This Alert is Part 1 of 2, and it addresses some of the CRTC’s guidance regarding CASL’s installation of computer program provisions. Part 2 of this Alert, which will be released in early February, will address more of the CRTC’s guidance.
Another CASL in-force date
On January 15, 2015, section 8 of Canada’s Anti-Spam Legislation (CASL) comes into force.
Under section 8, it is prohibited to install, or cause to be installed, a computer program onto another person’s computer system (e.g. desktop, laptop, smartphone, tablet, gaming console or other device connected to the Internet) in the course of a commercial activity without the express consent of the owner of the computer system or an authorized user (e.g., an employee or a family member).
Additionally, it is prohibited under section 8 for a person, who has installed or caused to be installed a computer program onto another person’s computer, to cause an electronic message to be sent from that computer system unless the prior express consent of the owner or an authorized user of the computer system has been obtained.
Section 8 only applies if a computer system is located in Canada at the relevant time or if the person committing the prohibited act is either in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
On November 11, 2014, staff from the Canadian Radio-television and Telecommunications Commission (CRTC) released new guidance to help organizations and individuals understand CASL’s requirements for installing computer programs.
This new guidance was released at a joint CRTC and Industry Canada information session hosted by the Canadian IT Law Association (IT.CAN)’s Public Affairs Forum. In my role as the Chair of IT.CAN’s Public Affairs Forum, I chaired this information session. The CRTC concurrently published a guidance document entitled “CASL Requirements for Installing Computer Programs”, which is available at http://www.crtc.gc.ca/eng/info_sht/i2.htm.
What does “cause to be installed” mean?
The CRTC has provided two examples of what “cause to be installed” means:
1. If an individual installs an app and, unknown to the individual, the app also contains a concealed malicious computer program (malware) contained within the app, CASL would apply to the installation of the malware because the developer of the computer program would be considered to have caused it to be installed. CASL would not apply to the individual’s self-installation of the part of the app that he or she knew about.
2. If an individual purchases a music/audio CD and inserts it into his or her computer system to either listen to the music or transfer the audio files, and, unknown to the individual, the CD includes a concealed computer program that automatically commences when the CD is inserted into the computer system, CASL would apply because the distributer and/or the developer of the computer program would be considered to have caused the software to be installed.
Self-installed computer programs
Section 8 does not apply to computer programs that are knowingly installed by the owner or an authorized user on their own computer systems. For example, if the owner of a smartphone purchases and downloads an app from an online application store, the owner is considered to be installing the app on her own computer system, and CASL will not apply. Another example is when an organization installs a computer program onto a computer system that is, as between an organization and its employees, owned by the organization and used by its employees.
However, if another computer program is surreptitiously installed at the same time that a person knowingly self-installs a computer program, the surreptitiously installed computer program will be considered to have been “caused to be installed” on another person’s computer system and CASL will apply.
Off-line installations of computer programs
CASL does not apply to situations where a person purchases a computer program (e.g., a DVD or CD) and installs it onto their own computer system (e.g., an off-line installation), or other types of off-line installations.
When CASL applies to the installation of a computer program, express consent must be obtained from either the owner or an authorized user of a computer system before the installation of a computer program takes place. However, in some circumstances, individuals are considered to have expressly consented to the installation of a computer program, even when the individual’s express consent is not sought.
More information about deemed consent is available in section 10(8) of CASL and in section 6 of CASL’s Electronic Commerce Protection Regulations (SOR/2013-221).
Additionally, in the CRTC’s “CASL Requirements for Installing Computer Programs” guidance document, the CRTC has defined the following terms: (i) cookie; (ii) operating system; (iii) telecommunications service provider (TSP); and (iv) correcting a failure.
Subject to the availability of deemed consent, as discussed above, the express consent of the owner or an authorized user of a computer system is required in order to install a computer program onto that person’s computer system. Similar to CASL’s anti-spam information disclosure requirements, the person seeking consent must disclosure some required information such as the reason consent is being sought and a clear and simple description, in general terms, of the functions and purpose(s) of the computer program being installed. All of the required information should be reviewed and considered by organizations and individuals before seeking express consent. The responsibility to prove that express consent was obtained rests with the person seeking consent.
