Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.
Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short) imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well-past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.
Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission. FISA creates a two-year window from the date an address was collected with implicit permission to try and convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.
CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.
The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.
Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.
The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders. Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this month, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.
Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.