Compliance and Enforcement Information Bulletin CRTC 2012-548
Additional reference: Telecom Regulatory Policy 2012-183
Ottawa, 10 October 2012
Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)
In this information bulletin, the Commission sets out guidelines on the interpretation of several provisions of the Electronic Commerce Protection Regulations (CRTC) and provides examples of what it considers to be compliant behaviour.
Introduction
1. On 15 December 2010, Royal Assent was given to An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the Act).
2. The Act gives the Commission the authority to regulate certain forms of electronic contact, consisting of the sending of commercial electronic messages (CEMs), the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system, in the course of a commercial activity. The fundamental underlying principle is that such activities may only be carried out with consent.
3. Under subsection 64(2) of the Act, the Commission may make regulations, among other things, prescribing the form and certain information to be included in CEMs, and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs.
4. In Telecom Regulatory Policy 2012-183, the Commission made the Electronic Commerce Protection Regulations (CRTC) [the Regulations]. The Regulations prescribe the form and certain information to be included in CEMs and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs. The Regulations will come into force on the day on which sections 6 to 11 and subsection 64(2) of the Act come into force.
Information to be included in CEMs (section 2 of the Regulations)
a. Whom to identify
5. Section 2 of the Regulations requires that each CEM set out information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent, and include contact information for such persons.
6. The Commission considers that section 2 of the Regulations does not require that persons situated between the person sending the message and the person on whose behalf the message is sent need necessarily be identified. For example, persons so situated may facilitate the distribution of a CEM but have no role in its content or choice of the recipients. In that event, the Commission considers that they do not need to be identified.
7. However, the Commission emphasizes that when a CEM is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a CEM.
b. Mailing addresses
8. The Regulations require that a CEM set out, among other things, the mailing address of the person sending the message or, if different, the mailing address of the person on whose behalf the message is sent [paragraph 2(1)(d)]. This contact information is also to be included in a request for consent [paragraph 4(d)].
9. The Commission considers that, for the purposes of the above-noted paragraphs of the Regulations, “mailing address” consists of the sender’s valid, current street (or civic) address, postal box address, rural route address, or general delivery address. Pursuant to subsection 6(3) of the Act, this address must be valid for a minimum of 60 days after the message has been sent.
Form of CEMs (unsubscribe mechanism) (section 3 of the Regulations)
10. Section 3 of the Regulations requires that the information to be included in a CEM and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently. Section 3 also requires that the unsubscribe mechanism must be able to be “readily performed.”
11. In Telecom Regulatory Policy 2012-183, the Commission stated, among other things, that in prescribing an unsubscribe mechanism that is less prescriptive and more technology neutral than what was originally proposed, the mechanism must be consumer-friendly. Accordingly, the Commission considers that in order for an unsubscribe mechanism to be “readily performed,” it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.
12. The Commission considers that an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. In the case of a short message service (SMS), the user should have the choice between replying to the SMS message with the word “STOP” or “Unsubscribe” and clicking on a link that will take the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.
Information to be included in a request for consent (section 4 of the Regulations)
Meaning of “sought separately”
13. Section 4 of the Regulations requires that express consent be sought separately for each of the following acts:
- the sending of CEMs (section 6 of the Act);
- the alteration of transmission data in electronic messages in the course of a commercial activity (section 7 of the Act); and
- the installation of a computer program on another person’s computer in the course of a commercial activity (section 8 of the Act).
a. What does “sought separately” mean?
14. The Commission considers that in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act described in paragraph 13 above. Accordingly, consent for each act above must be sought separately from any other act captured by sections 6 to 8 of the Act. The Commission also considers that the activities captured by each of the above acts are distinct, as are the consequences.
15. For example, the Commission considers that persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above, as long as the consent request is in accordance with subsections 10(1), 10(2), 10(3), and 10(4) of the Act, where applicable.
b. Requests for consent
16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.
17. The Commission considers that if the acts listed in section 8 of the Act (installation of a computer program) are necessary for the use or proper functioning of a product or service, and consent is not otherwise exempted or deemed by the Act or its associated regulations, the necessary nature of the act (e.g. collecting personal information stored on the computer system) must be indicated in the consent request. Consent for the necessary acts must be obtained before the product or service is used or sold.
