List of FAQs as written on the Government of Canada’s website. All customers, including not for profit associations and those in both the public and private sector, should be aware of the new legislation. Whether you are soliciting new members for your organization, or promoting a new product or service you offer, your commercial electronic message (CEM) could be considered spam which is equally malicious as a virus attack under this legislation. The Canadian Government is cracking down and individuals who violate the law could face fines up to $1,000,000.00.
If you want to send out “email blasts” you must ensure that those on your list have already consenting to receiving your CEM. The information below includes guidelines that must be followed to ensure that you are abiding by the new regulations. More information can be found at www.fightspam.gc.ca so please take the time to get informed. It is advisable for companies to create a communications policy so that employees don’t inadvertently breach the law. Corporations found to be in violation of the law could face fines as much as $10,000,000.00 so it is something to be taken seriously.
At GridWay, we host customers’ email through our Hosted Exchange Service. As an email Service Provider, GridWay is fully abiding by CASL in an effort to reduce spam, reduce the incidences of customer domains being blacklisted, and provide greater bandwidth for legitimate emails. Our managed anti-spam solution has proven to be an extremely valuable tool and has been instrumental in reducing the amount of spam that reaches our end users. We are advising our Hosted Exchange customers that we will not tolerate any breach of the new law that comes into force July 1, 2014. Please be informed so that your organization can make the necessary changes in how you reach your customers or membership base. We think that this list of FAQs is a good place to start.
Who needs to know about the law?
Anyone who makes use of commercial electronic messages, is involved with the alteration of transmission data, or produces or installs computer programs needs to be aware of this law.
Does Canada’s anti-spam law deal only with spam?
No. It also deals with other electronic threats to commerce, such as the installation of computer programs and the alteration of transmission data, without express consent. These threats also include the installation of malware, such as computer viruses.
What does “spam and other electronic threats” mean?
Under Canada’s anti-spam legislation, there are various types of violations including the sending of unsolicited commercial electronic messages, the unauthorized alteration of transmission data, the installation of computer programs without consent, false and misleading electronic representations (including websites), the unauthorized collection of electronic addresses and the collection of personal information by accessing a computer system in contravention of an Act of Parliament.
These violations include, but are not limited to, spam, malware, spyware, address harvesting and false and misleading representations involving the use of any means of telecommunications, Short Message Services (SMS), social networking, websites, URL’s and other locators, applications, blogs, Voice over Internet Protocol (VoIP), and any other current and future internet and wireless telecommunication threats prohibited by Canada’s anti-spam legislation.
Coming Into Force
When does the legislation come into force?
The majority of the legislation comes into force on July 1, 2014. This includes Section 6, which relates to the sending of commercial electronic messages (CEMs). Section 8, the section that deals with the installation of computer programs, will come into force on January 15, 2015. The sections that deal with the private right of action will come into force on July, 1 2017. Read the order related to the coming into force dates.
Please note that some parts of the law came into force on April 15, 2011, with respect to some amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). For more information, please see the Office of the Privacy Commissioner of Canada’s Website and the related Order.
For more information on CASL, please refer to fightspam.gc.ca. Read Canada’s Anti-Spam Legislation and its regulations.
Will the coming-into-force dates and the compliance date be different?
No, there is no difference. Once a particular section of CASL comes into force, it is enforceable and compliance is required. Keep in mind that different sections of CASL come into force at different times.
What should I do with the spam I receive now?
At the present time, we recommend that you simply delete the spam messages you receive.
For information on how to protect yourself from spam and other electronic threats, visit How to Protect Yourself Online and While Mobile.
Once the law comes into force, how does it affect consent?
Knowing that people and businesses may need to change their practices when it comes to sending commercial electronic messages (CEMs), the legislation includes a transitional provision that relates to the consent requirement. There are two types of consent – express and implied. The transitional provision set out in section 66 of CASL applies to implied consent.
Under section 66, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs. Note however, that this three-year period of implied consent will end if the recipient indicates that they no longer consent to receiving CEMs. During the transitional period, the definitions of existing business and non-business relationships are not subject to the limitation periods that would otherwise be applicable under section 10 of CASL. Businesses and people may take advantage of this transitional period to seek express consent for the continued sending of CEMs.
