McCarthy Tétrault Webinar: Bill C-27, the Electronic Commerce Protection Act
Charles S. Morgan, Lorne P. Salzman, Barry B. Sookman
May 25, 2009
Introduction
Bill C-27 Highlights and Introduction
Bill C-27 is intended to:
• Deter unsolicited commercial electronic mail by prohibiting the sending of commercial electronic messages without consent (Spam).
• Protect the integrity of transmission data and prohibit unwanted installation of computer programs (Spyware).
• Prohibit false and misleading commercial representations online.
• Prohibit the collection of personal information through access to computer systems without consent.
• Provide for a private right of action for breaches.
• Allow the imposition of administrative monetary penalties on violators.
• Amends: Telecommunications Act, Competition Act, PIPEDA.
• The Bill provides for regulations that could modify the impacts of the ECPA. The regulations will probably be ready in September.
• Bill C-27 will have significant and serious consequences.
Background: Special Task Force on Spam
• On May 11, 2004, the Minister of Industry established the Special Task Force on Spam to oversee an action plan to reduce the volume of unsolicited commercial e-mail.
• In its 2005 Report, the Task Force recommended “new legislation as required to fill any gaps identified in existing laws”. See http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html
• This Bill addresses the legislative recommendations of the Task Force on Spam. See Backgrounder, Government of Canada Introduces the Electronic Commerce Protection Act, http://www.ic.gc.ca/eic/site/ic1.nsf/eng/04595.html
• View the ECPA online at: http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3832885&file=4
Status of Bill C-27, the Electronic Commerce Protection Act:
• 1st Reading: April 24, 2009
• Debates: May 7-8, 2009
• 2nd Reading: May 7, 2009
• Next steps: Committee: Industry, Science and Technology
Anti-Spam Provisions
Anti-Spam Provisions – Key Sections
The main anti-spam provision in Bill C-27 is found in s.6:
6. (1) No person shall send an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it; and
(b) the message complies with subsection (2).
(2) The message must
(a) set out prescribed information that identifies the person who sent the message;
(b) set out information enabling the person to whom the message is sent to readily contact the sender; and
(c) set out an unsubscribe mechanism.
Anti-Spam Provisions
The sweep of the anti-spam prohibition is very wide.
“Electronic address” includes electronic messages sent by e-mail, instant messaging, mobile phones (SMS), social networks, chat groups, Internet forums, business networks, Twitter, RSS feeds, and possibly web sites where users have an account.
“Commercial electronic message” is an electronic message … “it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity…”.
Examples are offers to purchase, sell, or lease a product, good, a service, or land; offers to provide a business or investment opportunity; or a message that advertises or promotes the foregoing.
Anti-Spam Provisions – Consent
The consent requirements are stringent:
10. (1) A person who seeks express consent must set out clearly and simply the following information:
(a) the purpose or purposes for which the consent is being sought;
(b) prescribed information that identifies the person seeking consent.
(3) Consent is implied only where the person who sends the message has an existing narrowly defined business or non-business relationship with the person to whom it is sent.
“Existing business relationships” are limited to (i) business transactions completed within the last 18 months, (ii) contracts concerning some other subject matter in existence or which have expired within 18 months, or (iii) an inquiry or application within the last 6 months.
“Existing non-business relationships” are limited to (i) persons who have made donations or gifts to a registered charity, political party, or candidate for Federal or Provincial office within the last 18 months, (ii) volunteers to the above organizations within the last 18 months, and (iii) membership in an organization that is listed in regulations within the last 18 months.
Problems with the Anti-Spam Provisions – Too Broad and Encompassing
• The Bill assumes that all electronic communications are unwanted spam and prohibits all commercial electronic messages, except in limited circumstances.
• It departs from other international anti-spam legislation as it is not limited to messages that are somehow harmful, such as messages:
  • that contain some element of fraud or misleading information;
  • that are sent in violation of an individual’s opt-out request;
  • that are sent with an “intent to deceive or mislead”;
  • that are sent to addresses that were gathered using “automated means”; or
  • that are sent in bulk.
• It thus imposes significant restrictions on commercial speech. These could violate the right to freedom of speech under the Canadian Charter of Rights and Freedoms.
Problems with the Anti-Spam – The Consent Provisions are Far Too Limiting
• The ECPA would prohibit sending electronic messages without either express or implied consent from the intended recipient.
• The ECPA does not permit consent for a solicitation to be inferred from publication of an e-mail address if it would be reasonable to assume the message would be of interest to the individual or their organization, or more generally from the conduct of the individual or organizations concerned.
• It also prohibits seeking consent electronically and treats even a request as a prohibited electronic message.
Problems with the Anti-Spam – The Formalities for Messages are Too Onerous
• The formalities apply to each means of communication and treat them as if they were the same.
• However, the technologies related to electronic communications that exist today or which may be created in the future may be vastly different; e.g., e-mail, IM, SMS messages, voice mail, Twitter, blogs, RSS feeds, social networks, future communication means, etc. are not the same.
• Some electronic technologies may not be able to (a) set out prescribed information that identifies the person who sent the message; (b) set out information enabling the recipient to readily contact the message sender; or (c) set out an unsubscribe mechanism in accordance with subsection 11(1).
Examples of “spam”
The following would be considered “spam” under the ECPA, unless the sender has obtained the prior express consent from the recipient:
• A business sending an e-mail to a new potential supplier or customer proposing a possible business arrangement after reviewing its website, even if e-mail contact information is displayed on its website.
• A business sending a person an e-mail with a link to the business’s web site, if the website describes the goods or services of the business, outside of the narrowly defined situations described above.
• The amendments would significantly advantage established businesses at the expense of newer businesses or businesses seeking to expand into new markets. Established companies could continue to make use of existing contacts for the period permitted by the ECPA. New businesses would be unable to use the Internet to establish new business relationships.
• A customer or client who hasn't purchased goods or services from a business for 18 months, or who has never bought goods or services, could not send an e-mail asking to buy products or obtain services, see a catalogue or ask for a price list, quotation or estimate.
• A law firm or other professional firm sending out e-alerts and electronic newsletters to clients they have not provided services for in the last 18 months that contain a link to the firm’s website or promote any of the firm’s professionals, services or expertise.
• E-mailing an existing customer or supplier with whom the sender has a long-term contract entered into more than 18 months before the communication with a proposal to do more business under the contract, or that includes an updated price list or catalogue of products or services, or to suggest a meeting.
• Sending e-newsletters that have advertisements to persons that have been receiving them without objection for years, unless the sender has done business with the receiver in the last 18 months.
Examples of “spam”
More examples:
• Headhunting using e-mail; applying for a job by sending a resume to the head of HR of an organization, even if in response to a published advertisement.
• Soliciting freelance or consulting services to prospective clients in your field, no matter how targeted your e-mails are.
• Proposing cross-industry partnerships or initiatives with others in your field if you've never had contact with them.
• Sending newsletters, business publications, or company information to anyone who has made an inquiry about a company’s products or services more than 6 months before.
• Asking for donations or volunteers by any organization that is not a registered charity, political party or federal or provincial candidate.
• Sending University alumni e-newsletters with advertisements or asking for support.
• Sending e-mails to former members of clubs after 18 months.
• Adding a business or professional acquaintance to your Facebook/LinkedIn account if you haven't been in contact with the person in the last 18 months.
• Sending any messages using SMS (or like means of communication) that cannot comply with the message formalities, e.g., does not contain a means to send unsubscribe requests.
• Any commercial e-mail that does not contain a footer enabling the recipient to unsubscribe from further e-mails.
Anti-Spam Provisions – International Comparisons

