This week on Security Levity... spam laws around the world.
Many of us know about the U.S. federal law regulating spam, known as the CAN-SPAM Act (or at least we think we do). But what about the laws internationally?
First, a disclaimer: IANAL (I am not a lawyer). If you use this blog post as a substitute for legal advice, you're probably not thinking straight!
That said, here are a few notable international spam laws.
Australia: Australians are famously a plain-speaking culture, so it's no surprise that their spam act, enacted in 2003, is called the Spam Act 2003. With few exceptions, the act outlaws unsolicited commercial email. Commercial mail must include information about the sender, and must allow unsubscribing. Address-harvesting software is outlawed, as are lists of email addresses created by harvesting software. So if you're spidering the Web for email addresses, stop it and delete any lists you might already have.
Canada: The proposed Electronic Commerce Protection Act (ECPA or Bill C-27) has just exited the committee stage and is expected to come into force next year. It sets out to define "consent" more clearly than does CAN-SPAM, referring to the question of implicit or implied consent. It also applies a time limit to consent, which it seems will force marketers to ask recipients for consent again after 18 months. The Act is expected to define a maximum penalty of CA$1 million for individuals or CA$10 million for businesses. It also prohibits false or misleading commercial email. Enforcement will be via three separate agencies: the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner. Both civil and criminal actions will be possible.
China: On March 30th, 2006, the People's Republic enacted the Regulations on Internet E-Mail Services via the Ministry of Information Industry. Again, this is an opt-in regime, and all commercial advertisements should be prefaced with the abbreviation "AD" in the message's subject. Harvesting is also outlawed. The law also puts the onus on service providers to do their part in fighting spam, including logging user complaints and retaining evidence of spammer activity on their networks.
Europe: The European Union (EU) is different from a federal system such as in the U.S., in that the EU doesn't make laws, as such. The various countries that make up the EU -- the Member States -- continue to maintain their sovereignty. However, the EU does pass "directives", which instruct the member states to pass laws, by a certain deadline, which meet at least the minimum standard laid down in the directive. In the case of spam, we're talking about Directive 2002/58/EC on Privacy and Electronic Communications (AKA the E-Privacy Directive). It's not just about spam, but also covers cookies and other data confidentiality issues. Article 13 deals with spam, and says that email recipients must have given informed consent to receive email -- consent is implicit in the case of an existing customer relationship, but only relating to a similar product or service.
Israel: Here in my home, our law is quite similar to the EU directive. It's officially called Amendment 40 to the Communications (Bezeq and Broadcasting) Act, and provides for criminal fines of up to 202,000₪ (about $54,000). Interestingly, an Israeli private individual can sue a spammer in small claims court for 1,000₪ ($280) per message, without needing to prove that the spam caused any "damage". However, the law does allow political or charity messages without an opt-in. The Israeli Chapter of the Internet Society helped the Knesset formulate the legislation.
In a future blog post, I'll talk more about the CAN-SPAM Act and explode a few myths and misconceptions.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!