On July 1, 2014, most provisions of Canada’s new anti-spam law (commonly known as “CASL”) came into force. These provisions create new rules for email marketing and other e-communications by requiring that recipients consent to receiving commercial electronic messages (or “CEMs”), and by requiring the messages to contain certain content, including a mechanism to unsubscribe. In the months leading up to July 1, Canadian and foreign organizations alike have been updating their e-communication practices to comply with CASL. Please see our website blg.com/antispam for more details.
CASL Applies To Computer Programs
Although CASL focuses on the sending of “spam”, it also has rules dealing with the installation of
computer programs and the alteration of transmission data in an electronic message. These provisions come into force on January 15, 2015. The purpose of CASL is to improve the efficiency and privacy of e-communications; hence these provisions are aimed at viruses, malware and practices like “phishing” that are often perpetuated through or by products of spam. Like the provisions of CASL which deal with CEMs, however, the legislation takes a broad approach to the computer program provisions and it will affect any person or organization that provides software, mobile apps or other computer programs for purchase or download.
Failure to comply with CASL can result in significant fines, among other things. CASL has administrative monetary penalties of up to $1 million per violation (for individuals) and up to $10 million per violation (for organizations). If an employee commits an act that contravenes CASL (such as sending a CEM without the necessary consent or unsubscribe mechanism), the employer could be held liable, if the employee was acting within the scope of his or her employment. Board members and officers of a company could also be held personally liable for violations. In addition, there is a private right of action that takes effect on July 1, 2017.
Installation Of Computer Programs
Starting January 15, 2015, CASL will prohibit installing or causing to be installed, in the course of a commercial activity, a computer program on any person’s computer system, or causing an electronic message to be sent from the person’s computer, unless the express consent of the owner or an authorized user of the computer is obtained. This applies if the person installing the program (or the person directing the installation) is in Canada, or the computer on which it is installed is in Canada at the relevant time. This means these provisions apply to persons in Canada who provide the computer program, and to computer programs purchased or downloaded by users in Canada, even though the company who provides the program is not located in Canada or does not have any presence there.
CASL defines “computer program” as data that, when executed on a computer system, causes the system to perform a function. This is a very generic definition that includes all kinds of software as well as apps. “Commercial activity” is defined as any transaction, act or conduct of a commercial character, whether or not there is an expectation of profit. The fact that a profit motive is not required suggests that free downloads may be subject to CASL.
The consent for installation of a computer program must clearly and simply describe, in general terms, the function and purpose of the computer program to be installed. The request for consent must also include certain prescribed information about the sender. The CRTC (the agency responsible for enforcing CASL) has indicated that express consent needs to be “opt in”, meaning a user needs to actively do something to provide consent, such as checking off a box (that was un-checked to begin with) to consent to the installation of the program. Pre-checked boxes or “opt out” consent will not suffice for purposes of express consent under CASL. Requests for consent cannot be buried in the terms and conditions or combined with other requests, such as consents required under privacy laws.
There are additional requirements if the computer program performs one or more of certain functions that are particularly sensitive or invasive and that are contrary to the reasonable expectations of the user. These consist of the following:
- collecting personal information stored on the computer system;
- interfering with the owner’s or an authorized user’s control of the computer system;
- changing or interfering with settings or preferences already installed on the computer system without the owner’s or authorized user’s knowledge;
- changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user;
- causing the computer system to communicate with another computer system or other device, without the authorization of the owner or authorized user; and
- installing a computer program that may be activated by a third party without the knowledge of the owner or authorized user.
In these circumstances, the consent must include more details about these functions and draw the user’s attention to them. The provider of the computer program must also provide an email address to which the user can send a request for the program to be removed or disabled, if they believe the function was not accurately described when consent was requested, and the provider must provide assistance to remove or disable the program at no cost to the user.
There is a 3-year transition period that applies to upgrades or updates to computer programs that are installed prior to January 15, 2015. There is implied consent to install upgrades or updates on such programs until January 15, 2018, subject to the user giving notice that they do not wish to receive the upgrade or update.
Altering Transmission Data
Starting January 15, 2015, CASL will prohibit altering or causing to be altered, in the course of a commercial activity, the transmission data in an electronic message so that the message is sent to a destination other than (or in addition) to the one specified by the sender, unless the express consent of the sender or the recipient is obtained and the sender provides an email address that the recipient can send a request to unsubscribe to.
The practice of altering transmission data is most likely found in malware and viruses, so it is unlikely to apply to legitimate businesses. However, if an organization’s IT system is hacked causing it to violate this prohibition, it could be liable under CASL.
The next wave of CASL will require every business and organization that offers software, apps and other computer programs to assess whether they obtain consent from users and make changes to comply with CASL, and establish ways of recording the consent to demonstrate compliance.