In the December 2009 issue of the Miller Thomson Charities newsletter, we reported about Bill C-27 which had been introduced by Parliament to address the issue of spam proliferation and the use of malware. That bill was re-introduced by Parliament after the last election as Bill C-28, also known as the “Fighting Internet and Wireless Spam Act” (FISA), and received Royal Assent at the end of last year. Although the appearance of yet another election has delayed FISA from coming into force, Canada now has a framework for regulating spam and malware. Below are some of the issues that will affect charities and not-for-profit organizations, and some recommendations on how you can prepare your organization for FISA.
FISA regulates a broad range of activities, including altering the transmission of data, use of spyware, and the sending of commercial electronic messages. The focus of this article is on the latter.
“Commercial Electronic Message”
The anti-spam portion of FISA prohibits a sender from transmitting a commercial electronic message to an electronic address, unless the receiver of the message consents to receiving it, and the message is sent in accordance with a prescribed form. The anti-spam provisions affect a wide variety of “electronic messages”, including a message sent by email, text, instant messenger, telephone or any other similar means of telecommunication.
In addition, what constitutes a “commercial” message is broad. The term “commercial” refers to anything that “encourages participation in commercial activity”, including an offer to purchase goods or services, to provide a business, investment or gaming opportunity, and the advertising or promotion of these activities or a person who does any of these activities. Thus, an email containing a request for donations or promotion of a fundraising activity may be considered a “commercial electronic message”.
Commercial electronic messages can be sent if the sender has the recipient’s express or implied consent to receiving such messages. Express consent is evidenced by the receipt of a response to a sender’s request for consent, which sets out what the recipient has consented to.
Implied consent is based on the relationship between the sender and recipient. For instance, consent will be implied where there is an “existing non-business relationship” between the recipient and a sender that is a registered charity, club, association, voluntary organization, political party or political candidate. An existing non-business relationship would exist if, in the last two years prior to the sending of the commercial electronic message, the recipient had made a donation or gift to the sender, had worked as its volunteer, was its member, or had attended one of its meetings. FISA contains a transitional provision where implied consent is presumed until the sender is otherwise notified, or until three years after FISA has come into force.
If there is consent, a commercial electronic message can be sent if it is in a “prescribed form”. The government has not yet set out the full list of requirements for the prescribed form, but FISA indicates that the message must at least make available the sender’s identity or identity of the person on whose behalf the message is sent, and the contact information of the sender must remain valid for at least sixty days from the date the message was sent. The message must also give the recipient a method to opt out or unsubscribe from receiving messages.
The means to unsubscribe must be effective for sixty days, and each opt-out request must be put into effect by the sender within ten business days after the request was submitted. In addition, the unsubscribe mechanism must be free to the recipient.
There are a number of exceptions that would not be prohibited by FISA as spam, such as messages sent by individuals to a recipient with whom he or she has a personal or family relationship, and interactive two-way voice communications between individuals.
FISA sets out some significant penalties. Individuals may be fined up to $1 million and corporations may be fined up to $10 million for a breach of the anti-spam provisions. FISA also allows for a right of action by individuals who receive commercial electronic messages from a sender who did not have the appropriate consents to seek statutory damages to a maximum of $1,000,000, or $200 for each electronic message sent per day in contravention of the anti-spam provisions.
Many organizations have already developed consent mechanisms for their electronic communications. However, before FISA comes into force, we recommend that you and your organization review your policies and procedures for electronic communications, and ensure that you have a mechanism in place for recipients to opt-out of receiving electronic communications from you, and that this unsubscribe mechanism can be effected within ten days of the request. For example, an unsubscribe mechanism can be an electronic address or hyperlink by which the recipient’s opt-out request can be submitted. In addition, we recommend that organizations update their email or communications lists on a regular basis, to ensure that those who have submitted an opt-out request, and those whose two-year period of implied consent have expired, are removed from the lists.