Canadian Anti-Spam Legislation: Part 2
Posted on January 9, 2015
Richards Buell Sutton’s Information Technology Newsletter
By: D. Scott Lamb
What Happens Next – Computer Programmes and Consent
Much of the attention in 2014 with respect to the new Canadian Anti-Spam Legislation commonly referred to as CASL, concerned the impact CASL had on organizations communicating commercial electronic messages (CEMs) in their businesses such as e-mail messages.
While there were significant concerns, much of it justified as to the cost and uncertainty created by the new legislative landscape governing marketing and business practices regarding CEMs, a very important part of CASL is only yet to come into force concerning the distribution of computer programmes.
On January 15, 2015, the sections of CASL imposing a new legislative scheme for installation of computer programmes will come into effect.
Again, CASL has been criticized as causing undue expense and compliance uncertainties for business owners in imposing this new legislative scheme upon the computer software industry.
The provisions in CASL requiring consent for delivery of computer programmes from recipients are not found in any comparable legislation among Canada’s major trading partners and software providers are left to deal with Canadian customers in isolation to all of their other markets, particularly the United States.
At the heart of these new provisions is section 8 of CASL which requires that:
A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5).
The definition of “computer programmes” and “computer systems” are very broad and includes computer desktops, smart phones and potentially even consumer products such as appliances.
It is important to note that express consent is not required where the computer program is one of the following:
- a cookie;
- HTML code;
- Java scripts;
- an operating system; and
- any other computer program executable only through the use of a program which has previously been consented to.
The Regulations to CASL also provide exceptions to compliance for the following:
- network security;
- updates and upgrades to a network;
- correcting computer program failures; and
- programmes installed by or on behalf of a telecommunications service provider solely to protect its network from a current and identifiable threat to the availability, reliability, efficiency or optional use of its network.
There are two levels of disclosure required by a computer program provider in order to obtain consent:
1. Minimum Disclosure
In seeking consent there must be a clear and simple description in general term of the computer program.
2. Enhanced Disclosure
If the computer program meets malware or spyware criteria, the consent is given only where it is given clearly and prominently, and separately apart from the license agreement. The person requesting the consent must:
- describe the program’s material elements that perform functions, including the nature and purpose of those elements and the reasonably foreseeable impact on the operation of the computer systems; and
- those elements are brought to the attention of the person from whom consent is sought.
There are transition provisions for the consent requirement for installation of computer programmes under CASL. If a computer program was installed before CASL came into force, the consent to install or upgrade the program is implied until whichever occurs earlier:
- notification that consent is no longer given; or
- until three years after CASL comes into force.
As with the CEM provisions under CASL, the failure to comply with the consent provisions of CASL carry with it significant potential liability.
Administrative monetary penalties can be levied against those who contravene CASL of up to $1 million for individuals and up to $10 million for organizations. There is also vicarious liability to organizations for the acts of their employees along with liability to officers, directors, and agents if they direct, authorize, assent to, acquiesce or participate in the prohibited act. As well, there is liability to anyone who induces or procures a prohibited act under CASL.
Importantly, a private right of action will come into force on July 1, 2017 allowing for individuals and class actions to seek compensation for loss, damages and expenses.
In conclusion, it is hoped that this legislative framework achieves its goals to protect Canadians from unwanted spyware, malware and ensure they obtain full disclosure of what is installed on their computer systems. However, the consent requirements for installation of computer programmes are novel to Canada, impose a compliance obstacle for computer program providers and the failure to comply may result in significant liability.