BACKGROUND

In 2010, Parliament enacted An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio‑television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (the Act).

More commonly known as Canada’s Anti-Spam Legislation or CASL, the Act prohibits commercial conduct that would, notably, impair the reliability and optimal use of electronic means of carrying out commercial activities. The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada (OPC) share the duty of enforcing the Act.

Most components of the Act came into force by order of council PC 2013-1323 in July 2014. The sections that have yet to come into force – sections 47 to 51 and 55 – pertain to the private right of action (PRA). The PRA provisions were scheduled to come into force on 1 July 2017, but the Governor in Council ordered the suspension of their commencement under the recommendation of the Minister of Innovation, Science and Economic Development.

On 14 June 2017, the House of Commons referred the Standing Committee on Industry, Science and Technology (the Committee) to review the provisions and operation of the Act in accordance with section 65 of the Act. This review consisted of thirteen meetings that took place between September 26 and November 9, 2017, and included 63 oral and written submissions.

COMPLIANCE AND APPLICATION

A. Cost and effectiveness

Witnesses disagree on how the Act impacted electronic communications. Spam continues to be a key vector for the dissemination of malware and so far accounts for more than 50% of all email communications in 2017.[1] Nevertheless, since the Act came into force in 2014, Innovation, Science and Economic Development Canada (ISED) observes that the amount of spam originating from Canada has decreased by more than a third. Moreover, while Canada figured among the top five spam-producing countries before the Act came into force, it now no longer appears among the top 10 or even top 20.[2]

Whether the Act effectively reduced spam originating from Canada is difficult to ascertain.[3] Some witnesses take it as evidence of the Act’s effectiveness.[4] Others attribute most, if not all, the decrease to the increasing performance of anti-spam technologies,[5] while others still attribute it to a combination of  technology and regulatory measures.[6] Although debatable, witnesses questioned the degree to which the Act affected malware, phishing and other cyber-threats, which they consider just as prevalent today as they were before the legislation came into force.[7]

The Committee observes that the legislation has given Canadian enforcement agencies the authority and means to collaborate with their international counterparts in order to tackle spam abroad, [8] addressing at least some concerns about the challenge of regulating activities occurring outside the jurisdiction of Canada. CRTC staff indicated that although the Act allows them to share information and coordinate enforcement with the Competition Bureau, the OPC and international partners, it does not allow them to do the same with domestic law enforcement and cybersecurity partners.[9]

The Executive Director and General Counsel of the Public Interest Advocacy Centre, John Lawford, advised amending the Act in order to require enforcement agencies to collect and publish data on spam. Such requirements would help inform policymakers on the effectiveness of the legislation:

If one thing has not been done right since CASL was introduced, it has been information gathering. Since CASL does not require spam volume to be reported by [Internet service providers], although they may report it to the CRTC, Competition Bureau, or Privacy Commissioner, nor by the spam reporting centre, and CASL does not require that any of this information be made public or provided to Parliament directly, we are today largely in the dark regarding evidence of the effect of CASL on spam and other electronic messaging. … a more robust and public spam reporting mechanism … would allow all parties and academic researchers to evaluate the effect of CASL upon objective evidence.[10]

According to some witnesses, the Act had a chilling effect on electronic messaging. Indeed, it was stated that – because of the cost of complying to such a prescriptive and, in many cases, unclear legislation – businesses and non-profit organizations would increasingly refrain from using this channel of communications to reach current and new customers and donors, and to communicate between themselves by fear of infringing the legislation or to avoid compliance costs.[11]

In contrast, others argued that the Act had a positive impact on electronic communications by reducing spam and encouraging effective marketing practices.[12] Between 2014 and 2017, the proportion of commercial electronic messages (CEMs) reaching their designated recipient went from 79% to 90% in Canada, compared to 80% worldwide. The proportion of commercial emails opened and read also increased from 26% to 32%, compared to 21% in the United States.[13]

Witnesses expressed concern over the cost of complying with the Act. Many among them illustrated this point with its record-keeping requirements. Not only must senders of CEMs document consents and un-subscriptions, they must also keep track of the durations of different instances of implied consent, which can be either six months or two years. While some witnesses pointed to technological solutions that can reduce those costs,[14] Kim Arsenault, Senior Director at Inbox Marketing, argued for removing durations for implied consent:

