U.S. businesses operating in Canada might assume that Canadian anti-spam legislation would resemble the U.S. CAN-SPAM Act of 2003, and that they comply with Canadian law if they have procedures in place that comply with American law.

But they would be wrong.

As it turns out, Canada is currently the only G-8 country and one of only four members of the Organisation for Economic Co-operation and Development without anti-spam legislation. It's not that spam isn't a problem in the country: Cisco's 2008 Annual Security Report estimated that 4.7 percent of the world's spam originated from Canada. That puts Canada near the top globally, not far behind the U.S., Turkey, Russia and China.

But change is in the air. In April, the federal government introduced Bill C-27, the Electronic Commerce Protection Act (ECPA), which aims to regulate spam, phishing, counterfeit Web sites and spyware.

“There are very significant differences between the ECPA as currently drafted and the U.S. legislation,” says Charles Morgan, a partner with McCarthy Tetrault. “The ECPA is far more comprehensive.”

Unlike any other countries' anti-spam legislation, the relevant provisions of the ECPA, which encompasses any telecommunication including text, sound, voice or image, are not limited to messages that may be harmful in the sense that they contain some element of fraud or deceit. Rather, the ECPA prohibits the sending of any “commercial electronic message” that aims to encourage participation in a commercial activity to an electronic address without the recipient's prior consent.

“The bill assumes that all electronic communications are unwanted spam and prohibits all commercial electronic messages, except in limited circumstances,” Morgan says. “It thus imposes significant restrictions on commercial speech that could violate the freedom of speech guarantees under the Canadian Charter of Rights and Freedoms.”

Consensual Text

All of this is not to say the U.S. law would be completely at odds with the one proposed in Canada.

“There are important similarities between the Canadian draft bill and CAN-SPAM in the sense that the laws' purposes are the same,” says Tricia Kuhl of Blake, Cassels & Graydon. “Both seek to prevent consumers from being misled, both give consumers the right to decline receipt of unwanted e-mails, and both seek to reduce the costs for businesses that have to manage an influx of spam.”

But the fact remains that CAN-SPAM is opt-out legislation whereas Canada's bill is premised on an opt-in principle. And the ECPA applies not only to business-to-consumer messages, but also business-to-business messages. It also covers all forms of electronic messaging including voicemail, SMS, instant messaging and chat.

The core difficulty for businesses involved in electronic marketing, however, is that the recipient consent provisions are quite rigid.

“The ECPA is very clear that consent is required before a commercial electronic message can be sent, which means that you can't even send an e-mail asking for consent. CAN-SPAM allows an initial mailing, as long as it contains the required information and has a simple unsubscribe function,” says Barbara Johnston, a partner at Stikeman Elliott.

Consent under the ECPA is implied when the sender and the recipient have in the past 18 months had an existing business or nonbusiness relationship, both of which the statute defines. Where no such relationship exists, the sender must obtain the express consent of the recipient by setting out the purpose for which consent is sought, identifying the person seeking consent and disclosing other information that may be required by regulation.

“Unlike Canada, the U.S. doesn't have private sector privacy rules, so the requirement for consent before you send even one e-mail may be a bit shocking to the U.S. business community,” says Stephen Burns, a Bennett Jones partner.

Morgan believes the ECPA's consent provisions are far too limiting, noting that the bill would ban many reasonable business communications, even if a recipient has published his or her e-mail address.

Eric Smith of Fraser Milner Casgrain is of similar mind.

“The consent requirements will have a huge impact on how legitimate companies conduct their electronic messaging marketing,” he says.

Paying Up

Putting aside EPCA's practicality or efficacy, what's clear is that the legislation has teeth.

Offenders would be liable for administrative monetary penalties of up to $1 million for individuals and up to
$10 million for corporations. Officers, directors and agents would be liable if they directed, authorized or participated in the violation. A due diligence defense is available.

The Canadian Radio-Television Telecommunications Commission (CRTC) will determine whether a violation has occurred and, if so, the amount of the penalty. The legislation provides for appeals to the Federal Court of Appeal.

In addition, the ECPA provides for a private right of action for affected individuals. Individuals may apply for a compensation order for actual loss, as well as a maximum of $200 daily for each contravention of the breached provisions, with a limit of $1 million for each day on which a contravention occurred. Officers, directors and agents of a corporation are subject to the private right of action if they directed, authorized or participated in the contravention.

Cross-border Cahoots

As for prohibited activities that originate outside Canada, the ECPA gives Canada's privacy commissioner the power to disclose and share information with foreign states. There is a similar provision in the U.S. SAFE WEB Act, aimed at fighting spam-based and other types of cross-border fraud.

“Although Canadian regulators can't enforce the ECPA extraterritorially, the international cooperation provisions that exist means they'll be able to put some pressure on regulators in the U.S.,” Kuhl says.

At press time, Bill C-27 had been given second reading in Parliament and referred to the Standing Committee on Industry, Science and Technology. While quick passage was originally predicted by many observers, concerns that business interests have raised about the legislation's impact on legitimate business have made it likely that the committee's review will continue into the fall.

“The legislation will certainly benefit from commentary and input,” Burns says. “But regardless of the revisions that emerge, it comes down to the fact that Canada will now have a legislative regime that tries to control how electronic devices and communications are used for commercial purposes–and U.S. concerns operating here need to understand it.”