In addition, if a person withdraws their consent, an organization or individual can no longer rely on the consent for future updates or upgrades that are installed in the background (i.e, unknown to the person who provided consent).
Additional express consent required in some instances
Some computer program functions require the disclosure of additional information when consent is sought.
If a computer program performs one or more of the following functions:
(i) collects personal information stored on the computer system;
(ii) interferes with the owner’s or an authorized user’s control of the computer system;
(iii) changes or interferes with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(iv) changes or interferes with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(v) causes the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(vi) installs a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(vii) performs any other function specified in the regulations,
and the person seeking consent knows and intends that the function(s) will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system, then the person seeking consent must, when requesting consent, clearly and prominently, and separately and apart from the license agreement,
(a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and
(b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner.
Who is an “owner” or an “authorized user”?
In the “CASL Requirements for Installing Computer Programs” guidance document, the CRTC has stated that, for the purposes of CASL, an owner or authorized user includes anyone who has permission to use a particular computer system. The CRTC has provided the following four examples:
1. In the context of an employment relationship, the employer would be the owner and the employee would be the authorized user.
2. If an individual owns a computer but provides it to their child, spouse, or other relative for their sole use, the child, spouse or other relative is the authorized user of the computer.
3. If someone leases a device, the lessor will retain ownership of the device for the purposes of CASL and the lessee is the authorized user.
4. If a device is sent out for repair, the person conducting the repair would be considered an authorized user under CASL, but only to the extent that they perform the agreed-upon repairs to the device.
Updates and upgrades under CASL
Consent is required under CASL if an organization or individual wishes to install an update or an upgrade to a computer program. Several options for obtaining consent are available:
(i) Consent for future updates and upgrades can be obtained as part of the consent initially obtained to install the original computer program;
(ii) Consent can be assumed for an update or upgrade to one of the computer programs described in the section above headed “Deemed consent”;
(iii) If a computer program is self-installed by the owner or an authorized user of a computer system and an organization or an individual did not obtain consent for updates or upgrades at the time of the original installation, consents for updates and upgrades will have to be obtained in the same manner as consent for an original installation in a non-self-install situation; and
(iv) If a computer program was installed on a computer system prior to January 15, 2015, an organization or individual can update or upgrade the computer program, without consent, until January 15, 2018, unless the owner or an authorized user indicates that they no longer consent to the installation of future updates or upgrades.
Part 2 of this Alert
Part 2 of this Alert will be issued in early February and it will address topics such as: (i) firmware; (ii) undisclosed secondary functions; (iii) consents obtained prior to January 15, 2015; (iv) transferring a computer system with computer programs pre-installed; (v) what is the installation of software; and (vi) liability under section 8.
In late November, 2014, I delivered a presentation on section 8 of CASL as part of the MaRS Discovery District’s Best Practices Series and recorded a short informational video for MaRS. The video, entitled “Obtaining consent for computer program installations under Canada’s anti-Spam legislation: Three Hot Tips for Startups”, is available on MaRS’ website at http://www.marsdd.com/mars-library/obtaining-consent-for-computer-program-installations-under-canadas-anti-spam-legislation-three-hot-tips-for-startups/.
Another resource that may be of assistance is my August, 2014 article entitled “Developing a Corporate Compliance Program Under Canada’s Anti-Spam Legislation (CASL)”, which is available at https://www.millerthomson.com/en/publications/communiques-and-updates/intellectual-property-ip-and-information/2014-archives/august-26-2014.
Under CASL, there is a due diligence defence available against claims of non-compliance with CASL. This applies to both CASL’s computer program provisions as well as its anti-spam provisions.
If individuals and organizations take proactive steps to set up appropriate policies, procedures, and processes relating to activities prohibited under CASL, and properly enforce them, such individuals and organizations may be able to use their efforts as an aid to a due diligence defence, and such efforts may be a factor in determining liability or damage awards arising out of a CASL non-compliance claim.
If you would like to follow me on Twitter®, you can find me @canadaantispam.