1. McCarthy Tétrault Advance™
Building Capabilities for Growth
Canada’s Anti-spam Law (CASL):
Navigating the
Computer Program Provisions
April 30, 2014
McCarthy Tétrault LLP / mccarthy.ca #13392852
Daniel G. C. Glover, Partner
Direct Line: (416) 601-8069
E-Mail: dglover@mccarthy.ca
2. Question:
What countries have anti-
malware/spyware laws that
are similar to those in CASL?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 2
4. CASL = MORE THAN MALWARE/SPYWARE
• Applies to “computer programs” as
meaning “data representing instructions or
statements that, when executed in a
computer system, causes the computer
system to perform a function”.
• Broad definition
• Includes apps and updates
McCarthy Tétrault LLP / mccarthy.ca / #13392852 4
5. CASL = MORE THAN MALWARE/SPYWARE
• Applies to installation of programs on another
person’s “computer system” = “a device that, or a
group of interconnected or related devices one or
more of which, (a) contains computer programs or
other data, and (b) pursuant to computer programs,
(i) performs logic and control, and (ii) may perform
any other function”.
• Could include servers, PCs, smartphones, tablets,
ebook readers, the “Cloud”, websites and web
services, industrial machines, appliances, smart
medical devices, autos, thermostats and other
consumer products.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 5
6. WHAT ACTS DOES CASL APPLY TO?
RIAS: CASL will only apply to the installation of computer
programs on another person’s computer system. CASL
will not apply to installations carried out by persons on
their own computing devices.
¬A consumer buys a program on disc and installs it on a
home computer?
¬ Fairly clear, but need express consent for
update/upgrade
¬A manufacturer pre-installs a program on a device and
sells the product to consumers?
¬ Need express consent for update/upgrade
¬ How to get express consents for smart devices?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 6
7. WHAT ACTS DOES CASL APPLY TO?
RIAS: CASL will only apply to the installation of computer
programs on another person’s computer system. CASL will
not apply to installations carried out by persons on their
own computing devices.
¬A retailer offers computer services such as to install software
or to repair or configure computers or installs updates?
¬ How is it possible to disclose?
¬A person goes to a website to download a program?
¬ Who is installing the program:
¬ the user?
¬ the site operator?
¬ both acting in concert?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 7
8. McCarthy Tétrault LLP / mccarthy.ca
CASL REACHES ACROSS BORDERS (s. 8(2))
Computer program provisions apply:
¬if the computer system is located in Canada at
the relevant time or
¬if the person either:
¬ is in Canada at the relevant time or
¬ is acting under the direction of a person who
is in Canada at the time when they give the
directions
Will foreign clients consider geo-blocking?
McCarthy Tétrault LLP / mccarthy.ca #13392852 8
9. THE PROHIBITIONS (s. 8(1))
A person must not, in the course of a commercial
activity, install or cause to be installed a computer
program on any other person’s computer system
or, having so installed or caused to be installed a
computer program, cause an electronic message
to be sent from that computer system, unless:
(a)the person has obtained the express consent of
the owner or an authorized user of the computer
system and complies with [the disclosure
requirements of] subsection 11(5); or
(b)the person is acting in accordance with a court
order. [Rare]
McCarthy Tétrault LLP / mccarthy.ca / #13392852 9
10. DEEMED “EXPRESS” CONSENT (s. 10(8))
A person is considered to expressly consent to the installation
of a computer program if:
a)the program is:
i. a cookie,
ii. HTML code,
iii. Java Scripts,
iv. an operating system,
v. any other program that is executable only through the use
of another computer program whose installation or use
the person has previously expressly consented to, or
vi. any other program specified in the regulations; and
b)the person’s conduct is such that it is reasonable to believe
that they consent to the program’s installation.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 10
11. DEEMED EXPRESS CONSENT QUESTIONS
¬ Is disclosure still required?
¬ What is a “cookie”?
RIAS: Insofar as cookies are not executable
computer programs, and they cannot carry viruses
and cannot install malware, and are simply lines of
text or data that are read from a web browser, they
are not computer programs for the purposes of CASL
¬ How can you measure the person’s “conduct”?
