Canada’s Anti-Spam Legislation (CASL) Software Installation Sections Effective January 15, 2015: 10 FAQs
December 11, 2014
By Trent Skanes, at McInnes Cooper
On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect. CASL’s anti-spam sections, touted as the toughest in the world, came into force on July 1, 2014 – and had businesses scrambling to comply. CASL’s software provisions impose equally broad and onerous procedural requirements for companies and individuals installing computer programs on computer systems.
Here are the answers to 10 frequently asked questions about CASL’s new software provisions to help you decide whether they apply to you – and if so, what you need to do to comply:
- What do the new software provisions apply to? CASL’s software provisions only apply to “computer programs” that are “installed” on another person’s “computer systems” in the “course of commercial activity.” They apply to installations on computer systems located in Canada even if the installation originated elsewhere, and to installations on computer systems currently located outside of Canada if the installer was in Canada (or acted under the direction of a person in Canada) when she installed the program.
- What are computer “systems” and “programs”? The definitions are borrowed from the Canadian Criminal Code:
- “Computer system” means a device (or a group of interconnected or related devices one or more of which) that: contains computer programs or other data; and pursuant to computer programs, performs logic and control, and also may perform any other function besides logic and control.
- “Computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.
- What is “installed”? It’s not clear yet. CASL doesn’t define “install” or “installer” – and the CRTC hasn’t released anything to provide a glimpse into how it will approach it.
- What’s “in the course of commercial activity” CASL defines “commercial activity” as any course of conduct of a commercial character, whether or not it’s carried out in the expectation of profit. Computer programs installed outside of the course of commercial activity include programs designed for law enforcement and public safety purposes. CASL doesn’t apply to owners or authorized users installing software on their own computer systems (e.g. personal computers, mobile devices or tablets), but it’s not yet clear whether computer software an employer installs on employee devices (particularly in the “Bring Your Own Device” context) or its affiliate or client computer systems for internal operational reasons is caught.
- If it applies to my activities, what do I have to do? Get express consent. Under CASL’s software sections, a person (or company) can’t, in the course of commercial activity, install a computer program on another person’s computer system – or cause an electronic message to be sent from that installed computer program – unless she:
- has the “express consent” of the owner or the authorized user of the computer system; or
- acts according to a court order.
But you don’t require express consent in these cases:
- Exception. When a user consents to future updates and upgrades at the same time that she expressly consents to install the program itself, then the installer does not require any further consent when she actually installs the update.
- Deemed Consent. CASL deems users to consent to the installation of these computer programs if the user’s conduct shows it’s reasonable to believe she consented to it:
- Cookies (but it’s not entirely clear what “cookies” means; Industry Canada’s material states cookies are not executable programs while the CRTC asserted that cookies are programs but not installed so aren’t subject to CASL’s prohibitions);
- HTML code;
- Operating systems;
- Any program executable only through use of another computer program for which the user has already consented to installation; and
- Any program CASL specifies. CASL currently lists a number of such programs that focus on security, updates, and repairs: telecommunications service providers (a person who – independently or as part of a group or association – provides telecommunications services) may install computer programs to protect network security or upgrade the network; installers may install computer programs that solely correct failures in the computer system or program.
- How do I get “express consent”? Generally, the installer has to ask for the user’s consent – and must disclose this information in the consent request:
- the reason the installer is seeking consent;
- the full business name of the installer seeking consent;
- the installer’s mailing address, and one of the installer’s telephone number, email address, or web address;
- if consent is sought on behalf of another person, a statement indicating who is seeking consent and on whose behalf consent is being sought;
- a statement that the user may withdraw consent for the computer program’s installation at any time; and
- a clear and simple description, in general terms, of the computer program’s function and purposes . We don’t yet know the extent to which an installer must describe the program to satisfy CASL.
But if an installer “knows and intends” that a computer program will cause a computer system to operate in a way its owner doesn’t reasonably expect, the installer must provide a higher level of disclosure and acknowledgement to get the user’s express consent.
- What types of computer programs require the higher level of disclosure and acknowledgement? Computer programs that the installer “knows and intends” will perform one of these functions:
- collecting personal information stored on the computer system;
- interfering with the user’s control of the computer system;
- changing or interfering with settings, preferences, or commands already installed or stored on the computer system without the user’s knowledge;
- changing or interfering with data stored on the computer system in a way that obstructs, interrupts or interferes with lawful access to or use of that data by the user;
- causing the computer system to communicate with another computer system, or other device, without the user’s authorization;
- installing a computer program that may be activated by a third party without the user’s knowledge; and
- performing any other function CASL specifies (there are none as yet).
But computer programs performing one of these functions do not require heightened disclosure or user acknowledgments if the function only collects, uses, or communicates “transmission data” (which CASL defines as data that (a) relates to the telecommunications functions of dialling, routing, addressing or signalling; (b) either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and (c) does not reveal the substance, meaning or purpose of the communication).
- What is the higher level of disclosure and acknowledgement required? When installing a computer program that operates contrary to the system owner’s reasonable expectations the installer must do more than merely describe the program in clear and simple terms; she must clearly and prominently:
- describe the computer program’s material elements, including the nature and purpose of those elements and their reasonably foreseeable impact on how the computer system operates;
- bring the material elements to the attention of the user separately from any other information it provides in a request for consent; and
- obtain the user’s written acknowledgement that the user understands and agrees that the computer program performs the specified functions.
- Can a User Withdraw Consent? Yes. Computer programs caught by the higher level of disclosure (see FAQ 8 above) must give the user an electronic address valid for at least one year after installation so the user can ask the installer to remove or disable the computer program. A user can make this request if she believes the installer didn’t accurately describe the “function, purpose, or impact” of the computer program when the installer requested consent to install it. If the installer gets a removal request within one year of installation, and consent was based on an inaccurate description of the program’s material elements, then the installer must assist the user in removing or disabling the program as soon as feasible – and at no cost to the user. We don’t yet know the scope of this “duty to assist” – but it’s likely that failing to assist a user when required to do so will attract CASL’s penalties – and they are significant (see McInnes Cooper’s: Counting Down To Canada’s Anti-Spam Legislation (CASL) – 10 Reasons Why You Should Care About The Upcoming CASL Right Now). Beyond that, you aren’t generally required to help users remove software from their computers.
- Is there a “grace period”? Yes. If a computer program was installed on a user’s computer system before January 15, 2015, that user’s consent to the installation of an update or upgrade will be implied until the earlier of January 15, 2018 or the date the user gives notice that she no longer consents to the installation. However, it appears that installers must comply with CASL when installing any new computer programs (rather than updates to existing ones) from January 15, 2015 onward.
Visit McInnes Cooper’s CASL Knowledge Page at www.mcinnescooper.com/services/privacy/casl/ to learn more about CASL.
Please contact your McInnes Cooper lawyer or any member of our McInnes Cooper CASL Team to discuss this topic or any other legal issue.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2014. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at email@example.com to request our consent.
- Share with others
- Stay informed with our legal updates by subscribing.