Canada's Anti-Spam Legislation (CASL), which came into force
in July this year and targets unsolicited commercial electronic
messages, also aims to curtail malicious software such as malware
and spyware. CASL achieves this objective by requiring express
consent for the installation of computer programs on another
person's computer system and mandating enhanced disclosure and
consent if the software performs certain prescribed functions.
These provisions, contained in section 8 of CASL, will come into
force on January 15, 2015, and have been extensively discussed in
both the legal and the tech communities, because section 8 applies
to far more than the software conventionally understood to be
spyware or malware.
On November 10, 2014, the Canadian Radio-television and
Telecommunications Commission (CRTC) released guidance on its interpretation of section 8 of
CASL. This interpretation appears to limit the otherwise broad
scope of the section. Most significantly, the CRTC has provided
guidance on who will be considered to "install or cause to be
installed" software and appears to limit application of the
section to software that is pushed to the user rather than pulled
by the user.
The following are key points from the CRTC's guidance:
An owner or authorized user includes anyone who has permission
to use a particular device or computer system, such as an employee,
a child, a spouse or other family member.
CASL does not apply to owners or authorized users who install
software on their own electronic devices. For instance, if owners
or authorized users download an app on their mobile devices or
install software from a CD on the user's computer, CASL will
not apply. However, if another program is concurrently and
surreptitiously installed or the program itself, unbeknown to the
user, performs certain functions that would otherwise require
enhanced disclosure and are not reasonably expected by the user,
CASL will apply. These functions include collecting personal
information, interfering with the user's control of the device
and causing the device to communicate with other devices, in each
case without the user's authorization or knowledge.
If a computer program performs a prescribed function that the
user would not expect, a description of the function and its impact
on the computer system must be disclosed and express consent
obtained prior to installation. That consent must be separate from
the terms and conditions of the user-licence agreement. However,
the mere inclusion of these functions on self-installed programs
does not require disclosure and consent unless the functions are
not reasonably expected by the user.
Although the CRTC guidance is welcome, because the application
of section 8 of CASL may depend on the reasonable expectations of a
user, much uncertainty remains. The boundaries of section 8 may
therefore not become clear until enforcement actions start and the
first cases hit the courts.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).