The entry into force of the first group of provisions of Canada’s anti-spam act1 (CASL) on July 1, 2014, (the Spam Provisions) generated considerable attention. Now that businesses have (hopefully) determined and deployed their compliance strategy for the Spam Provisions, another set of articles from CASL is about to come into force on January 15, 2015. These provisions will prohibit the installation of computer programs on another person’s computer absent express consent.
The government’s communications regarding the new set of provisions rightly focus on the fact that its immediate objective is to fight malware and viruses and, as such, most businesses would not feel immediately preoccupied (or at least concerned) by the new provisions. However, the drafting of the provisions is very broad and could apply to numerous “legitimate” businesses. This is not unlike the Spam Provisions, which had a much broader reach than would be expected under the common conception of what spam is, as these provisions covered a wide range of “commercial electronic messages.”
Subject to specific exceptions (discussed below), CASL’s section 8 makes it illegal, in the course of a commercial activity, to install “computer software” (this term includes software, apps, etc.) on another person’s “computer system” absent express consent or, likely only rarely, a court order.
CASL uses the Criminal Code’s broad definition of computer system and this definition includes not only desktops and laptops, but also other systems such as a mobile device or a car’s computer system.
As with the Spam Provisions, businesses seeking consent to install “computer programs” need to clearly explain the purposes for which consent is sought and provide contact information (along with other information prescribed by regulations). In addition, businesses must also clearly and simply describe the function and purpose of the computer program to be installed if the consent is given.
The rule is also stricter when the to-be-installed computer program, contrary to the reasonable expectations of the user:
- collects personal information;
- interferes with the user’s control of the computer system;
- changes the computer system’s settings without the user’s knowledge;
- interrupts access to data stored on the computer system;
- causes the computer system to communicate with other devices without user authorization; or
- installs software that can be activated by another party without the knowledge of the computer system’s user.
As an illustration of computer programs that are subject to the enhanced disclosure requirements, one may think of a user that installs on his or her mobile device an app that he or she believes to be purely informational (an app that provides opening hours for a certain chain of stores, for example), without knowing the app in fact collects personal information and geolocation information about its users.
When a computer program is subject to this enhanced disclosure requirement, the person who seeks express consent to install such a computer program must, when requesting consent, describe these functions clearly and prominently and ensure such description is:
- separate from the licence agreement; and
- separate from any other information provided in the request for consent.
Moreover, for such computer programs, the person seeking consent must obtain acknowledgement in writing from the person from whom consent is being sought that he or she understands and agrees that the program performs the specified functions.
The following types of computer programs benefit from an “exception to consent requirement” when the user’s conduct is such that it is reasonable to believe he or she consents to the program’s installation:
- Updates and upgrades, in limited cases, namely when (1) the person who gave the consent to the original installation is entitled to receive the update or upgrade under the terms of the original consent and (2) the update or upgrade is installed in accordance with those terms.
- Operating software.
As more and more businesses (whether or not they see themselves as being in the business of distributing computer programs) that used to only operate “traditional” non-interactive websites try to move their users to websites or apps with enhanced functionalities, the new provisions are of interest for most B2C businesses, regardless of the nature of their core activities.
The enhanced disclosure provisions could be applicable more often than not considering that businesses often roll out apps specifically to collect data about their clients, whatever the app’s purpose is from the user’s point of view.