Compliance and Enforcement Information Bulletin CRTC 2012-548


Additional reference: Telecom Regulatory Policy 2012-183

Ottawa, 10 October 2012

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

In this information bulletin, the Commission sets out guidelines on the interpretation of several provisions of the Electronic Commerce Protection Regulations (CRTC) and provides examples of what it considers to be compliant behaviour.

Introduction

1. On 15 December 2010, Royal Assent was given to An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (the Act).

2. The Act gives the Commission the authority to regulate certain forms of electronic contact in the course of a commercial activity, consisting of the sending of commercial electronic messages (CEMs), the alteration of transmission data in electronic messages, and the installation of computer programs on another person’s computer system. The fundamental underlying principle is that such activities may only be carried out with consent.

3. Under subsection 64(2) of the Act, the Commission may make regulations, among other things, prescribing the form and certain information to be included in CEMs, and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs.

4. In Telecom Regulatory Policy 2012-183, the Commission made the Electronic Commerce Protection Regulations (CRTC) [the Regulations]. The Regulations prescribe the form and certain information to be included in CEMs and requests for consent with respect to the sending of CEMs, the alteration of transmission data in electronic messages, and the installation of computer programs. The Regulations will come into force on the day on which sections 6 to 11 and subsection 64(2) of the Act come into force.

Information to be included in CEMs (section 2 of the Regulations)

a.   Whom to identify

5. Section 2 of the Regulations requires that each CEM set out information that identifies the sender of the message and, if applicable, the person on whose behalf the message is sent, and include contact information for such persons.

6. The Commission considers that section 2 of the Regulations does not require that persons situated between the person sending the message and the person on whose behalf the message is sent need necessarily be identified. For example, persons so situated may facilitate the distribution of a CEM but have no role in its content or choice of the recipients. In that event, the Commission considers that they do not need to be identified.

7. However, the Commission emphasizes that when a CEM is sent on behalf of multiple persons, such as affiliates, all of these persons must be identified in a CEM.

b.  Mailing addresses

8. The Regulations require that a CEM set out, among other things, the mailing address of the person sending the message or, if different, the mailing address of the person on whose behalf the message is sent [paragraph 2(1)(d)]. This contact information is also to be included in a request for consent [paragraph 4(d)].

9. The Commission considers that, for the purposes of the above-noted paragraphs of the Regulations, “mailing address” consists of the sender’s valid, current street (or civic) address, postal box address, rural route address, or general delivery address. Pursuant to subsection 6(3) of the Act, this address must be valid for a minimum of 60 days after the message has been sent.

Form of CEMs (unsubscribe mechanism) (section 3 of the Regulations)

10. Section 3 of the Regulations requires that the information to be included in a CEM and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently. Section 3 also requires that the unsubscribe mechanism must be able to be “readily performed.”

11. In Telecom Regulatory Policy 2012-183, the Commission stated, among other things, that in prescribing an unsubscribe mechanism that is less prescriptive and more technology neutral than what was originally proposed, the mechanism must be consumer-friendly. Accordingly, the Commission considers that in order for an unsubscribe mechanism to be “readily performed,” it must be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.

12. The Commission considers that an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender. In the case of a short message service (SMS), the user should have the choice between replying to the SMS message with the word “STOP” or “Unsubscribe” and clicking on a link that will take the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

 

An unsubscribe mechanism must be readily performed pursuant to s. 3(2) of the CRTC Regulations. This image shows an unsubscribe mechanism that can be readily performed on Company Inc.’s web site. The user has a choice to either check a tick box to unsubscribe from all messages from Company Inc. or to only unsubscribe from receiving promotional messages. The user can then click on “Submit,” once he or she has made a choice.

An unsubscribe mechanism must be readily performed pursuant to s. 3(2) of the CRTC Regulations. This image shows an example of a readily performed unsubscribe mechanism in the context of an SMS. The user receives a promotional message from Company Inc. that notifies the user that he or she can unsubscribe either by texting ‘STOP’ or ‘Unsubscribe’ to Company Inc. or by clicking on a link that will take the user to a web page where he or she can unsubscribe. If the user chooses the latter option, he will be directed to a web site that resembles image 3.1.

Information to be included in a request for consent (section 4 of the Regulations)

Meaning of “sought separately”

13. Section 4 of the Regulations requires that express consent be sought separately for each of the following acts:

a.  What does “sought separately” mean?

14. The Commission considers that in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act described in paragraph 13 above. Accordingly, consent for each act above must be sought separately from any other act captured by sections 6 to 8 of the Act. The Commission also considers that the activities captured by each of the above acts are distinct, as are the consequences.

15. For example, the Commission considers that persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above, as long as the consent request is in accordance with subsections 10(1), 10(2), 10(3), and 10(4) of the Act, where applicable.

b.  Requests for consent

16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.

