Canada's Electronic Commerce Protection Act

NOTE: This is NOT LEGAL ADVICE – just my own personal interpretation and understanding of the proposed law. Please read this law yourself and also have your counsel review it for your protection. Reposted with permission from EmailKarma.net

Recently the Canadian Government introduced the Electronic Commerce Protection Act [ECPA] (aka Bill C-27), an anti-spam act that covers email communications, unauthorized installed applications and the alteration of data during transmission between senders and recipients. This post deals only with the email portions of the Electronic Commerce Protection Act and does not include information on installed software or data alteration.

What is the Purpose of the ECPA?

The ECPA is a law designed to promote and protect electronic communications while discouraging abuse of these resources that threatens to impair the reliability and efficiency of electronic activities. It also aims to prevent additional costs to businesses and consumers, protect the privacy and security of confidential information, and strengthen the confidence of Canadians in the use of electronic means of communication and commercial activities. This enactment also makes several amendments to related laws: the Competition Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Radio-television and Telecommunications Commission Act and the Telecommunications Act.

What is considered a Commercial Electronic Message under ECPA?

The ECPA defines a commercial electronic message as an electronic message consisting of the content, the hyperlinks and the contact information, where the purpose is to encourage participation in a commercial activity that:

(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

(b) offers to provide a business, investment or gaming opportunity;

(c) advertises or promotes anything referred to in (a) or (b);

(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of (a) to (c), or who intends to do so.

The ECPA also clearly states that an electronic message that contains a request for consent (READ: confirmed opt-in notices) is also considered to be a commercial electronic message. The ECPA also lists several types of excluded communications, such as responses to customer service enquiries and applications; law enforcement; public safety; the protection of Canada; the conduct of international affairs or the defence of Canada; and personal communications.

Who is governed by the ECPA?

After reading through the act, it looks like every corporation registered under a Federal or Provincial licence for the purposes of commercial activity is going to be affected by this law. I also understand this covers non-profits, co-ops, sole proprietors and partnerships.

What are the Requirements for Marketers under the ECPA?

When sending commercial email, you can only send to a recipient who has consented to receiving it (express or implied – definition below), and only when the message complies with the purpose of the ECPA described above.

All messages being sent must:

  • Clearly identify the person who sent the message and the person (if different) on whose behalf it is sent – Add your physical postal address and company name to all emails
  • Provide a method by which the recipient can readily contact the person(s) responsible for sending the message (MUST be active for 60 days after the message was sent) – Enable replies to go to your customer service and stop using No-Reply
  • Provide a working unsubscribe mechanism (more below) that removes an address within 10 days – the faster the better.

An important thing to note is that the ECPA states that an electronic message is considered to have been sent once its transmission has been initiated (by the sender), and that it is irrelevant whether the intended recipient address exists or whether the message reaches its intended destination. This makes bounce management even more important: mailers need to monitor bounces and clean those addresses from their lists.

When you're working with your clients/members/subscribers and asking for their consent, there are several things you should remember and incorporate into the process (I've talked about these types of things before):

(a) Clearly state the purpose(s) for which the consent is being sought

(b) Clearly identify the person(s) seeking consent

(c) Clearly define any other prescribed information about how data is collected and how it is planned to be used.

How are express or implied consent different under the ECPA?

Implied consent is defined as applying when the person(s) responsible for sending the messages has an existing business relationship or an existing non-business relationship (definition below) with the recipient. An “existing business relationship” means a business relationship with the person to whom the message is sent (within the 18-month period preceding the day on which the message was sent) arising from:

(a) the purchase or lease of a product, goods, a service, land or an interest or right in land

(b) the acceptance by the person to whom the message is sent of a business, investment or gaming opportunity

(c) the bartering of anything mentioned in paragraph (a) between the person to whom the message is sent

(d) a written contract entered into between the person to whom the message is sent and any of those other persons in respect of a matter not referred to in any of paragraphs (a) to (c), if the contract is currently in existence or expired within the 18 month period

(e) an inquiry or application, within the six-month period immediately, made by the person to whom the message is sent

A non-business relationship is clarified to include a person who made a donation or a gift to, or performed volunteer work with, a registered charity, a political party or organization, or a person who is a candidate for publicly elected office. This non-business relationship also covers membership in a club, association or voluntary organization. These relationships must have occurred within the 18-month period preceding the day on which the message was sent.

What do I need to know about managing unsubscribes?

The unsubscribe mechanism must specify an electronic address to which the unsubscribe notice may be sent, or provide a hyperlink by means of which the recipient can provide their opt-out notice. Providing both options (an email unsubscribe and a landing page unsubscribe) is highly recommended.

Are there penalties for Violating the ECPA?

Yes, significant monetary penalties have been set out within the act. The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.

Where can I get a copy of Bill C-27?

You can find Bill C-27 here (pdf – I recommend you download the document – right click and save link as)


3 Responses to “Canada's Electronic Commerce Protection Act”

  1. Frank Nasta
    April 30, 2009 at 7:59 am #

    Are you saying that Canada is now an opt-in country, like some are in the EU, except where there is a business relationship, or can Canada still be opt-out? In regards to a business relationship, we will not always have when the relationship started or not based on a date. How strict is this? Please clarify.

  2. Matt
    April 30, 2009 at 9:06 am #

    First off, this is currently a proposed law – working its way through parliament, so it's not yet law at this time.

    However, under the Personal Information Protection and Electronic Documents Act (PIPEDA – [1]) the collection and use of personal information, which includes email, has always been consent based (explicit and implied)[2]. The ECPA is taking additional steps to clearly state this.

    At the same time the ECPA is also making amendments to PIPEDA that prohibit the collection of personal information by means of unauthorized access to computer systems, and the unauthorized compiling of lists of electronic addresses.

    [1] http://www.priv.gc.ca/legislation/02_06_01_01_e.cfm

    [2] http://www.priv.gc.ca/information/pub/ar-vr/pipeda_sa_tool_200807_e.cfm#principle3

    Thanks for your question.
    Matt
    @emailkarma

  3. Elisabeth Hernandez
    September 22, 2009 at 8:17 am #

    This is a great law. I feel if you are sending an email to a particular recipient, no one should have access to read it or do anything with it. This is a conversation between assigned staff, companies, or people to people.
