ANTI-SPAM ACT: Penalties are in the millions but even one e-mail has potential to be spam

For the London Free Press – January 21, 2013

Read this on Canoe

Industry Canada recently released its second attempt at regulations under the Anti-spam Act. These regulations are important for the practical application of the act because they help define what is and is not spam.

The regulations are subject to a 30-day commentary period, but because they’re a second draft, significant changes are unlikely.

Though most people will welcome the thought of legislation that reduces spam, the legislation has a dark side.

The act defines spam so broadly that it will affect how businesses and charities operate. Its definition of spam goes far beyond what the average person would consider to be spam. Indeed, one e-mail or text message or Twitter direct message sent from one person to another has the potential to be spam.

The act’s biggest impact may not be on the amount of spam we receive, but rather the compliance headache it will cause to the average business or charity.

Any electronic message with any kind of commercial purpose is caught, subject to a myriad of complex provisions setting out exceptions and consent requirements. And because the onus is on the sender to show compliance with the act, all this will somehow have to be tracked and recorded.

In other words, if an allegation is made that you sent spam, you will have to prove that it was not spam — which could be by showing an exemption under the act, or showing that permission was obtained that follows the requirements of the act.

Certain commercial electronic messages are simply prohibited as spam. Commercial electronic messages that are allowed must contain specified sender information, and an unsubscribe mechanism. That mechanism of course has to be created and tied in to a system that tracks consents and exceptions.

Consents that are in place now and adequate under privacy legislation will not be adequate consent under the act unless the requirements of the act were followed when it was obtained. So we can expect a deluge of e-mails requesting consent to send things that we already thought we had consented to.

Penalties for non-compliance of the act are significant, so ignoring the act is not an option. Remedies include fines of up to $1 million for individuals,

$10 million for others, and private rights of action. Private rights of action allow lawsuits by individuals, including class actions.

Some things are “reviewable conduct,” meaning they’re subject to the investigatory and order-making powers of the privacy or competition commissioners.

Directors and officers can be personally liable if they authorized or acquiesced in the offence. Employers are vicariously liable for actions of employees acting within their authority. It is not certain when the act will come into force — probably no sooner than the second half of the year.

For more detailed information on the act, see a series of articles that I will be posting shortly on my blog at .

Leave a Reply

Your email address will not be published.