On January 29, 2013, I posted some information on Canada’s new Anti-Spam Legislation (CASL), related to the new regulatory requirements for sending certain types of emails and other electronic communications, and for installing software, including updates and upgrades.
In my February 14, 2013 post I provided a commentary on what electronic messages are governed by the statute. As outlined there, unless exempted under CASL, commercial electronic messages (known as CEMs) may only be sent where: (a) the recipient has consented to receiving them, whether by express or implied consent, and (b) the message complies with the identification and unsubscribe mechanism requirements.
The March 3, 2013 post outlines what qualifies as “express consent” under CASL, for the purpose of sending CEMs and for installing software.
In Part IV, posted March 20, 2013, I discussed “implied consent”, and commented on the unsubscribe mechanism requirements.
The April 10, 2013 post provides guidance on exceptions that are available for certain CEMs.
Since consent is also required for the installation of computer programs, including updates and upgrades, this post will provide some information on that issue, as well as a discussion on the penalties for non-compliance and the prescribed transition period.
Installation of Computer Programs
While one purpose of CASL is to regulate the sending of commercial electronic messages, a second purpose is to prevent the installation of certain types of computer programs (such as malware or spyware) on your computer without your consent. A person is not entitled to “install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system”, and complies with the unsubscribe mechanism requirements.
Under the CRTC Regulations, certain types of computer programs must be brought to the attention of the owner of the computer or authorized person. Examples include programs or functions that collect personal information, that interfere with the owner’s/user’s control of the computer system, and that change or interfere with existing settings, preferences or commands without the owner’s/user’s knowledge.
The person seeking consent is required to obtain an acknowledgement in writing that the owner/authorized person understands and agrees to the specified functions.
There are certain enumerated exceptions, however, where consent is deemed to be given (i.e. cookies and others).
Requests for consent to install a computer program cannot be contained in a license agreement or other online terms, so two (2) consents are required: consent to the license agreement and a separate consent to the installation of the program. When structuring an application download process, however, it is acceptable to enable a user to download an app and then provide the necessary disclosures and obtain consent prior to installation of the application.
Requests for consent to install a computer program have to be obtained before the product or service is used or sold. It is unclear how that is going to be possible for over-the-counter software products.
Penalties for Non-Compliance
The penalties for contravening CASL are substantial. A person who fails to comply with the consent and identification requirements can be liable for a fine of up to $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person, such as a business or organization. A person who aids in the violation can be liable for a fine of up to the same $1 million maximum per violation. These are referred to as “administrative monetary penalties”.
In addition, CASL provides a private right of action, where a person or business may commence a civil lawsuit against another person or business for sending CEMs or installing computer programs in breach of CASL, for a breach of certain requirements outlined in the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and for certain reviewable conduct in the Competition Act. This private right of action allows for damages in addition to the imposition of monetary penalties that are similar in scope to the administrative monetary penalties under CASL.
Where a business obtains consent for the collection of personal information to comply with PIPEDA, it is also required to comply with the higher threshold of consent provided in CASL in respect of CEMs (the identification and unsubscribe mechanisms).
For CEMs, there is a transition period of three (3) years after CASL comes into force for individuals, businesses and organizations to comply if they have an existing business or existing non-business relationship on the date CASL comes into force and the relationship includes the sending of CEMs. An express consent received within these existing relationships will be “grandfathered” in and valid, even if the consent did not include all of the identification and contact information required by CASL.
Any other relationship and all new relationships are required to be CASL compliant.
For software programs, updates and upgrades, if the program was installed on a computer prior to the date CASL comes into force, consent is implied for three (3) years after CASL comes into force, or until the person gives notice that they no longer consent to receiving installations, including updates and upgrades. Thereafter the programs, and all new programs or programs with new functions that are regulated, are required to be CASL compliant.
What does this mean for you?
If you are in a position of responsibility in your business or organization, it would be wise for you to consider the types of communications your business or organization sends, and strategies for compliance. If your business involves software development, you have additional requirements.
If you would like to discuss how you or your business or organization might comply with CASL, I would be happy to speak with you.