Organizations that wish to install software on a customer’s computer, phone or other device will require express consent as of January 15, 2015. The new rules under Canada’s anti-spam legislation (CASL) do not distinguish between malware and legitimate business software programs. CASL defines a computer program to include any data or symbols capable of causing a computer system to perform some function.
The new rules may appear simple, but organizations must ensure they pay attention to the details. Michael Fekete and Adam Kardash of Osler, Hoskin & Harcourt LLP write:
Any person who, in the course of a commercial activity, directly or indirectly installs a computer program on another person’s computer, will need the prior, express consent of the other person, subject to limited exceptions. Express [opt-in] consent will also be needed if any person, having so installed a computer program, causes an electronic message to be sent from the computer.
To help businesses understand what this all means, on November 10, 2014, the Canadian Radio-Television and Telecommunications Commission (CRTC) released guidance on the installation of computer programs that sets out:
- When consent is required for the installation of computer programs
- What computer program functions require the disclosure of additional information when seeking consent
- When certain exceptions to express consent requirements apply
- How updates and upgrades are treated under the Act
Understanding the exception: Self-installed software not covered by CASL
CASL does not apply to owners or authorized users installing computer programs on their own computer systems (e.g., personal devices such as computers, mobile devices or tablets). CASL only applies when you install or cause the installation of a computer program on another person’s device in the course of commercial activity.
Generally, “causing a computer program to be installed” refers to malicious or concealed software that is automatically installed without the user’s knowledge when the user attempts to install other software or inserts a CD or DVD into their computer.
The following examples of self-installed software are not covered by CASL:
- An app purchased and downloaded to a mobile device from an app store
- Software on a CD purchased from a store and installed on a computer
- Software from a website downloaded and installed on a device
- Software installed by a small business on its devices used by its employees
- An update to a previously installed app, which the user installs
In the last case, the guidelines state that if the app or software program installs the update in the background, without prompting or informing the user, then CASL applies.
In this sense, CASL applies to intrusive computer programs: those that, contrary to the user’s “reasonable expectations,” collect personal information stored on the user’s computer system; interfere with the user’s control of the computer system; surreptitiously change settings, preferences or commands; obstruct, interrupt or interfere with access to or use of data; cause communication with another computer system without authorization; or surreptitiously install additional programs that can be activated by a third party.
According to David Elder from Stikeman Elliott LLP, businesses should be aware that even in self-install scenarios, they may still have obligations under the anti-spam law.
Unexpected [additional] programs could include “tag-along” installations of programs such as browsers, toolbars and anti-virus software that are tied to the installation of a primary program. Unexpected functionality could include the collection of personal information from a device (even if only to identify the user), the modification of user settings or causing the program to communicate with another computer system, such as where programs report system errors and crashes to the software developer.
The CRTC has indicated that the reasonable expectations of users will be the key to a determination of what programs and features might be “unexpected”, based on a review of all relevant circumstances, including the nature of the program being installed and the nature and extent of the disclosures made by the relevant developer or distributor.
What is consent?
The law and CRTC guidance state that you must have consent to install software on another person’s computer. CASL further requires a person who installs a program capable of certain specified functions, including tracking or recording personal information, to give notice of and obtain a separate express consent in respect of each individual specified function.
CASL also extends the deemed consent rule to computer programs:
- Installed by a Telecommunications Service Provider (TSP) solely to protect the security of the TSP’s network from a current and identifiable threat
- Installed to update or upgrade the TSP’s network
- Necessary to correct a failure in the operation of a computer system or program installed on it and installed solely for that purpose (e.g., to fix a bug or security vulnerability)
To assist in transitioning to the new rules, there is a three-year transition period during which organizations that provide computer programs can update or upgrade their software. Implied consent exists only if the software program was installed before January 15, 2015, and only until the earlier of January 15, 2018, or the date on which an uninstall is requested.
Consent must come from the owner or an authorized user of the device
The “owner” or “authorized user” of a computer or device includes any person who has permission to use the computer or device. For instance:
- If an employer provides a device to an employee, then the employer is the owner of the device and the employee is the authorized user of the device
- If an individual owns a computer but provides it to their child, spouse or other relative for their sole use, then the child, spouse or other relative is the authorized user of the computer
- If a person leases a device, then the lessor is the owner of the device and the lessee is the authorized user of the device
- If a device is sent out for repair, then the person conducting the repair is an authorized user of the device, but only to the extent that they perform the agreed-upon repairs to the device
How to obtain consent?
CASL sets out the specific information that must be disclosed when requesting express consent to install a computer program. There are two levels of disclosure:
- Basic disclosure for “standard” programs, in which the organization must clearly and simply state the purpose for which consent is sought and the prescribed information identifying the person seeking consent (which is the same as for CEMs), and must clearly and simply describe, in general terms, the computer program’s function and purpose. The consent request must also state that the person whose consent is sought may withdraw consent; and
- Enhanced disclosure for programs that, contrary to the recipient’s reasonable expectations, perform certain invasive functions (including collecting personal information stored on the computer system, interfering with the user’s control of the computer system and changing already-installed settings or preferences without the user’s knowledge).
The person who has obtained consent has the responsibility to prove it; that is, the person who seeks consent should keep a record of it.
What about updates and upgrades?
According to the guidelines:
An update or upgrade is generally a replacement of software with a newer or better version, in order to bring the system up to date or to improve its characteristics. Usually the update or upgrade will have new features. Common software updates or upgrades include changing the version of an operating system, an office suite, an anti-virus program, or various other tools.
An update or upgrade makes changes to or replaces previously installed software. Retrieving current information and displaying it within a program is not considered to be updating the program within the context of CASL. For example, updating or refreshing information displayed in a program, such as refreshing the weather forecast in a weather app, or refreshing television listings in an electronic programming guide are not updates or upgrades for the purposes of CASL.
You need consent to install updates or upgrades. At the time you get the initial consent to install the original computer program, you can also seek consent for all future updates and upgrades.
The guidelines indicate that consent can be assumed for updates and upgrades to the specified computer programs discussed above (e.g., cookies and operating systems). However, if the program was self-installed by the device owner or authorized user and you didn’t get consent for updates or upgrades at the time of original installation, you will need to seek consent to install any updates or upgrades. You can do this in the same way that you would generally seek consent to install software.
The guidelines provide the example:
If a person installs an app from an app store on their own device, CASL would not apply. As a result, their consent for future updates may not have been requested by the app developer. If the software developer wishes to install an update to the app at a later date, they must obtain the person’s consent to do so. Alternatively, when the user self-installs the app, the developer can use that opportunity to request consent to automatically install future updates.
Penalties for non-compliance
The new rules will be enforced with stiff penalties, including administrative monetary penalties of up to $10,000,000 for corporations, $1,000,000 for individuals, and statutory damages of up to $1 million a day. As well, beginning on July 1, 2017, a private right of action will allow consumers and businesses to commence enforcement proceedings and recover damages. Class actions are anticipated.
As a result, virtually all organizations that operate a website, offer mobile applications, incorporate software into their products or otherwise make software available to customers will need to review their current practices for installing programs to ensure they are complying with CASL.