Boffin + Wonk

Generally speaking, the Electronic Commerce Protection Act (ECPA) has provisions against sending electronic messages without consent, although there are exceptions I'll get to in a moment. It also introduces laws against phishing (by amending Canada's personal information privacy law, PIPEDA); making fraudulent commercial representations (by amending the Competition Act); and installation of malware.

Jump straight to section 6 of the ECPA to read the main provision against spam. Here's what it says:

6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

(b) the message complies with subsection (2).

(2) The message must be in a form that conforms to the prescribed requirements and must

(a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent;

(b) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and

(c) set out an unsubscribe mechanism in accordance with subsection 11(1).

So, the ECPA starts with an outright prohibition against sending commercial electronic messages unless there is consent and the message identifies the sender, has valid contact information for the sender, and includes the means for the recipient to revoke consent.

Michael Geist has a blog post with more detail, but here are the points I find most salient:

• The Act defines "electronic messages" broadly so it will include SMS spam and any other text, sound, voice or image message sent by any means of telecommunication. What isn't included? In section 6(7), we see that phone calls, phone messages, and fax messages are excluded.
  
• Whether a message is commercial is judged by the Act based not only on the content of the message but also by the hyperlinks and the websites they link to. Also, a message asking for consent to send a commercial message is itself a commercial message under the Act.
  
• ISPs are protected from liability for transmitting spam.
• There is a prohibition against changing the delivery information in commercial messages, redirecting them or adding recipients (except for ISPs -- they can redirect messages as part of their network management).
• The Act prohibits malware -- installing (or causing to install) any software without consent.
• Consent to receive commercial messages can be explicit or implied. Implied consent requires an existing relationship, which is also defined in the Act.

• The CRTC can require an ISP to preserve information for 21 days, which can be extended by another 21 days (Section 16)
  
• The CRTC can also require an ISP to produce information, or even to apply for a warrant to secure information itself.
• Fines can be imposed by the CRTC, specifically not for punitive purposes but in order to promote compliance with the Act. The size a fine depends on many factors, but they're big: up to $1million for an individual and up to $10million for organizations.
• Importantly, the Act includes a private right of action, allowing individuals affected by spam to bring perpetrators to court for compensation up to $200 per item, up to $1million per day.