17. The Commission considers that if the acts listed in section 8 of the Act (installation of a computer program) are necessary for the use or proper functioning of a product or service, and consent is not otherwise exempted or deemed by the Act or its associated regulations, the necessary nature of the act (e.g. collecting personal information stored on the computer system) must be indicated in the consent request. Consent for the necessary acts must be obtained before the product or service is used or sold.

18. The Commission regards the following means as compliant:

This image shows an example of how express consent for sections 6, 7 and 8 of CASL must be sought separately pursuant to section 4 of the CRTC Regulations. In this example, consent to download Company Inc.’s software and consent to send commercial electronic messages are sought separately from each other and from the terms and conditions.  In the image, an electronic address is provided for removal or disabling of the computer program under certain conditions, and a statement that it is possible to withdraw consent for promotional messages.

This image shows an example of how express consent for sections 6, 7 and 8 of CASL must be sought separately pursuant to section 4 of the CRTC Regulations. In this example, consent to download Company Inc.’s app on a mobile device is sought separately from the consent to receive commercial electronic messages and from the terms and conditions.  In the image, an electronic address is provided for removal or disabling of the computer program under certain conditions, and a statement that it is possible to withdraw consent for promotional messages.

19. The Commission notes that paragraph 11(5)(a) of the Act must also be complied with. This paragraph provides that a person who has the express consent of an owner or authorized user to do any act described in section 8 of the Act (installation of a computer program) must

i)    for a period of one year after any computer program that performs one or more of the functions described in subsection 10(5) of the Act (e.g. collect personal information stored on the computer system) is installed under consent,

ii)  ensure that the person who gave their consent is provided with an electronic address to which that person may send the request to remove or disable that computer program, if they believe that the function, purpose, or impact of that computer program was not accurately described when consent was requested.

The foregoing does not apply if the function of the computer program is one that is referred to in subsection 10(6) of the Act.

20. The Commission also notes paragraph 4(e) of the Regulations, which requires that a request for consent must contain a statement indicating that the person whose consent is sought can withdraw their consent.

Consent obtained orally or in writing

21. Section 4 of the Regulations requires that, for the purposes of subsections 10(1) and 10(3) of the Act, a request for consent may be obtained orally or in writing, or a combination thereof.

a)    Consent obtained orally

22. The Commission notes that oral requests for consent are consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) (see section 4.3.7 of Schedule 1 of PIPEDA) and the Commission’s Unsolicited Telecommunications Rules (see Part V: Express Consent).

23. The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:

For example, a person may request and obtain oral consent in situations where information is collected over the phone (e.g. call centres) or consent may be given at the time that individuals use a product or service (e.g. point of sale purchases).

b)    Consent obtained “in writing”

24. The Commission notes that for the purposes of section 4 of the Regulations, the term “in writing” includes both paper and electronic forms of writing.

25. The Commission considers that the requirement for consent in writing is satisfied by information in electronic form if the information can subsequently be verified.

26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.

c) Onus of proof for validly requesting consent orally or in writing

27. The Commission notes that, pursuant to section 13 of the Act, persons who allege that they have consent to do an act captured by sections 6 to 8 of the Act have the onus of proving it.

Specified functions of computer programs (section 5 of the Regulations)

28. Section 5 of the Regulations requires that a computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the persons from whom consent is being sought separately from any other information provided in a request for consent. This section also requires that the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that he or she understands and agrees that the program performs the specified functions.

29. Examples of the functions listed in subsection 10(5) of the Act are as follows:

Means of obtaining consent

30. The Commission considers that for the purposes of section 5 of the Regulations, consistent with its statement with respect to subsection 10(4) of the Act, the use of “in writing” includes both paper and electronic forms of writing.

31. The Commission considers that an example of an acceptable means of obtaining consent pursuant to section 5 of the Regulations would be an icon or an empty toggle box, separate from the licence agreement and other requests for consent, that would need to be actively clicked or checked, as applicable, in order to indicate consent to one, several, or all of the functions listed in subsection 10(5) of the Act, as applicable, provided that the date, time, purpose, and manner of that consent is stored in a database.

This image shows how consent may be obtained pursuant to s. 5 of the CRTC Regulations, where a computer program performs one or more of the functions described in s. 10(5) of CASL. In the image, the fact that Company Inc.’s app communicates with Company Inc.’s server automatically, in order to record consent and usage metrics, is brought to the attention of the user separately from other information in the consent request window. In the image, an electronic address is provided for removal or disabling of the computer program under certain conditions, and a statement that it is possible to withdraw consent for promotional messages.

32. As stated in paragraphs 19 and 20, above, the Commission notes that paragraph 11(5)(a) of the Act and paragraph 4(e) of the Regulations must also be complied with.

Secretary General
