ecpa webinar slides

Upload: barry-sookman

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 ECPA Webinar Slides

    1/44

    McCarthy Tétrault Webinar:

    Bill C-27, the Electronic Commerce Protection Act

    Charles S. Morgan

    Lorne P. Salzman

    Barry B. Sookman

    May 25, 2009

    3718132


    Introduction


    Bill C-27 Highlights and Introduction

    Bill C-27 is intended to:

    Deter unsolicited commercial electronic mail by prohibiting the sending of commercial electronic messages without consent (Spam).

    Protect the integrity of transmission data and prohibit unwanted installation of computer programs (Spyware).

    Prohibit false and misleading commercial representations online.

    Prohibit the collection of personal information through access to computer systems without consent.

    Provide for a private right of action for breaches.

    Allow the imposition of administrative monetary penalties on violators.

    Amends: Telecommunications Act, Competition Act, PIPEDA.

    The Bill provides for regulations that could modify the impacts of the ECPA. The regulations will probably be ready in September.

    Bill C-27 will have significant and serious consequences.


    Background: Special Task Force on Spam

    On May 11, 2004, the Minister of Industry established the Special Task Force on Spam to oversee an action plan to reduce the volume of unsolicited commercial e-mail.

    In its 2005 Report, the Task Force recommended new legislation as required to fill any gaps identified in existing laws. See http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00317.html

    This Bill addresses the legislative recommendations of the Task Force on Spam. See Backgrounder, Government of Canada Introduces the Electronic Commerce Protection Act, http://www.ic.gc.ca/eic/site/ic1.nsf/eng/04595.html

    View the ECPA online at: http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3832885&file=4


    Introduction

    Status of Bill C-27, the Electronic Commerce Protection Act:

    1st Reading: April 24, 2009

    Debates: May 7-8, 2009

    2nd Reading: May 7, 2009

    Next steps: Committee: Industry, Science and Technology


    Anti-Spam Provisions


    Anti-Spam Provisions - Key Sections

    The main anti-spam provision in Bill C-27 is found in s.6:

    6. (1) No person shall send an electronic address a commercial electronic message unless

    (a) the person to whom the message is sent has consented to receiving it; and

    (b) the message complies with subsection (2).

    (2) The message must

    (a) set out prescribed information that identifies the person who sent the message;

    (b) set out information enabling the person to whom the message is sent to readily contact the sender; and

    (c) set out an unsubscribe mechanism.


    Anti-Spam Provisions

    The sweep of the anti-spam prohibition is very wide.

    "Electronic address" includes electronic messages sent by e-mail; instant messaging; mobile phones (SMS); social networks, chat groups, Internet forums, business networks, Twitter, RSS feeds, and possibly web sites where users have an account.

    "Commercial electronic message" is an electronic message it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity. Examples are offers to purchase, sell, or lease a product, good, a service, or land; offers to provide a business, or investment opportunity; or a message that advertises or promotes the foregoing.


    Anti-Spam Provisions - Consent

    The consent requirements are stringent:

    10. (1) A person who seeks express consent must set out clearly and simply the following information:

    (a) the purpose or purposes for which the consent is being sought;

    (b) prescribed information that identifies the person seeking consent.

    (3) Consent is implied only where the person who sends the message has an existing narrowly defined business or non-business relationship with the person to whom it is sent.

    Existing business relationships are limited to (i) business transactions completed within the last 18 months, (ii) contracts concerning some other subject matter in existence or which have expired within 18 months, or (iii) an inquiry or application within the last 6 months.

    Existing non-business relationships are limited to (i) persons who have made donations or gifts to a registered charity, political party, or candidate for Federal or Provincial office within the last 18 months, (ii) volunteers to the above organizations within the last 18 months, and (iii) membership in an organization that is listed in regulations within the last 18 months.


    Problems with the Anti-Spam Provisions - Too Broad and Encompassing

    The Bill assumes that all electronic communications are unwanted spam and prohibits all commercial electronic messages, except in limited circumstances.

    It departs from other international anti-spam legislation as it is not limited to messages that are somehow harmful, such as messages:

    that contain some element of fraud or misleading information;

    that are sent in violation of an individual's opt-out request;

    that are sent with an intent to deceive or mislead;

    that are sent to addresses that were gathered using automated means; or

    that are sent in bulk.

    It thus imposes significant restrictions on commercial speech. These could violate the right to freedom of speech under the Canadian Charter of Rights and Freedoms.


    Problems with the Anti-Spam - The Consent Provisions are Far Too Limiting

    The ECPA would prohibit sending electronic messages without either express or implied consent from the intended recipient.

    The ECPA does not permit consent for a solicitation to be inferred from publication of an e-mail address if it would be reasonable to assume the message would be of interest to the individual or their organization, or more generally from the conduct of the individual or organizations concerned.