[The] regulators should remove the confusion and requirement around six-months versus two-year implied consent. They should clearly define what express versus implied is and remove the time frame of six months and two years. It’s a big challenge for many companies, both small and large, to properly maintain this level of detail that can be constantly changing and updating. Not all technology solutions out there are equipped to properly document this.[15]

Few witnesses could provide a precise assessment of the costs of complying with the Act.[16] Evidently, compliance costs vary depending on the size of an organization and the extent of its electronic communications.[17] The Committee nonetheless heard figures amounting to $700 for individuals, and ranging between $1,300 and $25,000 for small and medium-sized businesses, $25,000 and $100,000 for large businesses, and reaching millions of dollars for the largest organizations.[18] One witness noted that some marketing companies offer inexpensive electronic communication services designed to be compliant with the Act.[19]

B. Understanding of the Act and its requirements

The evidence provided to the Committee reveals that many Canadians engaging in commercial electronic messaging are not aware of the Act, let alone understand how to comply with its requirements. Businesses often fail to realise that the Act applies to them because their personnel do not think of their communications as “spam.”[20] By underlining spam rather than electronic commerce and communications, the name under which the Act is commonly known exacerbates this problem. Philip Palmer suggested restoring the Act’s short title – the “Electronic Commerce Protection Act” – to reflect the broader aim of the legislation.[21]

Most witnesses argued that key provisions of the Act lack clarity.[22] The definition of “commercial electronic message,” for example, leaves many puzzled:[23] does it extend to messages that, while they do not encourage the recipient to transact with the sender per se, do include the logo of an organization that engages in commercial activities? Does it extend to a newsletter? Or to an email offering monetary incentives to attract participants to a study? How does the definition of CEM apply to the diverse activities of charities or non-profit organizations? More generally, what sort of content would support the conclusion that a message has as its purpose, or one of its purposes, to encourage participation in a commercial activity?

Witnesses admitted having difficulty understanding many other aspects of the Act, including its consent provisions, record-keeping requirements, the definitions of “electronic address” and “computer program,” and the determination of administrative monetary penalties (AMP), along with the application of the Act to the issues of fundraising, social media, the Internet of things, and loyalty programs.[24] The fact that so many witnesses requested to add provisions the legislation already includes is evidence enough of a lack of awareness of both the principle and specifics of the Act.

Aspects of the organization and promotion of the Act increase the difficulty of understanding it. The Act led to the enactment of not one, but two Electronic Commerce Protection Regulations (one from the Governor in Council and another from the CRTC).[25] Its main promotion tool – fightspam.gc.ca – does not provide guidance pertaining to the interpretation of the legislation, but instead redirects visitors towards different enforcement and administrative agencies with their own sets of guidance materials.[26] Scott Smith, Director of the Canadian Chamber of Commerce, explains how the dispersion of information about the Act makes it more onerous for Canadians to understand its requirements and maintain compliance:

[You] have multiple layers of text that you need to be able to follow .The act is very prescriptive, so you need to follow it very closely. Then you need to follow the regulations that came through [ISED]. You need to pay attention to the CRTC regulations, to what the Competition Bureau has put out in guidance. You need to read the regulatory impact statement to get some understanding or context of why the law is there in the first place. Then you need to read the guidance from the CRTC, which in many cases hasn’t been that helpful, because it doesn’t give you a lot of guidance.[27]

As Steve Harroun, CRTC’s Chief Compliance and Enforcement Officer, noted, it is critical “that businesses are aware of the rules … and understand what’s necessary with respect to following the rules.”[28] The CRTC has indeed published guidance documents on many elements on which witnesses expressed uncertainty.[29] The Commission also leads outreach activities to educate stakeholders on the content of the Act.[30]

However, the evidence submitted to the Committee suggests that there is much to improve, as illustrated by the testimony of Barry Sookman, partner at McCarthy Tétrault LLP and advisor to Lighten CASL Inc.:

I’ve been in rooms where businesses have tried to figure it all out … You have 25 people in a room, including five lawyers, going through every kind of email that’s sent and trying to figure out if it’s a CEM, trying to figure out how you get consent, and trying to figure out if you have the right to unsubscribe. It takes that many people to try to figure it out, and you still can’t get it right. To impose that on a small business, where it’s not understandable … it’s so complex that the average small business cannot figure out what they need to do.[31]

