Most online marketers doing business in Canada today are already familiar with PIPEDA. But many are not aware that a new law, known in Parliament as Bill C-28 and later renamed Canada's Online Protection Legislation (COPL), was given Royal Assent on December 15, 2010. The law imposes onerous opt-in and other responsibilities on marketers doing business online in Canada. It covers the sending of commercial electronic messages (CEM), a prohibition on installing computer programs without consent, and the sending of messages with false or misleading information in the content or header. Enforcement of the law is expected to commence in September 2011, which should give marketers ample time to comply.
COPL is effectively Canada's first anti-spam law, which removes the distinction of Canada being the only G8 nation without one. The provisions of PIPEDA already covered opt-in; however, enforcement actions were limited. Under the new law, a definitive set of requirements and enforcement actions is laid out, and penalties for violation of the law can be severe. Unlike CAN-SPAM, which covers only e-mail, COPL covers CEM, which is defined as any commercial "message sent by any means of telecommunication, including a text, sound, voice or image message." Effectively, this includes:
There are a number of requirements set forth in the law regarding CEM, most notably:
Exemptions to the opt-in requirement exist under certain circumstances. Consent is deemed if there is an existing business relationship, an existing non-business relationship (such as sending to a family member), conspicuous posting of an electronic address such as on a "Contact Us" page (provided there is no statement near the address indicating that it should not be mailed), or where the recipient has provided the electronic address to the sender. In most cases, this implied consent is valid for two years, after which the sender must gain affirmative consent.
Computer systems located in Canada used to send or access an electronic message fall under the COPL umbrella. This means that any CEM that leaves or enters Canada is subject to the regulation. COPL is primarily enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), and imposes fines of up to $1 million per violation for individuals and $10 million per violation for businesses. There is also a provision for private right of action, allowing individuals and businesses to seek actual and statutory damages.
Enforcement does take into account "honest mistakes," and for that reason, it is important to undertake clearly defined actions to comply with the law. Willful violations are the primary focus of enforcement.
Businesses will need to scrub their lists and remove any covered address for which there is no affirmative opt-in to receive e-mail and other CEM. It is expected that many e-mail lists will be significantly reduced in size as a result. Privacy policies and form collection on websites should be updated to ensure proper consent. In the case of forms, this includes moving from an opt-out (pre-checked) to an opt-in (not pre-checked) methodology.
I recommend that businesses meet with their legal, compliance, and marketing teams to determine the full scope of changes to their business practices in order to comply with the new law, as there are a number of key considerations and requirements not provided in this column which may apply. We also encourage affected parties to read the full text of the law, which can be found here.
(Note that the purpose of this post is to provide general information about Canada's Online Protection Legislation. It does not constitute legal advice. Please consult your legal counsel for full requirements and implementation recommendations.)
Dennis Dayman has more than 17 years of experience combating spam, security issues, and improving e-mail delivery through industry policy, ISP relations, and technical solutions. As Eloqua's chief privacy and security officer, Dayman leverages his experience and industry connections to help Eloqua's customers maximize their delivery rates and compliance. Previously, Dayman worked for StrongMail Systems as director of deliverability, privacy, and standards, served in the Internet Security and Legal compliance division for Verizon Online, as a senior consultant at Mail Abuse Prevention Systems (MAPS), and started his career as director of policy and legal external affairs for Southwestern Bell Global, now AT&T. As a longstanding member of several boards within the messaging industry, including serving on the Board of Directors and the Sender SIG for the Messaging Anti-Abuse Working Group (MAAWG), Secretary/Treasurer for Coalition Against Unsolicited Commercial Email (CAUCE), Certified Information Privacy Professional (CIPP) Advisory Board, Dayman is actively involved in creating current Internet and telephony regulations, privacy policies, and anti-spam legislation laws for state and federal governments.