In contrast, express consent does not expire after a certain period of time has passed. If you obtain valid express consent before July 1, 2014, then that express consent remains valid after the legislation comes into force. It does not expire, until the recipient withdraws their consent.
What are the penalties for committing a violation under CASL?
If you commit a violation under any of sections 6 to 9 of CASL, then you may be required to pay an administrative monetary penalty (AMP). The maximum amount of an AMP, per violation, for an individual is $1 million, and for a business, it is $10 million. CASL sets out a list of factors considered in the determination the amount of the AMP.
Can directors and officers be liable too?
Yes, directors, officers, agents and mandataries of a corporation can be liable, if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation.
What is a commercial electronic message?
A key question to ask yourself is the following: Is the message I am sending a CEM? Is one of the purposes to encourage the recipient to participate in commercial activity?
When determining whether a purpose is to encourage participation in commercial activity, some parts of the message to look at are:
- the content of the message
- any hyperlinks in the message to website content or a database, and
- contact information in the message.
These parts of the message are not determinative. For example, the simple inclusion of a logo, a hyperlink or contact information in an email signature does not necessarily make an email a CEM. Conversely, a tagline in a message that promotes a product or service that encourages the recipient to purchase that product or service would make the message a CEM.
Some examples of CEMs include:
- offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
- offers to provide a business, investment or gaming opportunity;
- promoting a person, including the public image of a person, as being a person who does anything referred to above, or who intends to do so.
Does the legislation prohibit me from sending marketing messages?
No. Rather, it sets out some requirements for sending a certain type of message, called a commercial electronic message (CEM), to an electronic address.
If you are sending a CEM to an electronic address, then you need to comply with three requirements. You need to: (1) obtain consent, (2) provide identification information, and (3) provide an unsubscribe mechanism.
When does section 6 of CASL apply?
Section 6 of CASL applies to a commercial electronic message (CEM) that is sent to an electronic address. If both of these elements exist, then section 6 applies.
Section 6 does not apply if the CEM is not sent to an electronic address, as defined in the legislation. Also, section 6 of CASL does not apply to interactive two-way voice communication between individuals, nor does it apply to faxes or voice recordings sent to a telephone account. However, other requirements outside of CASL may apply in situations like these, such as the Unsolicited Telecommunications Rules.
Also, a computer system located in Canada must be used to send or access the CEM for section 6 to apply. Simply routing a CEM through Canada is not enough to engage section 6.
To read section 6 of CASL in its entirety, please visit the full text of the law.
What is an electronic address?
An electronic address is defined in CASL as being: an email account, a telephone account, an instant messaging account, and any other similar account.
Some social media accounts may constitute a ‘similar account’. Whether a “similar account” is an electronic address depends on the specific circumstances of the account in question. For example, a typical advertisement placed on a website or blog post would not be captured. In addition, whether communication using social media fits the definition of “electronic address,” must be determined on a case-by-case basis, depending upon, for example, how the specific social media platform in question functions and is used. For example, a Facebook wall post would not be captured. However, messages sent to other users using a social media messaging system (e.g., Facebook messaging and LinkedIn messaging), would qualify as sending messages to “electronic addresses.”
Websites, blogs and micro-blogging would typically not be considered to be electronic addresses.
Does section 6 of CASL apply to messages sent outside of Canada?
For section 6 of CASL to apply, a computer system located in Canada must be used to send or access the CEM. Simply routing a CEM through Canada is not enough to engage section 6.
However, there is an exemption in the Governor-in-Council Regulations that is intended for CEMs sent from Canada to foreign countries. Paragraph 3(f) of the Regulations excludes such CEMs, if certain conditions are met:
- The foreign country must be listed in Schedule 1 of the Regulations;
- The CEM must be sent in compliance with the foreign law, which addresses conduct that is substantially similar to the conduct prohibited in section 6 of CASL; and
- The sender (or person who causes or permits the CEM to be sent) must reasonably believe that the CEM will be accessed in a foreign state listed in Schedule 1.
