By now, you have probably heard of, or been warned about, the soon-to-be-in-force Canada Anti-Spam Legislation (“CASL”). Most people who hear about CASL assume it deals with the regulation of spam email. This is a misconception of CASL’s breath. As I discussed in previous posts (here and here), CASL regulates much more than what one would consider traditional spam email. It prohibits the sending of any commercial electronic messages (“CEMs”) without having obtained the prior consent of the receiver of that message (with some exceptions). Additionally, CASL regulates many other IT related practices, including the installation of computer programs and the unauthorized electronic collection of personal information and email addresses.
CASL’s computer program requirements
Beginning on January 1, 2015, it will be prohibited for anyone to install, update, or upgrade a computer program (e.g., software, mobile apps, video games, etc.) on any computer or device in Canada (i.e., tablet, phone, video game consoles, etc.), without first obtaining the express consent of the owner of that computer or device.
In very limited circumstances, express consent may be assumed:
- If consent (for the update or upgrade) was expressly provided at the time the program was installed;
- for telecommunication service providers;
- to address a failure in the system’s software or hardware; and
- for specific types of programs (e.g., cookies, HTML code, Java scripts, operating systems etc.);
If the computer program performs any of the following specific functions:
- collects personal information;
- interferes with owner’s ability to control his/her device;
- changes settings or preferences without the owner’s knowledge;
- interferes with data, preventing the owner from accessing it;
- causes the device to communicate with another without the knowledge of the owner; or
- installs any software that can be activated remotely by a third party,
then specific express consent for performance of these functions must be sought and clearly explained to the owner (separate and apart from the consent to the license agreement and/ terms and conditions of use of the program). In other words, if the computer program you sell or provide performs any of these functions, you must ensure that the person who downloads/installs that program knows and understands what the program is doing (in plain language).
What does this mean for you?
If your business operates in the technology, IT and/or online industries you need to pay close attention to CASL. For example, if you sell or develop an app, you should obtain express consents for all current and future downloads, and ensure that consent is worded in a manner that complies with CASL’s specific requirements. If you sell, develop, or manufacture software, or hardware that contains software, you need to obtain consent from all existing and future Canadian customers, with language that complies with CASL.
If you are not in the IT business, you may still require compliance, as you may unknowingly be causing a computer program to be installed. For example, if your business provides its employees with remote access to the office, that function may require the installation of a computer program that requires CASL compliance.
You should therefore conduct an internal audit of your IT functions and systems and determine whether compliance is needed. If so, requests for express consents must be sent out to customers before July 1, 2014. That is because emails requesting consents to comply with CASL constitute CEMs and will be prohibited after July 1, 2014.
Address harvesting and electronic collection of personal information
CASL prohibits the electronic (online) collection and use of personal information and email addresses, without the express consent of the person who owns the information and address.
These days, most business’ online marketing and advertising strategies includes the use of email addresses and other personal information for the purpose of target marketing. In fact, many online platforms and websites, such as Google and Facebook, provide businesses with the option of tracking users’ online activity. This is often done through the use of computer code that collects and/or uses email addresses. Indeed, we have all received emails from online retailers that “surprisingly” offer us deals on items we had been researching online. This form of target marketing uses computer code that collects and/or uses personal information and/or email addresses and may be captured by CASL.
I recommend conducting an audit of your business’ online marketing and advertising strategies to determine whether compliance with CASL is required. Once again, any requests for express consent must be sent out before July 1, 2014 to ensure CASL compliance.
- The new privacy tort – Another victory for victims of cyberbullying - February 16, 2016
- Canadian cyberbullying laws – Where are they now? - January 18, 2016
- My website allows users to post comments – can I be liable for defamation? - November 18, 2015