Country: Canada (Bill C-27, the Electronic Commerce Protection Act)
Applies To: “any electronic message that, having regard to the content of the message, … it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity”
Notes: Consent to receive the message can only be implied where there is an existing relationship (within the last 18 months)

Country: U.S. (CAN-SPAM Act of 2003)
Applies To: “any electronic message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”
Notes: Prohibitions on unsolicited messages are limited to messages that are fraudulent or misleading (s.4), those that do not contain prescribed information (s.5) or those sent in violation of an opt out request.

Country: Australia (Spam Act 2003)
Applies To: “a commercial electronic message is an electronic message, where … it would be concluded that the purpose, or one of the purposes, of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Consent can be implied where the electronic address has been published and the message is relevant to the individual.

Country: New Zealand (Unsolicited Electronic Messages Act 2007)
Applies To: “commercial electronic message means an electronic message that markets or promotes [goods or services], or assists or enables a person to obtain dishonestly a financial advantage or gain from another person…”
Notes: Consent can be implied from the conduct, business and relationships of the persons concerned.

Country: Singapore (Spam Control Act 2007)
Applies To: “a commercial electronic message is an electronic message, where … it would be concluded that the primary purpose of the message is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Prohibitions on unsolicited messages are limited to messages that are “sent in bulk” (s.6 & 11)

