In preparation for the January 15th, 2015, coming into force of section 8 of Canada’s Anti-Spam Legislation (“CASL”), and associated regulations, the Canadian Radio-television and Telecommunications Commission (“CRTC”) has provided an interpretation bulletin, entitled “CASL Requirements for Installing Computer Programs”.

The bulletin provides guidance on the applicability of CASL to software or computer program installations in the course of commercial activity, including requirements of disclosure and consent, and specific guidance on updates or upgrades to software.

If your business installs software or other computer programs on other people’s connected devices in Canada, including any installation of mobile apps as promotional tools, you should be aware of these significant new requirements coming in 2015.

Covers “Commercial Activity” Broadly. The legislation covers a broad range of installations of a commercial character. Limited exceptions are created for installations in support of law enforcement, protection of public safety, and national defence.

Self-Installations Excluded. In general, CASL does not apply to self-installed software. Therefore, any time an individual knowlingly downloads and installs an app or program, or loads software from a CD, or accepts a prompt to update an existing program, CASL will not apply. Similarly, if an employer installs software on its own network, CASL will not apply.

However, this exclusion will only apply if the scope of installation is consistent with the program functionalities the consumer expects. In other words, unexpected functionalities may not “tag along” with a consumer’s self-installation, as discussed below.

Disclosure & Consent Required. An organization or individual must have the express consent, in writing or given orally, of the owner or authorized user of the device for each act of software installation, including (as of January 15, 2018) for updates or upgrades to the consumer’s programs that were self-installed before January 15, 2015.

This initial consent may encompass the consumer’s consent to any future updates or upgrades to the program.

Informed consent generally requires that the installer disclose to the owner / authorized user of the device the following information: the identity of the installer, the function and purpose of the computer program, that consent may be withdrawn at any time, and an email address to which requests to remove the program may be directed.

The CRTC bulletin advises that this information is required to be provided separate and apart from any terms and conditions listed in a contract or end-user licensing agreement, and that valid consent cannot be obtained using pre-checked boxes or other forms of opt-out consent.

Enhanced Disclosure & Consent. If the program interferes with the owner / authorized user’s control of and access to the device, or causes the device to communicate with other devices, or performs certain functions such as the collection of personal information stored on the device, the installer will also be required under CASL to share information about that functionality’s purpose, the impact of that functionality on the device’s operation, and seek explicit acknowledgement from the owner / authorized user that they understand and agree that the program will perform these functions.

Implied Consent. For the first three years, computer programs that were installed before January 15, 2015 will benefit from implied consent until January 15, 2018, unless the owner / authorized user gives notification that they no longer consent to the original installation.

Deemed Consent. If the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation, consent is deemed to have been provided for certain types of installations, including cookies, HTML code, Javascript, operating systems, and all programs executable through another program that was already consented to. However, if the owner / authorized user has, for example, disabled cookies or Javascript, or activated “do not track” functionality, this is sufficient (according to the CRTC) to negate deemed consent.

Penalties associated with non-compliance are significant, up to $10M for corporations and other organizations for an offence under CASL. A private right of action will become effective as of July 1st, 2017, allowing individual claims for damages. Class actions are expected.