On Jan. 15, 2015, new provisions in Canada’s Anti-Spam Legislation, CASL, will come into force and will require express consent to the installation of many forms of “computer programs” onto a person’s “computer system” such as a computer or mobile device. In anticipation of these new requirements, the Canadian Radio-television and Telecommunications Commission (CRTC) has released a guidance document indicating its interpretation of these provisions.
Of particular note, the CRTC has indicated that it does not consider CASL to apply to programs or software that the owner or authorized user themselves downloads to install on their computer or device- instead, the CRTC considers CASL to apply to programs that are pushed to the owner or authorized user by another person. By way of example, the guide suggests that CASL would not apply to the purchase and installation of an App from an App store, where a consumer purchases software on a CD and then installs it on their computer, or where a consumer downloads and installs software from a website. However, the guide suggests that if a second program or function is automatically installed or executed when a person deliberately installs a program, CASL would be triggered by the second installation. The CRTC gives the examples of installing a game application that also installs malware, or a music CD that surreptitiously executes concealed software. While there may be public policy reasons to target the surreptitious installation of programs contrasted with self initiated installation, a clear statutory basis for this distinction is not given in the guide, nor is it evident on a reading of CASL.
The guidelines also seek to provide clarity on whom is considered the owner or “authorized user” of a computer system, indicating that an authorized user is anyone who has permission to use a computer or device. For example, in the employment context, the employer would be considered the owner of the computer, whereas the employees would be authorised users. Likewise, where an individual owns a computer, but provides it to their spouse or child for their sole use, the spouse or child would be the authorized user. Problematically, the guide lacks an indication of how an entity installing a computer program can establish whether the person purporting to consent to the installation is the owner or authorized user of the computer system. Organizations may consider including a representation to that effect in their requests for consent.
Finally, the guidelines provide further clarity regarding some of the exceptions to CASL’s requirement for express consent. CASL deems a person to expressly consent to the installation of a program that is a Cookie, HTML Code, Java Script, or Operating system, that is executable only through the use of another program the person previously agreed to install, that is installed by a Telecommunications Service Provider (TSP) to protect network security or to update their network, or that is installed solely to correct a failure in the operation of the computer system or a program installed on it, where the person’s behaviour makes it reasonable to believe they consent. Helpfully, the guide indicates that TSPs will include any business that provides telecommunications services, including automobile manufacturers in respect of vehicles that include wireless telecommunications functions. Additionally, the guide recognizes that correcting a “failure” in a system or program can include both reactive and proactive corrections.
In many respects, these guidelines appear to signal a pragmatic approach to the interpretation of these provisions of CASL, suggesting the CRTC will seek to interpret it in a manner that targets them to objectionable practices such as malware and the surreptitious installation of computer software. However, in many cases it is difficult to determine how the CRTC is able to derive them from the actual text of CASL, which is extremely broad, stating express consent is required in cases where a person installs, or “causes to be installed” a computer program on another person’s computer system. The requirement in CASL as drafted does not appear to consider the actions or involvement of the owner of the computer system in installing the program, but rather the role of the person offering the program or “causing” it to be installed. Further, as CASL requires express consent, in a prescribed form, before an entity “causes” a computer program to be installed (subject to certain exceptions), it may be difficult as a practical matter to distinguish a non-compliant request for consent to install a program (for example, a pushed installation that requests express consent, but does not meet the technical disclosure requirements under CASL) from an instance where the owner of the computer program is themselves installing the program, and the CRTC would not consider the regulatory disclosure requirement to apply.
Given these uncertainties, organizations may consider drafting both push type installations and self initiated program installations to comply with the requirements of CASL, and specifically drafting such requests to contemplate the installation of future updates to the program. These are to state:
- The purpose of the request, and a simple description of the function and purpose of the program;
- The name of the person requesting consent;
- If different, the name of any person on whose behalf consent is sought and who is asking for whom;
- The mailing address, and either a telephone number, email address, or web address for one of those persons; and
- A statement consent can be withdrawn
If the program performs any of the functions listed in section 10(5) of CASL in a manner that will cause the computer to operate in a manner contrary to the expectations of its owner or authorized user, those functions, their nature, purpose and impact on the computer system must be brought to the attention of the owner or authorized user separately from any other information in the request for consent or the end user licence agreement, and the owner or authorized user must acknowledge they understand and agree to them in writing. These functions are:
- Collecting personal information stored on the computer;
- Interfering with the owner’s or authorized user’s control of the computer;
- Changing or interfering with data on the computer in a manner that obstructs or interferes with the access to that data by the owner or authorized user;
- Programs that have the capability of causing the computer to communicate with another computer or device without the owner’s or authorized user’s consent; or
- Installing a program that may be activated by a third party without knowledge of the owner or authorized user of the computer.