Friday, February 13, 2015

Just when you thought it was safe…More CASL Requirements

By Wendy Hulton

Just when everyone was finally getting comfortable complying with Canada’s Anti-Spam Legislation (CASL) requirements for communicating commercial messages electronically, along came the CASL provisions that apply to the installation of “computer programs” – software, apps and other programs.

If your business or organization installs software or other computer programs on other people’s connected devices in Canada, including mobile apps, you should be aware of the significant new requirements that came into force as of January 15, 2015. These provisions will impact software vendors, app developers, gaming and entertainment companies as well as other companies that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s “spam” provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the installation of computer programs regime under CASL is also based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.
The Canadian Radio-Television and Telecommunications Commission (“CRTC”) has published an interpretation bulletin, entitled “CASL Requirements for Installing Computer Programs”. This bulletin provides some guidance on the applicability of CASL to software or computer program installations in the course of commercial activity, including requirements for disclosure and consent, and specific guidance on updates or upgrades to software.

The CRTC’s guidance document confirms that generally speaking, CASL does not apply to self-installed software. This means that any time an individual knowingly downloads and installs an app or program, or loads software from a CD, or accepts a prompt to update an existing program, CASL will not apply. Of course, this exclusion only applies if the scope of installation is consistent with the program functionalities the consumer expected. The guidance document suggests that if a second program or function is automatically installed or executed when a person deliberately installs a program, CASL would be triggered by the second installation. The CRTC gives the examples of installing a game application that also installs malware, or a music CD that surreptitiously executes concealed software. So no “tag-alongs” with a consumer’s self-installation.

There are also helpful deemed and implied consent provisions. For the first three years, computer programs that were installed before January 15, 2015 will be subject to implied consent until January 15, 2018, unless the owner/authorized user gives notification that they no longer consent to the original installation.

In addition, if a person’s conduct is such that it is reasonable to believe that they consented to the program’s installation, consent is deemed to have been provided for certain types of installations, including cookies, HTML code, Javascript, operating systems, and all programs executable through another program that was already consented to. However, if the owner/authorized user has, for example, disabled cookies or Javascript, or activated “do not track” functionality, this is sufficient (according to the CRTC) to negate deemed consent.

Stay tuned, things will get even more interesting once the private right of action provisions in CASL come into force…