On December 15, 2010, Canada passed Canada's Anti-Spam Legislation ("CASL"), one of the world's most stringent anti-spam laws.1 On January 15, 2015, the provisions set forth in Section 8 of CASL relating to the installation of computer programs came into effect.2 Section 8 prohibits the installation of a computer program, including any mobile application, as well as upgrades and updates ("Updates") to a computer program (each a "Computer Program") on another person's device in the course of commercial activity without the express consent of the device owner or authorized user.3 Another person's device can include any laptop, smartphone, desktop, gaming console, or other connected device (each a "Computer System").
Failure to comply with CASL could result in substantial liability. The Canadian Radio-Television and Telecommunications Commission ("CRTC") is authorized to impose administrative monetary penalties of up to C$1 million per violation of CASL for individuals and C$10 million for businesses.4 Officers, directors, and agents may be personally liable if they acquiesced in a violation of the law.5 However, because CASL takes into account "honest mistakes," a company that has undertaken good faith efforts to comply with the law has an affirmative defense in the event the CRTC initiates action based on a violation of CASL.6
Because CASL requires installation of a Computer Program on another person's Computer System, Section 8 does not apply when a user self-installs a Computer Program on her own Computer System, such as in the case of a user-installed mobile application. However, an automatically downloaded and installed Update to a self-installed Computer Program would be considered an installation of a Computer Program on another person's Computer System.7 Thus, automatic Updates require consent.8
The consent required by Section 8 applies to U.S. and other non-Canadian companies because the law applies to Computer Programs installed on Computer Systems located in Canada even if the installation originated elsewhere.9 Consequently, companies located outside of Canada, including U.S. companies, need to obtain the required consent if they are automatically installing any Computer Programs, including Updates, on Computer Systems in Canada.10
In order to reduce exposure to liability, you should consider the following steps to ensure that your company complies with Section 8 of CASL if you have determined that your company is automatically installing any Computer Programs, including Updates, on Computer Systems located in Canada.
1. Determine if you have implied or deemed consent to automatically install any Computer Programs, including Updates.
Section 8 provides that you will be deemed to have received consent to automatically install the following types of Computer Programs as long as the user's conduct does not indicate that she does not provide consent (e.g. if a user disables cookies in her browser, then you cannot install cookies in that person's computer):11
In addition, Section 8 provides that you will be considered to have received implied consent to upgrade or update any Computer Programs installed prior to January 15, 2015. Such implied consent will be considered valid until January 15, 2018, unless the user notifies you that she no longer consents to the installation of future Updates.12
2. If you do not have implied or deemed consent, you must obtain express consent from the owner or authorized user of a Computer System before you automatically install any Computer Programs, including Updates. Terms for express consent must be clearly and simply set out and cannot be incorporated into an agreement or bundled with requests for consents for other purposes.
Consent must be obtained from the owner or authorized user of the Computer System.13 The following are examples of owners and authorized users:14
A request for express consent must clearly and simply set out:18
Even if a user consented to the initial installation of the Computer Program (or initial consent was not required because the user installed the Computer Program), you must obtain consent for automatic installation of Updates.19 One important note: to avoid having to get consents for Updates in the future, you can request consent from the user to install Updates at the time of the initial installation of the Computer Program.20
You will want to maintain a record of the consents that you receive from users, as the burden of proving that you have obtained consent rests with the company that automatically installs the Computer Program or causes the Computer Program to be installed.21
3. If you know and intend that your Computer Program will cause the user's Computer System to operate in manner contrary to the reasonable expectations of the user and your Computer Program performs certain functions, such as collecting personal information stored on the Computer System, you must comply with additional heightened consent requirements.
A Computer Program that performs any of the following types of functions contrary to the reasonable expectation of a user triggers the heightened consent requirement:22
For example, if a user installs a mobile game application that also collects personal information from the user's mobile device for advertising purposes—a function that would not be reasonably expected by the user—the heightened consent requirements apply.
The heightened information requirements set out above do not apply to Computer Programs that only collect, use, or communicate transmission data.23
If your Computer Program is subject to the heightened consent requirements, prior to the installation of the Computer Program you must clearly and prominently (and separately from a license agreement):24
In addition to the heightened consent requirements, for a period of one year after installation, you must ensure that that the person who provided consent is provided with an electronic address to which she may send a request to remove or disable the Computer Program in the event that she believes that the function, purpose, or impact of the Computer Program installed under the consent was not accurately described when the consent was requested.26
If the consent was based on an inaccurate description of the material elements of the function or functions described under the heightened requirements, on receipt within that one-year period of a request to remove or disable that Computer Program, you must assist that person in removing or disabling the Computer Program as soon as feasible, without cost.27