Canada’s new anti-spam legislation (CASL) is best known for its provisions to cut down on unwanted spam emails. With over 80% of global email traffic being unwanted spam, Canadian inboxes are no doubt welcoming the relief.
But less well-known are provisions in the legislation that will have a significant impact on the software download space. It’s important to note that this act not only applies within Canada’s borders, it applies to installations in Canada originating from elsewhere. So software sellers with any downloads happening in the great white north need to know the details of this law.
Here are some highlights of what you should know about CASL.
For commercial activity, it will be prohibited for anyone to directly or indirectly install a computer program on any other person’s computer system without either proof of express consent or a court order. Consent cannot be assumed from the user accepting a product’s term and conditions and consent can only be given after a company has clearly stated the purpose and function of the program as well as any impact it might have on the operation of a user’s computer (allowing third-party access, setting changes etc.).
Additionally, software sellers will also need express consent from users if their installed software is going to send out any electronic messages or information from the computer. This is meant to curb malware and spyware makers.
Certain types of software are deemed to have express consent in circumstances where it is reasonable to believe the computer’s owner authorized installation. These include cookies, HTML code, Java scripts, an operating system or software that enables the installation of another program that has already received express consent for installation.
In addition, self-installed software like programs from a disc or downloaded from a website or mobile app store will be exempt as well unless the program is accompanied by additional software outside what the user should reasonably expect. For example, CASL would not apply if you download a game to your phone. However, if that game were installed along with malware not disclosed to the user, then CASL would apply since the software developer caused that additional program to be installed.
Other exemptions include installs from telecommunications companies that protects or upgrades their network and SaaS companies that are cloud-based and do not require any software installation by users.
While the CRTC, the agency charged with enforcing the new regulations, has provided some useful guidelines for software merchants, there are still some areas that remain unclear. There is some ambiguity surrounding the details when obtaining consent like whether it can be given with a pre-checked box and what exactly meets the definitions of what installs are exempted.
Luckily, there is a grace period where implied consent is assumed for all install updates on programs that are originally installed before January 15th, 2015. This means that businesses will be able to continue installing updates for up to three years without express consent from their current customers, unless the user gives notice they no longer want the software.
However, all organizations who currently make software available to consumers will need to ensure they are compliant with the CASL revisions come January. The new regulations call for penalties of up to $10 million for corporations and $1 million for individuals in addition to being liable for possible statutory damages of up to $1 million a day for non-compliance. Compounded to this, consumers and businesses will also be allowed to start civil proceedings themselves in 2017 to recover claimed damages.
For more information on CASL’s requirements, check out the Government of Canada’s website