Canada's Anti-Spam Legislation (CASL) is most widely known as the legislation which, as of July 1, 2014, prohibits the distribution of unsolicited commercial electronic messages. However, the legislation also contains provisions (as outlined in section 8 of CASL) which aim to curtail malicious software such as malware and spyware by requiring express consent for the installation of computer programs on another person's computer system and mandating enhanced disclosure if the software performs certain prescribed functions. These provisions came into force today, January 15, 2015, and because they do not clearly distinguish between malicious software and software used for legitimate business purposes have been a topic of frequent discussion among those in the legal community and technology sector looking for additional guidance on how to comply.
Generally speaking, Section 8 of CASL prohibits the installation of a computer program on another person's computer system as well as, having installed that program, causing the system to send messages, without first having obtained the express consent of the owner or authorized user of the computer system. CASL draws the definitions of "computer program" and "computer system" from the Criminal Code which capture much more than software conventionally understood to be malicious.1
Given the broad definitions for "computer programs" and "computer systems", for many companies, particularly those in the technology sector, early interpretations of this legislation have had a tendency to err on the conservative side, outlining significant process changes that would be required by software developers to secure consent. Such consent requirements could have far-reaching implications by placing onerous expectations on technology companies such as advising software application developers to increase the amount of pop-up windows prior to allowing a customer to install an application in order to ensure express consent had been obtained, which had the potential to interfere with these organizations' commercial development.
Fortunately, on November 10, 2014, the Canadian Radio-television and Telecommunications Commission (CRTC) released welcome direction on its interpretation of section 8 of CASL. This interpretation provides some relief to software developers as it places limits on this section, including clarifying the fact that self-installed software is not covered under CASL. Simply put, this clarification means that CASL does not apply to owners or authorized users of electronic devices or computer systems installing software on their own devices or computer systems. The CRTC's guidance provided several examples of where CASL will not apply and express consent will not be required, including, if a person goes to an app store to purchase and download an app on their own device, if a person installs software from a CD on to their own computer, if a person downloads software from a website and installs it on their own device, if a small business installs software on business devices used by its employees and if a previously installed app offers an update and the person installs the update (unless the app installs the update in the background, without prompting or informing the user, then CASL will apply). In addition, the CRTC also clarified that owners and authorized users extends to people who have permission to use the device or computer system such as an employee, child, spouse or other relative.
In terms of software upgrades there is a grandfathering provision which means that if a computer program was installed on a person's computer system before January 15, 2015, the person's consent to the installation of an update or upgrade is implied until January 15, 2018, unless the person advises that they no longer consent to the installation of an update. The CRTC suggests getting a user's consent to future updates at the same time that consent to install the computer program is obtained and notes that the onus of proving consent rests with the person installing the computer program.
Another key point from the CRTC's guidance was that if a computer program performs certain prescribed functions that normally would not be expected by the user (such as collecting personal information, interfering with the user's control of the device or causing the device to communicate with other devices, in each case without the user's authorization or knowledge), the installer must obtain the user's express consent prior to the installation of the program and clearly and prominently, and separate and apart from the license agreement, provide the user with a description of what the program does in relation to those functions and why it does it and the impact of those functions on the operation of the computer system.
While the CRTC guidelines discussed in this bulletin provide much needed clarity on CASL's consent requirements with respect to the installation of computer programs, the legislation will likely continue to be the subject of further interpretation. We will keep you informed on any developments with future bulletins.
1 CASL: section 9 defines "computer program" and "computer system" with reference to section 342.1(2) of the Criminal Code. "Computer system" means a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function. "Computer system" means a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.