Proponents and opponents of the Act agree that the CRTC must review the sufficiency and effectiveness of their guidance materials and activities.[32] Suzanne Morin, Chair of the Privacy and Access Law Section of the Canadian Bar Association, spoke of available guidance in the following terms:

The limited guidance currently available to address the confusion and uncertainty in CASL increases the possibility … of inadvertent non-compliance. The guidance that does exist is incomplete, out of date, inconsistent, and overly simplistic even at times. For example the guidelines on the interpretation of electronic commerce protection regulations read obligations into CASL that are not supported by the legislation itself. The guidelines state that consent must be sought separately from general terms of use or sale, but CASL speaks only to keeping … consents separate. That’s an additional obligation not found in the act.[33]

Access to guidance materials is also an area of concern. Philippe Le Roux, Executive Officer at Certimail, illustrated difficulties Canadians face in obtaining even existing guidance on key provisions of the Act:

In May 2014, the CRTC published a newsletter that outlined specific requirements that had to be met in order to be able to use the due diligence defence, as set out in subsection 33(1) of the [Act]. That provision stipulates that any business that establishes that they did what was necessary to comply with the legislation is safe from penalties in case of violation. In that newsletter, the CRTC specifies that, by “necessary measures,” it means a compliance program with eight requirement categories. The problem is that the newsletter was buried deep within the CRTC's website. It took most lawyers who specialize in the area two years to discover it. Fightspam.ca, the website that explains the legislation, makes no mention of that newsletter, and neither do the CRTC's public communications.[34]

Uncertainty makes it difficult to assess what is permissible under the legislation. Most witnesses agree that the lack of proper understanding of the Act raises compliance costs by increasing the risk of violation in some cases and prompting an overcautious approach in others.[35] Without denying the fact that every Canadian has a responsibility to know the law, the Act cannot realise its purpose without effective guidance from enforcement agencies.

C. Enforcement by the Canadian Radio-television and Telecommunications Commission

Most of the CRTC’s investigations are triggered by a complaint filed to the “spam reporting centre” (SRC), a centralized website. The SRC receives a weekly amount of approximately 4,000 complaints, and has collected more than a million complaints since 2014.[36] CRTC’s intelligence analysts examine the information submitted through the SRC and, when possible, identify trends and relationships between complaints to identify which ones belong to the same sending campaigns. Enforcement officers review the analyses to identify viable cases and target potential violators. [37]

The Committee heard much testimony on how the CRTC selects cases it investigates and how it enforces the Act. Members of the CRTC enforcement staff testified that they select cases on the basis of the probability of establishing a violation to the Act and the potential to promote compliance.[38] The Act provides the CRTC with a broad suite of compliance and enforcement instruments, including warning letters, undertakings and AMPs. In a given case, the CRTC staff select enforcement instruments on the basis of the ones most likely to ensure compliance.[39]

In contrast, a number of witnesses claimed that the CRTC only targets legitimate businesses attempting to reach customers and prospects in good faith, as opposed to “real” spammers, and imposes disproportionally high AMPs on small enterprises for unintentional violations.

The CRTC conducted over 30 investigations under the Act since it came into force.[40] These investigations led to the delivery of 22 warning letters, the conclusion of five undertakings resulting in the payment of penalties amounting to $468,000, and the issuance of three notices of violation. These three notices of violation led to as many decisions from the Commission. In two of these decisions, the CRTC reduced the AMP originally imposed from $640,000 to $50,000 and from $1.1 million to $200,000, while the third AMP stood at $15,000. Canadians can consult the Commission’s website to get information on the circumstances of each case and the violations involved.[41]

Some witnesses proposed to limit the discretion the CRTC enjoys over the selection of enforcement actions against offenders by adopting a mandatory scale. Such a scale would require the Commission to only issue a warning letter to first-time offenders, and progressively increase the severity of further measures for additional violations, including amounts of AMPs, in proportion with their gravity.[42] CRTC representatives replied that such a scale would reduce their capacity to adjust enforcement actions on a case-by-case basis, notably in order to promote compliance and discourage recidivism.[43]

The Committee takes note of testimony highlighting that the fact that the Commission has discretionary power does not prevent its staff from exercising it with transparency.[44] One witness suggested indeed that CRTC officers be required to provide reasons for the amount of any penalty imposed.[45]

The Committee further notes that, on two of three occasions, the CRTC significantly reduced the amount of AMPs recommended by its enforcement staff. The Committee also notes that these recommended amounts were still very far from the maximal sanctions available in these particular cases.