Does section 6 of CASL apply to messages sent by non-profit organizations?
Yes, CASL applies to activities of non-profit organizations, such as sending commercial electronic messages (CEMs) and installing computer programs. However, there is an exemption under the Governor-in-Council Regulations for CEMs sent by or on behalf of a registered charity, as defined under the Income Tax Act, where the primary purpose of the CEMs is to raise funds for the charity.
Does section 6 of CASL apply to messages sent by political parties and candidates?
No. Pursuant to the Governor-in-Council Regulations, commercial electronic messages (CEMs) sent by or on behalf of a political party or a person who is a candidate for publicly elected office, are excluded from section 6 of CASL, if the primary purpose of the CEM is to solicit a contribution.
“Contribution” is defined in subsection 2(1) of the Canada Elections Act, and means a monetary contribution or a non-monetary contribution. Certain other terms are also defined in the Canada Elections Act, such as “political party” and “candidate.”
Does section 6 of CASL apply to messages sent by friends or family members?
Section 6 of CASL does not apply to a commercial electronic message (CEM) sent to an individual with whom the sender has a personal or family relationship, as defined the Governor-in-Council (GiC) Regulations.
A “personal relationship” involves direct, voluntary, 2-way communication. The GiC Regulations set out a non-exhaustive list of factors that should be used to determine whether the relationship is personal (e.g. the sharing of interests, experiences, opinions and information evidenced in the communications; the frequency of the communication, etc.). It is important to note that the definition of “personal relationship” should remain limited to close relationships. This will help prevent potential spammers from exploiting this concept in order to send CEMs without consent.
Also, a “personal relationship” is one that exists between individuals. Legal entities, such as corporations, cannot have a personal relationship. Someone who sends a CEM on behalf of a corporation may not claim to have a personal relationship with the recipient.
Does a “personal relationship” apply to social media contacts?
A “personal relationship” requires that the real identity of the individual who alleges a personal relationship is known by the other individual involved in such a relationship (as opposed to instances where a virtual identity or an alias is used). Using social media or sharing the same network does not necessarily reveal a personal relationship between individuals. The mere use of buttons available on social media websites – such as clicking “like”, voting for or against a link or post, accepting someone as a “Friend”, or clicking “Follow” – will generally be insufficient to constitute a personal relationship.
Does section 6 of CASL apply to commercial electronic messages (CEMs) sent between persons within an organization or sent between organizations?
No, there is an exemption for persons sending CEMs to other persons within their organization, where the CEMs concern the activities of the organization. Similarly, there is an exemption for persons sending CEMs to persons at another organization, where the CEMs concern the activities of that other organization. If the CEM does not concern the activities of the organization, then the requirements under section 6 of the legislation apply.
There is also an exemption for persons who send CEMs to other persons with whom they have a personal or family relationship, as defined in the Governor-in-Council Regulations. See the question – Does section 6 of CASL apply to messages sent by friends or family members?
Do the CRTC information bulletins create new legal requirements?
For the purpose of providing guidance, the CRTC issued two information bulletins, namely Compliance and Enforcement Information Bulletin CRTC 2012-548 and Compliance and Enforcement Information Bulletin CRTC 2012-549. These information bulletins are merely guidelines and do not impose binding obligations. They clarify requirements already contained in CASL and its regulations.
Also, the examples provided in these information bulletins are not exhaustive. They are simply examples of recommended or best practices that, in the view of the CRTC, clearly meet the requirements in CASL. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
There are three general requirements for sending the CEM to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the first requirement, namely consent. There are two types of consent under CASL – express and implied.
How can I obtain express consent?
Consent can be obtained either in writing or orally. In either case, the onus is on the person who is sending the message to prove they have obtained consent to send the message.
The CRTC has issued information bulletins to provide guidance and examples of recommended or best practices. Compliance and Enforcement Information Bulletin CRTC 2012-548, among other things, helps explain what information is to be included in a request for consent. The Bulletin also suggests some key considerations that may make tracking or recording consent easier, and therefore, may make it easier to prove consent. They are:
- whether consent was obtained in writing or orally,
- when it was obtained,
- why it was obtained, and
- the manner in which it was obtained.
