1. McCarthy Tétrault LLP / mccarthy.ca / 13300658
OBA: Countdown to Canada’s
Anti-Spam Legislation: Make
Sure You are Ready
Barry B. Sookman
McCarthy Tétrault LLP
bsookman@mccarthy.ca
416-601-7949
April 7, 2014
2. SCOPE OF CASL
• Anti-SPAM
• Anti-spyware/malware
• Amendments to PIPEDA prohibiting address
harvesting and personal information harvesting
• Amendments to the Competition Act prohibiting
false or misleading representations in electronic
messages, sender information in electronic
messages, subject matter information in
electronic messages, locators
3. CASL HISTORY
• Received royal assent on December 15, 2010.
• Original draft regulations were published in the summer of 2011 by the CRTC
and Industry Canada. The Canadian business community raised serious
objections to their strict requirements.
• The CRTC enacted revised regulations which were finalized on March 28,
2012.
• CRTC issues 2 sets of Guidelines - October, 2012
• Revised draft regulations from Industry Canada on January 5, 2013. The
Canadian business community, non-profit community, colleges, universities
and others all raised serious concerns.
• Industry Canada released finalized regulations on December 4, 2013.
• CRTC issued FAQ - December 2013
• Messaging Provisions coming into force - July 2014. Computer Programs
provisions coming into force - January 2015. Private Right of Action coming
into force - July 2017.
4. WHAT YOU NEED TO CONSIDER IN
DEVELOPING A COMPLIANCE PROGRAM
• CASL
• CRTC Regulations
• Industry Canada regulations
• Regulatory Impact Analysis Statement
• CRTC Guidelines on the interpretation of the Electronic
Commerce Protection Regulations (Oct. 10, 2012)
• CRTC Guidelines on the use of toggling as a means of
obtaining express consent under Canada’s anti-spam
legislation (Oct. 10, 2012)
• CRTC FAQ Canada’s Anti-Spam Legislation (December 18,
2013)
5. Is there a need to be
concerned about CASL?
6. VERY HIGH LIABILITY
¬ Administrative monetary penalties (AMPS) with caps up to $10 million for an
organization. (s.20(4))
¬ Private rights of action by anyone affected by a prohibited act (s.47(1)) with
liability that consists of:
¬ compensation for loss, damages and expenses; and
¬ extensive awards that are capped at:
¬ $1 million per day for breach of SPAM, malware, spyware, message
routing, address and personal information harvesting, and Competition
Act provisions;
¬ $1 million for each act of aiding, inducing, or procuring a breach of the
SPAM, malware and spyware, and message routing provisions, plus
liability up to $1 million per day for breach of SPAM, malware, spyware,
and message routing provisions.
¬ Risk of class actions.
¬ Will be in force January 1, 2017. Are prior claims covered?
7. EXTENSIVE ACCESSORIAL AND
VICARIOUS LIABILITY
¬ Liability extends to any person who aids, induces or procures a
prohibited act. (s.9)
¬ Senders of CEMs are liable for acts of their employees within the
scope of their authority. (s.32, s.53)
¬ Liability extends to officers, directors, and agents if they directed,
authorized, assented to, acquiesced, or participated in the
prohibited act. (s.31, s.52)
¬ Risk implications: too easy to pierce corporate veil; requirements
for insurance?
¬ Does the risk make sense?
8. TERRITORIAL REACH
• The anti-spam provisions apply to any message where a computer
system located “in Canada is used to send or access the electronic
message”. (s.12(1))
• Anti-spam exception (IC Regs 3(f)): “if the person who sends the
message or causes or permits it to be sent reasonably believes the
message will be accessed in a foreign state that is listed in the
schedule and the message conforms to the law of the foreign state
that addresses conduct that is substantially similar to conduct
prohibited under section 6 of the Act”;
• The computer program provisions apply “if the computer system is
located in Canada at the relevant time or if the person either is in
Canada at the relevant time or is acting under the direction of a
person who is in Canada at the time when they give the directions”.
(s.8(2)).
12. THE PROHIBITION
8. (1) A person must not, in the course of a commercial activity, install or
cause to be installed a computer program on any other person’s
computer system or, having so installed or caused to be installed a
computer program, cause an electronic message to be sent from
that computer system, unless:
(a) the person has obtained the express consent of the owner or an
authorized user of the computer system and complies with [the
disclosure requirements of] subsection 11(5); or
(b) the person is acting in accordance with a court order.
