Email Marketing Update: Anti-Spam Legislation

As a follow up to our “Practical Guide to Email Marketing in 2012 this post analyzes and explains recent revisions to Canadian rules about how people send commercial electronic messages to and within Canada. Additionally, we provide some information on how to protect yourself from hackers, phishers and spoofers.

The US is widely known in the email industry as having relatively lax email regulations. In late 2011, our neighbor to the north implemented a new set of regulations on those sending commercial email. These rules are now in full swing, so if you sell software online, and you like to promote your product through email, you need to take note of Bill C-28 from the Canadian Parliament.

Violating these rules while sending email to Canada, Canadians, computers located in Canada, or hockey players may result in considerable fines (up to $10 million per violation for corporations).

C-28, known as the “Fighting Internet and Wireless Spam Act”, or FISA if you’re into the whole brevity thing, went into effect in September 2011. The Canadian online protection law is very similar to CAN-SPAM so as an email marketing specialist, I felt it was important to highlight some differences in the two laws that will make you think twice before sending out your Monthly Mountie Digest.

Express Consent

Under CAN-SPAM, a commercial email must provide a space to opt-out of receiving the message. Under FISA, opt-outs are not sufficient. That is to say, recipients must agree beforehand that they wish to receive the message. Without this prior agreement, the message violates the terms of the bill.

Two Year Limit for Implied Opt-ins

Hand in hand with the necessity of express consent comes “implied consent.” Implied consent means that you have had an existing business relationship with your subscriber. However, implied consent only applies to contacts that are less than two years old. 

Requiring express consent and narrowing the time frame of implied consent actually provides marketers a surprise benefit, as you can now be certain that your list is always healthy and active.

Primary Purpose

In the United States, compliance with anti-spamming regulations is only required for emails whose primary purpose is commercial. In C-28, the compliance to anti-spamming regulations is required to any email that contains commercial content, regardless of the primary purpose of the email.

The Canadian government posted a full summary of the bill and Silverpop posted a presentation on C-28 if you would like further information on the bill’s history and content.

Hackers, Spammers, Phishers, and Spoofers

In April 2011, Epsilon, a major marketing firm, was hacked, exposing a database worth of customer names and email addresses. The company issued a statement to warn customers of the stolen information and to be wary about spear phishing attacks in the coming months.

The value of the names and emails addresses lost in this breach is substantial; however the gold mine for spammers and hackers lies in the personal information that can be acquired by the recipients of the forged emails.

As an ecommerce and marketing specialist, the news of a breach of this size was alarming.  It is imperative to ensure that any promotional and transactional data is securely encrypted in your ecommerce and marketing platform, otherwise the backlash can be catastrophic.

If you don’t have a plan of action to mitigate the risks of a phishing attack, you will definitely want to have one ready for 2012. Here are some actionable items in case this breach occurs:

  • Contact your IT staff to check your server logs for evidence of spam being sent thru your systems.
  • Scan all company computers and laptops.
  • Save all the data and report the attack to the FCC.


If you play in the global software market, you need to know the rules of sending emails and that every country has their own version of them. Don’t be caught off-guard because the penalties are significant.

How do these updated regulations affect your email campaigns? Have you had to overcome challenges with foreign regulations?

As a way of helping out the entire community, we’re asking readers to share their experience and expertise in the comment section below.

1 Comment

  1. Jaime

    The Express Consent section you describe below is a huge difference from CAN-SPAM. Many companies buy targeted names from lead generators to initiate contact. Now they’ll have to look at the address and make sure that person is not in Canada.
    Thanks for this post, very useful.

Comments are closed.