Country: Hong Kong (Unsolicited Commercial Messages Ordinance)
Applies To: “commercial electronic message means an electronic message the purpose, or one of the purposes, of which is [among an exclusive list of purposes related to advertising and offering goods and services]”
Notes: Prohibitions on unsolicited messages are limited to those that are sent using “automated means” (s.18 & 19) or “with the intent to deceive or mislead” (s.20)
Anti-Spyware Provisions
The main anti-spyware provision is found in s.8(1) of the Bill:
8(1): No person shall, in the course of a commercial activity, install a computer program or cause an electronic message to be sent from a computer system, unless the person has obtained the express consent of the owner or an authorized user of that computer system.
Anti-Spyware Provisions – Consent
The provisions contain stringent disclosure and consent requirements:
10. (1) A person who seeks express consent for the doing of an act described in any of sections 6 to 8 must set out clearly and simply:
(a) the purpose or purposes for which the consent is being sought; and
(b) information that identifies the person seeking consent;
(2) A person who seeks express consent for the doing of any act described in section 8 must also describe clearly and simply the function, purpose and impact of every computer program that is to be installed.
Anti-Spyware Provisions – Definitions
“computer system” means a device that
(a) contains computer programs or other data, and
(b) pursuant to computer programs,
(i) performs logic and control, and
(ii) may perform any other function.
“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.
Anti-Spyware Provisions – Implications
Prohibition on any program, patch, upgrade or add-on installed without express consent.
• How practical is consent for automatic updates given the need for prior disclosure of “function, purpose and impact” of “every” program to be installed?
• This provision could make it illegal to use applications written in popular computer languages like Java, without such disclosure and consent.
• Developers of anti-virus and anti-spyware software would have to obtain consent from users to include each latest virus and spyware definition in the programs and disclose to users the effects of these updates.
• This disclosure could help the creators of viruses and spyware to circumvent the protection programs.
• The provisions in the ECPA would apply not only to personal computers but to a whole host of devices from iPhones and Blackberries to mainframe computers.
• Many of these devices do not have the capability of displaying consent forms and relaying consent.
Examples of “spyware”
The following would be considered “spyware” under the ECPA, without obtaining consent from the recipient:
• Embedded browser-based applets (Flash, JavaScript), including routine functions like a re-direct
• Anti-virus and anti-spyware updates and latest virus/spyware definitions
• Hardware driver updates
• Other routine software patches (operating system security patches, bug fixes, etc.)
More examples:
• DRM/TPM technologies
• Software code embedded in media files
• Software updates to wireless devices
• (Possibly) HTML code
Anti-Spyware Provisions – International Comparison
• The ECPA goes much further than any trading partner in its prohibitions against installing software.
• Some U.S. states have passed laws prohibiting spyware, but the laws only apply to programs that perform a limited set of functions, such as:
  • Modifying settings of other programs (like default browser settings),
  • Collecting personal or financial information of the computer’s owner,
  • Activating keystroke logging software to collect personal information,
  • Attempting to block or uninstall existing anti-spyware and anti-virus programs,
  • Collecting browser history and bookmark lists, or
  • Preventing the user from removing the spyware program.
Message Tampering
Bill C-27 also prohibits altering e-mails:
7. (1) No person shall alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender.
(2) Subsection (1) does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.
Deceptive Marketing Provisions
False and Misleading Messages
• Bill C-27 amends the Competition Act to criminalize false or misleading representations in electronic messages.
• The Competition Bureau will have the power to investigate and take action against the use of false headers, false locator information, or the presence of false or misleading content in electronic messages.
• Two options for proceeding:
  • prosecution under new s. 52.01 and related provisions
  • reviewable practice under new s. 74.011
False/Misleading Messages Criminal Offence
The Competition Act is amended by adding the following section:
s.52.01 No person shall knowingly or recklessly:
(1) send or cause to be sent a false or misleading representation in the sender information or subject matter information of an electronic message
(2) send or cause to be sent in an electronic message a representation that is false or misleading in a material respect
(3) make or cause to be made a false or misleading representation in a locator
Key Definitions
• “locator” means a name or information used to identify a source of data on a computer system, and includes a URL;
• “sender information” means the part of an electronic message — including the data relating to source, routing, addressing or signalling — that identifies or purports to identify the sender or the origin of the message;
• “subject matter information” means the part of an electronic message that purports to summarize the contents of the message or to give an indication of them.
Prosecution Issues
• It is not necessary to prove that any person was actually deceived or misled.
• The general impression conveyed by a representation as well as its literal meaning are to be taken into account.
• Any person who contravenes this provision is guilty of an offence and liable:
  • If on indictment, to a fine in the discretion of the court or to imprisonment up to 14 years, or to both, or
  • If on summary conviction, to a fine of up to $200,000 and imprisonment up to 1 year, or to both
• Contravention can also trigger civil liability for damages (s. 36)
New Reviewable Deceptive Marketing Practices
• 74.011 A person engages in reviewable conduct who:
(1) sends or causes to be sent a false or misleading representation in the sender information or subject matter information of an electronic message.
(2) sends or causes to be sent in an electronic message a representation that is false or misleading in a material respect.
(3) makes or causes to be made a false or misleading representation in a locator.
• Contravention results in administrative monetary penalty of up to:
  • individual - $750,000 1st offence, $1 million 2nd +
  • corporation - $10 million 1st offence, $15 million 2nd +
• Sender information, subject matter or locator could be found false or misleading notwithstanding other content in an electronic message.
• Consider teaser subject lines:
  • An important message from ABC
  • Our best sale of the year
  • The best vacation ever
Enforcement Mechanisms
ECPA Civil Liabilities and Offences – Summary

