Canada’s Anti-Spam Law (CASL) targets more than just email and text messages
In our previous post, we explained that on July 1, 2014, Canada’s Anti-Spam Law (CASL) had entered into force with respect to email, text and other “commercial electronic messages”.
CASL also targets “malware”. It prohibits installing a “computer program” – including an app, widget, software, or other executable data – on a computer system (e.g. computer, device) unless the program is installed with consent and complies with disclosure requirements. The provisions in CASL related to the installation of computer programs will come into force on January 15, 2015.
Application outside Canada
Like CASL’s email and text message provisions, the Act’s ”computer program” installation provisions apply to persons outside Canada. A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada). We wrote about CASL’s application outside of Canada here.
The maximum penalty under CASL is $10 million for a violation of the Act by a corporation. In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation. Moreover, a private right of action is available to individuals as of July 1, 2017.
CASL’s broad scope leads to fundamental questions – how does it apply?
The broad legal terms “computer program”, “computer system” “install or cause to be installed” have raised many fundamental questions with industry stakeholders. The CRTC – the Canadian authority charged with administering this new regime – seems to have gotten the message. The first part of the CRTC’s response to FAQ #1 in its interpretation document CASL Requirements for Installing Computer Programs is “First off, don’t panic”.
New CRTC Guidance
The CRTC has clarified some, but not all of the questions that industry stakeholders have raised. CRTC Guidance does clarify the following.
- Self-installed software is not covered under CASL. CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
- CASL does not apply to “offline installations“, for example, where a person installs a CD or DVD that is purchased at a store.
- Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer.
- An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
- Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018 – unless the person opts out of future updates or upgrades.
Who is liable?
CRTC staff have clarified that as between the software developer and the software vendor (the “platform”), both may be liable under CASL. To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:
- was their action a necessary cause leading to the installation?
- was their action reasonably proximate to the installation?
- was their action sufficiently important toward the end result of causing the installation of the computer program?
CRTC and Industry Canada staff have indicated that they will be publishing additional FAQs, in response to ongoing industry stakeholder questions.
See also: fightspam.gc.ca and consider signing up for information updates through the site.