Problems:
Implied consents cannot be relied upon. Only express consents are
valid, assuming compliance with the disclosure requirements.
Written agreements or click-wraps will comply, assuming the consent is
not bundled in the agreement. Web wrap agreements will likely not
comply.
13. WHAT PROGRAMS DOES CASL APPLY TO?
• Applies to “computer programs” (defined in subsection 342.1(2) of
the Criminal Code) as meaning “data representing instructions or
statements that, when executed in a computer system, causes the
computer system to perform a function”. Includes apps and updates.
• Note: Computer programs are not limited to malware or spyware.
• Installed on another person’s “computer system” (defined in
subsection 342.1(2) of the Criminal Code) as meaning “a device that,
or a group of interconnected or related devices one or more of which,
(a) contains computer programs or other data, and (b) pursuant to
computer programs, (i) performs logic and control, and (ii) may
perform any other function”.
• Note: Computer systems could include: servers, PCs, smartphones,
tablets, ebook readers, the “Cloud”, websites and web services,
industrial machines, appliances, autos, and other consumer products.
14. WHAT PROGRAMS DOES CASL APPLY TO?
• RIAS: “the requirements under CASL for the installation of computer
programs only apply to the installation of computer programs on
another person’s computer system. CASL will not apply to installations
carried out by persons on their own computing devices.”
¬ A consumer buys a program on a physical media and installs the
program on a home computer?
¬ A manufacturer pre-installs a program on a computer, machine,
device or appliance and directly, or through a channel, sells the
product to consumers?
¬ A retailer offers computer services such as to install software or to
repair or configure computers or installs updates? While new
hardware or software is installed by the service provider, the
program may automatically go to a web site to look for and
download an upgrade?
¬ A person goes to a website to download a program?
15. WHAT PROGRAMS DOES CASL APPLY TO?
A person is considered to expressly consent to the installation of a computer program if:
a) the program is:
i. a cookie,
ii. HTML code,
iii. Java Scripts,
iv. an operating system,
v. any other program that is executable only through the use of another
computer program whose installation or use the person has previously
expressly consented to, or
vi. any other program specified in the regulations; and
b) the person’s conduct is such that it is reasonable to believe that they consent
to the program’s installation. (s.10(8))
NOTE: there is no express waiver of the disclosure requirement, but disclosure is
only required where express requests are being sought.
16. WHAT PROGRAMS DOES CASL APPLY TO?
RIAS:
¬ “In addition, the software on some computer
dedicated systems in automobiles may be
“operating systems”, such as computers that
operate specific functions like braking. There
is deemed consent to update that as
operating systems under the Act.”
17. GETTING EXPRESS CONSENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
Obtaining consent: A person who seeks express
consent must, when requesting consent, set out clearly
and simply the following information:
(a) the purpose or purposes for which the consent is
being sought;
(b) prescribed information that identifies the person
seeking consent and, if the person is seeking consent
on behalf of another person, prescribed information
that identifies that other person; and
(c) any other prescribed information. (s.10(1))
18. DISCLOSURE REQUIREMENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
Two levels of disclosure required when obtaining
consent.
1. Minimum Disclosure: A person who seeks
express consent must, when requesting consent,
in addition to setting out any other prescribed
information, clearly and simply describe, in
general terms, the function and purpose of the
computer program that is to be installed if the
consent is given. (s.10(3))
19. DISCLOSURE REQUIREMENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
2. Enhanced Disclosure: If the computer program meets
one of the specified “malware” or “spyware” criteria in
s.10(5), “the person who seeks express consent must,
when requesting consent, clearly and prominently, and
separately and apart from the licence agreement, (a)
describe the program’s material elements that perform the
function or functions, including the nature and purpose of
those elements and their reasonably foreseeable impact on
the operation of the computer system; and (b) bring those
elements to the attention of the person from whom consent
is being sought in the prescribed manner”.
