Impact of Software Installation Provisions of Canada's Anti-Spam Law on US Companies

On December 15, 2010, Canada passed Canada's Anti-Spam Legislation ("CASL"), one of the world's most stringent anti-spam laws.¹ On January 15, 2015, the provisions set forth in Section 8 of CASL relating to the installation of computer programs came into effect.² Section 8 prohibits the installation of a computer program, including any mobile application, as well as upgrades and updates ("Updates") to a computer program (each a "Computer Program") on another person's device in the course of commercial activity without the express consent of the device owner or authorized user.³ Another person's device can include any laptop, smartphone, desktop, gaming console, or other connected device (each a "Computer System").

Failure to comply with CASL could result in substantial liability. The Canadian Radio-Television and Telecommunications Commission ("CRTC") is authorized to impose administrative monetary penalties of up to C$1 million per violation of CASL for individuals and C$10 million for businesses.⁴ Officers, directors, and agents may be personally liable if they acquiesced in a violation of the law.⁵ However, because CASL takes into account "honest mistakes," a company that has undertaken good faith efforts to comply with the law has an affirmative defense in the event the CRTC initiates action based on a violation of CASL.⁶

Because CASL requires installation of a Computer Program on another person's Computer System, Section 8 does not apply when a user self-installs a Computer Program on her own Computer System, such as in the case of a user-installed mobile application. However, an automatically downloaded and installed Update to a self-installed Computer Program would be considered an installation of a Computer Program on another person's Computer System.⁷ Thus, automatic Updates require consent.⁸

The consent required by Section 8 applies to U.S. and other non-Canadian companies because the law applies to Computer Programs installed on Computer Systems located in Canada even if the installation originated elsewhere.⁹ Consequently, companies located outside of Canada, including U.S. companies, need to obtain the required consent if they are automatically installing any Computer Programs, including Updates, on Computer Systems in Canada.¹⁰

Recommendations

In order to reduce exposure to liability, you should consider the following steps to ensure that your company complies with Section 8 of CASL if you have determined that your company is automatically installing any Computer Programs, including Updates, on Computer Systems located in Canada.

1. Determine if you have implied or deemed consent to automatically install any Computer Programs, including Updates.

Section 8 provides that you will be deemed to have received consent to automatically install the following types of Computer Programs as long as the user's conduct does not indicate that she does not provide consent (e.g. if a user disables cookies in her browser, then you cannot install cookies in that person's computer):¹¹

• Cookies;
• HTML;
• JavaScript;
• Operating systems;
• Other Computer Programs that are executable only through another Computer Program for which the person has already provided express consent to the Computer Program's installation or use;
• Computer Programs installed solely to correct a failure in a Computer System (e.g. bug fixes); and
• Computer Programs installed by telecommunications service providers if such Computer Programs are being installed to protect the security of all or part of the provider's network from a current and identifiable threat or to update or upgrade all or part of the provider's network.

In addition, Section 8 provides that you will be considered to have received implied consent to upgrade or update any Computer Programs installed prior to January 15, 2015. Such implied consent will be considered valid until January 15, 2018, unless the user notifies you that she no longer consents to the installation of future Updates.¹²

2. If you do not have implied or deemed consent, you must obtain express consent from the owner or authorized user of a Computer System before you automatically install any Computer Programs, including Updates. Terms for express consent must be clearly and simply set out and cannot be incorporated into an agreement or bundled with requests for consents for other purposes.

Consent must be obtained from the owner or authorized user of the Computer System.¹³ The following are examples of owners and authorized users:¹⁴

1. In an employment relationship, the employer is the owner and the employee is the authorized user.
2. If an individual owns a Computer System but provides it to his child, spouse, or other relative for his or her sole use, the individual is the owner and the child, spouse, or other relative is the authorized user.
3. If an individual leases a Computer System to a third party, the lessor is the owner of the Computer System for the purposes of CASL and the lessee is the authorized user.
4. If a Computer System is sent out for repair, the person conducting the repair is an authorized user under CASL, but only to the extent that she is performing agreed-upon repairs to the Computer System.

