Spam in Canada goes “strictly opt-in” in one week – with a grace period of only THREE YEARS

A few days ago, a Naked Security reader sent us a spammy-looking email that he assumed was some sort of phish, or at least the start of some kind of social engineering exercise intended to induce him to visit an unwanted website.

You may have received something much like it yourself:


You rely on Xxxxxxx for direct-from-source news, product announcements, media advisories and other relevant communications sent on behalf of companies across Canada, the US and worldwide. Canadian e-communications laws are changing on July 1, and we want to ensure your uninterrupted receipt of the news and information that is important to you.

New Canadian legislation requires you to take immediate action.

Please click the 'Say Yes Now' button below and confirm your consent to continue receiving news releases and communications from Xxxxxxx. If you do not take this step before June 30, you will no longer receive company information and breaking news from us.

It was from a Canadian company he didn’t recall ever having done business with, or having agreed to receive emails from, and it was leaning on him pretty heavily to SAY YES NOW.

We didn’t think too much more about it until a couple of days later, when we received our very own copy of this message.

It seems that the message is legal and true, if mightily unconvincing. (How do they know we “rely on” their service when we have never interacted with them in any way we can recall?)

Canada goes opt-in

Canada is indeed finally switching over to opt-in spam laws, as we wrote about in upbeat hope back at the end of 2010, and again with mild dismay last year.

It’s been a long, long, long time coming, but Canada really does go “strictly opt-in” on this year’s Canada Day, 01 July 2014.

Eleven years after Australia led the way, Canada will finally require that consent in respect of spam actually means consent in some meaningful way, so that:

  • You can spam me only if I give you permission to do so first.
  • You have to identify yourself, and the company on whose behalf you are sending your spam.
  • You have to give me reliable way to withdraw my consent (i.e. to unsubscribe).

Notably, as the Canadian government’s FAQ makes abundantly clear, consent means “express consent,” so that you can’t be sucked into consenting as some kind of default:

Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.

Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out.

Not that the Canadians are in any real hurry now that this regulatory change has finally worked its way through the Canadian legislative system.

“Knowing that people and businesses may need to change their practices,” the Canadian public service cheerily reminds us, “the legislation includes a transitional provision that relates to the consent requirement.”

In short, at least by our reading (please correct us in the comments if we have misinterpreted this part of the law), if you already have someone on your email list…

…you have three more years to get their express consent before you actually have to take them off your list.

Unless they opt out within that three year period, of course.

So the new spam law doesn’t get any real teeth until 01 July 2017, as we lamented might happen exactly a year ago today.