Electronic Commerce Protection Act (Bill C-27)


Introduction

Spam and related online threats such as spyware and phishing are not just a nuisance; they are a drag on online commerce and a menace for consumers. Canada is a major contributor to this problem: Cisco's 2008 Annual Security Report recently ranked it fourth worldwide in the level of spam originating from within our borders, and it remains the only G-8 country without anti-spam legislation.

And the problem is growing. According to Symantec's MessageLabs monthly report, the percentage of emails that are spam jumped 5.1 percent to 90.4 percent in May 2009. Furthermore, the report finds that one in 279 emails in May comprised a phishing attack and one in 317.8 contained malware.

The explanation is that spam is profitable. A 2008 study from the University of California San Diego and UC Berkeley shows that spamming can generate profits of millions of dollars per year, even though only one in 12,500,000 pharmacy spams, for instance, leads to a purchase.

### F.A.Q.s

  [Enforcement Generally](#Enforcement Generally)

[Anti-Spam Provisions](#Anti-Spam Provisions)

[Anti-Phishing Provisions](#Anti-Phishing Provisions)

[Anti-Spyware Provisions](#Anti-Spyware Provisions)

[False or Misleading Representations in the Online Marketplace](#False or Misleading)

[Do-Not-Call Registry](#Do-Not-Call Registry)

 

Enforcement Generally

What is the Electronic Commerce Protection Act (“ECPA” or “Act”)?

The ECPA is Canada’s long-awaited legislative response to spam and other threats to confidence in online commerce. It was introduced in Parliament as Bill C-27 on April 24th, 2009.

The ECPA addresses the following subject areas:

  • Spam
  • Phishing
  • Spyware
  • Misleading or false representations in the online marketplace

Who will enforce the provisions of the ECPA?

The ECPA takes a multi-faceted approach to enforcing its provisions. Briefly, it establishes a private right of action against violators for damages, administrative fines levied by the Canadian Radio-Television Telecommunications Commission (“CRTC”) and some penal offences, as well as offering recourses under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Competition Act.

The ECPA requires cooperation between the CRTC, the Office of the Privacy Commissioner (“OPC”) and the Competition Bureau since there is overlap between the online activities each agency targets under this legislation.

To whom does the ECPA apply?

Section 12 of the ECPA describes the jurisdiction for the main anti-spam provisions of the Act (sections 6-9). The computer system “used to send, route or access the electronic message” must be in Canada. In other words, the Act covers situations in which the violator or the victim is present in Canada.

Section 9 of the ECPA ensures that procuring a violation under the Act is equally actionable as directly committing the violation. In other words, a person in Canada who pays a spammer outside of our borders to send spam to Canadians can be held liable under this act. It is a “follow the money” approach.

How does the ECPA deal with international violators of its provisions?

The ECPA allows for the CRTC, the OPC and the Competition Bureau to share information with their counterparts in foreign states and international organizations that enforce similar legislation so that violators outside of Canada do not avoid responsibility.

Anti-Spam Provisions

What is “spam”?

The following is from CIPPIC’s “spam” FAQ: There is no single definition of spam, but everyone agrees that spam is, at a minimum, unsolicited and unwanted e-mail. Whether e-mails must be transmitted in bulk or be commercial in nature in order to be considered "spam" is the subject of debate. So is the question of whether unsolicited e-mail sent to existing customers without prior consent constitutes spam.

Definitions of spam include:

  • bulk unsolicited mail, most of which is of a commercial nature, promoting products or services (Industry Canada)
  • unsolicited bulk electronic messages, usually electronic mail messages but increasingly SMS and MMS messages (text messages and graphics/videos delivered to mobile phones) (National Office for the Information Economy (NOIE) in Australia).

Characteristics typical of spam include:

  • untargeted and indiscriminate distribution;
  • disguised identity and address of the originator;
  • no valid or functional address to which recipients can respond in order to opt out of receiving further unsolicited messages OR failure to respect recipients' requests to stop sending unsolicited messages; and
  • illegal or offensive content.

Why is spam a problem?

The following is from CIPPIC’s “spam” FAQ: Spam is not just an inconvenience and annoyance to recipients. It shifts the costs of marketing from marketers to consumers, displaces legitimate e-mail, wastes resources, and reduces the productivity of those who have to deal with it. In particular, spam:

  • increases the cost of internet service, as ISPs are forced to deal with increased transmission flows, filter e-mail messages and respond to customer complaints, as consumers are forced to spend more time online in order to download unsolicited messages;
  • causes slower Internet service when servers are overburdened by bulk transmissions;
  • causes consumers to miss legitimate e-mail messages because they are either lost in the flood of spam, mistaken for spam, or filtered out in the effort to manage spam;
  • reduces the ability of businesses to rely on e-mail as a communications tool given the likelihood of their messages being filtered out, mistaken for spam, or simply lost in the flood of spam; and
  • costs businesses millions of dollars per year in lost productivity.

The volume of spam has now reached the point at which it threatens the viability of e-mail as a reliable communications medium for businesses and consumers.

How does the ECPA address spam?

The ECPA creates an opt-in approach for receiving unsolicited commercial electronic messages whereby a person must give consent to receiving such messages. The approach is intended to be technology neutral; it applies equally to emails and text messages (“cell phone spam”).

The ECPA’s opt-in approach is similar to that in Australia’s Spam Act of 2003 (and in France and the UK) but differs from the US’s CAN-SPAM Act of 2003, which uses an opt-out mechanism.

Even where the sender has consent, the ECPA creates further requirements for commercial messages so that recipients can easily put a stop to them. The message must include:

  • the identity of the person who sent the message and the person—if different—on whose behalf it was sent;
  • information allowing the recipient to readily contact the sender;
  • an unsubscribe mechanism allowing the recipient to indicate, using the same electronic means by which the message was sent, that they do not wish to receive any commercial electronic messages from the sender; and
  • an electronic address or hyperlink for this purpose that is valid for a minimum of 60 days after the message is sent.

The ECPA also attacks spammers’ tools. It targets:

  • email address harvesting done through the use of computer programs and without consent (e.g., dictionary attacks would be prohibited by subsection 7.1(2) of PIPEDA); and
  • botnets (a collection of compromised computers to which a spammer can purchase access in order to send spam). Section 8 of the ECPA prohibits causing an electronic message to be sent from a computer system accessed through a program installed without authorization.

What is a “commercial electronic message”?

According to subsection 2(2) of the ECPA, a “commercial electronic message” is a message from whose content—including the content of websites for which the message contains hyperlinks*—or contact information it would be reasonable to conclude that it has as one* of its purposes “to encourage participation in a commercial activity”. Examples include a message that:

  • offers to purchase/sell a product or service;
  • offers a business, investment or gaming opportunity; or
  • promotes a person as being someone who does any of the above.

*It appears that even if its primary purpose is non-commercial, a message would still be considered “commercial” under this legislation if it has any commercial purpose, unlike under US legislation, which only prohibits commercial messages that have a primarily commercial purpose. (Note: In 2005, the FCC exercised its rule-making powers under the U.S. anti-spam statute in order to define ‘primary purpose’: http://www.ftc.gov/os/2005/01/050112canspamfrn.pdf, p. 12ff.)

One issue with the above definition is the use of the term “hyperlink”, which is fairly narrow. The definition of this term usually requires that it be a “clickable” link. Of course, if the provision were limited to these sorts of clickable links, a spammer could get away with sending a commercial message by simply including a website address, rather than a (clickable) hyperlink. Considering the purpose of the ECPA, it is unlikely that this provision is supposed to have such a narrow application, and those reviewing the legislation would do well to choose a broader term than “hyperlink”.

The broad definition of “commercial” will likely capture most instances of spam, including the familiar Nigerian 419-type scam wherein, for example, a foreign prince offers you his inheritance, land and title, or something similar in exchange for your personal information. On the other hand, these provisions are unlikely to capture donation requests from legitimate charities or political organizations, so long as the messages are not selling or promoting a product. It remains to be seen whether spam evolves to escape this “commercial” criterion.

An electronic message that contains a request for consent to send a message is also considered a commercial message.

There is an exception for messages connected to public safety and law enforcement.

What does “consent” require?

Consent can be express or implied.

Express consent requires the consent seeker to lay out clearly the following information:

  • the purpose for which the consent is sought;
  • the identity of the person seeking consent and that of the person on behalf of whom consent is sought, if different; and
  • any other information prescribed in the regulations.

Implied consent requires that the person who sends or causes to be sent a message has an existing business relationship or non-business relationship with the person to whom the message is sent.

A business relationship arises from a number of circumstances, such as:

  • the purchase of a product or service in the 18-month period preceding the day on which the message was sent;
  • the acceptance of an investment opportunity within the 18-month period preceding the message;
  • a written contract between the parties that currently exists or expired within the 18 months preceding the message; or
  • an inquiry or application about any of the above made by the person to whom the message is sent within 6 months before the commercial electronic message is sent.

A non-business relationship arises from circumstances such as:

  • where a receiver has provided a donation, volunteer work or attendance at a meeting for the sender, within the 18-month period preceding the message, and where the sender is a charity, political party, candidate or organization; or
  • where the sender is a club, association or voluntary organization of which the recipient is a member, or was a member within the 18 months preceding the message.

Are there requirements in addition to consent?

In addition to consent, the message must include the following:

  • the identity of the person who sent the message and the person—if different—on whose behalf it was sent;
  • information allowing the recipient to readily contact the sender;
  • an unsubscribe mechanism allowing the recipient to indicate, using the same electronic means by which the message was sent, that they do not wish to receive any commercial electronic messages from the sender; and
  • an electronic address or hyperlink for this purpose that is valid for a minimum of 60 days after the message is sent.

What are the exceptions to this anti-spam provision?

The ECPA’s prohibition against unsolicited commercial electronic messages does not apply if:

  • the message is between individuals with a personal or family relationship;
  • the message is solely an inquiry or application related to the commercial activity that a particular person engages in; or
  • the message is of a sort specified in the regulations.

Note again that the ECPA does not apply to non-commercial activity, so it will not interfere with communications from political parties or charities so long as they are not selling or promoting a product.

The anti-spam provision also does not apply to telecommunication service providers when merely providing a service that enables the transmission of a message.

Further, depending on whether the Government enacts section 84 of the Bill or not, the anti-spam provision may not apply to the following kinds of communications, the regulation of which would be left to the CRTC:

  • Two-way voice communications between individuals
  • Faxes
  • Voice recordings sent to a telephone account

This exception is linked to the future of the Do-Not-Call List. See “Does the ECPA repeal the Do-Not-Call List?”, below, for more information.

What can I do if I receive spam?

The ECPA takes a multi-faceted approach to combating spam. It creates two new actions:

1. Administrative Monetary Penalty: A contravention of section 6 of the ECPA (sending or causing to be sent a commercial electronic message without consent) can lead to a fine of up to $1,000,000 in the case of an individual and $10,000,000 in the case of any other person.

Such a contravention can be brought to the attention of the CRTC, which can notify the potential violator and then decide, on a balance of probabilities, whether there has been a contravention and how big the monetary penalty should be.

2. Civil Remedy: A contravention of section 6 also gives rise to a private right of action available to affected persons. If you receive unsolicited commercial electronic messages, you can apply to a court of competent jurisdiction for an order against one or more persons you believe are responsible for the act. After hearing your application, a court can then choose to order the person or persons to pay you:  

  • compensation for the loss or damage you have suffered or expenses you have incurred; and
  • a maximum of $200 per contravention per day, not exceeding $1,000,000 per day

The latter raises the possibility of collective action in jurisdictions where class actions are an option.

Also, pre-ECPA recourses are still available to you. See CIPPIC's FAQ on "spam" for more information.

Anti-Phishing Provisions

What is phishing?

The following is from CIPPIC’s FAQ on “phishing”:

Phishing is a method of luring individuals into providing their personal information by masquerading as a trustworthy person or organization, via an apparently official electronic communication such as an email. This communication will be used for two purposes:

1) to lure the unsuspecting user to a spoofed website which resembles the site of the real organization, usually containing copied logos and other identifying information. The domain name of the fraudulent sites often contains spelling mistakes or they use an alternate but similar name, but these differences can be hard to spot.

2) to get the user to provide personal information or account information by entering it using the fake web site or by replying to the fake message. By responding, the victims are providing their personal information directly to the identity thieves.

The message usually contains an alert that something is wrong with the victim's account, such as a security breach, or asks that personal information and passwords be updated, corrected or verified. Some messages even come in the form of a fraud alert. The message is written in a language similar to that used by the organization; it will also use the same colors and logos - this is known as "spoofing". There is a sense of urgency to the message. The urgent nature of the message may dupe even those who are not clients of the organization being impersonated to respond.

These sites also count on the lack of awareness by the average user of details which distinguish legitimate web sites from unlawful duplicates. For example, a closed padlock symbol indicates that a site was issued a secure certificate. A user must look at the details of the certificate to ensure the site actually belongs to the organization. The domain name of spoofed sites will be slight variations of the real site's domain name; for example, www.amaazon.ca instead of www.amazon.ca. Any site accessed via a numeric internet protocol (IP) address, such as http://10.3.45.67, instead of textual domain name should be considered suspicious.

By responding directly to the email or via the spoofed website, the victim inadvertently sends personal information directly to the criminal. This may include ATM card numbers, PIN codes, credit card numbers and expiry information, passwords, account information, and so forth. Worms and viruses may spread the phishing email further, via victims' address books.

Why is phishing a problem?

Phishing can lead to identity theft and other forms of fraud. This in turn can lead to financial losses, poor credit ratings, damage to reputation, in addition to the sense of loss that comes with a violation of your privacy.

It can also have a chilling effect on activity in the online marketplace by causing consumers to mistrust online commerce opportunities offered by legitimate businesses.
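The two URL indicators named in the “What is phishing?” answer above (a host given as a numeric IP address, and a domain that is a slight variation of the real one) can be checked mechanically by a mail filter or help-desk tool. The Python below is an added example, not part of CIPPIC's FAQ or the Bill; the allow-list, the extra sample URLs and the edit-distance threshold of 2 are assumptions, and it compares whole host names rather than consulting a public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the domains the real organization actually uses.
TRUSTED_DOMAINS = ["amazon.ca"]

# Constructed sample links, as they might appear in a received message.
SAMPLE_URLS = [
    "http://10.3.45.67/login",        # numeric IP instead of a domain name
    "http://www.amaazon.ca/signin",   # slight variation of the real domain
    "https://www.amazon.ca/",         # the real site
    "https://example.org/",           # unrelated site
]


def hostname(url):
    """Return the lower-cased host of a URL, without a leading 'www.'."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance between two strings, using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings for one URL; an empty list means none."""
    host = hostname(url)
    if not host:
        return ["no-host"]            # e.g. a link written without a scheme
    if is_ip_literal(host):
        return ["ip-literal-host"]
    findings = []
    for domain in trusted:
        # Exact match or a subdomain of a trusted domain is not flagged.
        if host == domain or host.endswith("." + domain):
            return []
        # Close to a trusted domain but not equal to it: likely lookalike.
        if edit_distance(host, domain) <= max_distance:
            findings.append("lookalike-of:" + domain)
    return findings


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, check_url(url))
```

A clean result only means neither indicator fired; it does not establish that a link is legitimate.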

How does the ECPA address phishing?

First of all, by targeting spam, the ECPA takes aim at a major vehicle for phishing, spyware and malware threats.

Secondly, section 7 of the ECPA prohibits altering, in the course of commercial activity, transmission data in an electronic message so that the message is delivered to a different or additional destination than that specified in the original message, unless the alteration is done with the express consent of the sender.

This could protect against phishing emails that seek to deceive recipients or an internet access service about the source of the message (i.e., “spoofing”) through a “man-in-the-middle” approach.

It may also cover situations where a packet in an electronic transmission is altered so that a person enters an address or clicks a hyperlink and is sent to a different destination than that specified in the locator. This sort of activity is often linked to phishing—or, more specifically, pharming—since a person will generally be asked for personal information upon arriving at this second destination.

There is an exception for telecommunications service providers conducting “network management”.

The requirement in section 7 that the transmission data be changed “in the course of a commercial activity” could mean that some phishing activities are not captured by the provision. For instance, would it cover an email that appears to come from your university and asks you to provide your email or “webinfo” password? Of course, this sort of activity will generally be caught by existing provisions in PIPEDA or the Criminal Code, but the additional enforcement mechanisms provided by the ECPA would be lacking were it to fall outside of section 7.

Finally, the ECPA amends the Competition Act to give a private right of action as well as administrative and criminal penalties for sending false or misleading information in an electronic message, its sender identification data, or its subject line, if the message promotes—directly or indirectly—a business interest or supply or use of a product. This can cover phishing emails from sources that pose as trustworthy organizations. Furthermore, the same provision prohibits false or misleading representations in locators (such as URLs)—targeting the practice of luring consumers to counterfeit websites in order to elicit personal information.

The Bill also gives the Competition Bureau the ability to apply for an injunction against third party suppliers of products that are likely to be used to commit one of the offences under the Competition Act. This would include software products that can capture email addresses, for instance, and even hardware such as mass diallers.

What does consent require?

Express consent requires the consent seeker to lay out clearly the following information:

  • the purpose for which the consent is sought;
  • the identity of the person seeking consent and that of the person on behalf of whom consent is sought, if different; and
  • any other information prescribed in the regulations.

Where a sender has consent, he or she must also provide a means of withdrawing that consent via a hyperlink or electronic address.

The sender must also ensure that he or she gives effect to this withdrawal of consent within 10 days of receiving it.

Can intermediaries be held liable for phishing activities?

It is not clear whether web hosts and other intermediaries could be held liable under this Bill if cyber-offenders exploit weaknesses in their security measures to co-opt their domain name so that it maps to a different IP address, for example, in order to engage in phishing. However, section 33 of the ECPA provides a defence: a person shall not be held liable for a violation if she can establish that she exercised “due diligence” to prevent it.

What can I do if I am a victim of phishing?

The ECPA takes a multi-faceted approach to combating spam. It creates two new actions:

1. Administrative Monetary Penalty: A contravention of section 7 of the ECPA (see “How does the ECPA address phishing” for more information on how this is linked to phishing) can lead to a fine of up to $1,000,000 in the case of an individual and $10,000,000 in the case of any other person.

Such a contravention can be brought to the attention of the CRTC, which can notify the potential violator and then decide, on a balance of probabilities, whether there has been a contravention and how big the monetary penalty should be.

2. Civil Remedy: A contravention of section 7 also gives rise to a private right of action available to affected persons. Furthermore, a violation of the Competition Act amendments prohibiting false or misleading representations (which can be linked to phishing) also gives rise to such an action. If you are affected by this conduct, you can apply to a court of competent jurisdiction for an order against one or more persons you believe are responsible. After hearing your application, a court can then choose to order the person or persons to pay you:  

  • compensation for the loss or damage you have suffered or expenses you have incurred; and
  • a maximum of $200 per contravention per day, not exceeding $1,000,000 per day

The latter raises the possibility of collective action in jurisdictions where class actions are an option.

Also, pre-ECPA recourses are still available to you. For instance, there are provisions in the Criminal Code and under consumer protection legislation that combat identity theft. See CIPPIC’s FAQ “What Canadian laws currently exist to combat and reduce the risk of identity theft?” for more information.

Anti-Spyware Provisions

What is spyware?

The following is from CIPPIC’s FAQs on “spyware”:

There is an ongoing debate and confusion about the definition of spyware. The term spyware has been used broadly and narrowly. In its broader sense, spyware refers to a variety of potentially unwanted technologies. These technologies can be defined as technologies implemented in ways that impair users' control over:

  • collection, use, and distribution of their personal information;
  • material changes that affect their desktop experience, privacy, or system security; or
  • use of their system resources.

These are items that users will want to be informed about, and which they should be able to easily remove or disable. In its narrower sense, spyware is a term for executable applications, deployed without adequate notice, consent, or control for the user that track and report the user's computer or the user's activities, including collecting and disclosing personal information. . . .

Technologies that spyware might use include:

  1. Tracking Technologies that monitor user behaviour or gather personal information about the user.
  2. Advertising Display Technologies that display advertising content.
  3. Remote Control Technologies that allow remote access or control of computer systems.
  4. Dialing Technologies that make calls or access services through a modem or Internet connection.
  5. System Modifying Technologies that modify system and change user's browser and desktop experience.
  6. Security Analysis Technologies used by a computer user to analyze or circumvent security protections.
  7. Automatic Download Technologies that download and install software without user interaction.

These technologies are valid and not considered spyware if all of the following three requirements are met: adequate notice, consent, and control. Currently, there is a debate as to what these three elements should entail. However, at the minimum, adequate notice should include notice written in a clear language that describes all the software that will be installed and their functions. Consent means that the user has assented to the notice, by clicking "I agree" to the notice or through some other affirmative action. Control means that the user can start, stop, or uninstall the software when the user pleases.

For more information on spyware—what it is and how it gets on your computer—see CIPPIC’s FAQs on “spyware”.

Why is spyware a problem?

Spyware can compromise your privacy. It can be used to commit fraud, such as identity theft, and allow others to access your banking information, passwords and personal documents. It is also linked to behavioural targeting wherein advertisers use profile and taste information obtained through spyware to tailor their marketing to you.

Furthermore, spyware affects the proper functioning of your computer system by using your resources, generally slowing functioning and causing system crashes.

In the context of the ECPA, spyware is of particular concern because it undermines Canadians’ confidence in the security of participating in commerce online, since spyware can surreptitiously be installed when you click on a pop-up ad or hyperlink in a commercial email.

For more information on the threats from spyware, see CIPPIC’s FAQ.

How does the ECPA address spyware?

Section 8 of the ECPA prohibits installing a computer program on anyone else’s computer in the course of a commercial activity, unless one has the express consent of the owner or authorized user of the computer. This would cover spyware—in its broadest definition—if it is installed in the course of a commercial activity. According to Michael Geist, this provision would encompass software companies installing program updates without consent and “music companies that surreptitiously install anti-copying technologies”. <http://thetyee.ca/Mediacheck/2009/05/19/WarOnSpam/?utm_source=mondayheadline> There is some concern that this provision could make it illegal to install Java or Flash applets on a computer when a user visits a website, a common and legitimate practice, but this is an issue that could be fixed without overhauling the legislation.

If a program is installed, section 8 further prohibits sending an email from that computer without express consent. This provision takes aim at a major source of spam: botnets. A botnet, in this instance, would be a collection of compromised computer systems that a spammer can purchase access to in order to send out spam.

Based on the definition of “commercial activity”, we can wonder whether this provision will capture surreptitious installation of spyware or other malware when downloading from a free file sharing site. Given the purpose of the ECPA (increasing confidence in online commerce), we suggest that the provision should catch this activity since the average consumer may not make a distinction between these sites and commercial ones when deciding whether she feels confident enough in the security of online commerce in order to participate.

Sections 78ff of the Bill also amend PIPEDA to make collecting and/or using personal information obtained by accessing a computer system without authorization actionable conduct. This provision would cover the collection of information such as PIN numbers or passwords when this is done by installing spyware on your computer, for instance.

Furthermore, a court can order a person, on application by the Privacy Commissioner, to refrain from supplying a product that appears likely to be used to engage in this activity. This prohibition is purposive and technology neutral. It appears broad enough to encompass not only current products used to facilitate such activities, but also any future innovations that may emerge. Exactly which products—and at what stage of development—are captured remains to be seen and may only become clear in the future on a case-by-case basis. It seems certain it will at the least capture tracking technologies and other software aimed at finding and infiltrating computer systems.

What does consent require?

Express consent requires the consent seeker to lay out clearly the following information:

  • the purpose for which the consent is sought;
  • the identity of the person seeking consent and that of the person on behalf of whom consent is sought, if different; and
  • any other information prescribed in the regulations.

The ECPA requires that the person who gave consent be given an electronic address to which she may send a request to remove the program, if she feels that the purpose and impact of the program was not accurately described to her.

Can intermediaries be held liable for security failures leading to the installation of spyware?

It is not clear whether web hosts and other intermediaries could be held liable under this Bill for things like “drive-by downloads” where visiting a website causes spyware to be downloaded without your knowledge or consent. In this situation, cyber-offenders exploit known security holes in order to write spyware into the code for the site. Perhaps a web host could be held liable for failing to patch such security weaknesses.

There is also the question of whether a person can be held liable if his or her computer system is co-opted into a botnet that distributes malware, spam, etc. Often, individuals have no idea that their computers are operating as ‘zombies’.

Section 33 of the ECPA provides that a person will not be held liable for a violation if they can establish that they exercised “due diligence” to prevent it. The question will be what is required to fulfill this due diligence criterion. It could involve anything from a duty to address problems once they are brought to one’s attention to positive obligations to install security programs, or more. The content of this defence will likely depend on the context: the amount of due diligence required of a private user is likely to be much lower than that required of the operator of a commercial site.

What can I do if I have been infected by spyware?

The Bill creates two new actions:

1. Administrative Monetary Penalty: A contravention of section 8 of the ECPA (installing computer programs without consent and/or sending an electronic message from a computer system on which such a program has been installed) can lead to a fine of up to $1,000,000 in the case of an individual and $10,000,000 in the case of any other person.

Such a contravention can be brought to the attention of the CRTC, which can notify the potential violator and then decide, on a balance of probabilities, whether there has been a contravention and how big the monetary penalty should be.

2. Civil Remedy: A contravention of section 8 also gives rise to a private right of action available to affected persons. In addition to section 8, a contravention of sections 78ff of the Bill (collecting and/or using personal information (including email addresses) obtained through unauthorized access to your computer system) also gives you a private right of action. If you are affected by such conduct, you can apply to a court of competent jurisdiction for an order against one or more persons you believe are responsible for the act. After hearing your application, a court can then choose to order the person or persons to pay you:  

  • compensation for the loss or damage you have suffered or expenses you have incurred; and
  • a maximum of $200 per contravention per day, not exceeding $1,000,000 per day

  The latter raises the possibility of collective action in jurisdictions where class actions are an option.

Also, pre-ECPA recourses are still available to you. See CIPPIC's FAQ "Is spyware illegal in Canada?" for more information.

Furthermore, get in touch with us:

Spyware Snitchline

Help us get a handle on the scope of the scourge in Canada! CIPPIC is calling on Canadians to send us your spyware horror stories! Here's what we need:

  • What is the name of the spyware program (if you know it)?
  • What website infected you (again, if you know where you got it)?
  • What does the spyware do to your computer?
  • What does your anti-spyware software report about the spyware?

Send an email to cippic@uottawa.ca (cippic at uottawa dot ca) with "Stop Spyware" in the subject line, and your name, location and affiliation (if any) in the message. We won't disclose your personal information without your consent. We plan on using these stories to help us better inform the Canadian government on the scope of Canada's spyware, and in appropriate cases and with your permission, to file complaints with Canadian authorities.

False or Misleading Representations in the Online Marketplace

How does the ECPA address false representations in electronic messages?

The ECPA adds some new provisions to the Competition Act that prohibit knowingly or recklessly making false representations in the online marketplace. Under section 52.01, “no person shall, for the purpose of promoting, directly or indirectly, any business interest or the supply or use of a product”:

  • send an electronic message with false or misleading representations in the sender or subject matter information;
  • send an electronic message with content that is false or misleading in a material way; or
  • make a false or misleading representation in a “locator” (“locator” meaning a name or information used to identify a source of data on a computer system—including a URL).

These new provisions also prohibit causing such messages to be sent or representations to be made, thereby taking into account those that procure the violation of these provisions.

Furthermore, enforcers consider the “general impression” of a representation, as well as its literal meaning, when deciding if it is false or misleading, so no one need actually be deceived or misled for a contravention to occur.

As discussed under “How does the ECPA address phishing?”, above, these provisions can target phishing practices. They also cover deceptive marketing practices online more generally.

What can I do if I am affected by false or misleading representations online?

You can bring this information to the attention of the Competition Bureau. The Bureau will then have a choice as to how to proceed:

1. Penal Remedy: A person who contravenes one or more of these provisions is guilty of an offence and if convicted on indictment could receive up to 14 years imprisonment and/or a fine based on the court’s discretion. Upon summary conviction, the maximum term would be one year and the maximum fine $200,000.

Or:

2. Administrative Remedy: Alternatively, the Commissioner of Competition can pursue administrative remedies, including an administrative monetary penalty of up to $750,000 per contravention by an individual and $10,000,000 per contravention by a corporation.

Also, the ECPA now gives you a private right of action through which you can receive damages:

Civil Remedy: Under the Bill, this conduct gives rise to a private right of action available to affected persons. If you are affected by false or misleading representations online, you can apply to a court of competent jurisdiction for an order against one or more persons you believe are responsible for the act. After hearing your application, a court can then choose to order the person or persons to pay you:

  • compensation for the loss or damage you have suffered or expenses you have incurred; and
  • a maximum of $200 per contravention per day, not exceeding $1,000,000 per day

The latter brings to mind the possibility of collective action in jurisdictions where class actions are an option.

Do-Not-Call Registry

Does the Bill repeal the Do-Not-Call Registry?

Subsections 41.1-41.7 of the Telecommunications Act currently create a legislative framework for the Do-Not-Call Registry. This Registry prevents companies from making unsolicited telemarketing calls to anyone on the list with the purpose of greatly reducing the amount of telemarketing spam Canadians are subjected to. For this reason, section 6(7) of the ECPA currently exempts telephone spam from the anti-spam prohibitions contained in section 7 of the ECPA.

The House of Commons debates suggest that this issue is not settled, but the Bill could eventually repeal the Do-Not-Call Registry. Michael Geist, professor of e-commerce law at the University of Ottawa, suggests that the Bill opens the door to reform of this registry and that such reform cannot come too soon. (Michael Geist, “Government Quietly Lays Groundwork for Overhaul of the Do-Not-Call List” (27 April 2009), online: <http://www.michaelgeist.ca/content/view/3897/159/>.) The Government has indicated it does not currently intend to exercise this option, but will retain the option of enacting section 86 in the future.

The current scheme of the Bill provides the Government with a number of options. Section 86, if enacted, would repeal the Registry. In addition, section 64 of the Bill would, in an unusual move, effectively “repeal” section 6(7) of the ECPA, thereby expanding the protections in section 7 to cover telemarketing spam as well. The Government has indicated its intention to enact the Bill without repealing the Registry, suggesting that it will delay the enactment of section 86. In addition, it seems likely the Government will delay the enactment of section 64 when enacting the Bill. This will provide the Government with the following options:

1. The Government could choose not to enact either section 86 or 64 of the Bill. This would maintain the status quo, with the Registry continuing to operate as the primary vehicle for protecting Canadians from telemarketing spam and section 7 of the ECPA applying mostly to internet and SMS communications. However, since the current Registry has been roundly criticized, it is hoped that some reform to its operation would be on the horizon if this option were pursued.

2. The Government could choose to enact section 86 of the Bill, thereby repealing the List. It could at the same time enact section 64 of the Bill, which expands the application of section 7 of the ECPA to include telemarketing spam as well. Telemarketing spam would then be subject to the same opt-in consent requirements as commercial text messages, emails, etc., rather than continuing to follow the opt-out approach embodied in the current Registry.

3. Alternatively, the Government could enact section 86 of the Bill but decide not to enact section 64. This approach will repeal the List but replace it with nothing, as it will retain the exceptions found in section 6(7) of the ECPA, which ensure that the protections against spam found in section 7 of the Act do not apply to telemarketing but only to commercial text messages, emails, etc. What, if anything, the Government decides to do in order to fill the subsequent gap in its approach to spam is anyone’s guess.

### Resources

Canadian Legislation

  • Electronic Commerce Protection Act (Bill C-27)
  • Personal Information Protection and Electronic Documents Act
  • Competition Act
  • Telecommunications Act
  • Canadian Radio-Television and Communications Act

Canadian Government Resources

  • House of Commons Backgrounder
  • Industry Canada, Executive Summary of the ECPA
  • Parliament of Canada, Legislative Summary of the ECPA
  • E-Commerce Branch of Industry Canada, FAQs on the ECPA

Foreign Legislation

  • CAN-SPAM Act of 2003 (USA)
  • Spam Act of 2003 (Australia)

Foreign Government Resources

Further Reading

Law firms:

  • McCarthy Tetrault
  • Blakes

Prof. Michael Geist:

  • Anti-Spam Bill Will Face Tough Fight Over Consumer Protections
  • Electronic Commerce Protection Act Headed to Committee following Odd Debat
  • The Electric Commercial Act - The Competition Act Provisions
  • The Untold Story of Do-Not-Call Enforcement (aka Why Killing Do-Not-Call Can't Come Fast Enough)
  • The Electronic Commerce Protection Act - The Spam Prohibitions
  • The Electronic Commerce Protection Act - The Enforcement Prohibitions
  • War on Spam: Victory Is Within Our Grasp

Debate between Michael Geist and Barry Sookman:  

Direct Marketers:  

  • Canada's Electronic Commerce Protection Act
  • Canada Bill has Key Differences from Can Spam