I want to start by saying that I don't think it's unreasonable to protect consumers. I don't think it's unreasonable to have regulations affecting business that are necessary to protect consumers. At the end of the day, it's all about a balance. It's about a balance and ensuring that the goals are clear and the goals don't go farther than are needed and impose burdens that can't be justified by the incremental benefit to consumers. It's all a balance.
When you look at this legislation, since the definition of CEM is so broad, it's not capturing the kinds of things that are of concern. It captures the malware that might come in an email message, but it covers a whole lot of other things that are not necessary.
Regarding the consents, businesses in Canada all comply with PIPEDA. PIPEDA has a very stringent new requirement for expressed consent, but this legislation requires every business, every charity, and every non-profit in the country to now comply with two disparate regimes with consent...for two different systems. There's no need to have overlapping and different systems that businesses have to comply with. Even where PIPEDA has an opt-in, there is no way that a foreign spammer that is sending these kinds of malware has any consent under any system.