It's mid-October. Like many businesses in Canada, you may be
weary of hearing about CASL compliance. Hopefully that weariness is
due to all the hard work you did 3 months ago to bring your
organization into compliance for the July 1st start-date.
If you're a software vendor, then you should gird yourself
for round two: Yes, there are additional provisions
in CASL which deal with the installation of software, and those
rules come on stream in 3 months on January 15,
Section 8 of CASL ostensibly deals with spyware and malware.
Hackers are not the only problem; think of the Sony Rootkit case
(See our earlier post here) as another
example of the kind of thing that this law was designed to
This is the essence of Section 8: "A person must not, in
the course of a commercial activity, install ...a computer program
on any other person's computer system... unless the person has
obtained the express consent of the owner ..." This applies
only if the computer system is located in Canada, or if the person
either is in Canada at the relevant time or is acting under the
direction of a person who is in Canada at the time when they give
This relatively simple idea - get consent if you
want to install an application on someone else's system in
Canada - has far-reaching implications due to
the way the legislation draws the definitions of "computer
program" and "computer system" from the Criminal
Code. As you can guess, the Criminal Code definitions are
extremely broad. So, what does this mean in real life?
Certain types of specified programs require "enhanced
disclosure" by the software vendor. (I am saying 'software
vendors' as those are the entities most likely to bring
themselves into compliance. Of course, hackers and organized crime
syndicates should also take note of the enhanced disclosure
Express consent, under this law, means that the consent must be
requested clearly and simply, and the purpose of the
consent must be described;
The software vendor requesting consent must describe the
function and purpose of the computer program that
is to be installed;
The software vendor requesting consent must provide an
electronic address so that the user can request, within a period of
one year, that the program be removed or disabled;
Note that if a computer program is installed before
January 15, 2015, then the person's consent is implied. This
implied consent lasts until the user gives notice that they
don't want the installation anymore. Or until January 15, 2018,
whichever comes first. I'm not making this stuff up, that's
what the Act says.
One more thing: Enhanced disclosure does not apply if
the computer program only collects, uses or communicates
"transmission data". Transmission data is what you might
call envelope information. The Act defines it as data that
deals with "dialling, routing, addressing or
signalling" and although it might show info like
"type, direction, date, time, duration, size, origin,
destination or termination of the communication", it does not
reveal "the substance, meaning or purpose of the
communication". So there is effectively a carve-out for
the tracking of this category info.
Don't worry, Canadian anti-spam laws are kind of like Lord
of the Rings: Sequels will keep coming whether you like it or not.
Once we're past January 15, 2015, you can look forward to July
1, 2017, which is the day on which sections 47 to 51, 55 of
CASL come into force. These provisions institute a private right of
action for any breach of the Act.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).