Canada's Anti-Spam Legislation (CASL), which came into force in July this year and targets unsolicited commercial electronic messages, also aims to curtail malicious software such as malware and spyware. CASL achieves this objective by requiring express consent for the installation of computer programs on another person's computer system and mandating enhanced disclosure and consent if the software performs certain prescribed functions. These provisions, contained in section 8 of CASL, will come into force on January 15, 2015, and have been extensively discussed in both the legal and the tech communities, because section 8 applies to far more than the software conventionally understood to be spyware or malware.
On November 10, 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) released guidance on its interpretation of section 8 of CASL. This interpretation appears to limit the otherwise broad scope of the section. Most significantly, the CRTC has provided guidance on who will be considered to "install or cause to be installed" software and appears to limit application of the section to software that is pushed to the user rather than pulled by the user.
The following are key points from the CRTC’s guidance:
- An owner or authorized user includes anyone who has permission to use a particular device or computer system, such as an employee, a child, a spouse or other family member.
- CASL does not apply to owners or authorized users who install software on their own electronic devices. For instance, if owners or authorized users download an app on their mobile devices or install software from a CD on the user's computer, CASL will not apply. However, if another program is concurrently and surreptitiously installed or the program itself, unbeknown to the user, performs certain functions that would otherwise require enhanced disclosure and are not reasonably expected by the user, CASL will apply. These functions include collecting personal information, interfering with the user's control of the device and causing the device to communicate with other devices, in each case without the user's authorization or knowledge.
- If a computer program performs a prescribed function that the user would not expect, a description of the function and its impact on the computer system must be disclosed and express consent obtained prior to installation. That consent must be separate from the terms and conditions of the user-licence agreement. However, the mere inclusion of these functions on self-installed programs does not require disclosure and consent unless the functions are not reasonably expected by the user.
Although the CRTC guidance is welcome, because the application of section 8 of CASL may depend on the reasonable expectations of a user, much uncertainty remains. The boundaries of section 8 may therefore not become clear until enforcement actions start and the first cases hit the courts.