Civil Liability: s.20: Contravention of spam and spyware provisions of ECPA
Enforced by: CRTC
Penalty: Maximum of $1,000,000 for individuals and $10,000,000 for others

Civil Liability: s.47(1): Private right of action for people who allege they are affected by:
• a contravention of the spam and spyware provisions of the Bill,
• certain contraventions of s.5 of PIPEDA or
• conduct reviewable under s.74.011 of the Competition Act
Enforced by: Courts
Penalty: Actual damages, plus up to $200 for each contravention, not to exceed $1,000,000 per day

Offence: s.42: non-compliance with preservation demand or notice to produce; s.43: Providing false or misleading information to person performing ECPA duties
Enforced by: Prosecution
Penalty: Up to $25,000 for individuals and $250,000 for others
New Civil Liabilities – Administrative Monetary Penalties
• Violation of the spam or spyware provisions leads to “administrative monetary penalties” (s. 20)
  • individuals – up to $1 million
  • others – up to $10 million
• Factors for determining the fine include (s. 20(3)):
  • the purpose of promoting compliance, not punishment
  • the scope of the contravention
  • the person’s history with respect to prior spam/spyware violations
  • financial benefit received
  • the person’s ability to pay
  • any other relevant factor
24. (1) A person who is served with a notice of violation shall pay the penalty or make representations with respect to the acts or omissions that constitute the alleged violation.
(2) A person is deemed to have committed the violation if they either pay the penalty or do not pay the penalty, or do not make representations, in accordance with the notice of violation.
25. (1) If a person makes representations in accordance with the notice, the CRTC shall decide, on a balance of probabilities, whether the person committed the violation.
• Liability under ECPA extends to
  • officers, directors or agents of a company, if they authorized, participated, etc. in the violation (s.31)
  • employer where violation by an employee (s.32)
• Due diligence defence (s. 33)
  • importance of compliance training
• No proceeding against an offender that enters into a (confession-infused) undertaking (s. 21)
  • may specify conditions and payments – presumably negotiated with CRTC
• Uncertain limitation period
  • 3 years after becoming known to CRTC
New Civil Liabilities – Private Right of Action
• s.47(1) of the ECPA creates a private right of action for people who allege they are affected by:
  • a contravention of ECPA spam and spyware provisions
  • a contravention of s.5 of PIPEDA that relates to new s. 7.1(2) or (3), or
  • conduct reviewable under s.74.011 of the Competition Act.
• Officers, directors, agents, employers liability for ECPA violations (s.52, 53)
• Due diligence defence is available (s.54)
PIPEDA
• s.5(3): An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
• s.7.1(2): collecting electronic addresses by computer program without consent, or using same
• s.7.1(3): collecting personal information by accessing a computer system without consent
Private Right of Action – Recovery (s. 51)
Proving contravention results in recovery of:
• s.51(1)(a) actual damages, plus
• s.51(1)(b) additional amount
  • up to $200 per contravention
  • maximum of $1 million per contravention day
Factors for the court to determine any additional amount under s.51(1)(b):
• Same as in s. 20(3) violation re AMP liability
No s.51(1)(b) ECPA recovery where s.20 AMPS action or s.21 undertaking with CRTC
• This exemption not applicable to
  • PIPEDA claim or
  • Competition Act s. 74.011 claim,
  • but award deducted from AMP fine
Class action implications
Repeal of the Do-Not-Call List
• Bill C-27 contains (confusing) provisions to abolish the CRTC’s recently established National Do-Not-Call List (DNCL) and replace it by the ECPA, which will be expanded so spam provisions (s.6) apply to voice calls.
• This would change from the DNCL’s current “opt-out” approach to the ECPA’s “opt-in” approach.
• Compliance with electronic message requirements in s.6(2), including “set out unsubscribe mechanism”
• The DNCL exemption for business-to-business calling will, in effect, be repealed and replaced by ECPA’s implied consent provisions.
• Thus cold calling, or contacting business relationships that have been “inactive” for greater than 18 months, will be restricted.
• DNCL-to-ECPA trigger not specified: Gov’t decides
• No guarantee of public consultation
Summary of Concerns
• The ECPA is very complex and goes far beyond what is seen in other jurisdictions.
• It has the potential to deter legitimate forms of commercial speech.
• Given the Government’s accelerated timeframe, the opportunity to voice concerns over this Bill is now.
• The House of Commons committee on Industry, Science and Technology will be deliberating the ECPA very soon.
• These slides and the accompanying video will be made available in French and English at http://www.mccarthy.ca
• (French version of presentation available at http://www.mccarthy.ca)
• Questions?