more draft regulations to canadian anti-spam legislation published

A while back I had posted an entry on some draft regulations under Canada’s Anti-Spam Legislation which were published by the CRTC for public comment. Those regulations related primarily to consent mechanisms and what information must be provided in e-mails.

Late last week, another round of draft regulations was released, this time by the Governor in Council rather than the CRTC. For what it’s worth, here’s a compressed version of same. I’ve taken the liberty of appending the full wording at the end of the post, which can also be found in the Canada Gazette (with the added bonus of a regulatory impact analysis statement). This summary is a bit wordier as the regulations need a bit of background in order to be properly understood, and are a bit more complicated. Anyway, here it is FWIW:

  1. Section 6(5) of CASL exempts certain types of messages from the requirements to get prior consent and provide certain information before sending e-mails. These include messages to individuals with whom the sender has “personal or family relationships”. The regulations define both of these:
    • a family relationship means:
      • a blood relationship (children, grandchildren, parents, grandparents, brothers, sisters or others of common or “collateral” descent);
      • relationship by marriage or common-law partnership (including in-laws in either case); or
      • adoption (including blood relations of the person doing the adopting).
    • a personal relationship means a relationship with someone who the sender has:
      • met in person at some point in the past;
      • had a two-way communication within the past two years; and
      • the meeting and communication were not related to a “commercial activity”.
  2. Section 10(2) of CASL allows someone (let’s call that someone the “Original Consentee”) to get consent from a person (let’s call them the “Target”) to send or alter messages or install software on behalf of third parties (let’s call those third parties “Additional Consentees”) whose identities are not known. To do so, there are two requirements: First, the Original Consentee must disclose specific information about itself (see my earlier post). Second, the Original Consentee must comply with the regulations. The regulations basically try to ensure there are seamless links between the Original Consentee and Additional Consentees from the Target’s perspective, as follows:
    • Requirements to send messages:
      • any message sent to the Target must identify the Original Consentee; and
      • each Additional Consentee must provide an unsubscribe mechanism that complies with CASL and which also allows the Target to withdraw consent from the Original Consentee and any other Additional Consentee;
    • Requirements related to withdrawal of consent by a Target:
      • the Original Consentee must ensure that any Additional Consentee who receives withdrawal of consent from a Target notifies the Original Consentee of those for whom consent has been withdrawn (i.e. the Original Consentee, the Additional Consentee receiving the notice of withdrawal, and any other Additional Consentees); and
      • the Original Consentee must:
        • give effect to the withdrawal of consent;
        • promptly notify any other Additional Consentees for whom consent has been withdrawn (other than of course the Additional Consentee who received the withdrawal); and
        • ensure that each other Additional Consentee for whom consent has been withdrawn also gives effect to the withdrawal of consent.
  3. Section 6 of the Act provides that consent for messages can be express or implied. However, consent is only implied in certain situations. One of those situations is an existing “non-business relationship”. In turn, there are different categories of “non-business relationship”, one of which is membership in a club, association or voluntary organization within two years immediately before the day the message is sent. The regulations clarify what is meant by membership and what constitutes a club, association or voluntary organization:
    • membership means being accepted as a member; and
    • club, association or voluntary organization basically means a non-profit. To drive home the point, the regulation specifies that it can be operated for any purpose other than profit, and that no proprietor, member or shareholder can personally benefit from any income of the organization, except for organizations promoting amateur athletics in Canada.

The concepts are a bit convoluted, particularly those summarized in paragraph 2 above (which, as an aside, I think leave open some questions of interpretation, which I might address in a later post). Perhaps at a later time I’ll try to come up with an illustrative example of how 2 works (or at least my best guess as to how it’s supposed to work). Also, I believe in my previous post I referred to “e-mail”. Just to be clear, the Act applies not only to e-mail, but to any “commercial electronic messages”, which is fairly broad and could include SMS messages, messages through websites, IM, etc.

As with the last set, open for comments for 60 days following the publication date (July 9, 2011).

Full regulation to save you a click:



1. In these Regulations “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.


2. For the purposes of paragraph 6(5)(a) of the Act

  (a) “family relationship” means the relationship between individuals who are connected by
    (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,
    (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,
    (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and
    (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and
  (b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.


3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

  (a) the person who obtained consent is identified; and
  (b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

  (a) the person who obtained consent;
  (b) the authorized person who sent the commercial electronic message; or
  (c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.


4. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.


5. These Regulations come into force on the day on which they are registered.

new canadian privacy and anti-spam laws – updated again

Update 2: Here is a redline showing the changes from the November, 2009 version of ECPA to the May 25 version of FISA, in Word and PDF. The Word version shows the wording of some existing provisions which FISA is amending. You’ll need to scroll over to the right starting around s. 70 to see them. Not included in the PDF version. Doesn’t look like much has changed. Happy reading.

Update: Links to the bills added. See also comments and observations from Barry Sookman, Michael Geist (one on FISA and the other on SCPIA) and David Canton. Mostly just initial observations, except for Mr. Geist’s post on SCPIA. His nickname for the bill (the “Anti-Privacy Privacy Bill”) should give you an idea of his thoughts on it.

Yesterday the federal government announced the tabling of two new significant pieces of legislation. The first is the Fighting Internet and Wireless Spam Act, which has been acronymed as “FISA”. And no, I don’t know why they dropped the W. Maybe easier to pronounce? As many readers probably know, this is the rechristened Electronic Commerce Protection Act that died last year when Parliament was prorogued. In addition to the catchier name, there were a few substantive tweaks to the law. You can read the rather long-winded press release through the link above. Alternatively, here’s the point form version:

  • fairly strict and comprehensive approach to unsolicited commercial e-mail (i.e. spam), described as “multi-faceted”
  • enables government agencies to share information with international counterparts to pursue foreign violators
  • sizeable fines for violations – up to $1 million for individuals and $10 million for businesses ($15 million in certain cases) for each violation
  • allows businesses and consumers to sue spammers directly, modelled on U.S. laws
  • technology neutral – spam, spim, junk faxes, robocalls – all treated the same

The second piece of legislation consists of amendments to the existing Personal Information Protection and Electronic Documents Act (or PIPEDA). Doesn’t quite roll off the tongue as nicely as FISA. [Update: The amending act is actually nicely entitled the Safeguarding Canadians’ Personal Information Act which is somewhat sexier.] Point form summary:

  • breach notification requirement – must notify privacy commissioner for material breach and individuals if risk of harm
  • enhanced consent requirements to ensure people (particularly minors) clearly understand the consequences of sharing personal information
  • exceptions added to help people (financial abuse, missing persons, identify dead people)
  • exceptions added for business contact information and to manage employees, information produced for work purposes and due diligence in acquisitions and similar corporate transactions
  • exceptions added for private sector investigations and fraud prevention
  • prohibitions on notifying individuals in connection with disclosure of personal information to law enforcement agencies

More to come in due course.