Effective January 15, 2015, Canada’s anti-spam law (commonly known as “CASL”) will impose onerous restrictions and requirements for the commercial installation and use of computer programs on another person’s computer system. The rules apply to almost any computer program (not just malware/spyware/harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). The rules have potentially serious implications for Canadian businesses that distribute computer programs and for foreign businesses that distribute computer programs to computer systems located in Canada. Unfortunately, the rules are challenging to interpret and apply, and regulators have provided limited guidance.
Summary Of CASL Rules
Following is a summary of some key elements of CASL’s rules for the installation and use of computer programs.
- General Prohibition: CASL provides that, subject to important but limited exceptions, a person must not, in the course of a commercial activity, either install or cause to be installed a computer program on any other person’s computer system, or cause an electronic message to be sent from any other person’s computer system on which the person installed, or caused to be installed, a computer program, unless the person has obtained the express consent of the owner or an authorized user of the computer system. CASL also prohibits aiding, inducing, procuring or causing to be procured a violation of the rules regarding the installation and use of computer programs.
- Broad Definitions: CASL broadly defines “computer program” (data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function), “computer system” (one or more devices that contain computer programs or other data and perform logic and control functions pursuant to computer programs), “commercial activity” (any transaction, act or conduct of a commercial character, regardless of expectation of profit) and “electronic message” (a message sent by any means of telecommunication). CASL’s rules are not limited to malware/spyware or other kinds of fraudulent or harmful computer programs.
- Geographic Scope: CASL’s rules apply if the computer system is located in Canada at the relevant time, or if the person installing or directing the installation or use of the computer program is in Canada at the relevant time.
- Express Consent: CASL requires express consent to the installation of a computer program on another person’s computer system or the sending of messages from another person’s computer system. Subject to limited exceptions, implied consent is not sufficient. Regulatory guidance explains that CASL requires that express consent be obtained through an opt-in mechanism. Accordingly, an individual must take a positive action to indicate express consent; silence or inaction cannot be construed as providing express consent.
- Request for Consent - Standard Computer Programs: CASL requires that a request for express consent must clearly and simply: (1) set out the purpose for which the consent is sought; (2) describe, in general terms, the function and purpose of the computer program that is to be installed if consent is given; and (3) specify prescribed information regarding the identity and contact details of the person seeking consent and any other person on whose behalf the consent is sought. A request for consent must also contain a statement indicating that the person whose consent is sought can withdraw their consent.
- Consent for Updates/Upgrades: CASL’s rules apply to the installation of updates and upgrades to a computer program. However, a person does not have to obtain an additional express consent for a non-invasive update or upgrade to a computer program if: (1) the computer program was installed with express consent in accordance with CASL; (2) the person who gave the consent is entitled to receive the update/upgrade under the terms of the express consent; and (3) the update/upgrade is installed in accordance with those terms. Regulatory guidance confirms that consent to the installation of future updates/upgrades to a computer program may be obtained at the same time that consent is obtained for the original installation of the computer program. CASL provides a time-limited transition provision for updates/upgrades - a person’s consent to the installation of an update/upgrade to a computer program that was installed on the person’s computer system before January 15, 2015, is implied until the person gives notice that the person no longer consents to the installation of updates/upgrades or until January 15, 2018.
- Deemed Consent for Certain Programs: CASL provides that a person is considered to expressly consent to the installation of certain kinds of computer programs (e.g. a cookie, HTML code, Java Scripts, an operating system or a program that is necessary to correct a failure in the operation of a computer system or program and is installed for that sole purpose) if the person’s conduct is such that it is reasonable to believe that the person consents to the program’s installation. Regulatory guidance indicates that certain kinds of cookies might not be considered to be a computer program for the purposes of CASL.
