Just when everyone was finally getting comfortable complying
with Canada’s Anti-Spam Legislation (CASL) requirements for communicating
commercial messages electronically, along came the CASL provisions that apply
to the installation of “computer programs” – software, apps and other programs.
If your business or organization installs software or other
computer programs on other people’s connected devices in Canada, including
mobile apps, you should be aware of the significant new requirements that came
into force as of January 15, 2015. These provisions will impact software
vendors, app developers, gaming and entertainment companies as well as other companies
that are in the business of providing software to businesses and individuals in
Canada.
Like CASL’s “spam” provisions:
- the software provisions
apply where a Canadian is the recipient – in this case, the recipient of
the software, app, or other program;
- the installation of
computer programs regime under CASL is also based on “express consent”, as
defined by the legislation; and
- significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.
The CRTC’s guidance document confirms that generally
speaking, CASL does not apply to self-installed software. This means that any
time an individual knowingly downloads and installs an app or program, or loads
software from a CD, or accepts a prompt to update an existing program, CASL
will not apply. Of course, this exclusion only applies if the scope of
installation is consistent with the program functionalities the consumer
expected. The guidance document suggests that if a second program or function
is automatically installed or executed when a person deliberately installs a
program, CASL would be triggered by the second installation. The CRTC gives the
examples of installing a game application that also installs malware, or a
music CD that surreptitiously executes concealed software. So no “tag-alongs”
with a consumer’s self-installation.
There are also helpful deemed and implied consent provisions.
For the first three years, computer programs that were installed before January
15, 2015 will be subject to implied consent until January 15, 2018, unless the
owner/authorized user gives notification that they no longer consent to the
original installation.
In addition, if a person’s conduct is such that it is
reasonable to believe that they consented to the program’s installation,
consent is deemed to have been provided for certain types of installations,
including cookies, HTML code, Javascript, operating systems, and all programs
executable through another program that was already consented to. However, if
the owner/authorized user has, for example, disabled cookies or Javascript, or
activated “do not track” functionality, this is sufficient (according to the
CRTC) to negate deemed consent.
Stay tuned, things will get even more interesting once the
private right of action provisions in CASL come into force…
