computer program on a computer system must be “in writing.”
As we understand it, these provisions were not intended to send users scrambling for quill pens and actual paper documentation; rather, they were intended to require a positive affirmation of consent, other than in oral form, that is captured in a retainable record. The Commission routinely accepts consent in electronic forms for the purposes of its own rules and tariffs that it approves, such as with respect to telemarketing, the confidentiality of customer information or the transfer process for customers switching telephone service providers. That said, the proposed anti-spam Regulations do not make this clear.
We note that s. 41 of the Personal Information Protection and Electronic Documents Act provides that a requirement under a federal law that a document be in writing can be satisfied by an electronic document, but only if the federal law or provision is listed in a schedule to that statute. CASL is not currently listed, nor are we aware of any proposed amending legislation that would accomplish this.
The CRTC is accepting comments on the proposed Regulations from interested parties until 29 August 2011. It is expected that the legislation itself will be proclaimed in force following the finalization of these Regulations, sometime in the fall of 2011.
UPDATE: On 15 August 2011, the CRTC extended the deadline for submission of comments on the Commission's draft Electronic Commerce Protection Regulations (CRTC) to 7 September 2011, to coincide with the deadline for comments respecting the related draft regulations proposed by the Governor in Council