CASL is a new regime, with significant administrative monetary penalties (maximum CA$10 million), and is broader in scope than the anti-spam laws of the US and other countries. If you do business in Canada, you are likely aware that Canada’s Anti-Spam Law (CASL) targets unsolicited commercial electronic messages (CEMs). The provisions of the CEM “anti-spam” regime entered into force on July 1, 2014.
It is somewhat less well known that CASL includes provisions on the installation of “computer programs.” CASL generally prohibits installing an app, widget, software or other executable data on a computer system (including a computer or device) in the course of a commercial activity unless the program is installed with consent and complies with disclosure requirements. These CASL provisions will come into force on January 15, 2015.
Application outside Canada
Like CASL’s anti-spam provisions, the ”computer program installation” provisions apply to persons outside Canada. A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada).
The principal regulator, the Canadian Radio-television Telecommunications Regulator (CRTC) has a number of enforcement options. The maximum administrative monetary penalty under CASL is CA$10 million for a violation of the Act by a corporation. In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation. There are also provisions for directors’ and officers’ liability. Moreover, a private right of action is available to individuals as of July 1, 2017.
CASL’s broad scope
The broad legal terms “computer program,” “computer system,” “install or cause to be installed,” and others, have raised many fundamental questions with industry stakeholders about just how the CASL provisions apply. A further complicating factor is that “implied consent” – which is available in various circumstances for anti-spam compliance – is available only in very narrow circumstances for the installation of computer programs. The CRTC recently responded to a number of industry questions by issuing Guidelines entitled, CASL Requirements for Installing Computer Programs.
The CRTC has clarified some, but not all of the questions that industry stakeholders have raised. CRTC Guidance does clarify the following.
- Self-installed software is not covered under CASL. CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets. Another example would be an installation on an employer-owned device.
- CASL does not apply to “offline installations,“for example, where a person installs a CD or DVD that is purchased at a store.
- Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer. However, consent would not be required for the employer or the lessor to install software on the employer’s or lessor’s own device.
- An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version,” or a version change.
- Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018, unless the person opts out of future updates or upgrades.