Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Canada’s Anti-Spam Law (CASL)
Apps, Software, and other Computer Programs
Margot Patterson
Jawaid Panjwani
December 2014
D...
Canada’s Anti-Spam Law (CASL)
Dentons Canada LLP 2
• CASL was enacted in December 2010
• CASL is intended to promote e-com...
Canada’s Anti-Spam Law (CASL) – Overview
3
• Scope: Who, Where, What
• Exclusions
• Updates and Upgrades
• Obtaining Conse...
Scope: Who
Dentons Canada LLP 4
• A person who installs or causes to be installed a computer program on
any other person’s...
Scope: Who
Dentons Canada LLP 5
Software Developer Software Vendor
Either or both could be liable.
Was their action:
a nec...
Scope: Who
Dentons Canada LLP 6
Also…
Potential vicarious liability. CASL expressly includes:
• directors, officers, agent...
Scope: Where
Dentons Canada LLP 7
Activities outside Canada may be caught
Computer system receiving the program in Canada
...
CASL Section 8
8
Scope: What
The “computer program” provision
Dentons Canada LLP
CASL Section 8
Dentons Canada LLP 9
8. (1) A person must not, in the course of a commercial activity,
install or cause to ...
CASL Section 8 – Commercial Activity
Dentons Canada LLP 10
8. (1) A person must not, in the course of a commercial activit...
CASL Section 8 – Computer Program / System
Dentons Canada LLP 11
8. (1) A person must not, in the course of a commercial a...
CASL Section 8 – Install or Cause to be Installed
Dentons Canada LLP 12
8. (1) A person must not, in the course of a comme...
CASL Section 8 – Owner or Authorized User
Dentons Canada LLP 13
A person must not install …unless the person has obtained ...
CASL Section 8 – Self-Installed Programs
Dentons Canada LLP 14
8. (1) A person must not, in the course of a commercial act...
CASL Section 8 – Self-Installed Programs
Dentons Canada LLP 15
Examples – when you own the system / device
CASL does not a...
CASL Section 8 – Self-Installed Programs
Dentons Canada LLP 16
Example – firmware
CASL does not apply where:
• The manufac...
CASL Section 8 – Undisclosed Programs
Dentons Canada LLP 17
However:
• The CRTC has taken the position that concealed or u...
CASL Section 8 – Electronic Message
Dentons Canada LLP 18
8. (1) A person must not, in the course of a commercial activity...
CASL Section 10
19
Exclusions
Dentons Canada LLP
CASL Section 10 – Excluded Computer Programs
Dentons Canada LLP 20
Where the person’s conduct is such that it is reasonabl...
CASL Section 10 – Excluded Computer Programs
Dentons Canada LLP 21
….and also:
Where the user’s conduct is such that it is...
CASL Section 10 – Excluded Computer Programs: Cookies
Dentons Canada LLP 22
Cookies
• For CASL purposes, cookies are non e...
CASL Section 10 – Excluded Programs: Operating System
Dentons Canada LLP 23
Operating System
• For CASL purposes, operatin...
CASL Section 10
24
Updates and Upgrades
Dentons Canada LLP
CASL Section 10 – Updates / Upgrades
Dentons Canada LLP 25
Updates and Upgrades:
• change or replace previously installed ...
CASL Section 67 – Updates / Upgrades: Transition
Dentons Canada LLP 26
If a computer program was installed on a person’s c...
CASL Section 10 – Updates / Upgrades
Dentons Canada LLP 27
Scenario: You install the software before January 15, 2015
User...
CASL Section 10 – Updates / Upgrades
Dentons Canada LLP 28
Scenario: User self-installs the update or upgrade
No consent r...
CASL Section 10
29
Obtaining Consent
Dentons Canada LLP
CASL Section 10 – Basic Consent
Dentons Canada LLP 30
Image source: Compliance and Enforcement Information Bulletin CRTC 2...
CASL Section 10 – Enhanced Consent
Dentons Canada LLP 31
If the program has an “intrusive” function (see below), contrary ...
