On January 15, 2015, the software provisions in Canada’s Anti-Spam Legislation (CASL) will come into force, creating significant prohibitions and requiring consent to, among other things, install software, change device settings, collect personal information and update existing software.
In a corporate environment, bring-your-own-device (BYOD) policies and IT use policies will need to be revisited given the nexus of CASL prohibitions and industry practices in managing enterprise technology and communication infrastructure. Broadly speaking, under CASL, the authorized user or owner of a device (for example, a laptop, smartphone or tablet) must consent to software installations that are not self-initiated. In certain circumstances, consent will be required even where an installation is self-initiated. Further, the law imposes specific notification and disclosure obligations. Failure to comply with CASL could result in fines of up to $10,000,000 for organizations, or $1,000,000 for individuals, with employers being held liable for actions of employees.
Where a program is capable of certain “special functions”, defined in CASL to include:
- collecting personal information;
- changing or interfering with settings, preferences or commands of the computer system without knowledge of the user;
- restricting or interfering with access to data;
- causing a computer system to communicate with any other device without consent of the owner or authorized user; or
- installing a computer program that can be activated by a third party,
consent and notification requirements are more onerous.
What is noteworthy is that these functions need not be malicious. In fact, such functions are carried out by many computer programs.
In light of these notification and consent requirements under CASL, most organizations will need to review and update their IT policies. Many corporations operate remote help-desk assistance services, offer laptop loaners, or allow users to download content on their computers. Accordingly, IT policies must account for corporations installing programs, modifying or controlling data, or accessing computer systems belonging to employees, all of which are contemplated as “special functions” under CASL. Organizations must notify users of the program functions, the impact of such programs or policies, and whether an employee’s ability to uninstall programs has been limited. We advise organizations to ensure that consents contemplate future program updates that may include special functions under the legislation.
Additionally, BYOD policies will need to be reviewed and revised to ensure BYOD participants are formally consenting to, among other things, the organization installing security policies, encryption keys, remote-assistance software and automatic program updates on their mobile devices. In addition, CASL may require an acknowledgement that such programs include one or more of the “special functions” described above, along with an explanation of how these special functions may work on the user’s device. Policies should allow for BYOD participants to revoke consents, and organizations should be mindful of tracking consents in light of the complex nature of employment matters and the uncertainties surrounding enforcement of CASL with respect to corporate actions on employees’ computer systems.