18. The Commission regards the following means as compliant:
- a separate tick-box for each of sections 6 to 8 of the Act, which must be proactively checked by the person whose consent is being sought in order to indicate consent (see Compliance and Enforcement Information Bulletin 2012-549);
- a separate icon for each of sections 6 to 8 of the Act, which must be proactively clicked by the person from whom consent is being sought; or
- any combination of the above.
19. The Commission notes that paragraph 11(5)(a) of the Act must also be complied with. This paragraph provides that a person who has the express consent of an owner or authorized user to do any act described in section 8 of the Act (installation of a computer program) must
i) for a period of one year after any computer program that performs one or more of the functions described in subsection 10(5) of the Act (e.g. collect personal information stored on the computer system) is installed under consent,
ii) ensure that the person who gave their consent is provided with an electronic address to which that person may send the request to remove or disable that computer program, if they believe that the function, purpose, or impact of that computer program was not accurately described when consent was requested.
The foregoing does not apply if the function of the computer program is one that is referred to in subsection 10(6) of the Act.
20. The Commission also notes paragraph 4(e) of the Regulations, which requires that a request for consent must contain a statement indicating that the person whose consent is sought can withdraw their consent.
Consent obtained orally or in writing
21. Section 4 of the Regulations requires that, for the purposes of subsections 10(1) and 10(3) of the Act, a request for consent may be obtained orally or in writing, or a combination thereof.
a) Consent obtained orally
22. The Commission notes that oral requests for consent are consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) (see section 4.3.7 of Schedule 1 of PIPEDA) and the Commission’s Unsolicited Telecommunications Rules (see Part V: Express Consent).
23. The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:
- where oral consent can be verified by an independent third party; or
- where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.
For example, a person may request and obtain oral consent in situations where information is collected over the phone (e.g. call centres) or consent may be given at the time that individuals use a product or service (e.g. point of sale purchases).
b) Consent obtained “in writing”
24. The Commission notes that for the purposes of section 4 of the Regulations, the term “in writing” includes both paper and electronic forms of writing.
25. The Commission considers that the requirement for consent in writing is satisfied by information in electronic form if the information can subsequently be verified.
26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.
c) Onus of proof for validly requesting consent orally or in writing
27. The Commission notes that, pursuant to section 13 of the Act, persons who allege that they have consent to do an act captured by sections 6 to 8 of the Act have the onus of proving it.
Specified functions of computer programs (section 5 of the Regulations)
28. Section 5 of the Regulations requires that a computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the persons from whom consent is being sought separately from any other information provided in a request for consent. This section also requires that the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that he or she understands and agrees that the program performs the specified functions.
29. Examples of the functions listed in subsection 10(5) of the Act are as follows:
- collecting personal information stored on the computer system;
- interfering with the owner’s or an authorized user’s control of the computer system; and
- changing or interfering with settings, preferences, or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system.
Means of obtaining consent
30. The Commission considers that for the purposes of section 5 of the Regulations, consistent with its statement with respect to subsection 10(4) of the Act, the use of “in writing” includes both paper and electronic forms of writing.
31. The Commission considers that an example of an acceptable means of obtaining consent pursuant to section 5 of the Regulations would be an icon or an empty toggle box, separate from the licence agreement and other requests for consent, that would need to be actively clicked or checked, as applicable, in order to indicate consent to one, several, or all of the functions listed in subsection 10(5) of the Act, as applicable, provided that the date, time, purpose, and manner of that consent is stored in a database.
32. As stated in paragraphs 19 and 20, above, the Commission notes that paragraph 11(5)(a) of the Act and paragraph 4(e) of the Regulations must also be complied with.
Secretary General
Related documents
- Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation, Compliance and Enforcement Information Bulletin CRTC 2012-549, 10 October 2012
- Electronic Commerce Protection Regulations (CRTC), Telecom Regulatory Policy CRTC 2012-183, 28 March 2012