CASL Section 10 – Enhanced Consent
Dentons Canada LLP 32
If the program has an “intrusive” function, that is contrary to t...
CASL Section 11 – Removing a Program
Dentons Canada LLP 33
If the program performs an “intrusive” function and the user be...
Enforcement
Enforcement - CRTC
Canadian Radio-television and Telecommunications Commission (CRTC):
primary enforcement agency
Has auth...
Enforcement – Liability, Due Diligence
• Onus is on you to show consent to install, not on the complainant
• Directors and...
Enforcement – Private Right of Action
• Private Right of Action (in effect July 1, 2017)
• For individual or organization ...
Transition Period
Compliance Program
Next Steps
Next Steps – Transition Period
Three-Year Transition Period
• Until January 15, 2018:
• Implied consent for updates and up...
Next Steps – Audit and Checklist
CASL Audit
• Conduct an audit of online communications with clients, prospects,
and third...
Next Steps – Review and Update
Review and update:
• Update forms and procedures that document consent
• Update existing cu...
Next Steps: Compliance Program
Dentons Canada LLP 42
CRTC Information Bulletin “to provide general guidance and best pract...
More Information
43
More Information on CASL:
http://www.dentons.com/en/issues-and-opportunities/anti-spam-legislation.asp...
The preceding presentation contains
examples of the kinds of issues companies
dealing with Canada’s Anti-Spam Law
(CASL) c...
Upcoming SlideShare
Loading in …5
×

Canada’s Anti-Spam Law (CASL) Apps, Software, and other Computer Programs - December 2014

1,616 views

Published on

Canada's Anti-Spam Law by Margot Patterson and Jawaid Panjwani

Published in: Law
  • Be the first to comment

Canada’s Anti-Spam Law (CASL) Apps, Software, and other Computer Programs - December 2014

  1. 1. Canada’s Anti-Spam Law (CASL) Apps, Software, and other Computer Programs Margot Patterson Jawaid Panjwani December 2014 Dentons Canada LLP
  2. 2. Canada’s Anti-Spam Law (CASL) Dentons Canada LLP 2 • CASL was enacted in December 2010 • CASL is intended to promote e-commerce by deterring spam, identity theft, phishing, spyware, viruses, botnets, and misleading commercial representations online • CASL creates new offences, enforcement mechanisms and penalties • The “commercial electronic message” (email, text) requirements entered into force on July 1 2014 • The “computer program installation” provisions enter into force on January 15, 2015
  3. 3. Canada’s Anti-Spam Law (CASL) – Overview 3 • Scope: Who, Where, What • Exclusions • Updates and Upgrades • Obtaining Consent • Enforcement • Next Steps: Transition Period, Compliance Program Dentons Canada LLP
  4. 4. Scope: Who Dentons Canada LLP 4 • A person who installs or causes to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, causes an electronic message to be sent from that computer system. • The person who installs the program or causes it to be installed may be: Software Developer Software Vendor
  5. 5. Scope: Who Dentons Canada LLP 5 Software Developer Software Vendor Either or both could be liable. Was their action: a necessary cause leading to the installation? reasonably proximate to the installation? sufficiently important toward the end result of causing the installation? [CRTC Staff policy interpretation, November 2014]
  6. 6. Scope: Who Dentons Canada LLP 6 Also… Potential vicarious liability. CASL expressly includes: • directors, officers, agents or mandataries of a corporation • employers of employees acting within the scope of employment Therefore consider: • necessary training, policies (see CRTC Guidelines to help businesses develop corporate compliance programs; and • the “due diligence defence” available under CASL [Compliance and Enforcement Information Bulletin CRTC 2014-326]
  7. 7. Scope: Where Dentons Canada LLP 7 Activities outside Canada may be caught Computer system receiving the program in Canada OR Installer is in Canada OR Installer is operating under direction of person in Canada [CASL section 8(2)]
  8. 8. CASL Section 8 8 Scope: What The “computer program” provision Dentons Canada LLP
  9. 9. CASL Section 8 Dentons Canada LLP 9 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless • (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or • (b) the person is acting in accordance with a court order.
