From Canadian legal firm Borden Ladner Gervais LLP: Expected to come into place this fall, Canada’s new Anti-Spam and Online Fraud Act (Bill C-28) is one of the most rigid in the world, and will have serious implications for any business that sends commercial electronic messages, including e-mails, texts, instant messages, or social media messages, to customers or suppliers in Canada.
Also affected are businesses that route data through Canadian servers, whether or not that information is intended for Canadian consumers. The new act, which is designed to prohibit unsolicited and misleading electronic communication and online fraud, outlines a number of new offences, enforcement mechanisms, and severe penalties of up to $1 million for individuals and $10 million for organizations. Businesses must move swiftly to ensure compliance and reduce risk.
“This new legislation will impact any American business that communicates with Canadian customers or transmits data through Canadian servers. For most organizations, the key part of the act is the new rules of consent around almost every commercial e-mail, text or social media message a business sends,” said Barbara McIsaac, counsel in BLG’s Ottawa office who specializes in privacy and access to information law. “Unless the recipient has given consent – or opted-in – to receive the communication, and the message complies with very specific formalities, businesses are going to find it much more difficult to send electronic messages with commercial content. Businesses, including directors and officers, are facing much greater risk.”
In many countries, including the U.S., recipients are offered the option to “opt-out” once an e-mail message is received. When e-mailing Canadian customers, businesses will be required to obtain recipient consent prior to sending the message. What may prove challenging for many businesses is the need to obtain consent without the ability to send a message requesting consent.
To reduce risk once the act comes into place, BLG recommends that businesses begin preparations now, and offers the following tips:
1. Conduct an internal audit to account for all external-facing electronic communications distributed by the organization. Consider relevant third parties such as distributors or marketing agencies, and the location of any external servers.
2. Establish procedures to ensure that all customer or supplier-facing messages are accurate and comply with new requirements, including information disclosure language and an unsubscribe mechanism that is promptly implemented.
3. Obtain and maintain an accurate and current list of recipients’ consent to receive messages. Instances of express and implied consent should be handled separately to ensure clarity and compliance.
4. Revise contracts with any relevant third parties that distribute electronic messages on behalf of the organization to require compliance with the act.
5. Clearly communicate and educate relevant employees on policies that need to be implemented as a result of the act. Consider holding staff training programs to ensure everyone is clear on both the guidelines and the risks.
6. Put into place a gatekeeping process to ensure that established procedures for monitoring compliance are being followed.
7. Obtain insurance to protect the business, corporate directors and officers from liability.