- Request for Consent - Invasive Computer Programs: CASL imposes additional requirements for valid consent to the installation of a computer program that performs certain specified invasive functions (e.g. collecting personal information stored on the computer system or causing the computer system to communicate with another computer system or device without the authorization of the owner or an authorized user of the computer system) that a person knows and intends will cause a computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer system. A request for consent to the installation of an invasive computer program must be separate and apart from a license agreement and must include additional, separate disclosures of prescribed information about the computer program’s invasive functions. A valid consent to the installation of an invasive computer program must be confirmed in writing (paper or electronic forms that satisfy specified requirements) with express acknowledgement of the program’s invasive functions. In addition, a person who obtains express consent to the installation of an invasive computer program must, for a period of one year after the computer program is installed, provide a procedure for removing or disabling the computer program if the consent was based on an inaccurate description of the material elements of the computer program.
- Separate/Discrete Consent: Regulatory guidance explains that a consent to the installation or use of a computer program on another person’s computer system must be specific and separate from consents to other kinds of CASL-regulated conduct (e.g. the sending of commercial electronic messages), and must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale.
- Burden of Proof: CASL provides that a person who alleges they have consent to the installation or use of a computer program on another person’s computer system has the onus of proving the consent.
- Extended Liability: CASL provides that employers are liable for a contravention of CASL’s rules for the installation and use of computer programs committed by their employees and agents within the scope of their employment or authority, and corporate directors and officers are personally liable if they direct, authorize or assent to, or acquiesce or participate in, a contravention of CASL’s rules for the installation and use of computer programs committed by their corporation. Employers, directors and officers can avoid liability if they establish that they exercised “due diligence” to prevent the contravention.
- Penalties for Non-Compliance: Failure to comply with CASL’s rules for the installation and use of computer programs can result in significant administrative monetary penalties (up to $10,000,000 for organizations and $1,000,000 for individuals). In addition, beginning in July 2017 a private right of action will allow persons affected by a contravention of CASL’s rules for the installation and use of computer programs to commence enforcement proceedings and recover compensatory damages and statutory penalties (a maximum of $1,000,000 for each day on which a contravention occurred).
Interpretation And Application
CASL’s rules for the installation and use of computer programs are challenging to interpret because CASL uses broad and ambiguous terminology (e.g. “install or cause to be installed”, “cause an electronic message to be sent”, “update or upgrade” and “operating system”). As a result, the scope and application of the rules are uncertain. By way of example only:
- Online Software Distribution: Do the rules apply when software is downloaded and installed using an automated online process (e.g. online stores for mobile device apps) that is initiated by the computer system user? If so, who is responsible for CASL compliance - the software vendor/distributor, the app store operator or both of them?
- Automated Messages: Do the rules apply to the transmission of data (e.g. diagnostic data or queries for software updates) that is sent automatically by a computer program without human intervention?
- Updates: Do the rules apply to minor bug fixes or to updates to ancillary databases?
- Firmware: Is firmware a computer program or part of an operating system that is exempted from the rules?
CASL’s rules for the installation and use of computer programs are challenging to apply because in many situations it is either difficult or impossible for a software vendor/distributor to request and obtain the express consent required by CASL. For example, popular software distribution websites (including online stores for mobile device apps) currently do not have processes to request, obtain and record express consents for the downloading and installation of each program. As another example, many devices that qualify as a computer system do not have the user interfaces necessary to request, obtain and record express consents to the installation of updates/upgrades to firmware on the device or the automated sending of electronic messages from the device.
Industry Canada and the CRTC have issued limited guidance that does not address some of the most challenging aspects of CASL’s rules for the installation and use of computer programs. The CRTC has indicated that additional guidance will be provided in the future.
CASL’s rules for the installation and use of computer programs come into force on January 15, 2015. In the absence of additional regulations or regulatory guidance, businesses that directly or indirectly distribute computer software (including mobile apps distributed through app stores and automated firmware updates) or receive messages from installed software (including diagnostic data and automated update queries) should now be considering the impact of CASL’s rules on their business activities and planning for compliance with those rules.