¬Does “conduct” = “reasonable expectations”?
¬How does one document proof of “conduct”?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 11
12. DEEMED CONSENT FOR SMART DEVICES?
RIAS: In addition, the software on some
computer dedicated systems in automobiles
may be “operating systems”, such as
computers that operate specific functions like
braking. There is deemed consent to update
that as operating systems under the Act.
¬Where is the dividing line between an O/S
and other functions?
¬What other kinds of devices could qualify?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 12
14. GETTING EXPRESS CONSENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
Obtaining consent: s. 10(1): A person who seeks
express consent must, when requesting consent, set
out clearly and simply the following information:
(a) the purpose or purposes for which the consent
is being sought;
(b) prescribed information that identifies the
person seeking consent and, if the person is
seeking consent on behalf of another person,
prescribed information that identifies that other
person; and
(c) any other prescribed information.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 14
15. MINIMUM DISCLOSURE (s. 10(3))
“Minimum disclosure” applies to computer
programs generally:
A person who seeks express consent, must
when requesting consent, also, in addition to
setting out any other prescribed information,
must clearly and simply describe, in
general terms the function and purpose
of the computer program that is to be
installed if the consent is given.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 15
16. CONSENT MUST BE “SOUGHT SEPARATELY”
14. … in order to meet the requirement of seeking
consent separately, the person seeking consent
must identify and obtain specific and separate
consent for each act contemplated by the sections
of the Act...
15. For example, … persons must be able to
grant their consent for the installation of a
computer program while refusing to grant their
consent for receiving CEMs. However, the
Commission does not consider it necessary for
consent to be sought separately for each instance
of the acts listed in paragraph 13 above...
McCarthy Tétrault LLP / mccarthy.ca / #13392852 16
17. REQUESTS CAN’T BE SUBSUMED OR
BUNDLED WITH TERMS & CONDITIONS
16. The Commission considers that requests for
consent contemplated above must not be
subsumed in, or bundled with, requests for
consent to the general terms and conditions of
use or sale. The underlying objective is that the
specific requests for consent in question must be
clearly identified to the persons from whom the
consent is being sought. For example, persons
must be able to grant their consent to the terms
and conditions of use or sale while, for
instance, refusing to grant their consent for
receiving CEMs.McCarthy Tétrault LLP / mccarthy.ca / #13392852 17
18. DIFFICULTIES OF CONSENT
¬ Implied consents cannot be relied upon. Only
express consents are valid, assuming
compliance with the disclosure requirements.
¬ The CRTC suggests that written agreements
or click-wraps will comply if the consent is not
bundled in the agreement. Enhanced consent
requires a specific acknowledgement from the
person consenting.
¬ Web wrap agreements will likely not comply.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 18
19. GETTING EXPRESS CONSENTS TO
INSTALL PROGRAMS
CRTC Reg s. 4. For the purposes of ss. 10(1) and (3)
of the Act, a request for consent may be obtained
orally or in writing and must be sought separately
for each act described in ss. 6 to 8 of the Act and
must include …
(e) a statement indicating that the person
whose consent is sought can withdraw their
consent.
Problem: How can consent be withdrawn for a
program that is already installed?
McCarthy Tétrault LLP / mccarthy.ca / #13392852 19
20. WHAT IS WRITTEN CONSENT?
24. … the term “in writing” includes both paper and
electronic forms of writing.
25. The Commission considers that the requirement
… is satisfied by information in electronic form if the
information can subsequently be verified.
26. Examples of acceptable means of obtaining
consent in writing include checking a box on a web
page to indicate consent where a record of the date,
time, purpose, and manner of that consent is stored
in a database; and filling out a consent form at a
point of purchase.
McCarthy Tétrault LLP / mccarthy.ca #13392852 20
21. If the computer program meets a “malware” or
“spyware” criterion, the person must “clearly and
prominently, and separately and apart from the
licence agreement,
(a)describe the program’s material elements that
perform the function or functions, including the
nature and purpose of those elements and their
reasonably foreseeable impact on the operation of
the computer system; and
(b)bring those elements to the attention of the person
from whom consent is being sought in the
prescribed manner”.
