1) The document discusses various challenges and strategies for complying with Canada's Anti-Spam Legislation (CASL) in different vertical sectors such as software, mobile/telecom, product manufacturing, and online businesses.
2) Key issues addressed include identifying regulated computer program activities, obtaining express consent, developing consent strategies, satisfying disclosure rules, and proving consent.
3) Challenges for the mobile/telecom sector include obtaining consent during device setup processes and the app submission process, while product manufacturers face issues with no direct user interaction.
Michael Fekete and Howard Fohr, Lexpert: CASL Computer Programs Provisions and Challenges
1. CASL Computer Programs
Provisions and Challenges in
Specific Vertical Sectors
Michael Fekete (Osler)
Howard Fohr (BlackBerry Limited)
April 30, 2014
3. Software Vertical - Identifying regulated activities
Pre-installed/embedded software?
RIAS: “...the requirements under CASL for the
installation of computer programs only apply to the
installation of computer programs on another
person’s computer system”
User initiated installations (e.g., downloads)?
RIAS: “CASL will not apply to installations carried
out by persons on their own computing devices.”
Updates and upgrades
What if the installation is carried out by the
consumer?
Installations by IT help desks
Installations on devices in other countries
5. Assessing whether the “enhanced
disclosure” rules apply
Function listed in s.10(5)
AND
Knowledge and intent that function will cause the computer
system to operate in a manner that is “contrary to the
reasonable expectations of the owner or an authorized user
of the computer system”
Operational challenges
software products
update programs
6. Applying the knowledge and intent qualifier
Is it reasonable to take into account
“reasonableness” overall, including whether:
The function is required for the very services the
user signed up to receive?
The function would improve the services?
The function would provide some other utility to
the user (outside of the particular
software/services at issue)?
The function would have some non-invasive
business purpose/utility for the vendor?
How much information do consumers reasonably
want? Do they want to understand the technical
details, or do they want it to “just work”?
7. Deciding whether/when to request consent
Reliance on exceptions?
What “conduct” is required to demonstrate it is
reasonable to believe consent has been given
Reliance on 3 year transition provision (s.67)?
Seeking consent to updates and upgrades at
the same time as consent for
installation/downloading/first use?
8. Developing strategy for obtaining “CASL-
compliant” express consent
Can consent be obtained through a licence
agreement (if 10(4) not triggered)?
Can consent be obtained through the use of a
pre-checked box (e.g., default settings, with
user confirmation)?
Can consent be obtained for a “suite” of
products?
Can consent to updates and upgrades be
mandatory?
Can identity and contact information be
provided through links?
9. Satisfying the Disclosure Rules
Minimum disclosures:
Describe the “function and purpose”
“clearly and simply”
“in general terms”
Enhanced disclosures:
Describe the “program’s material elements that
perform the function or functions, including the nature
and purpose of those elements and their reasonably
foreseeable impact on the operation of the computer
system”
“clearly and prominently”
“separately and apart from license agreement”
“separately from any other information provided”
“acknowledgement in writing... that they understand
and agree”
10. Proving Consent
CRTC Enforcement Bulletin (2012-548)
“The Commission considers that the requirement for
consent in writing is satisfied by information in
electronic form if the information can subsequently
be verified.”
“Examples of acceptable means of obtaining
consent in writing include checking a box on a web
page to indicate consent where a record of the
date, time, purpose, and manner of that consent is
stored in a database; and filling out a consent form
at a point of purchase.”
11. Satisfying the withdrawal of consent rule
(s.11(5))
When does obligation to provide an electronic
address apply?
Only if program performs a function regulated by
s.10(4)?
Exempt if the program is covered by s.10(8)?
How must contact information be provided?
12. “Deemed” express consent (s. 10(8))
A person is considered to expressly consent to the installation
of a computer program if:
a) the program is:
i. a cookie,
ii. HTML code,
iii. Java Scripts,
iv. an operating system,
v. any other program that is executable only through
the use of another computer program whose
installation or use the person has previously expressly
consented to, or
vi. any other program specified in the regulations; and
b) the person’s conduct is such that it is reasonable to
believe that they consent to the program’s installation.
