canada’s anti-spam law (casl) apps, software, and other computer programs - december 2014

Canada’s Anti-Spam Law (CASL)Apps, Software, and other Computer Programs

Margot Patterson

Jawaid Panjwani

December 2014

Dentons Canada LLP

Canada’s Anti-Spam Law (CASL)

Dentons Canada LLP 2

• CASL was enacted in December 2010

• CASL is intended to promote e-commerce by deterring spam, identity

theft, phishing, spyware, viruses, botnets, and misleading commercial

representations online

• CASL creates new offences, enforcement mechanisms and

penalties

• The “commercial electronic message” (email, text) requirements entered

into force on July 1 2014

• The “computer program installation” provisions enter into force on

January 15, 2015

Canada’s Anti-Spam Law (CASL) – Overview

3

• Scope: Who, Where, What

• Exclusions

• Updates and Upgrades

• Obtaining Consent

• Enforcement

• Next Steps: Transition Period, Compliance Program

Dentons Canada LLP

Scope: Who


• A person who installs or causes to be installed a computer program on

any other person’s computer system or, having so installed or caused to

be installed a computer program, causes an electronic message to be

sent from that computer system.

• The person who installs the program or causes it to be installed may be:

Software Developer Software Vendor

Scope: Who


Software Developer Software Vendor

Either or both could be liable.

Was their action:

a necessary cause leading to the installation?

reasonably proximate to the installation?

sufficiently important toward the end result of causing the installation?

[CRTC Staff policy interpretation, November 2014]

Scope: Who


Also…

Potential vicarious liability. CASL expressly includes:

• directors, officers, agents or mandataries of a corporation

• employers of employees acting within the scope of employment

Therefore consider:

• necessary training, policies (see CRTC Guidelines to help businesses

develop corporate compliance programs; and

• the “due diligence defence” available under CASL

[Compliance and Enforcement Information Bulletin CRTC 2014-326]

Scope: Where


Activities outside Canada may be caught

Computer system receiving the program in Canada

OR

Installer is in Canada

OR

Installer is operating under direction of person in Canada

[CASL section 8(2)]

CASL Section 8

8

Scope: What

The “computer program” provision

Dentons Canada LLP

CASL Section 8


8. (1) A person must not, in the course of a commercial activity,

install or cause to be installed a computer program on any

other person’s computer system or, having so installed or caused

to be installed a computer program, cause an electronic message

to be sent from that computer system, unless

• (a) the person has obtained the express consent of the owner

or an authorized user of the computer system and complies

with subsection 11(5); or

• (b) the person is acting in accordance with a court order.

CASL Section 8 – Commercial Activity


8. (1) A person must not, in the course of a commercial activity, install or cause to

be installed a computer program on any other person’s computer system or, having

so installed or caused to be installed a computer program, cause an electronic

message to be sent from that computer system, unless […]

“commercial activity” means any particular transaction, act or conduct or

any regular course of conduct that is of a commercial character, whether or

not the person who carries it out does so in the expectation of profit, other

than any transaction, act or conduct that is carried out for the purposes of

law enforcement, public safety, the protection of Canada, the conduct of

international affairs or the defence of Canada.

[CASL section 1(1)]

CASL Section 8 – Computer Program / System



be installed a computer program on any other person’s computer system or,

having so installed or caused to be installed a computer program, cause an

electronic message to be sent from that computer system, unless […]

• “computer program” means data representing instructions or

statements that, when executed in a computer system, causes the

computer system to perform a function;

• “computer system” means a device that, or a group of interconnected

or related devices one or more of which, (a) contains computer programs

or other data, and (b) pursuant to computer programs, (i) performs logic

and control, and (ii) may perform any other function

[subsection 342.1(2) of the Criminal Code]

CASL Section 8 – Install or Cause to be Installed






“install or cause to be installed” is not defined

(However, the CRTC has taken the position that concealed or undisclosed

secondary software is an example of “cause to be installed”. See slide 17)

CASL Section 8 – Owner or Authorized User


A person must not install …unless the person has obtained the express consent

of the owner or an authorized user of the computer system.

An owner or authorized user includes anyone that has permission to use

a particular device or computer system. For example:

[CRTC: CASL Requirements for Installing Computer Programs]

Owner Authorized User

Employer Employee

Device/computer owner Child, spouse or other relative for their sole use

Lessor Lessee

Owner Repair company / employee doing repair

requested by owner

http://www.crtc.gc.ca/eng/info_sht/i2.htm

CASL Section 8 – Self-Installed Programs






• The CRTC has taken the position that CASL does not apply where

owners or authorized users install software on their own computer

devices or systems

[Source: CASL Requirements for Installing Computer Programs]




Examples – when you own the system / device

CASL does not apply where you yourself:

• Buy an app from an app store and download it on your own device

• Buy software on a CD and install it on your computer

• Download software from a website and install it on your device

• Install an update on a previously installed app

CASL does not apply where:

• A business installs software on business devices used by its employees





Example – firmware

CASL does not apply where:

• The manufacturer “self-installs” software on the system or device during

the manufacturing process

Note:

• If you will be installing updates or upgrades to that firmware, you will still

need express consent for those.

