CASL “Computer Program” Provisions: Guidance From The CRTC
The Canadian Radio-television and Telecommunications Commission (CRTC) released guidance on Section 8 of Canada’s Anti-Spam Legislation (CASL), which will go into effect on January 15, 2015. CASL has been described as “the toughest anti-spam law in the world,” because of its broad reach and stringent requirements. CASL applies not only to Canadian organizations, but also to any organization that sends commercial electronic messages from or to Canada or installs a program on a computer located in Canada. CASL provisions related to sending out commercial electronic messages and altering data in electronic messages took effect on July 15, 2014, and, as of September, the CRTC had already received 85,000 complaints about organizations that are not in compliance with CASL. You can read more about the provisions already in effect in our previous blog post.
The provisions taking effect in January require organizations offering computer programs—including apps, widgets, software, or other executable data—to obtain the express consent of users before such programs are installed on the users’ computer systems. Section 8 also sets forth disclosure requirements, requires users be given an opt-out mechanism once they consent to installation, and, in some cases, mandates that the organization assist users in uninstalling the program.
Broad and unclear terms in Section 8, such as “computer program,” “computer system,” and “installed or causes to be installed,” created some uncertainty about how broadly the provisions would be applied. The CRTC’s guidance indicates its biggest concerns and areas of focus, as highlighted below.
What does “computer systems” include?
Among other things, computer systems include laptops, smartphones, desktop computers, gaming consoles, or other connected devices.
What does “installed or causes to be installed” mean?
The CRTC clarified that CASL only applies if an organization “install[s] or cause[s] the installation of software on another person’s device in the course of commercial activity.”
Thus, the provisions do not apply if owners or authorized users install software on their own devices, including when:
- Owners or authorized users purchase and download apps from an app store;
- Owners or authorized users buy software and install it on their own devices;
- A business installs software on business devices used by employees;
- A previously installed app offers an update, prompts the user, and the user installs the update in response to a prompt; and
- Software is installed offline.
Is consent needed to install every type of program?
For certain types of programs, organizations are considered to automatically have express consent. These programs are:
- An operating system;
- Any program that is executable through another program that was installed with consent;
- Programs installed by a telecommunications provider to protect the security of its network from a current identifiable threat OR to update or upgrade all or part of its network; and
- “Bug fixes.”
However, express consent is not assumed if a user’s behavior indicates they do not consent to a particular type of program. Such behavior includes:
- Disabling cookies in their browser; or
Is consent needed for upgrades and updates? How does an organization get consent?
Consent is required to install an update or upgrade. The CRTC noted that:
- An installer could seek consent for all future updates and upgrades when obtaining consent to install the computer program initially.
- Consent is not needed for updates and upgrades to the specified computer programs listed above.
- If consent for future updates and upgrades was not obtained when the program was initially installed, an installer can seek consent the same way it generally seeks consent to install a program.
- If a program was installed on a device prior to January 15, 2015, consent is implied for updates and upgrades until July 15, 2018.
When does an organization need to make additional disclosures when seeking consent? What are the additional disclosure requirements?
CASL requires additional disclosures for computer programs that perform one or more of the following functions:
- Collects personal information;
- Interferes with the user’s control of the device;
- Changes or interferes with the user’s settings, preferences, or commands without their knowledge;
- Changes or interferes with the data stored on the device in a way that obstructs, interrupts, or interferes with the user’s access to the data;
- Causes the computer system to connect to or send messages to other computer systems without the user’s authorization; or
- Installs a program that may be activated by a third party without the user’s knowledge.
However, the CRTC clarified that additional disclosures are necessary only if the function “would normally not be expected by the user.”
If an installer is required to provide additional disclosure, the installer must, clearly and prominently, and separately and apart from the license agreement:
- Describe to the user what the program does in relation to those functions and why it does it; and
- Describe to the user the impact of those functions on the operation of the computer system.
When would an organization have to help a user uninstall a program?
The CRTC reiterates that generally an organization is only obligated to help a user uninstall a program if the program performs one of the functions requiring additional disclosure, and the user believes that the function or impact of the software was inaccurately described to him. In those situations, the user must request assistance within a year of installing the program, and assistance must be provided as soon as feasible and at no cost to the user. The CRTC did not specify any other situations where an organization would be obligated to provide assistance to users uninstalling a program.