Questions and Answers

Bill C-28: Canada's Anti-Spam Legislation

  1. What is spam?
  2. What is the intent of the legislation?
  3. Spam is a nuisance, but how is it harmful?
  4. Can you expand on the threats that the bill addresses?
  5. What can individuals and businesses do to protect themselves against spam and related online threats?
  6. How long will it take before Canadians can expect to see a real difference in the amount of spam received?
  7. Will the new legislation eliminate spam in Canada? If not, by how much will it be reduced?
  8. Has anti-spam legislation been effective in other countries?
  9. I am a legitimate business owner who uses bulk email to reach my customers. How will I be affected by these new anti-spam measures?
  10. What about text messages or "cellphone spam"? Is it covered?
  11. What if I buy email lists? How will I be affected by these measures?
  12. Are there exceptions, as with the National Do Not Call List (DNCL), for political parties and charities?
  13. Why is there a transitional or "grandfather" clause for existing business relationships in effect prior to the Act coming into force?
  14. Why is the government not exempting surveys and market research?
  15. What purpose is served by the clause governing product updates?
  16. What impact will this legislation have on self-governing professions?
  17. How does this bill address the collection of personal information by accessing a computer system or by causing a computer system to be accessed without authorization?
  18. What other amendments have been made?

What is spam?

Spam can be defined as any electronic commercial message sent without the express or implied consent of the recipient(s). Spam is also used as the vehicle for the delivery of other online threats such as spyware, phishing and malware.

What is the intent of the legislation?

The intent of the legislation is to deter the most damaging and deceptive forms of spam from occurring in Canada, creating a more secure online environment. It does this by addressing the sending of spam, the undesired installation of spyware and malware on the computers of businesses and individuals, and the alteration of transmission data. The bill also extends the provisions of the Competition Act concerning false and misleading marketing to electronic messages, and restricts the scope of certain exceptions under the Personal Information Protection and Electronic Documents Act.

Spam is a nuisance, but how is it harmful?

Spam includes more than unsolicited commercial messages. It has become the vehicle for a wide range of threats to online commerce affecting individuals, businesses and network providers.

For individuals, spam can lead to the theft of personal data to rob bank and credit card accounts (identity theft); online fraud luring individuals to counterfeit websites (phishing); the collection of personal information through illicit access to computer systems (spyware); and false or misleading representations in the online marketplace.

Businesses are victimized by the counterfeiting of business websites to defraud individuals and businesses (spoofing). Recognizing that spam represents nearly 90 percent of worldwide email traffic, network providers are forced to invest ever-increasing resources to prevent spam from entering their networks. Once established, spam slows networks down, and spam-borne viruses and other malicious software (malware) are used to operate networks of "zombie" computers (botnets) without their owners' knowledge. These network attacks threaten the stability of the Internet and online services as well as the confidence of Canadians to participate in the digital economy by conducting commerce online.

Can you expand on the threats that the bill addresses?

While spam is harmful in itself, it has become the primary vehicle for the delivery of other online threats, such as spyware, malware and phishing. Spyware is software that collects information about a user and/or modifies the operation of a user's computer without the user's knowledge or consent. Malware is a general term for all forms of harmful and malicious content, especially hostile software such as viruses, worms and Trojan horses. Phishing involves impersonating a trusted person or organization in order to steal someone's personal information, generally for the purpose of identity theft.

Collectively, these online threats disrupt online commerce and reduce business and consumer confidence in the online marketplace, congest networks, impose heavy costs on network operators and users, threaten network reliability and security, and undermine personal privacy.

What can individuals and businesses do to protect themselves against spam and related online threats?

Education and awareness are key to ensuring that individuals and businesses are taking the right steps in proactively combating spam. Network security programs, spam filters and anti-virus software are also helpful in this regard.

To serve Canadians, this legislation will provide for a national coordinating body, which will coordinate public education and awareness efforts and lead policy oversight and coordination.

This initiative will also facilitate the establishment of a non-government agency, a spam reporting centre, which will receive reports of spam and related threats, allowing it to collect evidence and gather intelligence to assist the three enforcement agencies (the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner) with investigations. The spam reporting centre will track and analyze statistics and trends in spam and other related online threats.

How long will it take before Canadians can expect to see a real difference in the amount of spam received?

Based on the experience of other countries with similar legislation, noticeable results are expected to occur quickly. The year after Australia passed similar legislation in 2004, it dropped out of the world's top 10 spam originating countries.

Will the new legislation eliminate spam in Canada? If not, by how much will it be reduced?

While it is not expected that the new legislation will eliminate spam altogether, businesses and consumers will see a reduction in the amount of spam received. The intent of the law is to deter the most damaging and deceptive forms of spam from occurring in Canada and help drive spammers out of Canada.

Has anti-spam legislation been effective in other countries?