[Based on CRTC Staff policy interpretation November 2014]

CASL Section 8 – Undisclosed Programs


However:

• The CRTC has taken the position that concealed or undisclosed

secondary software is not “self-installed”. Instead, you “caused that

software to be installed”. CASL applies to that software.


CASL does not apply to

self-installation

CASL DOES apply to software that a

person has “caused to be installed”

Free game app …with concealed malware

CD …with concealed software that executes when

CD is inserted into device

Software …that later installs update “in the background”

without prompting or informing user


CASL Section 8 – Electronic Message



be installed a computer program on any other person’s computer system or, having

so installed or caused to be installed a computer program, cause an electronic

message to be sent from that computer system, unless […]

“electronic message” means a message sent by any means of

telecommunication, including a text, sound, voice or image message.

[CASL section 1(1)]

CASL Section 10

19

Exclusions

Dentons Canada LLP

CASL Section 10 – Excluded Computer Programs


Where the person’s conduct is such that it is reasonable to believe that

they consent to the program’s installation, you can install the following

programs without seeking consent:

• Cookies

• HTML

• JavaScript

• Operating system

• Program that is executable through another program that the user

previously expressly consented to

[CASL section 10(8)(a)and (b)]

[CASL Requirements for Installing Computer Programs]


CASL Section 10 – Excluded Computer Programs


….and also:

Where the user’s conduct is such that it is reasonable to believe that they

consent to the program’s installation,

• software can be installed solely to correct a failure (e.g. bug) in a

computer system; and

• a TSP* can install software without consent to protect network security

from a current and identifiable threat; or update or upgrade network.

*telecommunications service provider: business or person who, independently or as part

of a group or association, provides “telecommunications services”. TSP may either own or

lease its equipment or software. [CASL section 1(1)]

[CASL section 10(8)(a)and (b); Electronic Commerce Protection Regulations, s. 6]



CASL Section 10 – Excluded Computer Programs: Cookies


Cookies

• For CASL purposes, cookies are non executable computer programs that

cannot carry viruses or install malware.

• A person is considered to consent to the installation of a cookie if the

person's conduct is such that it is reasonable to believe that they

consent.

[CASL section 10(8)(a)(i) and (b)]



CASL Section 10 – Excluded Programs: Operating System


Operating System

• For CASL purposes, operating systems are “a type of computer program

that have special access to the hardware of a computer system, and act

as a platform to allow other computer programs to make use of the

hardware”.

• Examples: “Microsoft Windows, Mac OS/iOS, Linux, Android, Unix and

Blackberry OS, among others.”

• A person is considered to consent to the installation of an OS if the

person's conduct is such that it is reasonable to believe that they

consent.

[CASL section 10(8)(a)(iv) and (b)]



CASL Section 10

24

Updates and Upgrades

Dentons Canada LLP

CASL Section 10 – Updates / Upgrades


Updates and Upgrades:

• change or replace previously installed software;

• usually with newer or better version, new features;

• to bring the computer system up to date or improve it.

Examples: “changing the version of an operating system, an office suite,

an anti-virus program, or various other tools”



CASL Section 67 – Updates / Upgrades: Transition


If a computer program was installed on a person’s computer system

before January 15, 2015 you have implied consent to install updates or

upgrades to the program until:

• the user withdraws consent, or

• January 15, 2018

…whichever comes first.

[CASL section 67]



Scenario: You install the software before January 15, 2015

User’s consent to the update or upgrade is installed until January 15,

2018, or user withdraws consent to receive future updates /upgrades.

Scenario: You install the software January 15, 2015 or later

Get express consent to install the software, and for any updates and

upgrades to it.

Scenario: You want to install an update or upgrade, the software was

installed January 15, 2015 or later, and you did not obtain express

consent to install updates or upgrades

Get express consent to install the update or upgrade.



Scenario: User self-installs the update or upgrade

No consent required.

Scenario: New program is executable through another program that the

user previously expressly consented to, and user’s conduct is such that it

is reasonable to believe that user consents to the program’s installation.

No consent required.