The Spamhaus Project’s Register of Known Spam Operations (ROKSO) currently identifies over seventy of the world’s largest spamming operations. When the Act came into force in 2014, Canada was home to seven of these operations.[46] The ROKSO list now shows that only two of them remain in our country.[47] Representatives of the CRTC’s enforcement staff testified being aware of these two operations and “looking at how we can tackle those malicious actors.”[48] The Committee looks forward to seeing progress on this front.

D. Private right of action

Should the Act’s PRA come into force, any person “affected by an act or omission that constitutes a contravention of any of sections 6 to 9 of this Act,”[49] along with specific sections of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act, will be able to apply to a court of law and seek statutory and compensatory damages from the perpetrator.

Numerous witnesses expressed concerns over the PRA. According to Charles Taillefer, Director of the Privacy and Data Protection Policy Directorate, ISED, of particular concern is the fact that a demonstration of harm is not required and that “statutory damages could be awarded simply from having received a commercial electronic message that [a person] didn’t consent to.”[50] Other witnesses argued that the PRA is too onerous and ambiguous, fearing that businesses could be drawn into frivolous and class-action lawsuits even if they largely comply with the Act, for example if they experience information system errors.[51] According to the Canadian Bankers Association, fear of class-action lawsuits could potentially discourage some businesses from operating in Canada.[52]

Another concern raised by some witnesses pertains to the fact that charities and not-for-profit organizations might be targeted by the PRA. Because managers and directors could be held personally responsible if their organizations fail to have sufficient assets to pay for damages ordered under the PRA, these organizations might face difficulty in recruiting and keeping individuals willing to expose themselves to that level of liability.[53] The fact that the Act’s due diligence defence appears not to appease these concerns reveals yet another area where the legislation requires clarification.[54]

A few witnesses commented that the application of the PRA under false or misleading representation falls under the provisions of the Competition Act and noted, more specifically, that certain subsections of its section 74.011 contain no materiality thresholds, which could potentially lead to legal action over a trivial misrepresentation or inaccuracy found in CEMs.[55]

Conversely, several witnesses defended the PRA, advocating for its coming into force. Alysia Lau, External Counsel for the Public Interest Advocacy Centre, commented that suspending the PRA deprives consumers of an instrument to use against aggressive spammers. As a result, spammers “face little prospect of any significant AMPs or other sanctions.”[56] Some witnesses shared the view that fighting spammers requires tough anti-spam legislation that includes a PRA to supplement the efforts of enforcement agencies in protecting citizens against illegal practices. The PRA would also allow individuals who have been personally impacted by spam to obtain financial compensation.[57]

MapleGrow Capital Inc. representatives advocated for the inclusion of the PRA provision in anti-spam legislation because it “moves the majority of the cost, decision and risk of enforcement off the regulators and onto the free market.”[58] They added that in order to avoid being the target of class action litigation, companies will be motivated into compliance.[59] MapleGrow Capital representatives concluded that omitting the PRA from the legislation would render the latter “hollow and unfair” and “would only punish those companies that in good faith incurred the costs of compliance while allowing scofflaws to continue with their breaches.”[60]

Several witnesses proposed instead to modify the Act’s PRA before its coming into force. For example, the Committee heard that suing under the disposition should be restricted to organizations directly impacted by spam, spyware and other online threats and suffer from damages to their networks, such as Internet services providers, similar to American legislation.[61]

Michael Fekete, partner at Osler, Hoskin & Harcourt LLP, suggested that “rather than having standing to sue left with anyone who receives a message that doesn't comply, [the legislation] should provide the companies that are in a position to go after the bad actors the opportunity to supplement the efforts of the CRTC and place standing to sue in their hands.”[62]

Other witnesses held the view that the PRA should only apply against “bad actors” – those who disseminate malware and false advertising, and harvest email addresses[63] – and cases of violations of the Act where proof of harm can be clearly demonstrated.[64] In the same line, some witnesses suggested eliminating statutory damages from the PRA.[65]

