CASL’s computer program rules cover much more than spyware

April 2018

The computer program provisions in Canada’s anti-spam law (known as “CASL”) came into force on January 15, 2015. Significantly, these rules go further in regulating the installation of computer programs than laws in other jurisdictions.

The rules impose an express (opt-in) consent regime on the installation of a computer program on another person’s PC, smart phone or other computer-based device, regardless of whether the program is installed for a malicious or fraudulent purpose. As a result, virtually all organizations that operate a website, offer mobile applications, incorporate software into their products or otherwise make software available to customers[1] need to review their practices for installing programs and implement a related compliance plan.

Stiff penalties

The rules can be enforced with stiff penalties, including administrative monetary penalties of up to C$10,000,000 for corporations (C$1,000,000 for individuals) and statutory damages of up to $1 million a day. A private right of action was scheduled to come into force on July 1, 2017, but has now been suspended. The private right of action would have allowed consumers and businesses to commence enforcement proceedings and recover damages.

Opt-in consent requirements

Any person who in the course of a commercial activity directly or indirectly installs a computer program on another person’s computer needs the prior, express consent of the other person, subject to limited exceptions. Express consent is also needed if any person, having so installed a computer program, causes an electronic message to be sent from the computer.

Applies outside Canada

These rules do not stop at Canada’s borders. For example, they apply to installations on computers located in Canada even if the installation originated elsewhere and to installations on a computer located outside Canada if the person who installed the program was in Canada or was acting under the direction of a person in Canada at the relevant time.

“Basic” disclosure requirements

When seeking consent, businesses are required to set out clearly and simply:

  • the function and purpose (in general terms) of the computer program that is to be installed;
  • the purposes for which the consent is being sought; and
  • prescribed information identifying the person seeking consent or the person on behalf of whom consent is being sought.

“Function-specific” requirements

Additional “function-specific” disclosures (including reasonably foreseeable impacts on the user’s computer and email contact information) and written acknowledgements are required if you know and intend that the program will cause a computer-based device to operate contrary to the reasonable expectations of the owner or user in respect of one or more of the following functions:

  • collecting personal information stored on the computer system;
  • interfering with the owner’s or an authorized user’s control of the computer system;
  • changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
  • changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
  • causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system; and
  • installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system. 

A failure to meet the function-specific disclosure requirements gives rise to an obligation to assist the owner or user of the computer-based device to remove or disable the program at no cost. Potential liability also exists under the general penalty provisions described above.

Exceptions to the express consent requirement 

CASL “deems” express consent to have been given for certain classes of computer programs if it is reasonable to believe that the owner or authorized user of the computer consented to the program’s installation. The applicable classes of programs identified in CASL are:

  • a cookie;
  • HTML code;
  • Java Scripts;
  • an operating system;
  • any other program that is executable only through the use of another program whose installation or use the individual has previously expressly consented to; and
  • any other program specified in the regulations.

Regulations issued under CASL add the following additional classes of exempt programs (with the exemption being triggered only if it is reasonable to believe that the owner or authorized user of the computer consented to the program’s installation):

  • a program that is installed by or on behalf of a telecommunications service provider[2] solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;
  • a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network;
  • a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.

To allow for automatic update services offered by many software publishers, the installation of an update or upgrade to a computer program is exempted from the express consent requirement if the program was initially installed in accordance with the consent and “basic” disclosure requirements, the initial consent entitles individuals to receive the update or upgrade and the installation is made in accordance with the initial consent. No exemption is provided in respect of the “function-specific” disclosure rules.

Critical legal issues 

There is no shortage of legal issues that businesses need to consider in the context of their compliance planning activities. Perhaps the four most significant issues applicable to the computer program rules are:

  • deciding whether CASL’s computer program provisions apply only to programs that are ‘pushed’ to an end user’s computer (or whether they also apply to other installations, such as downloads from a website or updates installed by businesses who provide customer support or repair services);
  • deciding whether consent can be obtained through an end user license agreement or terms of use document
    • although there is nothing in CASL that addresses this issue, the CRTC – which has regulatory enforcement powers – has suggested through non-binding enforcement guidelines that consent cannot be bundled with requests to confirm agreement with a license or other consumer agreement (such as privacy policies or general terms and conditions of sale); rather, the CRTC wants consumers to be given the opportunity to accept the agreement terms, but separately have the ability to refuse to provide consent for the installation of computer programs;
  • deciding whether consent can be obtained through the use of a pre-checked box
    • although there is nothing in CASL that addresses this issue, the CRTC has suggested through non-binding enforcement guidelines that valid consent cannot be obtained using pre-checked boxes or other forms of opt-out consent; and
  • deciding when it will be reasonable to believe that the owner or authorized user of the computer consented to the program’s installation for the purposes of the exceptions to the express consent requirement.
 

[1] “Computer program” is defined very broadly in CASL to mean “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.”

[2] “Telecommunications service” is defined very broadly in CASL as “a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest or right respecting the telecommunications facilities and any related equipment used to provide the service.” This definition will capture internet-based and electronic data service providers in addition to traditional telecommunications service providers like cell or telephone companies.