CASL – New Guidance on the Installation of Computer Programs

The Canadian Radio-television Telecommunications Commission (CRTC) has released new guidance on the provisions of Canada’s Anti-Spam Legislation (CASL) dealing with the installation of computer programs. The installation of computer program provisions will come into force in just over two months’ time on January 15, 2015.

The good news is that the CRTC appears to confirm that the installation of computer program provisions are largely limited to addressing the scourge of malware and spyware or covert installations. The CRTC is not interpreting the legislation as being intended to unduly interfere with legitimate business.

Among the highlights from the guidance (warning – this is an initial review by me and subject to change):

1. CASL does not apply when a person is installing software on their own computer, mobile device or tablet.

  • This means that the express consent provision (with the mandatory disclosures) should not apply to mobile app downloads by consumers to their own devices from an App store.
  • The express consent provisions and mandatory disclosures should not apply in the enterprise context where the installation is initiated by the organization onto its own devices used by its employees.
  • The express consent provisions and mandatory disclosures should not apply where the lessor is installing a program on the leased device.

2. The examples provided by the CRTC appear to mean that the term “causes to be installed” does not include code that facilitates the installation. Instead, “causes to be installed” refers to concealed software within an installation.

  • This means that the mere making available of software or code to facilitate an installation probably does not result in the organization being deemed to be “installing” or “causing the installation”.
  • Although the CRTC was not as clear as it could have been on this point, it would seem that there is no requirement for organizations to “police” user-initiated downloads even if the download is by a person who is not the owner of the device.

3. If the installation is not owner-initiated, then consent is required. However, consent is deemed for many types of programs, such as operating systems or programs executable through a program for which consent was already provided, or bug fixes. It should be noted, though, that consent is only deemed if it is reasonable to believe, based on the person’s conduct, that they consented to the installation.

  • This means that organizations must obey signals such as browser settings that disable cookies or JavaScript.

4. Automatic updates that are not controlled by the user do require express consent. This can be obtained at the point of installation.

  • The CRTC did not give guidance on automatic updates that occur as a result of user-controlled mobile phone or computer settings; however, one would hope that the CRTC applies the same logic to these updates as to the original user-initiated installation.
  • In any event, the issue is partially mitigated because the transition period means that automatic upgrades can continue until January 15, 2018 for installations prior to January 15, 2015.

5. Certain spyware-like or malware-like features may require enhanced consent but only if these functions would normally not be expected by the user.

  • These special features include programs that: (a) collect personal information from the device; (b) interfere with the user’s control of the device; (c) change or interfere with the user’s settings, preferences or commands without the user’s knowledge; (d) change or interfere with data in a manner that will obstruct the user’s access to that data; (e) cause the device to connect to or send messages to another device without the user’s authorization; or (f) install an application that can be activated remotely without the user’s authorization.
  • Importantly, the CRTC appears to have agreed that the mere inclusion of these types of features does not require enhanced consent. The features must be unexpected given the nature of the program.

6. There will only be limited situations when an organization must provide assistance with uninstalling a program. These situations are primarily limited to misrepresentations regarding the features of the program.