Case highlights CRTC commitment to sanction companies for violating lesser-known provisions of CASL
On September 30 the Canadian Radio-television and Telecommunications Commission (CRTC), which is tasked with enforcing Canada's Anti-Spam Legislation (CASL), announced that it had reached a voluntary undertaking with Notesolution Inc. (doing business as OneClass) to resolve several alleged violations of the Act. As part of its agreement with the CRTC, OneClass agreed to pay a monetary payment of $100,000 to the Receiver General of Canada and implement a compliance program.
OneClass primarily operates an online platform for students to share notes and materials. Postsecondary school students can access student-created exam study guides, lecture notes and video tutorials.
In response to complaints from recipients, the CRTC investigated allegations that OneClass had sent commercial electronic messages (CEMs) without consent between October 31, 2016 and March 25, 2020 to promote its business through one-time and monthly purchases of varying subscription lengths in Canada as well as globally, in violation of paragraph 6(1)(a) of the Act and section 4 of the Electronic Commerce Protection Regulations (CRTC) SOR/2012-36 (the Regulations).
The CRTC's Chief Compliance and Enforcement Officer also alleged that OneClass installed a computer program, known as the "OneClass Easy Invite Chrome Extension," on the computer systems of postsecondary students between October and November 2016, without their express consent or setting out the purpose for which consent was being sought. The CCEO further alleged that OneClass should have been aware that the "OneClass Easy Invite Chrome Extension would cause the computer system to operate in a manner contrary to the reasonable expectations of the owners or authorized users of those computer systems" as it collected personal information stored on the students' computer systems, including usernames and password credentials, in violation of sections 8(1)(a), 10(1)(a), 10(3), 10(4), and 10(5)(a) of the Act as well as section 5 of the Regulations.
The case is interesting as it highlights the CRTC's commitment to sanction companies for violating the lesser-known provisions of the Act relating to the installation of computer programs. In addition to its focus on email, section 8 of CASL expressly prohibits organizations from installing, during the course of a commercial activity, computer programs (software) on other persons' computer systems (or to cause an electronic message to be sent from that computer system) without the express consent of the owner or authorized user of the computer system.
This prohibition covers all computer devices, including laptops, smartphones, desktops, gaming consoles or other connected devices. In the absence of a court order, the Act also requires organizations that wish to lawfully install computer programs ('installing organization') to meet additional technical requirements to the standard CASL consent requirements set out in the Act.
Subject to limited exceptions in the Act — i.e. for programs such as cookies, html, or bug fixes/patches — when requesting consent, the installing organization must clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given.
CASL also sets out additional requirements. If the computer program that is to be installed performs one or more of the functions described in the paragraph below, the installing organization must, clearly and prominently, (a) describe the software program's material elements that perform the function or functions, including (i) the nature and (ii) purpose of those elements and (iii) their reasonably foreseeable impact on the operation of the computer system; and (b) clearly bring those elements to the attention of the person from whom consent is being requested. Significantly, this must be provided in a transparent fashion, separate and apart from the terms and conditions, document or end-user licensing agreement.
The list of functions that trigger these additional notification requirements is lengthy and encompasses any function that will cause the computer system to "operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system." This includes (a) collecting personal information stored on the user's computer system; (b) interfering with the owner's or an authorized user's control of the computer system; (c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system; (d) changing or interfering with data that is stored on the user's computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner/authorized user of the computer system; (e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner/authorized user of the computer system; (f) installing a computer program that may be activated by a third party without the knowledge of the owner/authorized user of the computer system; etc. Limited exemptions exist, such as for computer programs that only collect, use or communicate transmission data. Critically, all of the above must be done prior to the installation of the computer program.
Lastly, section 11(5) of the CASL also requires an installing organization to provide the individual who gave their consent with an electronic address to which s/he can send a request to remove or disable that computer program for a period of one year from the date of installation, if s/he believes that the function, purpose or impact of the computer program installed under the consent was inaccurately described by the installing organization when consent was requested.
If the installing organization receives a request during that year to remove or disable that computer program from a recipient alleging that his/her consent was based on an inaccurate information, the organization must assist that person in removing or disabling the computer program as soon as feasible without cost to the person who gave the initial consent. Based on the facts of the investigation, OneClass failed to meet any of the foregoing requirements to lawfully install computer programs on third-party computer systems.
The undertaking noted that during the course of the investigation, OneClass had cooperated with the CRTC and had voluntarily agreed to resolve the CCEO's outstanding concerns regarding its compliance with the Act and the Regulations. This no doubt led to the CRTC agreeing to a lesser monetary payment from OneClass, as the Act provides for administrative monetary penalties for a violation of Sections 6-9 of the Act of $1,000,000 in the case of an individual, and $10,000,000 in the case of an organization.
In addition to a $100,000 monetary payment, OneClass also consented in the undertaking to develop and implement a compliance program addressing the sending of CEMs, which will include (i) corporate compliance policies and procedures; (ii) training and education for employees of OneClass; and, (iii) monitoring, auditing and reporting mechanisms. The undertaking also requires OneClass to monitor and review its policies and procedures to determine whether any have the effect of providing financial or other incentives for employees to violate the Act and the Regulations and, if so, OneClass assented to eliminate such incentives.
OneClass also agreed to register and track CEM complaints and the subsequent resolution of those complaints. Overall, it confirmed that it would implement effective and necessary corrective measures for its compliance failures, and it is obliged to maintain regular communication with the CRTC from time to time to determine compliance with the Act and the Regulations.
It is also worth noting that in connection with this decision, the Commission advised that it updated its Requirements for Installing Computer Programs guidelines to provide clearer guidance in this area, underscoring that Canadian organizations subject to CASL must be mindful of complying not only with the commercial electronic message requirements of CASL, but with other requirements of the Act as well.
This article originally appeared in Canadian Lawyer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.