Canada’s new anti-spam law targets more than just spam. CASL also targets malware, and it has a very broad reach. CASL prohibits installing a “computer program” – including an app, software, or other executable data – on a computer system (computer, device, network) unless the program is installed with consent and complies with disclosure requirements. The provisions in CASL related to the installation of computer programs are in force as of January 15, 2015.

What follows is a snapshot of CASL’s key elements. For more information, see:  Step-by-Step: How CASL applies to software, apps and other "computer programs".

“First off, don’t panic”

Software developer and vendors have raised questions about what certain CASL terms mean, and how they work. These include “install or cause to be installed”, “basic consent” and “enhanced consent”. The CRTC – the government authority charged with administering the new regime – seems to have gotten the message. The first part of the CRTC’s response to FAQ #1 in CASL Requirements for Installing Computer Programs is “First off, don’t panic”.

What’s Excluded

Cookies, HTML, JavaScript, and an OS can be installed without consent where it’s reasonable to believe from the user’s conduct that they do consent to the installation. 

Recent Guidance 

The CRTC has also clarified some of the questions that software vendors and developers have raised:

  1. Self-installed software is not covered under CASL. CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  2. Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual is an authorized user.
  3. An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  4. Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent to install updates and upgrades until January 15, 2018 – unless the person opts out of future updates or upgrades.


The maximum penalty under CASL is $10 million for a violation of the Act by a corporation.  A private right of action is available to individuals as of July 1, 2017.

Software developer vs. software vendor – who is liable?

CRTC has taken the position that as between the software developer and the software vendor (the “platform”), both may be liable under CASL. To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • was their action a necessary cause leading to the installation?
  • was their action reasonably proximate to the installation?
  • was their action sufficiently important toward the end result of causing the installation of   the computer program?

Among other things, this means that agreements between developers and vendors should include language to address CASL compliance and liability.