
Canada’s anti-spam law

Bill C-28 (Canada’s Anti-Spam Law) received Royal Assent on December 15, 2010. Once in force, FISA will prohibit certain forms of spam, phishing and the use of spyware in commercial activities. More detailed regulations should have been issued for public comment this spring and the regulations put into force in autumn 2011. This might be delayed by the upcoming federal election. Nonetheless, all of us operating online businesses in Canada should start to get ourselves geared up for this and ensure that we are squeaky clean.

The Anti-Spam provisions include:

  • a prohibition on the delivery of commercial electronic messages to an electronic address unless prior consent has been obtained from the recipient. The message must be in the prescribed form.
  • electronic messages are those sent by any means of telecommunication, including a text, email, sound, voice or image message.
  • since an electronic address is defined as an address used in connection with the transmission of an electronic message to an email, instant messaging, telephone or similar account, it might be interpreted that social media platforms such as Twitter and Facebook are also included. This we need to keep an eye on and start to think about how we will ensure that we are not in breach of this.

Consent is not required in all instances

Certain exceptions to the requirement that prior consent is obtained before sending electronic messages for commercial activities are provided such as:

  • giving a quote or estimate for the supply of a product, goods or service, if it was requested by the recipient
  • facilitating, completing or confirming an existing commercial transaction
  • providing notification about an ongoing subscription, membership etc.
  • delivering a product, good or service, including upgrades, further to an existing relationship

Now I assume that if you do any of the above you would be in breach of the law if you also included a pitch about another product or service.

What is meant by “consent”?

FISA creates an “opt-in” system whereby prior consent must be obtained from the recipient in order to deliver a commercial electronic message. The onus is thus clearly on the sender to demonstrate that consent was received prior to sending a commercial electronic message. So if someone signs up for your teleseminar, infoletter or free report, then you are not in breach of this law.

In addition (and this I believe will be very helpful for online businesses), there are cases where consent may not be needed, for example:

  • a message sent in the context of an existing business or non-business relationship between sender and recipient, so I assume I could let my friends or current clients know about my upcoming social media talks, for example

There are some exceptions that could have implications for your business:

  • the recipient has ‘conspicuously published’ their email address and this is not accompanied by a statement that they do not wish to receive communications and the message is relevant to the person’s business, role, functions or duties in a business or official capacity. This means that if you do not want to receive such commercial messages then you should state clearly on your website that you do not wish to receive unsolicited commercial messages.
  • the same exception applies if the person receiving the commercial communication has disclosed their email contact information to the sender without indicating that they do not wish to receive communications and the message is relevant to the person’s business, role, functions or duties in a business or official capacity.

Form of the message

  • Other than the specific types of messages benefiting from the form and content exemption referred to above, the message must be in a prescribed form. This will be established in the pending regulations. It should identify the sender, provide their contact information, and include an “unsubscribe” mechanism.

The unsubscribe mechanism

  • The unsubscribe mechanism must enable the recipient to indicate that they no longer wish to receive future commercial messages. In addition, the sender of the message must specify an electronic address, or link to a web page that can be accessed through a web browser, where the recipient can express his or her desire to unsubscribe. The unsubscribe mechanism must enable the recipient to unsubscribe using the same electronic means by which the message was sent, or if using those means is not practical, any other effective electronic means. The electronic address or web page where the recipient can express his or her desire to unsubscribe must be valid for at least 60 days after the message is sent. On receiving notification of a desire to unsubscribe, the sender must unsubscribe the address within no more than 10 business days.


  • Penalties for non-compliance are not good news and it’s not just corporations that can take action as the FISA includes a private right of action allowing a person to bring a civil action in court thus potentially opening the door to class action proceedings.


  • Review your current Electronic Communication Practices
  • Collect Consents
  • Ensure that electronic messages satisfy the requirements, such as identifying the sender, and that they satisfy the unsubscribe requirements to opt out of future messages.
  • Ensure that your staff, VAs and anyone writing in the name of your company understands and respects these requirements, especially when you have VAs outside of Canada who are unlikely to have any idea about the existence of this legislation.

I based this blog post on an article by Blakes. They list the following staff as being able to advise and assist.

Christine Ing 416-863-2667

Tricia Kuhl 514-982-5020

Elizabeth McNaughton 416-863-2556

Wendy Mee 416-863-3161

Dean Murray 604-631-3367

Laura Weinrib 416-863-2765