20. DISCLOSURE REQUIREMENTS TO COMPLY WITH
“MALWARE” AND “SPYWARE” PROVISIONS
¬ Enhanced Disclosure: The enhanced disclosure standard applies where
¬ the program performs functions that the person knows and intends will
cause the computer system to operate in a manner that is contrary to the
reasonable expectations of the owner or authorized user of the computer
¬ collects personal information;
¬ interferes with control of the computer;
¬ changes or interferes with settings, preferences or commands;
¬ obstructs, interrupts, or interferes with access to data;
¬ causes the computer to communicate with another computer without
authorization;
¬ installing a computer program that can be activated by a third party;
¬ installing a bot, or something set out in the regulations;
¬ but not merely transmission data. (s.10(5) & (6)).
21. MEANING OF “SOUGHT SEPARATELY”
CRTC Guidelines:
a. What does “sought separately” mean?
14. The Commission considers that in order to meet the requirement of
seeking consent separately, the person seeking consent must identify and
obtain specific and separate consent for each act contemplated by the
sections of the Act described in paragraph 13 above. Accordingly, consent
for each act above must be sought separately from any other act captured by
sections 6 to 8 of the Act. The Commission also considers that the activities
captured by each of the above acts are distinct, as are the consequences.
15. For example, the Commission considers that persons must be able to
grant their consent for the installation of a computer program while refusing
to grant their consent for receiving CEMs. However, the Commission does
not consider it necessary for consent to be sought separately for each
instance of the acts listed in paragraph 13 above, as long as the consent
request is in accordance with subsections 10(1), 10(2), 10(3), and 10(4) of
the Act, where applicable.
22. REQUESTS FOR CONSENT
CRTC Guidelines
¬ 6. The Commission considers that requests for consent
contemplated above must not be subsumed in, or bundled
with, requests for consent to the general terms and
conditions of use or sale. The underlying objective is that
the specific requests for consent in question must be
clearly identified to the persons from whom the consent is
being sought. For example, persons must be able to grant
their consent to the terms and conditions of use or sale
while, for instance, refusing to grant their consent for
receiving CEMs.
23. ENHANCED DISCLOSURE IN REGULATIONS
CRTC Regulations, s.5 (unchanged):
5. A computer program’s material elements that perform
one or more of the functions listed in subsection 10(5) of the
Act must be brought to the attention of the person from
whom consent is being sought separately from any other
information provided in a request for consent and the
person seeking consent must obtain an acknowledgement
in writing from the person from whom consent is being
sought that they understand and agree that the program
performs the specified functions.
24. EXCEPTIONS FOR SOFTWARE UPDATES,
UPGRADES AND PATCHES
The formalities for obtaining express consent (ss.10(1) and (3)) are not
required for the installation of an update or upgrade so long as the
installation or use of the computer program being updated was
expressly consented to and the person who gave the consent is entitled
to, and does receive the update under the terms of the express
consent. (s.10(7))
Problem:
¬ There is no express exception that permits installation of an
update or upgrade without consent.
¬ The original consent to install a program must include a consent
to install updates or upgrades or they cannot be installed without
requesting and obtaining a new consent.
25. GETTING EXPRESS CONSENTS TO
INSTALL UPDATES AND UPGRADES
RIAS:
¬ “For updates and upgrades to computer programs installed
after CASL comes into force, the Act allows companies to
get the consent of the owner or authorized user for future
updates or upgrades to the computer program at the same
time they obtain consent for the original installation, or
when the user is downloading. That is, when a computer
program is installed, consent must in general be requested
in accordance with the Act, but there are no requirements
for the form of a request for consent to install updates and
upgrades, whether that consent is requested in advance or
when the update or upgrade is installed.”
26. GETTING EXPRESS CONSENTS TO
INSTALL PROGRAMS
CRTC Reg s.4. For the purposes of subsections 10(1) and (3) of the Act, a request for consent may
be obtained orally or in writing and must be sought separately for each act described in sections
6 to 8 of the Act and must include
(a) the name by which the person seeking consent carries on business, if different from their
name, if not, the name of the person seeking consent;
(b) if the consent is sought on behalf of another person, the name by which the person on
whose behalf consent is sought carries on business, if different from their name, if not,
the name of the person on whose behalf consent is sought;
(c) if consent is sought on behalf of another person, a statement indicating which person is
seeking consent and which person on whose behalf consent is sought; and
(d) the mailing address, and either a telephone number providing access to an agent or a
voice messaging system, an email address or a web address of the person seeking
consent or, if different, the person on whose behalf consent is sought; and
(e) a statement indicating that the person whose consent is sought can withdraw their
consent.