    It also prohibits seeking consent electronically and treats even a request as a prohibited electronic message.


    Problems with the Anti-Spam - The Formalities for Messages are Too Onerous

    The formalities apply to each means of communication and treat them as if they were the same.

    However, the technologies related to electronic communications that exist today or which may be created in the future may be vastly different, e.g., e-mail, IM, SMS messages, voice mail, Twitter, blogs, RSS feeds, social networks, future communication means, etc. are not the same.

    Some electronic technologies may not be able to (a) set out prescribed information that identifies the person who sent the message; (b) set out information enabling the recipient to readily contact the message sender; or (c) set out an unsubscribe mechanism in accordance with subsection 11(1).


    Examples of spam

    The following would be considered spam under the ECPA, unless the sender has obtained the prior express consent from the recipient:

    A business sending an e-mail to a new potential supplier or customer proposing a possible business arrangement after reviewing its website, even if email contact information is displayed on its websites.

    A business sending a person an email with a link to the business' web site, if the website describes the goods or services of the business, outside of the narrowly defined situations described above.

    The amendments would significantly advantage established businesses at the expense of newer businesses or businesses seeking to expand into new markets. Established companies could continue to make use of existing contacts for the period permitted by the ECPA. New businesses would be unable to use the Internet to establish new business relationships.

    A customer or client who hasn't purchased goods or services from a business for 18 months, or who has never bought goods or services, could not send an email asking to buy products or obtain services, see a catalogue or ask for price list, quotation or estimate.

    Law firm or other professional firm sending out e-alerts and electronic newsletters to clients they have not provided services for in the last 18 months that contains a link to the firm's website or promotes any of the firm's professionals, services or expertise.

    E-mailing an existing customer or supplier with whom the sender has a long term contract entered into more than 18 months before the communication with a proposal to do more business under the contract or that includes an updated price list, catalogue of products, or services or to suggest a meeting.

    Sending e-newsletters that have advertisements to persons that have been receiving them without objection for years, unless the sender has done business with the receiver in the last 18 months.


    Examples of spam

    More examples:

    Headhunting using email; applying for a job by sending a resume to the head of HR of an organization, even if in response to a published advertisement.

    Soliciting freelance or consulting services to prospective clients in your field, no matter how targeted your emails are.

    Proposing cross industry partnerships or initiatives with others in your field if you've never had contact with them.

    Sending newsletters, business publications, or company information to anyone who has made an inquiry about a company's products or services more than 6 months before.

    Asking for donations or volunteers by any organization that is not a registered charity, political party or federal or provincial candidate.

    Sending University alumni e-newsletters with advertisements or asking for support.

    Sending e-mails to former members of clubs after 18 months.

    Adding a business or professional acquaintance to your Facebook/LinkedIn account if you haven't been in contact with the person in the last 18 months.

    Sending any messages using SMS (or like means of communication) that cannot comply with the message formalities, e.g., does not contain a means to send unsubscribe requests.

    Any commercial e-mail that does not contain a footer enabling the recipient to unsubscribe to further e-mails.


    Anti-Spam Provisions - International Comparisons

    Canada (Bill C-27, the Electronic Commerce Protection Act)
    Applies to: any electronic message that, having regard to the content of the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity
    Notes: Consent to receive the message can only be implied where there is an existing relationship (within the last 18 months)

    U.S. (CAN-SPAM Act of 2003)
    Applies to: any electronic message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service
    Notes: Prohibitions on unsolicited messages are limited to messages that are fraudulent or misleading (s.4), those that do not contain prescribed information (s.5) or those sent in violation of an opt out request.

    Australia (Spam Act 2003)
    Applies to: a commercial electronic message is an electronic message, where it would be concluded that the purpose, or one of the purposes, of the message is [among an exclusive list of purposes related to advertising and offering goods and services]
    Notes: Consent can be implied where the electronic address has been published and the message is relevant to the individual.

    New Zealand (Unsolicited Electronic Messages Act 2007)
    Applies to: commercial electronic message means an electronic message that markets or promotes [goods or services], or assists or enables a person to obtain dishonestly a financial advantage or gain from another person
    Notes: Consent can be implied from the conduct, business and relationships of the persons concerned.

    Singapore (Spam Control Act 2007)
    Applies to: a commercial electronic message is an electronic message, where it would be concluded that the primary purpose of the message is [among an exclusive list of purposes related to advertising and offering goods and services]
    Notes: Prohibitions on unsolicited messages are limited to messages that are sent in bulk (s.6 & 11)

    Hong Kong (Unsolicited Commercial Messages Ordinance)
    Applies to: commercial electronic message means an electronic message the purpose, or one of the purposes, of which is [among an exclusive list of purposes related to advertising and offering goods and services]
    Notes: Prohibitions on unsolicited messages are limited to those that are sent using automated means (s.18 & 19) or with the intent to deceive or mislead (s.20)


    Anti-Spyware Provisions


    Anti-Spyware Provisions

    The main anti-spyware provision is found in s.8(1) of the Bill:

    8(1): No person shall, in the course of a commercial activity, install a computer program or cause an electronic message to be sent from a computer system, unless the person has obtained the express consent of the owner or an authorized user of that computer system.


