From November 10 to 12, 2014, the CRTC provided its interpretation of the software provisions in Canada’s anti-spam law (CASL) in several presentations to industry. The CRTC also posted a specific FAQ about its interpretation on its website (CASL Requirements for Installing Computer Programs) on Monday, November 10, 2014. As these particular provisions will come into force on January 15, 2015, the CRTC has endeavoured to provide timely guidance to those that may be affected by them. However, even with the interpretations adopted by the CRTC, many questions remain outstanding.
Broadly speaking, the CASL software provisions regulate the installation of software on a computer system. Based on its presentations, the CRTC appears to have currently interpreted the CASL software provisions as follows:
- generally speaking, the CRTC views the reasonable expectations of the consumer as the guiding principle underlying its current interpretation of CASL, and plans to take enforcement action accordingly;
- where a person self-installs software (for example, where a person downloads an app from an app store to a mobile device the person owns), CASL does not apply, with an exception – CASL will apply where, without the knowledge of the user, the software can perform one of the functions listed in s 10(5) of the legislation (e.g., where the software can collect personal information, etc.);
- if a person installs software on another person’s computer system, and the person installing the software is not an owner or “authorized user” within the meaning of the legislation, then CASL will apply;
- in most cases, and recognizing that it will be dependent on a case by case assessment, the CRTC contemplates that it is likely to assign liability for violations of CASL to the software vendor, and not to the software developer – it views the vendor as having the closest nexus to the installation and therefore as responsible, in many cases, for causing the installation of software. The CRTC did note there may be cases where all parties may bear responsibility;
- automatic software updates will be subject to the CASL software provisions – however, a person can seek to secure consent to ongoing automatic upgrades in advance provided adequate disclosure is made; and
- a user’s action, for example disabling cookies or activating “do not track” functionality, is contemplated by the CRTC as being sufficient to negate such a user’s deemed express consent to the installation of cookies, HTML, etc. under s 10(8) of CASL.
We note that the above interpretation is non-binding on the CRTC and that it may change its interpretation and/or policies at any time. In that respect, we note that software developers and vendors will likely face additional challenges in respect of compliance, particularly with respect to disclosure of specified functions under s 10(5), due diligence, and risk allocation. For example, it remains unclear how much disclosure is required, whether generic disclosure of the existence of possible functionality might be utilized in advance as protective and, practically, how foreign-based app stores will be able to comply with the enhanced consent and disclosure requirements for computers located in Canada at the time of the download.
Of course, the CRTC’s non-binding interpretation of CASL cannot replace direct consideration of the statute. Accordingly, we are of the view that a CASL compliance plan should consider both the CRTC’s most current interpretations and the legislation itself.