The Canadian Bankers Association encouraged the government to amend the relevant provisions to ensure that it is not used to penalize legitimate businesses who would have violated the Act unintentionally.[66] In order to avoid subjecting charities and not-for-profit organizations to high financial penalties, a few witnesses suggested that these organizations should not be liable to private seizure or personal liability, and that they should be exempted from the PRA.[67]

For other witnesses, maintaining the PRA would require even more extensive amendments. For example, Barry Sookman told the Committee that recalibrating the Act to only target cyber-threats would reduce concerns around the PRA.[68]

A number of witnesses suggested that the PRA be entirely eliminated from the legislation, noting that the PRA seemed superfluous considering three enforcement agencies already enforce the Act.[69] The Canadian Bar Association supported the suspension of the PRA until a thorough analysis of its appropriateness in the context of the Act as a whole.[70] The chief scientist of Spamhaus Technology Ltd., Chris Lewis, suggested rolling out the provision in stages.

Finally, numerous witnesses were of the opinion that the Act should be clarified or amended before enforcing the PRA. Mark Schaan, Director General, Marketplace Framework Policy Branch, ISED, explained that concerns over the PRA provisions are primarily related to the possibility of class action suits and legal liability that may arise from compliance. He added that the notion of consent would require clarification before they come into force.[71] A few witnesses agreed that, because of the complexity of the Act, the PRA could lead to heavy costs on businesses that unintentionally breach its requirements.[72]

DEFINITIONS AND EXCEPTIONS

A. Consent

The provisions of the Act regarding consent constituted an important matter of debate before the Committee. A number of witnesses suggested that an “opt-in” approach to the regulation of commercial electronic communications was too strict, and advocated in favour of reforming the Act under an “opt-out” approach supplemented by strict un-subscription requirements. Under such a model, senders would be free to send unsolicited CEMs until their recipient unsubscribes. According to these witnesses, businesses would have an interest in limiting the number of messages they send in order to better serve current and prospective customers. An opt-out approach would also reduce compliance costs associated with managing express and implied consents, facilitate entry to the market for new businesses, and thus increase competition.[73]

Without urging for a redraft of the Act on the basis of an opt-out model, some witnesses asked for the simplification and easing of its consent provisions. They complained indeed that the consent provisions of the legislation are too strict.[74] Michael Fekete spoke to this point in the following terms:

The law tells you how you must request express consent.

…

You have to say this is my business name, and this is my mailing address and either my email address, my web address, or my telephone number. And it must say that you have the right to withdraw consent, or you can withhold your consent, or pull it back later.

If I don’t ask it in that specific way, with that information, the consent is not valid …

Another example is on implied consent. … we need a strong consent regime, but there has to be a willingness to look at the circumstances and ask whether it makes sense for this small business to send a message to a customer based a prior relationship.

…

If I’ve made a purchase within the last two years, you can send me a message, but if I’ve subscribed for a free service – I didn’t buy anything – maybe you can’t send me a message. I say “maybe” because we’re left scrambling to interpret the law. It’s too prescriptive to make sense to business, let alone to the legal community who have to interpret it.[75]

The Information Technology Association of Canada recommended to replace the notion of “implied consent” by the more flexible notion of “inferred consent,” as established under the Australian anti-spam legislation.[76]

Witnesses also cited PIPEDA as a source of inspiration to reform the consent provisions of the Act into a set of principles rather than prescriptive and technical requirements.[77] Wally Hill, Vice-President of the Canadian Marketing Association, argued: “CASL should have used the PIPEDA approach to consent, with express consent required in relation to sensitive matters of communication and backed up, forcefully, with the unsubscribe offer on every message.”[78]

Michael Geist, Professor at the Faculty of Law of the University of Ottawa as well a member of the Task Force on Spam that championed the adoption of the Act back in 2005, urged against redrafting the legislation on the basis of PIPEDA. Doing so, he argued, would not only prove ineffective, but would also contradict the very principle of the Act. Indeed, the provisions on implied consent would have been purposefully drafted in order to limit unsolicited CEMs and encourage senders to favour securing express consent over relying on implied consent:

I don’t doubt for a moment that Rogers, my carrier, is not a bad actor, but I will say that if you are sending me messages when you have not obtained my consent that is a bad act. I think we have to recognize that there are lots of legitimate businesses that may even still want to comply but that are, I would argue, misusing our personal information without obtaining appropriate consent. That’s a bad act, and that’s what the law’s designed to target. If we contemplate moving back to implied consent, then we’re right back to where we started from. The task force looked at whether or not PIPEDA was effective in dealing with spam, and the conclusion was that it was not. … implied consent just doesn’t work in this context.[79]

Daniel Therrien, Privacy Commissioner of Canada, provided the following on the same matter:

PIPEDA allows for implicit consent and requires explicit consent based on criteria that generally makes sense. Does it work? It all depends on whether meaningful consent is obtained, and people do come to us frequently to say, “Maybe the law allows for implicit consent, but I never understood that I was giving implicit consent for this or that conduct by the organization.” …It’s a very open question, and I think many improvements would be required.

