A second significant portion of Canada's Anti-Spam Legislation ("CASL"), which is designed to combat the distribution of malware, is now in effect. Malware, which is also known as malicious software that infects computing devices and systems and which takes a variety of forms including computer viruses, worms, Trojans, spyware and adware, negatively impacts consumers, governments and businesses alike. The provisions may, however, also impact the legitimate business activities of software providers. Therefore, a careful review of the new rules under CASL should be a priority for any business that provides software for installation on the computers of others.
The CASL prohibition
Subject to several exceptions, CASL prohibits the installation of, or causing the installation of, a computer program (software) to another person’s computing system (e.g., laptop, smartphone, PCs, gaming consoles, industrial machines and appliances, automobile computer systems) in the course of commercial activity without the express consent of the system’s owner or an authorized user.
- Installation or causing the installation of a computer program to another person’s computer system
The newly enacted provisions of CASL prohibit the installation of a computer program on another person’scomputer system without that person’s express consent. Thus, where the system’s owner or authorized user installs the computer program on his or her own device, CASL does not apply.
The Canadian Radio-television and Telecommunications Commission (“CRTC”) - the federal agency with primary responsibility for the enforcement of the CASL software installation prohibitions – provides several examples on the interpretation of the new prohibition.
For example, when a smartphone owner downloads a new application onto the owner’s smartphone, CASL does not apply. However, if concealed malware is installed in conjunction with the application, CASL would apply to the installation of the malware. In this case, the malware was “caused to be installed” on the computer system of another person. A further prohibited example involves the automatic execution of concealed computer software from an audio CD.
CASL applies if the person installing or directing the installation of the computer program is in Canada, or if the computer system is in Canada regardless of the origin of the programs. Notably, CRTC has indicated that arrangements have been made with foreign authorities to enforce the CASL abroad.
- The exceptions to the consent requirement
If CASL applies, the user’s express consent must be sought and obtained prior to the installation of the computer program on the user’s computer system, subject to several exceptions.
The majority of the exceptions relate to certain classes of computer code, listed below:
- HTML code;
- an operating system;
- any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to;
- a computer program installed by a telecommunications service provider for the purpose of protecting the security of its network from a current and identifiable threat;
- a computer program to update or upgrade the network installed by a telecommunications service provider who owns or operates the network; and
- a computer program necessary to correct a failure in the operation of a computer system or program (i.e. the system or program does not function properly and is not consistent with consumer expectations) and is installed solely for that purpose.
If the code falls within one of the above classes then consent is deemed unless the conduct of the user suggests otherwise. An example provided by the CRTC involves the user’s disabling of cookies in a browser: in this case, the user would not be deemed to have consented to the installation of cookies on their computer system.
A further exception to the requirement for express consent also exists where the installation of the computer program on another person’s computer system is done in accordance with a court order.
- Seeking consent: clear and simple consent requests
If the consent requirements of CASL are applicable, then either the owner or authorized user of a computer system must provide express consent prior to installation of the program. Express consent requires the owner or authorized user to take an active step in giving consent, for example by checking a previously unchecked box.
CASL stipulates that in requesting consent, the requestor must clearly and simply present the user with the following information:
- the reason for seeking consent;
- the identity of the requestor seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person’s name);
- if consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
- the mailing address and one other piece of contact information such as an email address;
- a statement indicating that the person whose consent is sought can withdraw their consent; and
- a description in general terms of the functions and purpose of the computer program to be installed.
Once obtained, a record of the consent should be kept in a manner that makes it easily accessible in the event that a user’s prior consent is questioned. The consent requestor bears the burden of proving that a user consented to a program’s installation.
- Additional disclosure and uninstall obligations
In certain circumstances, CASL requires a heightened level of disclosure when seeking consent. The heightened level of disclosure is required when a program does something that would not normally be expected of the program. Specifically, the additional disclosure obligations apply where a program performs any of the following functions:
- collecting personal information;
- interfering with the user’s control of the device;
- changing or interfering with the user’s settings, preferences or commands without the user’s knowledge;
- changing or interfering with the data stored on the device in a way that obstructs, interrupts or interferes with the user’s access to the data;
- causing the computer system to connect to or send messages to other computer systems without the user’s authorization; and
- installing a program that may be activated by a third party without the user’s knowledge.
If the computer program to be installed performs any of these functions, then the request for consent must also clearly and prominently set out, separately from the terms of the computer program’s license agreement, the following information:
- a description of what the program does in relation to the above listed functions and why it does it; and
- a description of the impact of those functions on the operation of the computer system.
The owner or authorized user of the computer system must then provide written acknowledgement that they understand and agree to the program’s functions.
In addition to heightened disclosure obligations, CASL also imposes an obligation to assist users in disabling or removing the program if a user comes to believe that the function or impact of the program on its computer system was inaccurately described at the time of installation. This assistance with disabling or removing the program must be performed at no cost to the user and the user must be provided with an electronic address through which they can request the program’s removal or disabling at any time. The obligation to provide assistance with the program’s removal or disabling exists for up to one year after installation.
- The special case of updates and upgrades
An update or upgrade which makes changes to or replaces previously installed programs is treated the same as any other program: unless the update or upgrade falls under one of the exceptions to consent (e.g., is an update to a cookie or an HTML code), the express consent of the user must be obtained prior to the installation of the update or upgrade. The consent of an owner or authorized user must be obtained even if (a) the original program was self-installed by the user or (b) the user consented to the original installation of the program being updated or upgraded. However, a user may consent to the installation of updates or upgrades released in the future at the same time as consenting to the original installation.
CASL does provide for a transition period for upgrades and updates of computer programs installed prior to January 15, 2015. If a program was installed prior to January 15, 2015, a user’s consent to the installation of upgrades and updates will be implied until January 15, 2018, unless the user has indicated otherwise.
Penalties and enforcement
Breach of the CASL software installation provisions can result in fines of up to $10,000,000 for organizations (legal persons), or $1,000,000 for individuals. The CASL also imposes liability on employers for their employees’ actions as well as on Directors and Officers who directed, authorized, assented to, acquiesced in, or participated in their company’s non-compliance CASL. All liability under CASL is subject to a due diligence defense and CASL makes clear that penalties will be imposed for the purpose of promoting compliance with CASL and not to punish.
Beginning on July 1, 2017, CASL will provide a private right of action for anyone affected by a breach of the CASL software installation provisions to seek actual and statutory damages, but the right to bring a private action is removed where the alleged violator has entered into an undertaking with the CRTC or has been served with a Notice of Violation.
Subject to limited exceptions, the newly enacted provisions of CASL prohibit the installation of software on another person’s computer system or device without their express consent. Breach of the CASL software installation provisions can result in stiff penalties and enforcement actions. While the new CASL provisions are intended to protect Canadians, they may also impact the legitimate business activities of software providers. A careful review of the new requirements under CASL should be a priority for any business that provides software for installation on other people's computer systems.