In order to provide valid express consent, the owner or authorized user must take an active step to "opt in," such as by checking a previously unchecked box.¹⁵ Express consent cannot be included in or bundled with requests for consents for other purposes.¹⁶ For example, checking a single box cannot provide consent to automatic installation of a Computer Program in addition to consent to a license agreement or terms of use.¹⁷

A request for express consent must clearly and simply set out:¹⁸

• A description in general terms of the functions and purpose of the Computer Program for which you are seeking consent to install;
• The reason for seeking consent;
• Who is seeking consent (e.g. name of company, or if consent is being sought for another person, that person's name);
• If consent is sought on behalf of another person, a statement indicating the person who is seeking consent and the person on whose behalf the consent is being sought;
• Mailing address and one other piece of contact information (i.e. phone number, email, website address); and
• A statement that the person whose consent is being sought may withdraw their consent at any time.

Even if a user consented to the initial installation of the Computer Program (or initial consent was not required because the user installed the Computer Program), you must obtain consent for automatic installation of Updates.¹⁹ One important note: to avoid having to get consents for Updates in the future, you can request consent from the user to install Updates at the time of the initial installation of the Computer Program.²⁰

You will want to maintain a record of the consents that you receive from users, as the burden of proving that you have obtained consent rests with the company that automatically installs the Computer Program or causes the Computer Program to be installed.²¹

3. If you know and intend that your Computer Program will cause the user's Computer System to operate in manner contrary to the reasonable expectations of the user and your Computer Program performs certain functions, such as collecting personal information stored on the Computer System, you must comply with additional heightened consent requirements.

A Computer Program that performs any of the following types of functions contrary to the reasonable expectation of a user triggers the heightened consent requirement:²²

• Collects personal information stored on the Computer System;
• Interferes with the owner's or an authorized user's control of the Computer System;
• Changes or interferes with settings, preferences, or commands already installed or stored on the Computer System without the knowledge of the owner or an authorized user of the Computer System;
• Changes or interferes with data that is stored on the Computer System in a manner that obstructs, interrupts, or interferes with lawful access to or use of that data by the owner or an authorized user of the Computer System;
• Causes the Computer System to communicate with another Computer System without the authorization of the owner or an authorized user of the Computer System; or
• Installs a Computer Program that may be activated by a third party without the knowledge of the owner or an authorized user of the Computer System.

For example, if a user installs a mobile game application that also collects personal information from the user's mobile device for advertising purposes—a function that would not be reasonably expected by the user—the heightened consent requirements apply.

The heightened information requirements set out above do not apply to Computer Programs that only collect, use, or communicate transmission data.²³

If your Computer Program is subject to the heightened consent requirements, prior to the installation of the Computer Program you must clearly and prominently (and separately from a license agreement):²⁴

• Describe the Computer Program's material elements that perform the unanticipated function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the Computer System;
• Bring those elements to the attention of the user separate from other information provided in a request for consent; and
• Obtain the user's written acknowledgment that the user understands and agrees that the Computer Program performs the specified functions. An example of an acceptable means of obtaining consent in writing includes having the user check another previously unchecked box to indicate consent to the heightened consent requirements, where a record of the date, time, purpose, and manner of that consent is stored in a database.²⁵

In addition to the heightened consent requirements, for a period of one year after installation, you must ensure that the person who provided consent is provided with an electronic address to which she may send a request to remove or disable the Computer Program in the event that she believes that the function, purpose, or impact of the Computer Program installed under the consent was not accurately described when the consent was requested.²⁶

If the consent was based on an inaccurate description of the material elements of the function or functions described under the heightened requirements, on receipt within that one-year period of a request to remove or disable that Computer Program, you must assist that person in removing or disabling the Computer Program as soon as feasible, without cost.²⁷