If I understand the question posed to me in terms of comparing CASL consent with PIPEDA consent, I concede that CASL consent is more onerous for organizations. Therefore, the PIPEDA consent regime could work if proper information was given to consumers, but in addition to that, I would suggest that you need to ask yourself, among other things, what expectation of consumers is in terms of receiving unsolicited communications from organizations? That's the first question.[80]

To the Commissioner’s last point, a number of witnesses have pleaded that the Act meets consumers’ expectations by granting them control over their electronic addresses and communications. Such control would not be achieved without a strong requirement of prior consent that can generate confidence among consumers that third parties will use their information appropriately and as agreed upon.[81]

B. Commercial electronic message and other components

A number of witnesses proposed to reduce the scope of the Act by narrowing the definition of “CEM.” According to these witnesses, the current definition would cause the Act to cover messages that have even a modicum of commercial content. The definition would therefore hinder the transmission of messages that could benefit their recipient, impose unsubscribe requirements that can prematurely terminate communications between parties, and divert enforcement resources away from harmful cyber-threats.[82]

Witnesses put forward a few ways to narrow the definition of CEM and other core components of the Act. These propositions include tailoring the definition to ensure the legislation only targets bulk message operations (and not one-time and two‑way communications), automated messages constituting harassment and, especially, harmful spam and malware.[83] In the words of David Messer, Vice-President of Information Technology Association of Canada:

[The] justification for CASL has been articulated as targeting damaging and deceptive spam, spyware, malicious code, and other threats. Amending CASL so that it targets only these harmful activities would go a long way to addressing CASL’s unintended consequences. This can be accomplished by narrowing the definitions of three terms: computer program, commercial electronic message, and electronic address.[84]

In response, Michael Geist remained suspicious of claims that the definitions of the Act cause it to overstretch its scope. He suggested instead that this impression results from an overly restrictive interpretation of exceptions to the requirements of the Act.[85] He added that open-ended definitions are essential to maintain technological neutrality and ensure the Act applies to future developments.[86] Instead of major revisions, the optimal scope of the Act might depend more on providing better education on its provisions and on the sensible allocation of enforcement resources.[87]

If there is one area of near-consensus among witnesses, it is that purely administrative and transactional electronic messages should not fall under the definition of a CEM. Adam Kardash, Advertising Bureau of Canada, provided the following:

[Consider] that CASL doesn’t just regulate marketing and promotional messages. Rather, the statute … applies even to certain administrative or transactional messages that provide solely factual information about an account, a product recall, or even safety. Stunningly, CASL requires that such messages contain an unsubscribe or opt-out mechanism. This is totally confusing for consumers and businesses. Nobody would ever consider these messages to be spam, yet companies that don’t offer an unsubscribe option for these types of administrative messages would be technically violating the statute.

CASL definitely needs to be amended to expressly exclude these and other wholly legitimate types of electronic messages from the CASL regulatory regime.[88]

Several witnesses have therefore proposed amending the Act in order to exclude from the definition of CEM the electronic messages listed in its subsection 6(6), along with of similar regulatory provisions.[89] Kelly-Anne Smith, Senior Legal Counsel, CRTC, highlighted that subsection 6(6) illustrates areas of overlap between provisions of the Act and its regulations:

In the [Governor in Council] regulations, there’s the exemption where, if you’re a business and you have a relationship, you can send to another business. But then there’s the existing business relationship exemption. If you’re a business, you already likely fall under the existing business relationship exemption, so there’s an overlap there. …

I think there is likely an opportunity to clarify with respect to subsection 6(6).

