It's a good question. I would look at identifying what are harassing communications—for example, ignoring unsubscribe requests, malicious spam, and cybersecurity threats—and go through a lot of consultation to really understand that. That's on one side. On the other side, look at what would be a reasonable situation in which a business would send out a commercial electronic message given the context—for instance, if somebody provides their information to the business, which in a lot of cases might not meet the current implied consent rules. Draft provisions around that. In other words, on the latter, loosen up when implied consent would be present. Then make sure that the act is still catching the malicious stuff.
On October 19th, 2017. See this statement in context.