The examples provided in the information bulletin are not exhaustive. They are simply examples of recommended or best practices. They may not necessarily be appropriate in every situation. Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.
Can I use pre-checked boxes in order to obtain express consent?
The manner in which you request express consent cannot presume consent on the part of the end-user. Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.
Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out. The end-user must take a positive action to indicate their consent. For example, this can be done by providing a blank box which a user can check off to indicate consent.
For more information, please see Compliance and Enforcement Information BulletinCRTC 2012-549 on the use of toggling to obtain express consent.
How do I show that I have consent to send a commercial electronic message?
The onus is on the person who claims that they have consent to prove that they have such consent. Compliance and Enforcement Information Bulletin CRTC 2012-548 provides a few examples on how one can prove they have obtained express consent. Note that the examples provided are not exhaustive; they are simply practices that the Commission considers to be compliant with the legislation. Other practices may satisfy legal requirements imposed by CASL. However, their adequacy will be evaluated on a case-by-case basis in light of the specific circumstances of a given situation.
Do I need consent to send a commercial electronic message following a referral?
There is an exception to the consent requirement for commercial electronic messages (CEMs) sent following a referral, if certain conditions are met. The referral must be made by an individual who has an existing business relationship, an existing non-business relationship, a family relationship or a personal relationship with the sender and the recipient of the CEM. Also, the full name of the individual who made the referral and a statement that the CEM is sent as a result of a referral must be in the CEM.
The CEM must still respect the other two requirements – it must contain the identification information and an unsubscribe mechanism.
Someone gives me a business card: Is that clear consent to add them to my distribution list?
You may have their implied consent to send them CEMs, as long as:
- the message relates to the recipient’s role, functions or duties in an official or business capacity; and
- the recipient has not made a statement when handing you the business card that they do not wish to receive promotional or marketing messages (CEMs) at that address.
It is important to remember that the onus is on the sender to prove they received consent.
Recall that consent under CASL is also implied if you have an existing business relationship, existing non-business relationship with the person.
Compliance will be examined on a case-by-case basis in light of the specific circumstances of a given situation.
Does section 6 of CASL apply to messages sent to my membership?
Yes, section 6 of CASL applies, but consent may be implied where CEMs are sent to members of an association, club or voluntary organization. When sending CEMs to your membership based on implied consent, you should ensure that you are only sending to members.
“Membership” means the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements. You should also ensure that your organization is a club, association, or voluntary organization that is:
- a non-profit organization,
- organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than personal profit, and
- no part of its income is payable for the personal benefit of any member, proprietor or shareholder unless that entity is an organization whose primary purpose is the promotion of amateur athletics in Canada.
The CEM must still respect the other two requirements – it must contain the identification information and unsubscribe mechanism.
There are three general requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The questions under this heading relate to the second requirement – identification information.
What if I am sending messages on behalf of someone else, including affiliates?
You must identify yourself and the persons on whose behalf a commercial electronic message (CEM) is sent. When a CEM is sent on behalf of multiple persons, then all of these persons must be identified in the CEM.
However, where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is acceptable as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM.
Also, not every person who is involved in the sending of a CEM must be identified. Rather, only the persons who play a material role in the content of the CEM and/or the choice of the recipients must be identified. For example, an email service provider that provides a service to its clients to send emails, where the email service provider has no input on the content of the message, nor on the recipient list, does not need to be identified in the CEMs sent by clients using its service. Bear in mind however, that though the email service provider does not need to be identified in this scenario, it still shares its responsibilities with its clients in terms of ensuring that the CEMs are sent with valid consent (either express or implied) and contain an unsubscribe mechanism. Both the email service provider and its clients are sending, causing or permitting to send CEMs, and as such, they both have obligations under CASL.
What is an example of altering transmission data?
An example is when an individual causes an electronic message to be sent to a destination that is different from that which the sender intended. For instance, a user clicks on a link in an email believing it will take them to a certain website, but the link re-directs them to another.
I conduct my business from home. Do I need to disclose my home address to fulfill the identification requirements?