  10. 10. CASL Section 8 – Commercial Activity Dentons Canada LLP 10 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless […] “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada. [CASL section 1(1)]
  11. 11. CASL Section 8 – Computer Program / System Dentons Canada LLP 11 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless […] • “computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function; • “computer system” means a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function [subsection 342.1(2) of the Criminal Code]
  12. 12. CASL Section 8 – Install or Cause to be Installed Dentons Canada LLP 12 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless […] “install or cause to be installed” is not defined (However, the CRTC has taken the position that concealed or undisclosed secondary software is an example of “cause to be installed”. See slide 17)
  13. 13. CASL Section 8 – Owner or Authorized User Dentons Canada LLP 13 A person must not install …unless the person has obtained the express consent of the owner or an authorized user of the computer system. An owner or authorized user includes anyone that has permission to use a particular device or computer system. For example: [CRTC: CASL Requirements for Installing Computer Programs] Owner Authorized User Employer Employee Device/computer owner Child, spouse or other relative for their sole use Lessor Lessee Owner Repair company / employee doing repair requested by owner
  14. 14. CASL Section 8 – Self-Installed Programs Dentons Canada LLP 14 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless […] • The CRTC has taken the position that CASL does not apply where owners or authorized users install software on their own computer devices or systems [Source: CASL Requirements for Installing Computer Programs]
  15. 15. CASL Section 8 – Self-Installed Programs Dentons Canada LLP 15 Examples – when you own the system / device CASL does not apply where you yourself: • Buy an app from an app store and download it on your own device • Buy software on a CD and install it on your computer • Download software from a website and install it on your device • Install an update on a previously installed app CASL does not apply where: • A business installs software on business devices used by its employees [Source: CASL Requirements for Installing Computer Programs]
  16. 16. CASL Section 8 – Self-Installed Programs Dentons Canada LLP 16 Example – firmware CASL does not apply where: • The manufacturer “self-installs” software on the system or device during the manufacturing process Note: • If you will be installing updates or upgrades to that firmware, you will still need express consent for those. [Based on CRTC Staff policy interpretation November 2014]
  17. 17. CASL Section 8 – Undisclosed Programs Dentons Canada LLP 17 However: • The CRTC has taken the position that concealed or undisclosed secondary software is not “self-installed”. Instead, you “caused that software to be installed”. CASL applies to that software. [Source: CASL Requirements for Installing Computer Programs] CASL does not apply to self-installation CASL DOES apply to software that a person has “caused to be installed” Free game app …with concealed malware CD …with concealed software that executes when CD is inserted into device Software …that later installs update “in the background” without prompting or informing user
  18. 18. CASL Section 8 – Electronic Message Dentons Canada LLP 18 8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless […] “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message. [CASL section 1(1)]
  19. 19. CASL Section 10 19 Exclusions Dentons Canada LLP
  20. 20. CASL Section 10 – Excluded Computer Programs Dentons Canada LLP 20 Where the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation, you can install the following programs without seeking consent: • Cookies • HTML • JavaScript • Operating system • Program that is executable through another program that the user previously expressly consented to [CASL section 10(8)(a)and (b)] [CASL Requirements for Installing Computer Programs]
  21. 21. CASL Section 10 – Excluded Computer Programs Dentons Canada LLP 21 ….and also: Where the user’s conduct is such that it is reasonable to believe that they consent to the program’s installation, • software can be installed solely to correct a failure (e.g. bug) in a computer system; and • a TSP* can install software without consent to protect network security from a current and identifiable threat; or update or upgrade network. *telecommunications service provider: business or person who, independently or as part of a group or association, provides “telecommunications services”. TSP may either own or lease its equipment or software. [CASL section 1(1)] [CASL section 10(8)(a)and (b); Electronic Commerce Protection Regulations, s. 6] [CASL Requirements for Installing Computer Programs]