    Anti-Spyware Provisions - Consent

    The provisions contain stringent disclosure and consent requirements:

    10. (1) A person who seeks express consent for the doing of an act described in any of sections 6 to 8 must set out clearly and simply:

    (a) the purpose or purposes for which the consent is being sought; and

    (b) information that identifies the person seeking consent;

    (2) A person who seeks express consent for the doing of any act described in section 8 must also describe clearly and simply the function, purpose and impact of every computer program that is to be installed.


    Anti-Spyware Provisions - Definitions

    "computer system" means a device that (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function.

    "computer program" means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.


    Anti-Spyware Provisions - Implications

    Prohibition on any program, patch, upgrade or add-on installed without express consent.

    How practical is consent for automatic updates given need for prior disclosure of function, purpose and impact of every program to be installed?

    This provision could make it illegal to use applications written in popular computer languages like Java, without such disclosure and consent.


    Anti-Spyware Provisions - Implications

    Developers of anti-virus and anti-spyware software would have to obtain consent from users to include each latest virus and spyware definition in the programs and disclose to users the effects of these updates.

    This disclosure could help the creators of viruses and spyware to circumvent the protection programs.

    The provisions in the ECPA would apply not only to personal computers but to a whole host of devices from iPhones and Blackberries to mainframe computers.

    Many of these devices do not have the capability of displaying consent forms and relaying consent.


    Examples of spyware

    The following would be considered spyware under the ECPA, without obtaining consent from the recipient:

    Embedded browser-based applets (Flash, JavaScript), including routine functions like a re-direct

    Anti-virus and anti-spyware updates and latest virus/spyware definitions

    Hardware driver updates

    Other routine software patches (operating system security patches, bug fixes, etc.)


    Examples of spyware

    More examples:

    DRM/TPM technologies

    Software code embedded in media files

    Software updates to wireless devices

    (Possibly) HTML code


    Anti-Spyware Provisions - International Comparison

    The ECPA goes much further than any trading partner in its prohibitions against installing software.

    Some U.S. states have passed laws prohibiting spyware, but the laws only apply to programs that perform a limited set of functions, such as:

    Modifying settings of other programs (like default browser settings),

    Collecting personal or financial information of the computer's owner,

    Activating keystroke logging software to collect personal information,

    Attempting to block or uninstall existing anti-spyware and anti-virus programs,

    Collecting browser history and bookmark lists, or

    Preventing the user from removing the spyware program.


    Message Tampering

    Bill C-27 also prohibits altering e-mails:

    7. (1) No person shall alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender

    (2) Subsection (1) does not apply if the alteration is made by a telecommunications service provider for the purposes of network management.


    Deceptive Marketing Provisions


    False and Misleading Messages

    Bill C-27 amends the Competition Act to criminalize false or misleading representations in electronic messages

    The Competition Bureau will have the power to investigate and take action against the use of false headers, false locator information, or the presence of false or misleading content in electronic messages.

    Two options for proceeding:

    prosecution under new s. 52.01 and related provisions

    reviewable practice under new s. 74.011


    False/Misleading Messages - Criminal Offence

    The Competition Act is amended by adding the following section:

    s.52.01 No person shall knowingly or recklessly:

    (1) send or cause to be sent a false or misleading representation in the sender information or subject matter information of an electronic message

    (2) send or cause to be sent in an electronic message a representation that is false or misleading in a material respect

    (3) make or cause to be made a false or misleading representation in a locator


    Key Definitions

    "locator" means a name or information used to identify a source of data on a computer system, and includes a URL;

    "sender information" means the part of an electronic message including the data relating to source, routing, addressing or signalling that identifies or purports to identify the sender or the origin of the message;

    "subject matter information" means the part of an electronic message that purports to summarize the contents of the message or to give an indication of them;


    Prosecution Issues

    It is not necessary to prove that any person was actually deceived or misled.

    The general impression conveyed by a representation as well as its literal meaning are to be taken into account.

    Any person who contravenes this provision is guilty of an offence and liable

    If on indictment, to a fine in the discretion of the court or to imprisonment up to 14 years, or to both, or

    If on summary conviction, to a fine of up to $200,000 and imprisonment up to 1 year, or to both

    Contravention can also trigger civil liability for damages (s. 36)


    New Reviewable Deceptive Marketing Practices

    74.011 A person engages in reviewable conduct who:

    (1) sends or causes to be sent a false or misleading representation in the sender information or subject matter information of an electronic message.