No, you do not need to provide your home address. You can provide another valid mailing address as long as you can be contacted at that address. Please refer to paragraph 9 of Compliance and Enforcement Information Bulletin CRTC 2012-548 for more information. Of note, that Information Bulletin explains that a mailing address includes not only a street address, but also a P.O. Box, rural route address, or general delivery address.
I have a limited amount of characters that I can use when sending a message using a given messaging service (e.g., SMS text message). What should I do if I cannot include all the required information in the commercial electronic message (CEM)?
Where it is not practicable to include this information in the body of a CEM, then a hyperlink to a webpage containing this information is an acceptable practice as long as the webpage is readily accessible at no cost to the recipient of the CEM. The link to the webpage must be clearly and prominently set out in the CEM.
For more information, refer to sections 2 and 3 of the Electronic Commerce Protection Regulations (CRTC) and Compliance and Enforcement Information Bulletin CRTC 2012-548.
There are three general requirements for sending a commercial electronic message (CEM) to an electronic address. You need (1) consent, (2) identification information and (3) an unsubscribe mechanism. The question under this heading relates to the third requirement – unsubscribe mechanism.
What is an unsubscribe mechanism?
Under CASL, you must include an unsubscribe mechanism in the commercial electronic messages (CEMs) that you send. For example, a CEM sent via SMS may state that an end-user can unsubscribe by texting the word “STOP.” Another possibility is a hyperlink that is included clearly and prominently in an email that allows the end-user to unsubscribe by simply clicking it. The hyperlink may also be to a webpage that is readily accessible without delay and is at no cost to the recipient.
You can set up your unsubscribe mechanism in many different ways. It can be broad or very granular. For example, you can offer a choice to the recipient, allowing them to unsubscribe from all or just some types of CEMs your organization sends.
A key aspect is that an unsubscribe mechanism must be “readily performed.” It should be simple, quick and easy for the end-user.
For examples of acceptable unsubscribe mechanisms under CASL, please see Compliance and Enforcement Information Bulletin CRTC 2012-548.
Installing Computer Programs
When does section 8 of CASL apply?
Section 8 applies when a computer program is installed on another person’s computer system. The definitions of computer program and computer system come from the Criminal Code(section 342.1).
Also, for section 8 to apply, the person installing or directing the installation of the computer program must be in Canada, or the computer system must be in Canada.
You must have express consent in order to install a computer program on another person’s computer system.
What must I do to obtain valid express consent to install a computer program?
When you seek express consent to install a computer program, you must set out clearly and simply:
- the purpose(s) for which consent is being sought,
- information that identifies the person seeking consent (including any person on whose behalf consent is sought), and
- the function and purpose of the computer program.
However, you may need to disclose more information when seeking express consent if the computer program will do certain functions, such as:
- collecting personal information,
- interfering with the user’s control of the computer system,
- changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the user,
- changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of the computer system,
- causing the computer system to communicate with another computer system without authorization,
- installing a computer program that may be activated by a third party without the knowledge of the user, and
- performing any other function listed in the GiC Regulations.
If the computer program does any of these specified functions when installed, then you clearly and prominently, and separately and apart from the licence agreement, must:
- describe the program’s material elements that perform the specified function(s), including the nature and purpose of those elements, as well as their foreseeable impact, and
- bring those elements to the attention of the user separate from other information provided in a request for consent.
What is “address harvesting”?
This refers to the collection of email addresses through the use of things such as:
- “Web crawlers,” which are computer programs that scan websites, usenet groups and social networking sites, trolling for posted electronic addresses; and
- “Dictionary attacks,” in which a computer program guesses live email addresses by methodically trying multiple name variations within a particular group of common email domains, such as Hotmail or Gmail.
Once collected, email addresses are often sold to spammers as destinations for unsolicited electronic messages.
How can I know if my email address has been harvested?
It may be very hard for you to determine if your address has been harvested. However, you can still help in the effort to fight back against this activity by reporting suspicious electronic messages to the Spam Reporting Centre when it opens.
What is meant by “collection of personal information through access to computer systems contrary to an Act of Parliament”?