  22. 22. CASL Section 10 – Excluded Computer Programs: Cookies Dentons Canada LLP 22 Cookies • For CASL purposes, cookies are non executable computer programs that cannot carry viruses or install malware. • A person is considered to consent to the installation of a cookie if the person's conduct is such that it is reasonable to believe that they consent. [CASL section 10(8)(a)(i) and (b)] [CASL Requirements for Installing Computer Programs]
  23. 23. CASL Section 10 – Excluded Programs: Operating System Dentons Canada LLP 23 Operating System • For CASL purposes, operating systems are “a type of computer program that have special access to the hardware of a computer system, and act as a platform to allow other computer programs to make use of the hardware”. • Examples: “Microsoft Windows, Mac OS/iOS, Linux, Android, Unix and Blackberry OS, among others.” • A person is considered to consent to the installation of an OS if the person's conduct is such that it is reasonable to believe that they consent. [CASL section 10(8)(a)(iv) and (b)] [Source: CASL Requirements for Installing Computer Programs]
  24. 24. CASL Section 10 24 Updates and Upgrades Dentons Canada LLP
  25. 25. CASL Section 10 – Updates / Upgrades Dentons Canada LLP 25 Updates and Upgrades: • change or replace previously installed software; • usually with newer or better version, new features; • to bring the computer system up to date or improve it. Examples: “changing the version of an operating system, an office suite, an anti-virus program, or various other tools” [Source: CASL Requirements for Installing Computer Programs]
  26. 26. CASL Section 67 – Updates / Upgrades: Transition Dentons Canada LLP 26 If a computer program was installed on a person’s computer system before January 15, 2015 you have implied consent to install updates or upgrades to the program until: • the user withdraws consent, or • January 15, 2018 …whichever comes first. [CASL section 67]
  27. 27. CASL Section 10 – Updates / Upgrades Dentons Canada LLP 27 Scenario: You install the software before January 15, 2015 User’s consent to the update or upgrade is installed until January 15, 2018, or user withdraws consent to receive future updates /upgrades. Scenario: You install the software January 15, 2015 or later Get express consent to install the software, and for any updates and upgrades to it. Scenario: You want to install an update or upgrade, the software was installed January 15, 2015 or later, and you did not obtain express consent to install updates or upgrades Get express consent to install the update or upgrade.
  28. 28. CASL Section 10 – Updates / Upgrades Dentons Canada LLP 28 Scenario: User self-installs the update or upgrade No consent required. Scenario: New program is executable through another program that the user previously expressly consented to, and user’s conduct is such that it is reasonable to believe that user consents to the program’s installation. No consent required. [CASL section 10(8)(a)(v)]
  29. 29. CASL Section 10 29 Obtaining Consent Dentons Canada LLP
  30. 30. CASL Section 10 – Basic Consent Dentons Canada LLP 30 Image source: Compliance and Enforcement Information Bulletin CRTC 2012-548 Requirement The reason you are seeking consent Who is seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person's name) If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought; The mailing address and one other piece of contact information (phone number, email address, or URL) A statement indicating that the person whose consent is sought can withdraw their consent A description in general terms of the functions and purpose of the computer program to be installed
  31. 31. CASL Section 10 – Enhanced Consent Dentons Canada LLP 31 If the program has an “intrusive” function (see below), contrary to the user’s reasonable expectations: • collects personal information • interferes with user control of the system • changes or interferes with: • settings / preferences / commands without user knowledge • data in a manner that obstructs / interrupts / interferes with user access • causes the system to communicate with another system or device, without user consent • installs a program that can be activated by a third party without user knowledge …you will need enhanced consent
  32. 32. CASL Section 10 – Enhanced Consent Dentons Canada LLP 32 If the program has an “intrusive” function, that is contrary to the user’s reasonable expectations, you will need enhanced consent. In addition to obtaining Basic Consent, you must also Clearly and prominently… Separate and apart from the license agreement… • Describe to the user what the program does in relation to the “intrusive” functions and why it does it. • Describe to the user the impact of those functions on the operation of the computer system.
