Canada - CASL Provisions on Installing Computer Programs Coming Into Force January 15, 2015
On January 15, 2015, the provisions of Canada's Anti-Spam Law ("CASL") that apply to the installation of computer programs will come into force. These provisions generally prohibit the installation of a program on another person's computer system in the course of a commercial activity without obtaining the express consent of the owner or authorized user of that computer system in the manner prescribed by CASL. The term “computer system” would generally cover laptops, desktops, mobile devices, gaming consoles, and other connected devices.
As with the provisions relating to the sending of commercial electronic messages, penalties for non-compliance run as high as C$10 million in potential administrative penalties for organizations. Starting on July 1, 2017, a private right of action for non-compliance with CASL will also become available, exposing organizations to the risk of class actions. Parties found to have installed programs in contravention of CASL could be subject to statutory damages of C$1 million per day on which a contravention occurred, in addition to compensatory damages.
Every organization will need to consider its compliance obligations under the detailed and complex requirements of the legislation in light of its individual circumstances. This alert is intended to provide an overview of the main issues that will need to be considered when determining whether and the extent to which the provisions relating to the installation of programs apply, based on CASL and related guidance issued in late 2014 by the Canadian Radio-television and Telecommunications Commission (“CRTC”).
When Does CASL Apply to the Installation of Computer Programs?
CASL applies when you install a program on another person's computer system. The CRTC has confirmed that CASL does not apply where the owner or authorized user of a computer system installs programs on his or her own computer system. Examples given by the CRTC of a person self-installing programs include an individual purchasing an app from an app store and subsequently installing it on his or her own personal device, and a small business installing software on business devices used by its employees. CASL may also apply to you if you are located outside of Canada. The relevant provisions apply if the computer system on which the program is installed is located in Canada, or if the person installing the program is in Canada or is acting under the direction of a person who is in Canada.
When Are You Deemed to Have Express Consent?
A person is considered to expressly consent to the installation of certain types of programs, including the following:
● a cookie (as explained below);
● HTML code;
● an operating system;
● a program that is executable only through the use of a program whose installation or use the person has previously expressly consented to;
● a program that is installed by or on behalf of a telecommunications service provider and which secures, updates or upgrades the telecommunications network in accordance with CASL; and
● a program that is necessary to correct a failure in the operation of the computer system or a computer installed on the computer system, and which is installed solely for that purpose.
You are only considered to have express consent for the installation of the above types of programs where the person's conduct is such that it is reasonable to believe that they consent to the program's installation. The CRTC has explained, for example, that if a person disables cookies in their browser, you would not be considered to have consent under CASL to place cookies on their computer.
How Do You Obtain Express Consent?
Unless an exception applies, and subject to the special requirements described below, you must request a person's consent in the manner prescribed by CASL to obtain their express consent to install a program on their computer system. In particular, your request must provide a clear and simple description of the function and purpose of the program that is to be installed on the person's computer system, and include a statement that the person can withdraw their consent. Your request must also disclose certain contact information, including your business name, mailing address, and one of your email address, telephone number or web address. Express consent may be obtained orally or in writing, but you bear the onus of proving that you obtained valid consent in all applicable circumstances.
What Special Requirements May Apply?
Special requirements may apply if you install a program on another person's computer system which causes it to operate in a manner contrary to the reasonable expectations of its owner or authorized user. These requirements, which are intended to deter unauthorized installation of malware, apply to programs that perform any of the following prescribed functions (the "Prescribed Functions"):
● collecting personal information stored on the computer system;
● interfering with the user or authorized user's control of the computer system;
● changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or authorized user;
● changing or interfering with data that is stored on the computer system in a manner that interferes with the owner or authorized user's lawful access to or use of that data;
● causing the computer system to communicate with another computer system without the authorization of the owner or authorized user; or
● installing a program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system.
In summary, the special requirements that may apply to the installation of such programs include:
● prior to installing the program, describing which of the Prescribed Functions the program performs, why it performs them, and the impact of those functions on the computer system;
● providing the above description separately and apart from the program's license agreement and in a clear and prominent fashion;
● obtaining an acknowledgment in writing from the owner or authorized user that he or she understands and agrees that the program performs the applicable Prescribed Functions;
● providing an electronic address for one year following installation to which the owner or authorized user may send a request to remove or disable the program if he or she believes that the function, purpose or impact of the program was not accurately described when his or her consent was requested; and
● if the owner or authorized user's request is not without merit, assisting in removing or disabling the program as soon as feasible without cost to him or her.
How Does CASL Apply to Updates and Upgrades?
The CRTC guidance clarifies that you must generally obtain consent to install upgrades or updates to a program on another person's computer system. If the updated or upgraded program will perform any of the Prescribed Functions, then you must comply with the special requirements described above for every such update or upgrade. Otherwise, you may automatically install future updates or upgrades if you obtained the relevant owner or authorized user's express consent for doing so when he or she self-installed the program, or when you installed the original program on his or her computer system. In both situations, the person who gave express consent must be entitled to receive the update or upgrade under the terms of the consent, and the update or upgrade must be installed in accordance with those terms.
Under CASL's transitional provisions, if you installed a program on another person's computer system before January 15, 2015, then the person's consent to the installation of an update or upgrade to that program is implied until the person notifies you that they no longer consent to receiving such an installation, or January 15, 2018, whichever is earlier.
What Steps Can You Take To Ensure Compliance?
Measures to ensure your organization's compliance with the provisions under CASL relating to the installation of computer programs may include:
● an assessment of the organization's activities to identify those that involve the installation of programs in the manner covered by CASL and, if there are any, whether any exceptions are likely to apply;
● preparation of a clear and simple summary of the programs' functions and purposes to accompany requests for express consent, along with the other basic disclosure requirements;
● identification of any computer programs that perform any of the Prescribed Functions and, for such programs, implementation of a means of obtaining the user's separate and informed consent, in accordance with the special requirements under CASL, as well as a means of responding to reasonable requests in the following installation to remove or disable the program.
Baker & McKenzie Client Alert on CASL's application to the transmission of commercial electronic messages, published in December 2013, is available here.
CASL, as adopted in December 2010, is available here.
The regulations registered under CASL by the CRTC are available here. The regulations registered under CASL by Industry Canada are available here. Industry Canada’s Regulatory Impact Analysis Statement is available here. The CRTC's guidance on CASL requirements for installing computer programs is available here.
For more information, please contact Theo Ling, Arlan Gates or Eva Warden.