Notes

1. An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, S.C. 2010, chapter 23, formerly referred to as the "Fighting Internet and Wireless Spam Act", now known as Canada's Anti-Spam Legislation ("CASL"), available at http://laws-lois.justice.gc.ca/eng/acts/E-1.6/page-1.html.
2. Order 81000-2-1795 (SI/TR), available at http://fightspam.gc.ca/eic/site/030.nsf/eng/00272.html.
3. CASL, supra note 1, §8. Section 8(1) provides "A person must not, in the course of a commercial activity, can install, or cause to be installed, a computer program on any other person's computer system or, having so installed or caused to be installed, a computer program, cause an electronic message be sent from that computer system, unless the person has obtained the express consent of the owner or authorized use of the computer system and complies with [Section 11(5) of CASL] or the person is acting in accordance with a court order."
4. CASL, supra note 1, §20(4). §47 of CASL and Order 81000-2-1795 (SI/TR), supra note 2, provide that a private right of action will become effective on July 1, 2017. Class actions are anticipated. Also on July 1, 2017, §51 of CASL will become effective. §51 of CASL provides statutory damages of C$200 per commercial electronic message (up to a maximum of C$1 million per day) and C$1 million per day for altering transmission data. The penalties also apply to anyone aiding, inducing or procuring, or causing to be procured a violation of CASL. In addition, for each occurrence of conduct reviewable under the Competition Act, there is also a penalty of C$200 for each occurrence of the conduct, not exceeding C$1,000,000 for each day on which the conduct occurred.
5. CASL, supra note 1, §31.
6. CASL, supra note 1, §33(1).
7. CASL, supra note 1, §10(7); Canada's Anti-Spam Legislation Requirements for Installing Computer Programs available at http://www.crtc.gc.ca/eng/info_sht/i2.htm.
8. Id.
9. CASL, supra note 1, §8(2).
10. A company can install software on company-owned business devices used by their employees without obtaining consent from such employees since the company is installing software own its own computer systems. It is not clear, however, whether software installed on employee devices in a "Bring Your Own Device" context would be covered by CASL.
11. CASL, supra note 1, §10(8); Electronic Commerce Protection Regulations 81000-2-175 (SOR/DORS) §6, available at http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html.
12. CASL, supra note 1, §67.
13. CASL, supra note 1, §8.
14. Canada's Anti-Spam Legislation Requirements for Installing Computer Programs, supra note 7.
15. Compliance and Enforcement Information Bulletin, CRTC 2012-548, October 10, 2012, available at http://www.crtc.gc.ca/eng/archive/2012/2012-548.htm.
16. Electronic Commerce Protection Regulations SOR/2012-36 §4, March 5, 2012, available at http://laws-lois.justice.gc.ca/eng/regulations/SOR-2012-36/FullText.html; Id.
17. Id.
18. CASL, supra note 1, §10; Electronic Commerce Protection Regulations SOR/2012-36 §4, supra note 16.
19. CASL, supra note 1, §10(7); Canada's Anti-Spam Legislation Requirements for Installing Computer Programs, supra note 7.
20. Id.
21. CASL, supra note 1, §13.
22. CASL, supra note 1, §10(5)
23. CASL, supra note 1, §10(6). "Transmission data" is defined as data that (a) relates to the telecommunications functions of dialing, routing, addressing or signaling; (b) either is transmitted to identify, activate or configure an apparatus or device, including a computer program, in order to establish or maintain a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and (c) does not reveal the substance, meaning or purpose of the communication. CASL, supra note 1, §1(1).
24. CASL, supra note 1, §10(4); Electronic Commerce Protection Regulations SOR/2012-36 §5, supra note 16; Compliance and Enforcement Information Bulletin, CRTC 2012-548, supra note 15.
25. Compliance and Enforcement Information Bulletin, CRTC 2012-548, supra note 15.
26. CASL, supra note 1, §11(5)(a).
27. CASL, supra note 1, §11(5)(b).

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.