13. “Deemed” express consent for network security
& updating a network
(IC Reg’s, s. 6(a) & (b))
(a) a program that is installed by or on behalf of a
telecommunications service provider solely to
protect the security of all or part of its network
from a current and identifiable threat to the
availability, reliability, efficiency or optimal use of
its network;
(b) a program that is installed, for the purpose of
updating or upgrading the network, by or on
behalf of the telecommunications service
provider who owns or operates the network on
the computer systems that constitute all or part of
the network;
14. “Deemed” express consent
- Questions for both s. 6(a) & (b) of IC Reg’s
Non-definition of a “network”
How to identify the “end node” of the network?
Applicability to not just parts of a network that require a 24/7
‘live’ connection to a telecommunications service?
• E.g. What about a program which could be used in some cases
without active/online wireless connectivity?
15. “Deemed” express consent
- Questions for both s. 6(a) & (b) of IC Reg’s
Definition of “telecommunications service provider”
Broad?
Not so broad, due to constitutional limitations? (e.g. applicability of
CASL’s computer program provisions to intraprovincial
communications?)
16. “Deemed” express consent
- Questions for s. 6(a) of IC Reg’s (network
security exemption)
Is a “threat to the availability, reliability, efficiency
or optimal use” just:
Malware?
Viruses?
Software bug?
Other?
What is a “current and identifiable” threat?
Threats that are not ‘identifiable’ in addition to
being ‘current’?
What about ‘future’ security threats?
“Solely” – is the exemption available if the program
has an additional legitimate purpose in addition to
just addressing a ‘security’ threat?
17. “Deemed” express consent
(IC Reg’s, s. 6(c) – correcting a failure)
(c) a program that is necessary to correct a failure
in the operation of the computer system or a
program installed on it and is installed solely for
that purpose.
“Solely” – is the exemption available if the program
provided ‘new’, improved or additional functionality or
features, and not “solely” bug fixes?
18. “Deemed” express consent
- Questions for each of s. 6(a), (b) & (c) of IC Reg’s
How to assess whether the person’s conduct is
such that they consent to the program’s
installation (s. 10(8)(b))?
19. Additional Compliance Challenges and
Solutions – Mobile/Telecom
Scenario I:
Initial software updates during “Out Of Box
Experience” (OOBE) for a new BlackBerry 10
device
20. Out Of Box Experience (OOBE) on BlackBerry 10
- First substantive step after user chooses UI language is acceptance of BlackBerry
Solution License Agreement, which indicates software may automatically check for
updates and that BlackBerry may make required updates available
21. OOBE on BlackBerry 10 (cont’d)
- The last substantive step before completion of initial setup is a user
notice regarding software update as part of the OOBE (most current OS
available for relevant carrier/region)
22. Additional Compliance Challenges and
Solutions – Mobile/Telecom
Scenario II:
3rd Party App Submission Process in
BlackBerry World
23. 3rd Party App Submission Process in BlackBerry World
Step 1: Developer creates a Vendor account – after acceptance of BlackBerry World vendor terms, etc., various fields are made available for the vendor to complete.
- These include fields for vendor identification and contact info.
24. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 1 (cont’d): fields also made available for vendor’s support email, Privacy Policy URL, etc.
25. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2: App submission process: Vendor creates the listing for the app under their Vendor account.
26. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor adds Descriptive text which will be seen by the user when they view the app in BlackBerry World, prior to download.
Substantial space available in “Long Description” – vendor free to provide information about the function and purpose of the computer program (or to provide additional disclosures as may be required by s. 10(4) or (5) of CASL if the vendor so chooses (presumably ‘separate and apart from the license agreement’ as it is prior to download)).
27. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor adds App icon and screenshots
28. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor can limit the availability of their app by Carrier and/or Country
29. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process:
• Once app accepted for distribution in BlackBerry World, it is made available for users to access in BlackBerry World, either through the user browsing or searching for the desired app
30. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process (cont’d):
• User goes to the app listing in BlackBerry World, to view the information that the vendor had input about the app
31. Step 3 (cont’d): BlackBerry World End user process:
• User chooses to download the app
32. Step 4: App permissions notice to end user
• User is presented with any required permissions sought by the app prior to using the software
• (Note: outside of BlackBerry World, once the user is in the app the vendor may also provide its EULA or other notice(s) for acceptance etc.)
33. Additional Compliance Challenges and
Solutions – Product Manufacturing
Lack of direct interaction with consumers
Express consent
Exceptions to consent
Obtaining consent for products with no user
interface
Global marketplace challenges