CASL Round 2: Computer Programs
On January 15, 2015 section 8 of the Canadian Anti Spam Legislation (CASL) will come into play, and it’s my job to make sure you’re prepared for it. If you need a refresher on section 6, which came into effect July 1st, definitely check it out here.
Otherwise, buckle up and let’s go!
What’s the Same
- All of the previously laid out pieces of the legislation are still in effect, including the super stiff penalties for non-compliance.
- Similar to electronic messages, expressed consent is required to install computer programs on a user’s computer.
- A three year transitional period will begin at the time that this section of the legislation comes into play.
- The onus is on the installer to prove that they had consent if called into question.
The focus of section 8 is the installation of “computer programs” and it is intended to crackdown on spyware and malware. Basically, if you are installing a piece of software or a program on a user’s computer then you need their expressed consent to do so. Further, there are new and necessary disclosure elements that also must be made available.
The basic requirements when seeking consent for programs are very similar to the CASL guidelines for sending electronic messages. When seeking consent you must clearly lay out:
- The function and purpose (in general terms) of the computer program that is to be installed.
- The purpose(s) that for which the consent is being sought.
- Identifying information for the party seeking consent.
- A statement saying that the user can unsubscribe at any time at no cost to them.
As the issue of installing computer programs is more complex than the sending of electronic communications, special functions-specific disclosures must be made along with written acknowledgements if you know the intended program will cause a computer to “operate contrary to the reasonable expectations of the owner or user in respect to:
- collecting personal information stored on the computer system
- interfering with the owner’s or an authorized user’s control of the computer system
- changing or interfering with settings, preferences, or commands already installed or stored on a computer system without the knowledge of the owner or an authorized user of the computer system
- changing or interfering with data that is stored on a computer system in a manner that obstructs, interrupts, or interferes with the lawful access to or use of that data by the owner or an authorized user of the computer system
- causing the computer system to communicate with another computer system without the authorization of the owner or an authorized user of the computer system
- Installing a computer program that may be activated by a third party without the knowledge of the owner or authorized user of the computer system”
This basically means that with any “invasive” programs, specific disclosure must be made so that the user understands exactly what they are getting into. With ALL of the above, failure to meet the disclosure requirements instills an obligation for the installing party to assist the owner/user to remove/disable the program at no cost if called upon to do so. Penalties within this section of CASL are the same as before—Up to $1M for individuals and up to $10M for businesses.
“CASL deems a person to have provided express consent for the installation of a computer program, if it is reasonable to believe that the person consented to the installation based on the person’s conduct, and the computer program is:
- HTML code
- Java Scripts
- an operating system
- any other program that is executable only through the use of another program whose installation or use the individual has previously expressly consented to”
Further exemptions (if it is reasonable to believe that the owner/user of the computer consented to the program’s installation) include:
- a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency, or optimal use of its network.
- a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network
- a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose
Automatic updates are also exempt so long as the original installation of the program was done so in accordance with the consent and disclosure requirements.
The rules and regulations around CASL are extremely ambiguous and therefore are very difficult to interpret. Ultimately, if your company either directly or indirectly installs or distributes computer software of any kind, then you need to be thinking about how to stay compliant with the law. It might even be best to seek out legal advice if you feel that your business is at risk.
If you have any questions or concerns regarding the new legislation, please feel free to comment below or contact us directly. We’re there for you!
***Please note the foregoing is provided to you as general information only, and is not intended as a substitute for specific legal advice or counsel. Please contact proper legal council to obtain specific legal advice before taking or refraining from taking any action.***