Several of Canada's global partners, such as Australia, the U.K. and the U.S., have passed strong domestic laws to combat spam and related online threats. After the Australian Spam Act came into effect, the proportion of global spam originating from Australia was greatly reduced. Some major spammers, particularly pornographic spammers, closed their Australian operations altogether.

I am a legitimate business owner who uses bulk email to reach my customers. How will I be affected by these new anti-spam measures?

Legitimate businesses that use email to market their products to Canadians should not be negatively impacted by this legislation. The consent regime is based on existing marketplace best practices and uses a consumer opt-in approach, which stipulates that businesses must get express consent or implied consent prior to sending commercial electronic messages. Apart from express consent, consent to receive commercial messages is implied:

  1. where there is an existing business relationship with a customer or client, or
  2. where the electronic messages are relevant to the recipient's business, role, function or duties, and the electronic address has been conspicuously published or disclosed, without a statement that the person does not wish to receive unsolicited commercial electronic messages.

What about text messages or "cellphone spam"? Is it covered?

Yes. The legislation takes a technology-neutral approach, so that all forms of commercial electronic messages can be treated the same way. That means that unsolicited text messages, or cellphone spam, are addressed.

What if I buy email lists? How will I be affected by these measures?

The Act does not prohibit the legitimate collection and compiling of lists of email addresses, provided the activity follows the rules regarding consent in the legislation and other principles that apply within federal and provincial privacy laws. Federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets out the rules for the collection, use and disclosure of such personal information, and these continue to apply under the new Act. Under PIPEDA, an organization may not collect personal information without the knowledge or consent of an individual unless the information is publicly available (according to regulations). In addition, the organization must state the purpose of the collection of that information.

Are there exceptions, as with the National Do Not Call List (DNCL), for political parties and charities?

The legislation does not apply to non-commercial activity. Political parties and charities that engage Canadians through email are not subject to the legislation if these communications do not involve selling or promoting a product.

There are also further exemptions for situations where such organizations engage in commercial activities with people who have made a donation or gift in the last 24 months, volunteered or performed volunteer work in the last 24 months, or were a member of the organization in the last 24 months. These exceptions apply to registered charities, political parties and candidates in federal, provincial, territorial or municipal elections.

If you are raising funds for charitable or other non-profit purposes, you must ensure that your messages are truthful and accurate in order to avoid potential concerns under the Competition Act.

Why is there a transitional or "grandfather" clause for existing business relationships in effect prior to the Act coming into force?

The government understands that some small businesses and not-for-profit organizations do not have the technological sophistication to automate their email lists, for example. This clause gives these entities a 36-month transition period, so they are not caught off-guard by the legislation.

Why is the government not exempting surveys and market research?

Those doing surveys and market research are not affected by the legislation as long as they are not trying to sell something, because the electronic message is then not considered to be a commercial message. The government is concerned that an explicit exemption for surveys and market research would easily be abused.

What purpose is served by the clause governing product updates?

This clause was included to allow for automatic updates and program upgrades to be installed without requiring the installer of the computer program to seek express consent for each subsequent installation. This would allow for daily or weekly updates to anti-virus, anti-spam and other computer programs as long as they fall within the original express consent that was given when the program was initially purchased or installed.

What impact will this legislation have on self-governing professions?

Self-regulating industries should not be affected by the legislation if they are not trying to sell something, since their electronic messages would not be considered commercial messages. If a self-governing profession wishes to contact its clients or members regarding a commercial matter, it is not unreasonable for it to get express consent from its membership in advance. Once that consent is obtained, it remains valid until it is explicitly withdrawn.

How does this bill address the collection of personal information by accessing a computer system or by causing a computer system to be accessed without authorization?

The bill includes an amendment to PIPEDA that will enhance privacy protections in some circumstances. PIPEDA generally requires knowledge and consent for the collection and use of personal information. PIPEDA includes a list of exemptions from this requirement in certain circumstances, including where the information is publicly available, for journalistic purposes, or the purposes of private investigations. In these circumstances, it is not necessary under PIPEDA to get consent for the collection of personal information, regardless of whether access to the computer system holding that personal information was otherwise legal or illegal.

The legislation includes an amendment that will make these exemptions unavailable when a computer system is accessed in contravention of an Act of Parliament in order to collect personal information. To enforce this protection against collection without consent, the legislation attaches a private right of action to such privacy violations.

In Bill C-27, tabled in the last session of Parliament, this provision applied where access to a computer system was "without authorization". Industry associations raised concerns with the uncertainty of this language, pointing out that, as drafted, persons could post a "Terms of Use" page on a website stating that the collection of information from that site was "unauthorized" under PIPEDA.

To address these concerns, the provision now applies where access to a computer system is "in contravention of an Act of Parliament." This clarifies the intended scope of the provision, addresses the uncertainty that concerned industry associations, and yet elevates privacy protections to levels consistent with the intent and purpose of the legislation.

What other amendments have been made?

A number of technical and coordinating amendments were made to ensure the smooth functioning of the legislation. These amendments will ensure effective coordination with other Acts of Parliament.