CAN-SPAM, eh?

Canada is currently considering a new anti-spam bill, touted as the Canadian equivalent of the US CAN-SPAM Act. The Electronic Commerce Protection Act (ECPA) is not yet law, but if it does pass without too much modification, it may offer Canadians better protection against spam than their neighbors south of the border currently enjoy, at least in theory.

There's a thoughtful analysis of the ECPA by Marketing Sherpa, which reviews five essential differences between ECPA and CAN-SPAM. Two of the differences seem essentially minor to me — unsubscribe links are required to remain active for 60 days, rather than the 30 days required by CAN-SPAM, and removal requests must be processed within 10 calendar days, rather than 10 business days. A third difference is that ECPA applies to SMS messages, something not covered by CAN-SPAM.

It's the two other differences that are perhaps the most interesting, and which suggest that this bill didn't emerge from the kind of “give the direct marketing industry everything it wants” mindset that shaped CAN-SPAM.

One key difference is that ECPA, at least in its present form, would allow individuals the right to sue spammers. CAN-SPAM — arbitrarily and unjustly in my view — denied this right to individuals. In order to sue a spammer under CAN-SPAM, it's necessary to be an 'Internet Access Provider'. ECPA thus raises the possibility that individual lawsuits — or class actions — could have a useful deterrent effect. Of course, allowing individual lawsuits does also open the door to frivolous or malicious actions, but the fact that ECPA has taken this approach does suggest that it's coming from a different place than CAN-SPAM.

The most important difference may be that advance permission is required before sending email. In other words, ECPA mandates an opt-in approach. Other national laws, such as CAN-SPAM or Peru's Law 28493, allow any sender to send at least one advertising message to any recipient, requiring the recipient to explicitly opt out. This was probably the biggest single factor that led to CAN-SPAM being dubbed the “(Yes You) Can Spam Act”. By enshrining opt-out as the standard, it allowed every marketer ‘one bite at the apple’. It also condemned recipients to an endless game of whack-a-mole as they try to opt out of mailshots from nominally CAN-SPAM-compliant senders who change their identity every week, or from mom-and-pop outfits eager to advertise dog-walking services in Pocatello to every single person on the planet. Moreover, as I've argued in the past, 'just hit unsubscribe' is a lousy idea on every level.

To email users, (confirmed) opt-in is the only acceptable approach. It has also been convincingly argued that confirmed opt-in is better for business as well: better to have your message go to people who want to receive it than to hurt your brand by blasting unwilling recipients with unsolicited ads. But CAN-SPAM was dictated by people who think like spammers. From their point of view, getting their ad under the eyes of one person who might buy outweighs all the frustration felt by the millions who won't.

The rock on which all anti-spam measures founder is enforceability. CAN-SPAM and ECPA will do nothing to stem the flood of penis enlargement and pirated software spams, because the senders are effectively unfindable. Moreover, if they could be found, there would be better grounds to prosecute them on than simple spamming. Pretty much all the high-volume spam is effectively a scam of one kind or another. Penalties for fraud and malicious hacking are — or should be — heavier than penalties for sending spam. But don't expect to see Canadian Health & Care Mall or DS Team prosecuted under CAN-SPAM any time soon.

ECPA, like CAN-SPAM, is aimed at so-called ‘legitimate’ marketers. In this sphere, ECPA's opt-in requirement is a marked improvement over CAN-SPAM. However, it raises the question of how confirmation can really be proven. After all, it's not vastly more difficult to create a database entry and forge supporting records saying that I have 'confirmed' my willingness to receive messages than it is to simply add my address to a mailing list. If it comes to a court case, it's my word against theirs. Similarly, a malicious recipient could sign up, respond to the confirmation, and then swear up and down that they had never done so. Few courts are going to want to get entangled in the business of sorting that one out.

The proposed law, incidentally, makes it clear that it's up to the sender to demonstrate consent. Here's what section 13 says:

A person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it.

This may create an opportunity for third-party services. Instead of senders sending their confirmation request directly to recipients, they could provide a list of addresses, accompanied by a mailing list id and a brief description, to a third party. The third party then sends out the confirmation request, accepts the responses, and lets the original sender know which addresses they can legitimately send mail to. If it comes to a court case, the third party — who is assumed to be independent and trustworthy — vouches for the accuracy of the confirmations. That only relocates the trust question, of course: the third party's own records have to be kept in a form that neither the sender nor the recipient could plausibly have altered after the fact, or its word is worth no more than the sender's.
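The confirmation broker sketched above, worked through as an added example (this is illustrative code written for this page, not an implementation from any real service or from the bill's text). The design choices that make the records worth something in a dispute are assumptions of the example rather than anything the proposed law prescribes: each confirmation link carries an unguessable token that is delivered only to the address in question, a token is accepted once and only within a 72-hour window, and every accepted confirmation is written into a record authenticated with an HMAC under a key that only the broker holds. A sender cannot fabricate such a record, and a recipient who later denies confirming has to explain how the token that reached only their mailbox came back to the broker. The names `ConsentBroker`, `TOKEN_TTL` and `demo` are invented for the example, and timestamps are passed in explicitly so that it runs offline.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for this example: a confirmation link is valid for 72 hours.
TOKEN_TTL = 72 * 3600


class ConsentBroker:
    """Hypothetical third-party confirmation service (not from the page).

    Senders hand over a list id, a description and addresses; the broker
    issues the confirmation tokens, accepts replies, and keeps an HMAC-signed
    record of each confirmation that it can later vouch for.
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key      # never shared with senders or recipients
        self._pending = {}           # token -> {list_id, address, issued_at}
        self._records = []           # append-only list of signed records

    def _sign(self, payload: dict) -> str:
        # Canonical JSON so an identical payload always yields the same MAC.
        msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_confirmation(self, list_id, description, addresses, now):
        """Issue one unguessable token per address and return the messages the
        broker would send (a real broker mails them itself)."""
        messages = []
        for address in addresses:
            token = secrets.token_urlsafe(32)
            self._pending[token] = {"list_id": list_id, "address": address,
                                    "issued_at": now}
            messages.append({"to": address, "list_id": list_id,
                             "description": description, "token": token})
        return messages

    def confirm(self, token, now):
        """Recipient presents a token. Returns the signed record on success,
        or None for a token that is unknown, already used, or expired."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None                      # never issued, or replayed
        if now - entry["issued_at"] > TOKEN_TTL:
            return None                      # stale link: start again
        # Store a digest of the token, not the token itself, so the record
        # cannot be replayed against the broker if it is ever disclosed.
        payload = dict(entry, confirmed_at=now,
                       token_digest=hashlib.sha256(token.encode()).hexdigest())
        record = {"payload": payload, "mac": self._sign(payload)}
        self._records.append(record)
        return record

    def confirmed_addresses(self, list_id):
        """What the broker reports back to the sender for a given list."""
        return sorted(r["payload"]["address"] for r in self._records
                      if r["payload"]["list_id"] == list_id)

    def verify_record(self, record):
        """What the broker does when asked to vouch: recompute the MAC.
        A record a sender typed up itself will not verify."""
        expected = self._sign(record["payload"])
        return hmac.compare_digest(expected, record["mac"])


def demo():
    """Constructed walk-through: one prompt confirmation, one replayed link,
    one link used after expiry, and one record the sender tries to forge."""
    broker = ConsentBroker(signing_key=secrets.token_bytes(32))
    t0 = 1_700_000_000                                   # constructed timestamp
    msgs = broker.request_confirmation(
        "newsletter-42", "Monthly product news",
        ["alice@example.com", "bob@example.com", "carol@example.com"], t0)
    token_for = {m["to"]: m["token"] for m in msgs}

    alice = broker.confirm(token_for["alice@example.com"], t0 + 600)
    replay = broker.confirm(token_for["alice@example.com"], t0 + 700)
    bob = broker.confirm(token_for["bob@example.com"], t0 + TOKEN_TTL + 1)
    unknown = broker.confirm("not-a-token-the-broker-issued", t0 + 60)
    # The sender copies Alice's record and changes the address to Carol's.
    forged = {"payload": dict(alice["payload"], address="carol@example.com"),
              "mac": alice["mac"]}

    return {
        "confirmed": broker.confirmed_addresses("newsletter-42"),
        "replay_rejected": replay is None,
        "expired_rejected": bob is None,
        "unknown_rejected": unknown is None,
        "genuine_verifies": broker.verify_record(alice),
        "forged_verifies": broker.verify_record(forged),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only Alice ends up on the list the broker reports back: Bob's link was used too late, the second use of Alice's link is refused, and the record the sender doctored fails verification because the MAC no longer matches the payload. Note what the scheme does not do: it cannot prove who was sitting at the keyboard when the link was clicked, only that whoever clicked it had access to that mailbox, which is the most any confirmed opt-in process can establish.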

There are some other differences from CAN-SPAM that the Marketing Sherpa review doesn't cover, relating to some of the more flagrant types of spammer bad behavior. These include hijacking PCs to turn them into spam relays or address collectors, and the collection of addresses by various 'scraping' techniques. Section 8 of the proposed law prohibits the unauthorized installation of spam-sending software on someone else's computer, while an amendment of the existing Personal Information Protection and Electronic Documents Act does the same for address-collecting viruses and spyware. Another amendment appears to prohibit the use of address collecting software (and addresses thus collected) in general.

Like CAN-SPAM, the proposed law sets out a 'prescribed form' for messages that stipulates the inclusion of identifying and contact information for the sender (and for the entity on whose behalf the message was sent, if different), and the inclusion of unsubscribe links. It doesn't appear to mandate any kind of message labeling, nor does it discuss do-not-email registries (CAN-SPAM mandated the FTC to consider setting up such a registry; the FTC duly pondered the idea and, probably correctly, concluded that it wouldn't work).

I've always felt that the CAN-SPAM Act was a disappointment, serving the interests of the direct marketing industry much more than the interests of computer and email users. The Canadian law addresses at least some of the core failings of CAN-SPAM. However, it's worth remembering that a private right of action and the requirement for provable consent necessarily raise some practical and legal questions. There's at least a possibility that CAN-SPAM's position on those issues wasn't the result of pressure from the direct marketing industry so much as the fact that the bill's authors recognized the can of worms implied by those issues and — perhaps understandably — decided they wanted no part in opening it. The real test of the new Canadian law, if it is implemented without significant alteration, may lie in the way that those particular provisions are managed and enforced.

