Canada is poised to enact new federal legislation that would impose a stringent consent regime on the installation of computer programs on another person’s PC, smart phone or other computer-based device.

Although the principal policy objective of the new rules is to deter the distribution of “spyware”, the new rules would cover virtually any computer program, regardless of whether or not it is installed for a malicious purpose.

The proposed rules are found in Bill C-28, which received first reading on May 25, 2010.

The Bill also addresses other issues concerning Internet safety, including spam, pharming and address harvesting. More information on those issues is available here.

Stiff Penalties

The new rules would be enforced with stiff penalties, including administrative monetary penalties of up to C$10,000,000 for corporations (C$1,000,000 for individuals) and statutory damages of up to $1 million a day. Significantly, the penalties would potentially apply to anyone, and not just to individuals or businesses that act with malicious intent.

As well, a private right of action would allow consumers and businesses to commence enforcement proceedings and recover damages.

When the New Rules Will Apply

Bill C-28 is identical in most respects to a predecessor Bill (Bill C-27, the Electronic Commerce Protection Act), which died on the order paper in December 2009 after being adopted by the House of Commons. As a result, it is expected that Bill C-28 will be fast-tracked through Parliament.

It is unknown if the government will delay the coming into force of Bill C-28 to afford businesses time to make the changes to their operations that the new rules will require.

Scope of the Express Consent Requirement

Any person who in the course of a commercial activity directly or indirectly installs a computer program on another person’s computer would need the prior, express consent of the other person, subject to limited exceptions.

“Computer program” would be defined very broadly to mean “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.”

“Basic” Disclosure Requirements

When seeking consent, businesses would be required to set out clearly and simply:

  • the function and purpose (in general terms) of the computer program that is to be installed;
  • the purposes for which the consent is being sought;
  • prescribed information identifying the person seeking consent or the person on behalf of whom consent is being sought; and
  • any other information prescribed in regulations.

“Function-Specific” Requirements

Additional “function-specific” disclosures (including reasonably foreseeable impacts on the user’s computer and email contact information) would be required if the program would cause a computer-based device to operate contrary to the reasonable expectations of the owner or user in respect of one or more enumerated functions.

Although the applicable functions are often associated with malicious code (e.g., interfering with the control of the computer-based device), it is conceivable that one or more of them would also apply to elements of software support and maintenance activities offered by legitimate businesses.

A failure to meet the function-specific disclosure requirements would give rise to an obligation to assist the owner or user of the computer-based device to remove or disable the program at no cost. Potential liability would also exist under the general penalty provisions described above.

Exceptions to the Express Consent Requirement

In response to concerns about the scope of the express consent requirements, Bill C-28 would “deem” express consent to have been given for certain classes of computer programs if it would be reasonable to believe that the individual consented to the program’s installation. The applicable classes of programs are:

  • a cookie;
  • HTML code;
  • Java Scripts;
  • an operating system;
  • any other program that is executable only through the use of another program whose installation or use the individual has previously expressly consented to; and
  • any other program specified in the regulations.

Additionally, to allow for automatic update services offered by many software publishers, the installation of an update or upgrade to a computer program would be exempted from the express consent requirement if the program was initially installed in accordance with the consent and “basic” disclosure requirements. However, no exemption is provided in respect of the “function-specific” disclosure rules.

Of note, if a computer program was installed on a person’s computer-based device before the “spyware” provisions in the Bill come into force, the person’s consent to the installation of an update or upgrade would be implied until the earlier of three years after the coming into force date and the person giving notice that he or she no longer consents to such installation.

Impacts of the New Regime

Most obviously, if enacted, the spyware provisions would affect the consent and disclosure practices of technology and online services companies. Less obvious, however, is that these provisions also likely apply to manufacturers of electronic devices not typically thought of as “computers,” but into which computer-based technology has been embedded, and to related service providers.

Any individual or business who, in the course of any commercial activity, installs a computer program on another person’s computer-based device should review their consent and disclosure practices and, if necessary, make any adjustments to bring their current operations into line with the new requirements.