  33. 33. CASL Section 11 – Removing a Program Dentons Canada LLP 33 If the program performs an “intrusive” function and the user believes that when you installed it, you did not accurately describe that function, or its impact: For a period of 1 year after installation: • The owner or authorized user can ask you to assist in disabling or removing the program. You must do this “as soon as feasible”, at no cost. • You must provide the person who consented to the installation with an electronic address where they can send their request. [CASL section 11(5)]
  34. 34. Enforcement
  35. 35. Enforcement - CRTC Canadian Radio-television and Telecommunications Commission (CRTC): primary enforcement agency Has authority to impose administrative monetary penalties (AMPs) Maximum penalty is $10 million for an organization, per violation Relevant factors include purpose of penalty, nature & scope of violation, history, financial benefit, ability to pay Enforcement tools include: • Preservation Demands • Notices to Produce • Search Warrants • Compliance Undertakings with CRTC See: http://www.crtc.gc.ca/eng/casl-lcap.htm
  36. 36. Enforcement – Liability, Due Diligence • Onus is on you to show consent to install, not on the complainant • Directors and officers’ liability / Employers’ liability • Importance of “due diligence”: • No liability where due diligence taken to prevent the violation See: Compliance and Enforcement Information Bulletin CRTC 2014-326
  37. 37. Enforcement – Private Right of Action • Private Right of Action (in effect July 1, 2017) • For individual or organization affected by a contravention: can obtain court order for compensation • Acts or omissions • Remedies include compensation for loss or damage suffered or expenses incurred, and a maximum penalty of $1 million per day • for contravening the software provisions (CASL section 8); or • for aiding, inducing, procuring a violation • Class Actions? [CASL sections 47, 51]
  38. 38. Transition Period Compliance Program Next Steps
  39. 39. Next Steps – Transition Period Three-Year Transition Period • Until January 15, 2018: • Implied consent for updates and upgrades to software installed before January 15, 2015 • In all cases, recipient can still withdraw consent at any time • You must obtain CASL-compliant express consent during the three- year transition period, to continue to install updates and upgrades after January 15, 2018 [CASL section 67]
  40. 40. Next Steps – Audit and Checklist CASL Audit • Conduct an audit of online communications with clients, prospects, and third parties, including: • processes for installation of software updates/upgrades CASL Checklist • Review against CASL requirements: • available exceptions • disclosure, consent See: Compliance and Enforcement Information Bulletin CRTC 2014-326
  41. 41. Next Steps – Review and Update Review and update: • Update forms and procedures that document consent • Update existing customer service processes • Include information/training for employees, management, Board of Directors • Address third-party contract requirements (limitation of liability, representations & warranties) • Consider insurance (traditional policies may not cover) See: Compliance and Enforcement Information Bulletin CRTC 2014-326
  42. 42. Next Steps: Compliance Program Dentons Canada LLP 42 CRTC Information Bulletin “to provide general guidance and best practices for businesses on the development of corporate compliance programs”: Components of a corporate compliance program: • Senior management involvement • Risk assessment • Written corporate compliance policy • Record keeping • Training program • Auditing and monitoring • Complaint-handling system • Corrective (disciplinary) action See: Compliance and Enforcement Information Bulletin CRTC 2014-326
  43. 43. More Information 43 More Information on CASL: http://www.dentons.com/en/issues-and-opportunities/anti-spam-legislation.aspx Questions? Margot Patterson margot.patterson@dentons.com (613) 783-9693 Jawaid Panjwani jawaid.panjwani@dentons.com (613) 783-9632
  44. 44. The preceding presentation contains examples of the kinds of issues companies dealing with Canada’s Anti-Spam Law (CASL) could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. Dentons Canada LLP 44

×