Problems: Each consent must be separate; how can consent be withdrawn for a program that is
already installed?
27. WITHDRAWAL OF CONSENT FOR “SPYWARE”
FUNCTIONALITY
Withdrawal of consent: If the computer program installed
meets one of the specified “malware” or “spyware” criteria in
s.10(5), the person who installs the program with consent must
for 1 year provide an electronic address to which a request can
be sent to remove or disable the computer program if the
requestor believes that the function, purpose or impact of the
computer program installed under the consent was not
accurately described when consent was requested; and if the
consent was based on an inaccurate description of the material
elements of the enumerated function or functions, must, without
cost to the person who gave consent, assist that person in
removing or disabling the computer program as soon as feasible.
(s.11(5))
28. NEW EXCEPTIONS – (IC REGS S.6)
• (a) network security
• (b) updates and upgrades to a network
• (c) correcting computer program failures.
NOTE: exemptions are subject to the condition that “the person’s conduct is
such that it is reasonable to believe that they consent to the program’s
installation”. (s.10(8))
RIAS:
¬ “Note that the Act only applies to computer programs installed in the
course of commercial activity, a defined term that excludes public
safety and other purposes, so issues of public safety. However, for
software issues that are not matters of public safety, the Regulations
provide for deemed consent for the installation of computer programs
that are necessary to correct a failure in the operation of a computer
system or program that is already installed.”
29. NEW EXCEPTION – NETWORK SECURITY
(IC REGS S.6)
(a) a program that is installed by or on behalf of a telecommunications service provider solely to
protect the security of all or part of its network from a current and identifiable threat to the
availability, reliability, efficiency or optimal use of its network;
¬ RIAS:
¬ “Note that CASL provides a broad definition of a Telecommunications Service Provider
(TSP), which includes any persons who together or independently provides a
telecommunications service. These services include features of services delivered by
means of telecommunications facilities including network routers and servers,
regardless whether the provider owns, leases or has any interest in or right to the
equipment and software used to provide the telecommunications service….
¬ The Regulations provide deemed consent for any companies or individuals who
together or independently provide a telecommunications service, defined in the Act as
a Telecommunications Service Provider (TSP), to install a computer program for the
limited purposes of protecting the security of all or part of its network from a current
and identifiable threat to its availability, reliability, efficiency, or optimal use…
¬ It should also be noted, that auto manufacturers may be TSPs for the purposes of
CASL when they run computing networks such as GM’s OnStar or Ford’s Sync…”
30. NEW EXCEPTION – UPDATE A NETWORK
(IC REGS S.6)
• (b) a program that is installed, for the purpose of updating or upgrading
the network, by or on behalf of the telecommunications service
provider who owns or operates the network on the computer systems
that constitute all or part of the network;
• Will the definition of TSP be broad enough to include all networks
such as those operated by vehicle manufacturers, appliance
manufacturers and others who provide products and services to
consumers?
• Where is the end node of the network such as the network of a
vehicle manufacturer?
• How will TSPs be able to conclude that all users of its network are
consenting to the installation of the program?
31. NEW EXCEPTION – CORRECTING
PROGRAM FAILURES (IC REGS S.6)
¬ (c) a program that is necessary to correct a failure in the
operation of the computer system or a program installed on it
and is installed solely for that purpose.
¬ RIAS:
¬ “Some stakeholders argued that they should not be required to
get consent every time they install an update or upgrade. CASL
provides a three year transitional period to continue updates and
upgrades to existing computer programs, after which they will be
required to get express consent to continue updates in the
future, if they don’t fall under one of the exemptions.”
32. TRANSITIONAL PROVISIONS
¬ S67. “If a computer program was installed on a person’s computer
system before section 8 comes into force, the person’s consent to the
installation of an update or upgrade to the program is implied until the
person gives notification that they no longer consent to receiving such an
installation or until three years after the day on which section 8 comes
into force, whichever is earlier.”
¬ RIAS:
¬ “Auto manufacturers were also concerned that the three year
transitional period in section 67 would limit their ability to continue to
install updates or upgrades to computer programs on automobiles.
To address this concern, these Regulations specify that express
consent of an individual is deemed for updates and upgrades to
computer programs that are installed across all or part of the auto
manufacturer’s network, and the installation of computer programs to
correct failures in the operation of the computer system or an existing
program.”