The electronic communications provisions of Canada's
Anti-Spam Law (CASL) came into force on July 1, 2014. CASL is
generally known for its sweeping regulation of "commercial
electronic messaging." However, in addition to the above
provisions, a number of CASL provisions set to come into force on
January 15, 2015, will impose new compliance burdens on businesses
that create, distribute or utilize computer systems in the course
of business – in other words, most of the businesses in

Broadly speaking, CASL prohibits a person from installing a
computer program on a computer system of another without the prior
express consent of the owner of the system, or an authorized user.
CASL defines a computer program to include any data or symbols
capable of causing a computer system to perform some function. CASL
further requires a person who installs a program capable of certain
specified functions – including functions that track or
record personal information – to give notice of and obtain a
separate express consent in respect of each individual specified

We anticipate that large enterprises will face a number of
compliance issues under the new CASL software provisions. To that
end, we suggest enterprises consider all of the implications of
this new compliance effort. Among those considerations, the
following six questions may be helpful when developing a corporate

Who owns and manages your IT assets? Many
large enterprises lease or license a range of IT assets from
various service providers. Others outsource IT functions to
specialized providers that can take advantage of economies of
scale, or use cloud-based services. CASL may create special
compliance obligations for such organizations, particularly where
IT assets are remotely controlled or updated.

Does your IT policy contemplate and harmonize with the
new provisions of CASL? Most large organizations already
utilize policies and processes to mediate employee interactions
with firm IT assets. If your business already has such policies in
place, you will need to reassess them to satisfy yourself that they
contemplate the effects of CASL – this is not only important
from a compliance perspective, it may also be important to help
support a due diligence defence to liability.

Do you permit employees to use their own smart phones
(e.g., bring your own device or BYOD)? Firms increasingly
permit their employees and managers to use "outside"
devices behind the corporate fence. If your business allows or
encourages employees to use outside devices, you will face special
considerations with respect to the application of CASL. As a
result, BYOD policies and practices should be reconsidered in light
of the information disclosure and other requirements of CASL.

Do you distribute, sell or license software to the
public? Businesses in the software sector may face
different application of the legislation, depending on the
distribution and implementation of the software. If you provide
traditionally-installed software, you may face different compliance
burdens from a business that provides software-as-a-service
(cloud-based services) (see Canada's Anti-Spam Legislation: An Advantage
for Cloud Computing?), and vice versa.

Does your business model rely on software functionality
included as a CASL "specified function"? CASL
provides for particularly onerous compliance burdens in respect of
specified functions – however, some businesses rely on some
of such functionality as a part of a legitimate business model,
such as, for example, remote help desk functions. If your business
relies on software functionality that could be characterized as one
of these "specified functions" under CASL, you will face
additional, difficult and new compliance obligations in

Does the grace period provided for in CASL apply to
software used, distributed or controlled by your
enterprise? CASL provides that software installed on a
person's computer system prior to January 15, 2015, is subject
to a grace period, under which the person is deemed to consent to
updates and upgrades until the person revokes such consent, or
until January 15, 2018, whichever comes first. As January 15, 2015,
is fast approaching, businesses will need to determine an
appropriate course of action in light of this grace period.

Our wide-ranging experience with the CASL prohibition on
commercial electronic messaging suggests that most large
organizations can meet their compliance obligations in respect of
software without materially affecting the bottom line.

A thoughtful assessment of the interface between the new CASL
software provisions suggests that early proactive action by
software vendors and enterprise users can minimize the risks of
non-compliance on January 15, 2015, when these provisions are in

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.