Section 6(6) is a little bit of an oxymoron in that it says that these commercial electronic messages are exempt for consent purposes, but if you look at what those provisions are, a lot of them are not really commercial electronic messages by their very nature. We've heard a lot of confusion from people with respect to section 6(6) and we've tried to give them comfort, but we can't change the way the legislation is worded.[90]

Limiting the definition of CEMs to communications clearly or primarily intended to engage their recipient in a new commercial activity, as some witnesses suggested,[91] would also remove administrative and transactional messages from the scope of the Act.

The legislation provides numerous exceptions to its general requirements. The Act does not apply, for example, to electronic communications between people who share a familial or personal relationship. Neither do its requirements apply to a CEM sent to a person engaged in a commercial activity and consisting “solely of an inquiry or application related to that activity.”[92] Sections 3 and 4 of the Governor in Council’s Electronic Commerce Protection Regulations provide no less than fifteen additional exceptions.[93] These exceptions potentially apply to CEMs sent between the members of the same organization; from one business to another; to raise funds for a registered charity; to solicit a contribution to a political party, organization or candidate; or to follow up on a referral.

Despite current exceptions, a few witnesses argued that more communications should be excluded from the application of the Act, including general commercial communications,[94] all business-to-business communications,[95] and communications from politicians of all levels of government.[96]

Several witnesses also suggested exempting additional CEMs from the Act’s consent requirements. For example, Scott Smith argued that businesses should be given the opportunity to send potential customers an initial, unsolicited message, as long as they provide an option to unsubscribe or opt-out from further communications.[97] Representatives from the Canadian Federation of Independent Business argued that businesses that only send a few emails per year or month should be similarly exempted.[98]

Numerous witnesses advocated for charities and non-for-profit organizations to be exempted from complying with any of the electronic messaging provisions of the Act.[99] More specifically, Universities Canada suggested that certain electronic communications by educational institutions be exempted from the consent requirement as long as the recipient meet certain criteria (e.g. being a student or a prospective student).[100] The Community Sector Council Newfoundland and Labrador also asked that no charity or non-profit organization should have to pay AMPs for violating the Act.[101] Other witnesses also suggested exempting legitimate research endeavours from consent requirements.[102]

Some witnesses criticized the existing exceptions under the Act. Stephanie Provato, associate at Buchli Goldstein LLP and advisor to Lighten CASL Inc.,[103] observed that the definitions of what constitutes family and personal relationships are too prescriptive. Barry Sookman requested that the same exceptions be broadened.[104] Scott Smith also indicated that most exceptions to the requirements of the Act are too vague.[105]

Michael Geist observed that the focus of many other witnesses on exceptions, as opposed to the principle of the Act, is misplaced:

Businesses rely on exceptions where they don't want to comply with the foundational obligation that is in the law: consent. The law is clear: if you get informed consent, there is no need to go searching for an exception to apply to your activities. When you hear complaints about narrow exceptions or calls for more, that complaint is fundamentally about the ability to use that personal information without informed consent by leveraging an exception. … [T]hat's bad policy and bad for privacy.[106]

Regarding the creation of further exceptions, Steve Harroun warned that creating exceptions “for every situation, even when well-intentioned, would only make the legislation more difficult for businesses to understand, and for the CRTC and [its] partners to enforce.”[107]

CONCLUSION

The Committee acknowledges the importance of the Act, its aim and the principles that support it. All consumers, businesses and other organizations benefit from a decrease in many forms of unsolicited commercial electronic communications. Public trust towards these means of communications and those who use personal information for commercial ends is essential to the prosperity of the Canadian economy.

The Act under review is no ordinary legislation. It makes extensive changes to the conduct of electronic commerce in Canada by requiring that individuals and organizations alter longstanding practices. While not knowing the law does not, and will never, excuse its violation, the Act cannot reach its goal without providing further guidance about its substance and its application.

The evidence presented during this statutory review reveals wide differences of opinion on the Act should be interpreted. As a result, the Committee joins its voice to that of witnesses demanding clear, effective, accessible and regularly updated guidance materials from enforcement agencies. Such materials should be designed with their end users in mind and supported by their feedback.

While improving guidance and education should be a priority moving forward, it can only achieve so much. The Act and its regulations require clarifications to reduce the cost of compliance and better focus enforcement. Provisions defining CEM, consent, and “business-to-business” messages, among others, warrant the attention of the Government of Canada. The Government will be in a better position to assess the impact of the coming into force of the private right of action once these clarifications are implemented.