[CASL section 10(8)(a)(v)]

CASL Section 10

29

Obtaining Consent

Dentons Canada LLP

CASL Section 10 – Basic Consent


Image source: Compliance and Enforcement Information Bulletin CRTC 2012-548

Requirement

The reason you are seeking consent

Who is seeking consent

(e.g., name of the company; or if consent is sought on behalf

of another person, that person's name)

If consent is sought on behalf of another person, a

statement indicating which person is seeking consent and

which person on whose behalf consent is being sought;

The mailing address and one other piece of contact

information

(phone number, email address, or URL)

A statement indicating that the person whose consent is

sought can withdraw their consent

A description in general terms of the functions and

purpose of the computer program to be installed

http://www.crtc.gc.ca/eng/archive/2012/2012-548.htm

CASL Section 10 – Enhanced Consent


If the program has an “intrusive” function (see below), contrary to the

user’s reasonable expectations:

• collects personal information

• interferes with user control of the system

• changes or interferes with:

• settings / preferences / commands without user knowledge

• data in a manner that obstructs / interrupts / interferes with user access

• causes the system to communicate with another system or device, without

user consent

• installs a program that can be activated by a third party without user

knowledge

…you will need enhanced consent

CASL Section 10 – Enhanced Consent


If the program has an “intrusive” function, that is contrary to the user’s

reasonable expectations, you will need enhanced consent.

In addition to obtaining Basic Consent, you must also

Clearly and prominently…

Separate and apart from the license agreement…

• Describe to the user what the program does in relation to the “intrusive”

functions and why it does it.

• Describe to the user the impact of those functions on the operation of the

computer system.

CASL Section 11 – Removing a Program


If the program performs an “intrusive” function and the user believes

that when you installed it, you did not accurately describe that function, or

its impact:

For a period of 1 year after installation:

• The owner or authorized user can ask you to assist in disabling or

removing the program. You must do this “as soon as feasible”, at no cost.

• You must provide the person who consented to the installation with an

electronic address where they can send their request.

[CASL section 11(5)]

Enforcement

Enforcement - CRTC

Canadian Radio-television and Telecommunications Commission (CRTC):

primary enforcement agency

Has authority to impose administrative monetary penalties (AMPs)

Maximum penalty is $10 million for an organization, per violation

Relevant factors include purpose of penalty, nature & scope of violation,

history, financial benefit, ability to pay

Enforcement tools include:

• Preservation Demands

• Notices to Produce

• Search Warrants

• Compliance Undertakings with CRTC

See: http://www.crtc.gc.ca/eng/casl-lcap.htm

http://www.crtc.gc.ca/eng/casl-lcap.htm

Enforcement – Liability, Due Diligence

• Onus is on you to show consent to install, not on the complainant

• Directors and officers’ liability / Employers’ liability

• Importance of “due diligence”:

• No liability where due diligence taken to prevent the violation

See: Compliance and Enforcement Information Bulletin CRTC 2014-326

Enforcement – Private Right of Action

• Private Right of Action (in effect July 1, 2017)

• For individual or organization affected by a contravention: can obtain court

order for compensation

• Acts or omissions

• Remedies include compensation for loss or damage suffered or expenses

incurred, and a maximum penalty of $1 million per day

• for contravening the software provisions (CASL section 8); or

• for aiding, inducing, procuring a violation

• Class Actions?

[CASL sections 47, 51]

Transition Period

Compliance Program

Next Steps

Next Steps – Transition Period

Three-Year Transition Period

• Until January 15, 2018:

• Implied consent for updates and upgrades to software installed before

January 15, 2015

• In all cases, recipient can still withdraw consent at any time

• You must obtain CASL-compliant express consent during the three-

year transition period, to continue to install updates and upgrades after

January 15, 2018

[CASL section 67]

Next Steps – Audit and Checklist

CASL Audit

• Conduct an audit of online communications with clients, prospects,

and third parties, including:

• processes for installation of software updates/upgrades

CASL Checklist

• Review against CASL requirements:

• available exceptions

• disclosure, consent


Next Steps – Review and Update

Review and update:

• Update forms and procedures that document consent

• Update existing customer service processes

• Include information/training for employees, management, Board of

Directors

• Address third-party contract requirements (limitation of liability,

representations & warranties)

• Consider insurance (traditional policies may not cover)


Next Steps: Compliance Program


CRTC Information Bulletin “to provide general guidance and best practices

for businesses on the development of corporate compliance programs”:

Components of a corporate compliance program:

• Senior management involvement

• Risk assessment

• Written corporate compliance policy

• Record keeping

• Training program

• Auditing and monitoring

• Complaint-handling system

• Corrective (disciplinary) action


More Information

43

More Information on CASL:

http://www.dentons.com/en/issues-and-opportunities/anti-spam-legislation.aspx

Questions?

Margot [email protected] (613) 783-9693

Jawaid [email protected](613) 783-9632

http://www.dentons.com/en/issues-and-opportunities/anti-spam-legislation.aspx

http://www.dentons.com/margot-patterson

mailto:[email protected]

The preceding presentation contains

examples of the kinds of issues companies

dealing with Canada’s Anti-Spam Law

(CASL) could face.

If you are faced with one of these issues,

please retain professional assistance as

each situation is unique.

Dentons Canada LLP

44

canada’s anti-spam law (casl) apps, software, and other computer programs - december 2014

Law

persons computer system

canada casl section

dentons canada llp98

whodentons canada llp4a

casl compliance

scope of employment

direction of person

bthe person