The electronic communications provisions of Canada’s Anti-Spam Law (CASL) came into force on July 1, 2014. CASL is generally known for its sweeping regulation of “commercial electronic messaging.” However, in addition to the above provisions, a number of CASL provisions set to come into force on January 15, 2015, will impose new compliance burdens on businesses that create, distribute or utilize computer systems in the course of business – in other words, most of the businesses in Canada.
Broadly speaking, CASL prohibits a person from installing a computer program on a computer system of another without the prior express consent of the owner of the system, or an authorized user. CASL defines a computer program to include any data or symbols capable of causing a computer system to perform some function. CASL further requires a person who installs a program capable of certain specified functions – including functions that track or record personal information – to give notice of and obtain a separate express consent in respect of each individual specified function.
We anticipate that large enterprises will face a number of compliance issues under the new CASL software provisions. To that end, we suggest enterprises consider all of the implications of this new compliance effort. Among those considerations, the following six questions may be helpful when developing a corporate compliance program.
- Who owns and manages your IT assets? Many large enterprises lease or license a range of IT assets from various service providers. Others outsource IT functions to specialized providers that can take advantage of economies of scale, or use cloud-based services. CASL may create special compliance obligations for such organizations, particularly where IT assets are remotely controlled or updated.
- Does your IT policy contemplate and harmonize with the new provisions of CASL? Most large organizations already utilize policies and processes to mediate employee interactions with firm IT assets. If your business already has such policies in place, you will need to reassess them to satisfy yourself that they contemplate the effects of CASL – this is not only important from a compliance perspective, it may also be important to help support a due diligence defence to liability.
- Do you permit employees to use their own smart phones (e.g., bring your own device or BYOD)? Firms increasingly permit their employees and managers to use “outside” devices behind the corporate fence. If your business allows or encourages employees to use outside devices, you will face special considerations with respect to the application of CASL. As a result, BYOD policies and practices should be reconsidered in light of the information disclosure and other requirements of CASL.
- Do you distribute, sell or license software to the public? Businesses in the software sector may face different application of the legislation, depending on the distribution and implementation of the software. If you provide traditionally-installed software, you may face different compliance burdens from a business that provides software-as-a-service (cloud-based services) (see Canada’s Anti-Spam Legislation: An Advantage for Cloud Computing?), and vice versa.
- Does your business model rely on software functionality included as a CASL “specified function”? CASL provides for particularly onerous compliance burdens in respect of specified functions – however, some businesses rely on such functionality as part of a legitimate business model, for example, remote help desk functions. If your business relies on software functionality that could be characterized as one of these “specified functions” under CASL, you will face additional, difficult and new compliance obligations in Canada.
- Does the grace period provided for in CASL apply to software used, distributed or controlled by your enterprise? CASL provides that software installed on a person’s computer system prior to January 15, 2015, is subject to a grace period, under which the person is deemed to consent to updates and upgrades until the person revokes such consent, or until January 15, 2018, whichever comes first. As January 15, 2015, is fast approaching, businesses will need to determine an appropriate course of action in light of this grace period.
Our wide-ranging experience with the CASL prohibition on commercial electronic messaging suggests that most large organizations can meet their compliance obligations in respect of software without materially affecting the bottom line.
A thoughtful assessment of the interface between the new CASL software provisions suggests that early proactive action by software vendors and enterprise users can minimize the risks of non-compliance on January 15, 2015, when these provisions are in force.