Many of us were working hard to become compliant (or get our clients compliant) with the July 1, 2014 deadline imposed by the Canadian Anti-Spam Legislation (CASL) for compliance with the prohibition against sending unwanted commercial electronic messages. While July 1 has come and gone, many are now scrambling to untangle Phase 2 of CASL – the prohibition against the installation of unwanted computer programs.
The computer program provisions of CASL will come into force on January 15, 2015. A date otherwise known as “pretty damn soon”.
The general rule comes from s.8(1) of CASL.
A person must not, in the course of a commercial activity, install or cause to be installed a computer program on another person’s computer system or having so installed or caused to be installed on a computer system, cause an electronic message to be sent from the computer system, unless
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements]; or
(b) the person is acting in accordance with a court order.
What does this mean?
Much like Phase 1 that intended to limit or eliminate spam, the intent of Phase 2, at a high level, is intended to limit or eliminate malware or spyware. However, much like Phase 1, the wording of CASL goes way beyond this initial intent.
Essentially, if you are installing a computer program on another’s computer, you must have their express consent to do so unless an appropriate exemption or exception applies.
The definition of “computer program” is broad enough to include any program that causes a computer system to perform a function . Therefore, the legislation applies not only to malware or spyware but also to the installation of apps and updates.
The definition of “computer system” is similarly broad and can include any device that may contain computer programs, including desktop, laptop and tablet computers, smartphones, even potentially your car or fridge.
IMPORTANT NOTE: We must be very clear that CASL only applies to installing computer programs on someone else’s computer system, not installations by persons on their own computing devices.
We have established that express consent is required to install a computer program on another’s system. When seeking express consent you must comply with the requisite disclosure requirements.
There are two possible “levels” of disclosure:
Minimum Disclosure Requirement
At a minimum, when seeking consent, you must clearly and simply set out the following information:
- The purpose or purposes for which the consent is being sought;
- Certain prescribed identifying information about the sender and the person seeking consent (similar to Phase 1 of CASL);
- Any other prescribed information.
In addition, for the installation of computer programs, the person seeking consent must clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if consent is given.
Enhanced Disclosure Requirement
In addition to the Minimum Disclosure requirements described above, persons seeking to install computer programs with the following functions will face additional requirements:
- Collects personal information;
- Interferes with control of the computer system;
- Changes or interferes with the settings preferences or commands of the computer system;
- Obstructs, interrupts, or interferes with access to data;
Causes the computer to communicate with another computer without authorization;
- Installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
- Performing any other function specified in the regulations.
These Enhanced Disclosure requirements only apply where the computer program will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system.
For these types of computer programs, the installer must clearly and prominently, and separately (from any other information provided) and apart from any license agreement:
- Describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and
- Bring those elements to the attention of the person from whom consent is being sought in the prescribed manner.
When providing Enhanced Disclosure, the person seeking consent must obtain an acknowledgment in writing from the person whom consent is being sought that they understand that the program performs the specified functions.
To Be Continued in Part 2
In Part 2 I will discuss the various exemptions and exceptions to the consent requirements in Phase 2.