Uh O Canada: 5 ways a new anti-spam law may be different than CAN-SPAM

Posted on June 1st, 2009

By now you’ve probably heard that on April 24, the Canadian government introduced a bill that would serve as Canada’s answer to the US CAN-SPAM Act. Known officially as the “Electronic Commerce Protection Act” (herein ECPA), it strives to establish new legislation around commercial email communications, including rules for opt-in and opt-out procedures, sender identification, and consumer privacy. This process is still in flux so it’s best to monitor the situation and wait for the final provisions before acting.  That said, the early details do highlight at least five key differences between ECPA and CAN-SPAM.

Taken at first glance, this bill is both potentially stricter than CAN-SPAM and somewhat ambiguous in some of the areas it covers.  Let’s take a look…

Requires advance permission to send commercial email

One area of ambiguity is a reference to allowing messages to be sent if “implied consent” exists between the sender and the recipient during the 18 months prior to the email.  If you’re maintaining a strict opt-in/permission list, then this shouldn’t be an issue.  Otherwise there may be some question about whether you can email specific people.

CAN-SPAM differs in that technically the law doesn’t outlaw one unsolicited message.  It essentially allows anyone to mail anyone else at least once (as long as you include an opt-out and honor any opt-out requests).  Some ESPs (including SubscriberMail) take a more stringent stance (more in line with ECPA), requiring clients to only send to permission lists.  Assuming you and/or your ESP are following best practices and only sending permission-based emails, then you’re ECPA-compliant already.

Opt-outs must be processed within “10 days”

That timeframe should be familiar to email marketers in the US.  Except ambiguity has raised its head.  CAN-SPAM specifies that you have ten “business” days to honor an opt-out.  The ECPA references “ten days” without any qualifier.  Unless this is clarified, it’s possible that Canadian email marketers will have a shorter timeframe to handle opt-outs.  If your ESP is able to process these immediately (as SubscriberMail does), this isn’t an issue.  But it’s definitely one specific item to watch closely.

Your opt-out links must be “live” for a minimum of 60 days

The ECPA bill requires email messages to include an email address and/or hyperlink so recipients can quickly and easily opt out (just like CAN-SPAM).  Unlike CAN-SPAM, the ECPA would require the opt-out link to be live for a 60-day period (CAN-SPAM only requires 30 days).  Your ESP should be able to handle this without issue. However, if you manage your email program in-house, this could mean some extra technical/hosting work added to your current efforts.

SMS messages need to be permission-only

The ECPA covers more than just emails.  There are provisions about “malware,” but in defining an “electronic message,” the ECPA appears to be including SMS and other text messages under this umbrella.  You’ll want to ensure that your SMS recipients are 100% permission-based to avoid any entanglements.

Individuals can sue those they consider to be spammers

Another critical difference between CAN-SPAM and the ECPA involves the right of individuals to sue.  CAN-SPAM contains a right-to-sue provision, but it is reserved solely for ISPs, not individuals.  Under the ECPA, individuals could sue as well.  The compensation would be limited to $200 per item, which is probably assumed to be low enough to discourage abuse of this provision (class action suits appear to be a possibility).  Additionally, Canada’s Radio-television and Telecommunications Commission would be given power to impose fines of up to $10 million on organizations that violate ECPA.

SubscriberMail will continue to monitor this evolving process and keep everyone updated once the bill becomes a law.  Until then, be aware but don’t worry or panic.  Note also that I’m not a lawyer and neither SubscriberMail nor I can render legal advice (and this blog post should not be construed as such).  Please consult with your designated legal resources as necessary to clarify anything related to compliance.