    (2) sends or causes to be sent in an electronic message a representation that is false or misleading in a material respect.

    (3) makes or causes to be made a false or misleading representation in a locator.

    Contravention results in administrative monetary penalty of up to:

    individual - $750,000 1st offence, $1 million 2nd +

    corporation - $10 million 1st offence, $15 million 2nd +


    New Reviewable Deceptive Marketing Practices

    Sender information, subject matter or locator could be found false or misleading notwithstanding other content in an electronic message.

    Consider teaser subject lines:

    An important message from ABC

    Our best sale of the year

    The best vacation ever


    Enforcement Mechanisms


    ECPA Civil Liabilities and Offences - Summary

    Civil Liability

    s.20: Contravention of spam and spyware provisions of ECPA
    Enforced by: CRTC
    Penalty: Maximum of $1,000,000 for individuals and $10,000,000 for others

    s.47(1): Private right of action for people who allege they are affected by: a contravention of the spam and spyware provisions of the Bill, certain contraventions of s.5 of PIPEDA or conduct reviewable under s.74.011 of the Competition Act
    Enforced by: Courts
    Penalty: Actual damages, plus up to $200 for each contravention, not to exceed $1,000,000 per day

    Offence

    s.42: non-compliance with preservation demand or notice to produce
    s.43: Providing false or misleading information to person performing ECPA duties
    Enforced by: Prosecution
    Penalty: Up to $25,000 for individuals and $250,000 for others


    New Civil Liabilities - Administrative Monetary Penalties

    Violation of the spam or spyware provisions leads to administrative monetary penalties (s. 20)

    individuals up to $1 million

    others up to $10 million

    Factors for determining the fine include (s. 20(3)):

    the purpose of promoting compliance, not punishment

    the scope of the contravention

    the person's history with respect to prior spam/spyware violations

    financial benefit received

    the person's ability to pay

    any other relevant factor


    New Civil Liabilities - Administrative Monetary Penalties

    24. (1) A person who is served with a notice of violation shall pay the penalty or make representations with respect to acts or omissions that constitute the alleged violation.

    (2) A person is deemed to have committed the violation if they either pay the penalty or do not pay the penalty, or do not make representations, in accordance with the notice of violation.

    25. (1) If a person makes representations in accordance with the notice, the CRTC shall decide, on a balance of probabilities, whether the person committed the violation


    New Civil Liabilities - Administrative Monetary Penalties

    Liability under ECPA extends to

    officers, directors or agents of a company, if they authorized, participated, etc. in the violation (s.31)

    employer where violation by an employee (s.32)

    Due diligence defence (s. 33)

    importance of compliance training

    No proceeding against an offender that enters into a (confession-infused) undertaking (s. 21)

    may specify conditions and payments presumably negotiated with CRTC

    Uncertain limitation period

    3 years after becoming known to CRTC


    Private Right of Action - Recovery (s. 51)

    Proving contravention results in recovery of:

    S.51(1)(a) actual damages, plus

    S.51(1)(b) additional amount

    up to $200 per contravention

    maximum of $1 million per contravention day

    Factors for the court to determine any additional amount under s.51(1)(b):

    Same as in s. 20(3) violation re AMP liability

    No s.51(1)(b) ECPA recovery where s.20 AMPS action or s.21 undertaking with CRTC

    This exemption not applicable to

    PIPEDA claim or

    Competition Act s. 74.011 claim, but award deducted from AMP fine

    Class action implications


    Repeal of the Do-Not-Call List


    Repeal of the Do-Not-Call List

    Bill C-27 contains (confusing) provisions to abolish the CRTC's recently established National Do-Not-Call List (DNCL) and replace it by the ECPA, which will be expanded so spam provisions (s.6) apply to voice calls.

    This would change from the DNCL's current opt-out approach to the ECPA's opt-in approach

    Compliance with electronic message requirements in s.6(2), including set out unsubscribe mechanism

    The DNCL exemption for business to business calling will, in effect, be repealed and replaced by ECPA's implied consent provisions

    Thus cold calling, or contacting business relationships that have been inactive for greater than 18 months, will be restricted

    DNCL-to-ECPA trigger not specified: Govt decides

    No guarantee of public consultation


    Summary of Concerns

    The ECPA is very complex and goes far beyond what is seen in other jurisdictions.

    It has the potential to deter legitimate forms of commercial speech.

    Given the Government's accelerated timeframe, the opportunity to voice concerns over this Bill is now.

    The House of Commons committee on Industry, Science and Technology will be deliberating the ECPA very soon.


    Summary of Concerns

    These slides and the accompanying video will be made available in French and English at http://www.mccarthy.ca

    (French version of presentation available at http://www.mccarthy.ca)

    Questions?