Generally, this refers to the collection of people’s personal information from a computer through illicit means such as criminal hacking or spyware.
How can I know if my computer has been infected with malware such as spyware which can collect my personal information? And if it has been, what should I do about it?
Here are a few common signs that your computer may be infected:
- It is functioning far more slowly than usual;
- Your Internet homepage has been reset without you having done anything;
- When examining your file system, you notice a program there which you have not installed yourself.
If you notice any of these signs, you should get in touch with an information technology expert for necessary cleaning or repairs.
Do these requirements have to be met every time a computer program is installed?
Not necessarily. For example, updates or upgrades will not trigger these requirements when express consent has already been obtained.
What about cookies?
CASL deems a person to have provided express consent for the installation of a computer program, if it is reasonable to believe that the person consented to the installation based on the person’s conduct, and the computer program is:
- a cookie,
- an operating system,
- a program that is executable only though another computer program to which the user has already expressly consented, or
- specified in the regulations.
Can you provide more information about the specified computer programs addressed in section 6 of the Governor-in-Council Regulations?
As noted in the question “What about cookies?”, CASL deems a person to have provided express consent for the installation of certain computer programs, including those programs specified in the GiC regulations. Section 6 of the GiC Regulations identifies three computer programs for which express consent is deemed:
- where a telecommunications service provider (TSP) installs a computer program solely to protect the security of its network from a current and identifiable threat;
- where a TSP who owns or operates the network installs a computer program to update or upgrade the network; and
- where the program is necessary to correct a failure in the operation of a computer system or program, and is installed solely for that purpose.
If a program is installed for any purpose other than protecting the security of the network, or correcting a failure in the operation of a computer system or program, then subsections 6(a) and (c), respectively, will not apply.
In subsection 6(c), a failure of a computer system or program means that the system or program does not function properly and is not consistent with consumer expectations.
Enforcement Agencies Roles and Responsibilities
What are the activities that fall under the CRTC’s mandate pursuant to Canada’s anti-spam law?
There are three broad activities that will engage the CRTC. They are:
- sending of commercial electronic messages without consent;
- alteration of transmission data in an electronic message without express consent; and
- installation of computer programs without express consent.
The underlying principle is that these activities can only be carried out with prior consent and that such consent may be withdrawn.
For further information about the CRTC’s mandate pursuant to Canada’s anti-spam law, please see their Frequently Asked Questions.
What compliance tools will be available to the CRTC?
The CRTC will have a number of compliance tools; one such being administrative monetary penalties (AMPs). The maximum AMP is $1 million per violation for an individual and $10 million per violation for entities, such as corporations.
Where can I get more information on my responsibilities with respect to the Competition Act?
For more information on ensuring compliance with the false or misleading representations provisions of the Competition Act, please consult the Competition Bureau’s website at www.competitionbureau.gc.ca.
What is the Competition Bureau’s role with respect to Canada’s anti-spam law?
The Competition Bureau will investigate and take action where appropriate against false or misleading representations and deceptive marketing practices in the electronic marketplace. The Competition Bureau, as an independent law enforcement agency, ensures that Canadian businesses and consumers prosper in a competitive and innovative marketplace.
What changes have been made to the Competition Act?
The new law amends the Competition Act in two key areas.
First, new provisions have been added and others modified so that the Bureau can more effectively address false or misleading representations and deceptive marketing practices in the electronic marketplace, including false or misleading sender or subject matter information, electronic messages, and locator information such as URLs and metadata.
Second, it includes technology-neutral language that catches emerging technologies. This will assist the Bureau in enforcing provisions in the Competition Act as technological threats evolve.
What is the Office of the Privacy Commissioner’s role with respect to Canada’s anti-spam law?
The Office of the Privacy Commissioner of Canada protects the personal information of Canadians. The new law will allow the Commissioner to enforce the legislation with respect to two types of conduct:
- the collection of personal information through access to computer systems contrary to an act of parliament;
- electronic address harvesting where bulk email lists are compiled through mechanisms; including the use of computer programs that automatically mine the Internet for addresses.