Yes, you're quite right.
The phasing was essentially as I indicated: the original regulations, then the malware regulations, then the PRA. I think the concern on the PRA is particularly related to the possibility of class action suits and legal liability that may arise from compliance. While a number of organizations and entities have attempted to be as compliant as possible, I think they fear that moving from a system, where potentially they're under a CRTC-type enforcement where there's an opportunity for a helpful exchange and maybe a warning letter, that it could move very quickly to a legal dispute, where potentially there may be a significant legal risk.
I think the zones where we hear the most concern is around this notion of consent. It gets at what the Privacy Commissioner indicated, which is that, in an electronic age, where potentially you're collecting a lot of different information for different purposes, what constitutes consent can be a challenge. Also, ensuring that when the consumer or the user has consented to the receipt of the electronic message, how explicit does that have to be to be able to send the messages? I think the concern about the PRA was that this would then become a litigious action that potentially raised a compliance risk and potential legal uncertainty.