DISCLOSURE REQUIREMENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
McCarthy Tétrault LLP / mccarthy.ca / #13392852
21
21
ENHANCED DISCLOSURE (S. 10(4))
22. The enhanced disclosure standard applies
where the program performs functions that
the person knows and intends will cause
the computer system to operate in a manner
that is contrary to the reasonable
expectations of the owner or authorized
user of the computer…
¬Imports a subjective intent element (for
installer) and an objective standard (for user)
DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE”
AND “SPYWARE” PROVISIONS
McCarthy Tétrault LLP / mccarthy.ca / #13392852
22
22
ENHANCED DISCLOSURE TRIGGERS (s. 10(5))
23. ¬ collects personal information;
¬ interferes with control of the computer;
¬ changes or interferes with settings preferences or
commands;
¬ obstructs, interrupts, or interferes with access to data;
¬ causes the computer to communicate with another
computer without authorization;
¬ installs a program that can be activated by a third party;
¬ installs a bot; or
¬ performs any other function set out in the regs; [none yet]
but not if the function only collects, uses or communicates
transmission data or performs an operation set out in the
regs
DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE”
AND “SPYWARE” PROVISIONS
McCarthy Tétrault LLP / mccarthy.ca / #13392852
23
23
LISTED FUNCTIONS (s. 10(5)-(6))
25. EXCEPTIONS FOR SOFTWARE UPDATES,
UPGRADES AND PATCHES (s. 10(7))
Formalities for obtaining express consent (ss. 10(1) and (3)) not
required to install an update or upgrade so long as the
installation or use of the computer program being updated was
expressly consented to and the person who gave the consent
is entitled to, and does receive the update under the terms of
the express consent.
Problems:
¬No explicit exception that permits installation of an update or
upgrade without consent.
¬The original consent to install a program must include a
consent to install updates or upgrades or they cannot be
installed without requesting and obtaining a new consent.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 25
26. NEW EXEMPTIONS – IC REGS, s. 6
• network security
• updates and upgrades to a network
• correcting computer program failures.
Exemptions available only if “the person’s conduct
is such that it is reasonable to believe that they
consent to the program’s installation”. (s. 10(8)(b))
¬ To be dealt with by Michael Fekete and
Howard Fohr in the next presentation
McCarthy Tétrault LLP / mccarthy.ca / #13392852 26
27. THREE-YEAR TRANSITION
s. 67: If a computer program was installed on
a person’s computer system before section 8
comes into force, the person’s consent to the
installation of an update or upgrade to the
program is implied until the person gives
notification that they no longer consent to
receiving such an installation or until three
years after the day on which section 8
comes into force, whichever is earlier.
McCarthy Tétrault LLP / mccarthy.ca / #13392852 27
28. VANCOUVER
Suite 1300, 777 Dunsmuir Street
P.O. Box 10424, Pacific Centre
Vancouver BC V7Y 1K2
Tel: 604-643-7100
Fax: 604-643-7900
Toll-Free: 1-877-244-7711
CALGARY
Suite 4000, 421 7th Avenue SW
Calgary AB T2P 4K9
Tel: 403-260-3500
Fax: 403-260-3501
Toll-Free: 1-877-244-7711
TORONTO
Box 48, Suite 5300
Toronto Dominion Bank Tower
Toronto ON M5K 1E6
Tel: 416-362-1812
Fax: 416-868-0673
Toll-Free: 1-877-244-7711
MONTRÉAL
Suite 2500
1000 De La Gauchetière Street West
Montréal QC H3B 0A2
Tel: 514-397-4100
Fax: 514-875-6246
Toll-Free: 1-877-244-7711
QUÉBEC
Le Complexe St-Amable
1150, rue de Claire-Fontaine, 7e étage
Québec QC G1R 5G4
Tel: 418-521-3000
Fax: 418-521-3099
Toll-Free: 1-877-244-7711
UNITED KINGDOM & EUROPE
125 Old Broad Street, 26th Floor
London EC2N 1AR
UNITED KINGDOM
Tel: +44 (0)20 7489 5700
Fax: +44 (0)20 7489 5777
McCarthy Tétrault LLP / mccarthy.ca #13392852