On the 15th of December the Canadian Fighting Internet and Wireless Spam Act (FISA), Bill C-28, was passed into law by the Federal Parliament and has received Royal Assent. This means that Canada finally has an actual, up-to-date spam law, and a quite strict one too (that’s a good thing). Its main purpose is to cut down the amount of spam people receive, which it aims to achieve by creating a comprehensive regulatory regime of offences, enforcement mechanisms, and severe penalties.
The basics involved in the new law are as follows:
– It is prohibited to send, or to cause or permit to be sent, a commercial electronic message to an electronic address unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
– Address harvesting and dictionary attacks to gather email addresses are completely forbidden.
– The sender must be identified, and contact information must be included.
– Unsubscribing should be simple, and the request should be completely processed within 10 days.
Anti-phishing and anti-malware provisions are also included in the law:
FISA contains an anti-phishing provision that would prohibit a person, in the course of commercial activity, from altering the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to the destination specified by the sender, without the sender’s express consent. The consent must be informed, and an effective and timely consent withdrawal mechanism must be provided as well.
Lastly, the anti-malware provision under FISA prohibits a person, in the course of commercial activity, from installing any computer program on any other person’s computer system, or causing that computer program to send an electronic message from the computer system, without the consent of the owner or authorized user of the computer system. In most circumstances, the required consent must be express and informed, and an effective and timely consent withdrawal mechanism must also be provided. There are limited exceptions that permit implied consent to the installation of legitimate computer software. There is also a three-year transition provision that provides for implied consent to the installation of a software update or upgrade in limited circumstances.