It has now been over four years since Canada’s Anti-Spam Law, commonly known as “CASL”, was first introduced as proposed legislation. Nevertheless, it has been in sharp focus this year as the provisions against sending unwanted commercial electronic messages came into force on July 1, 2014.
On January 15, 2015, further provisions under CASL will come into effect. These provisions relate to the installation of computer programs. More particularly, section 8 of CASL will come into force on that date, and this section provides that without the express consent of the owner or an authorized user1, or a court order2, it is prohibited for any person to:
- Install a computer program on another person’s computer system; or
- Cause an electronic message to be sent from a computer system where a computer program has previously been installed.3
Curiously, this prohibition does not distinguish between spyware, malicious software (“malware”) and software used for legitimate business purposes – the prohibition relates to the installation of any computer program. It is, however, limited to events that occur in the course of a commercial activity. “Commercial activity” is broadly defined, being any conduct that is commercial in character – whether profit is expected or not – other than any conduct carried out for law enforcement or public safety, the protection or defence of Canada or the conduct of international affairs.4 This means that the installation of all computer programs in the course of commercial activity must be in compliance with CASL and its regulations.
The Act provides for significant fines for individuals (up to $1 million) and businesses (up to $10 million) that violate these provisions of the Act. It is therefore important for any business involved in the development, support or installation of software to familiarize itself with the provisions of the Act, and its obligations under it, in anticipation of its entry into force.
Express Consent Requirements
While there are three main exceptions under which consent may be implied or is simply not required, the default position under CASL is that consent must be obtained before taking any action which would otherwise be prohibited. Because any person alleging to have obtained consent bears the evidentiary burden of proving such consent5, it is important for any company that installs computer programs to implement clear policies that provide for the proper documentation of customer consent for any computer programs that are installed.
To obtain express consent, certain information must be set out clearly and simply by the person seeking consent and installing the computer program. This information includes the purpose for which the consent is being sought, information identifying the person seeking consent6, their mailing address and either a telephone number, an email address or a webpage7, and a statement that the person whose consent is sought can withdraw their consent8. Although the consent may be given orally or in writing, it must be sought separately for each act described under CASL9 – that is, consent to receive a commercial electronic message is not also consent to the installation of a computer program.
However, for the installation of computer programs, there are two additional consent requirements that don’t apply to commercial electronic messages. The first of these is that the person seeking consent must also clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given.10 The second of these relates to specific functions of the computer program, and is discussed below.
Additional Consent Requirements
The second consent requirement relates only to computer programs that perform particular functions, and for these computer programs, more detailed disclosure is required for any consent to be considered “express”. If the computer program:
- collects personal information;
- interferes with the control of the computer system;
- changes or interferes with settings, preferences or commands on the computer system without the knowledge of the owner or authorized user;
- obstructs, interrupts or interferes with access to or use of data;
- installs a computer program that may be activated by a third party without the knowledge of the owner or authorized user,
then the person who seeks the express consent must, when requesting consent, clearly and prominently, and separately and apart from the licence agreement11, describe the program’s material elements that perform the above function. This must include the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system.12
Furthermore, these elements must be brought to the attention of the person from whom consent is being sought13, separate from any other information provided in a request for consent14, and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.15 Compliance and Enforcement Information Bulletin CRTC 2012-548 states that “in writing” in this context includes both paper and electronic forms of writing.16
The only exceptions to this additional requirement are computer programs that perform one of these functions, but only to collect, use or communicate transmission data.17
Lastly, where a computer program performs one of the above functions, the obligations of the person who installed the computer program with express consent do not stop when that additional consent is received. Rather, the person who has this express consent must, for a period of one year after installation, ensure that the owner or authorized user is provided with an electronic address to which they may, if they believe the function was not accurately described when consent was requested, send a request to remove or disable the computer program. Furthermore, if consent was based on an inaccurate description of the material elements of the function, the person who has the consent must, without cost to the owner or authorized user, assist that person to remove or disable the program as soon as feasible at no cost.18
Exemptions
There are three exemptions to the above rules, where consent is deemed to have been obtained or is simply not required. These exemptions apply to upgrades, cookies and telecommunication service providers.
Firstly, further consent is not required where a person that has expressly consented to the installation of a computer program is entitled to receive updates or upgrades as they become available, so long as such updates or upgrades are installed in accordance with the terms of the original express consent.19
Secondly, a person is considered to expressly consent to the installation of certain computer programs if their conduct is such that it is reasonable to believe they consent.20 These programs are as follows:
- cookies;
- HTML code;
- Java Script;
- operating systems;
- any other program that is executable only through the use of another computer program whose installation or use the person has previously consented to; or
- any other program specified in the regulations.21
This last point leads to the third exemption, which is set out in the regulations: telecommunications service providers. The regulations under CASL also provide that a person is considered to expressly consent if their conduct is such that it is reasonable to believe they consent and the program is one of the following:
- a program that is installed by a telecommunications service provider solely to protect the security of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;
- a program that is installed to update or upgrade the network by the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network; and
- a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.22
Transitional Provisions
But what if a computer program was installed before January 15, 2015, and is being updated or upgraded after that date? In that instance, consent will be implied until the person gives notice that they no longer consent to receiving such an installation – or until three years after section 8 comes into force, being January 15, 2018.23
Furthermore, the Canadian Radio-television and Telecommunications Commission (CRTC) and Industry Canada are planning to publish education and outreach materials to help individuals and organizations understand section 8 of CASL.24 While these materials are not yet available and January 15, 2015 is approaching rapidly, it is nevertheless hoped that these materials will provide much needed guidance to these provisions.
Conclusion
As with the commercial electronic message provisions in CASL, the implementation of new provisions relating to computer programs has created confusion and uncertainty and may lead to unanticipated problems for legitimate software vendors. It is hoped that such confusion, uncertainty and problems will be reduced with the publication by the CRTC and Industry Canada of their materials in respect of these provisions later this year. Should you require any legal advice in this regard, do not hesitate to contact any member of Clark Wilson’s Technology and IP Groups.
1 CASL, section 8(a)
2 CASL, section 8(b)
3 CASL, section 8
4 CASL, section 1 – definition of “commercial activity”
5 CASL, section 13
6 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 4(a)
7 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 4(d)
8 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 4(e)
9 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 4
10 CASL, section 10(3)
11 CASL, section 10(4)
12 CASL, section 10(4)(a)
13 CASL, section 10(4)(b)
14 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 5
15 Electronic Commerce Protection Regulations (CRTC) SOR/2012-36, section 5
16 http://www.crtc.gc.ca/eng/archive/2012/2012-548.htm
17 CASL, section 10(6)
18 CASL, section 11(5)
19 CASL, section 10(7)
20 CASL, section 10(8)(b)
21 CASL, section 10(8)
22 Electronic Commerce Protection Regulations SOR/2013-221, section 6
23 CASL, section 67
24 http://www.it-can.ca/events/ A Public Affairs Forum Roundtable was held on September 9, 2014.