Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs
The information on this page has been prepared by Commission staff to provide general information only and is not intended to be exhaustive. Further, the content on this page is not intended to serve as legal advice nor is it binding on the Commission itself. Each person’s individual circumstances are unique and those seeking legal advice regarding compliance with CASL should retain independent counsel.
If your business installs software or computer programs on other people's computer systems, you must comply with new requirements as of January 15, 2015. The following guidelines provide an overview of these requirements, which stem from section 8 of CASL, as well as practical examples.
CASL prohibits the installation of a computer program (software) to another person's computing device (e.g., laptop, smartphone, desktop, gaming console or other connected device) in the course of commercial activity without the express consent of the device owner or an authorized user (e.g., other family member or employee).
For example, under CASL, it is prohibited for a website to automatically install software on a visitor's computer without getting consent, or for software to be updated without first obtaining consent.
Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation of a computer program. However, in some circumstances, you are considered to already have consent without having to request it. Depending on what your program does, you may need to meet additional requirements. These circumstances and requirements will be explained throughout these guidelines.
CASL does not apply to programs or apps owners or authorized users download themselves to install on their own computer or device, or updates they install for those programs.
1. Does CASL apply to your situation?
The following questions should help you determine whether CASL applies to your situation as well as provide clarification for certain questions you may have regarding the requirements.
When does CASL apply to the installation of computer programs?
First off, don't panic. CASL does not apply to owners or authorized users installing software on their own computer systems (e.g., personal devices such as computers, mobile devices or tablets).
CASL only applies when you install or cause the installation of software on another person's device in the course of commercial activity.
If CASL applies, then you must have consent to install the software. More information about consent is provided later in these guidelines.
Not sure what "cause the installation of software" means? Let us clarify.
CASL applies to software or computer programs that are both installed and caused to be installed on any other person's computer system, without consent.
The following are examples of computer programs which are 'caused to be installed':
Example 1:
Sometimes, malicious software (malware) is installed along with other software. For example, a free Tic Tac Toe app may include concealed malware that is not disclosed to the user. In this situation, the user would be installing the Tic Tac Toe app, so CASL would not apply. However, CASL would apply to the installation of the malware since the software developer would be causing it to be installed.
Example 2:
A consumer purchases a music CD and inserts it in their computer to listen to music or copy songs. However, the CD includes concealed software that is automatically executed when the CD is inserted into the computer. In that case, the distributor or developer would have caused the software to be installed.
What about when people install software on their own computer or device? Is self-installed software covered under the law?
No, self-installed software is not covered under CASL.
For example, the owner of a mobile device goes to an app store to purchase and download an app. As the owner is installing the app on their own personal device, CASL does not apply.
Other examples include the following, if the programs are installed on your own device:
- You buy software on a CD and install it on your computer.
- You download software from a website and install it on your device.
- A small business installs software on business devices used by its employees.
- A previously installed app offers an update, and the individual installs the update. (However, if the app installs the update in the background, without prompting or informing the user, then CASL would apply. More information about updates and upgrades is available in part 5 of this guidance.
However, if the computer program to be installed performs functions that would normally not be expected by the user, then you must disclose additional information and seek the necessary consent from the user. For more information on consent and disclosure requirements, please see "Are there any other consent requirements?".
Does CASL apply to offline installations (e.g. a CD/DVD that is purchased at a store)?
No, CASL does not apply to offline installations in which a person installs a computer program on their own computer system.
2. When are you considered to already have consent?
Based on the questions above, if you've determined that CASL applies to your software installations, the requirement is that you need consent for the installation. That consent must come from the owner or an authorized user of the device.
However, for some types of software listed below, CASL says you are considered to have consent without asking for it.
Do I need consent to install certain types of programs like cookies or operating systems?
Yes, if CASL applies, then you need express consent to install computer programs. However, for certain types of programs, you are considered to already have express consent without requesting it. If your program is included in the following list, you do not need to request consent prior to the installation:
- Cookies
- HTML
- Javascript
- An operating system
- Any other program that is executable through another program that was already consented to
- If you are a telecommunications service provider (as defined in CASL; see below for an explanation) and you are installing software to:
- protect the security of all or part of your network from a current and identifiable threat; or
- update or upgrade all or part of your network
- Software installed solely to correct a failure in a computer system (e.g., bug fixes)
Note that you are only considered to have consent for these types of computer programs as long as the person's conduct indicates that they consent to it. For example, if the person disables Javascript in their browser, you would not be considered to have consent under CASL since their conduct would not indicate that they consent to that type of program. Similarly, if the person disables cookies in their browser, you would not be considered to have consent to install cookies.
For more detailed information see section 10(8) of CASL and section 6 of the Governor-in-Council regulations.
Are you unfamiliar with some of the above terms? Here are a few definitions:
- What's a cookie?
-
Cookies are non executable computer programs that cannot carry viruses and install malware. As described above, under CASL, a person is considered to consent to the installation of a cookie if the person's conduct is such that it is reasonable to believe that they consent.
- What's an operating system?
-
Computer systems are composed of physical components (hardware) and computer programs (software). Operating systems are a type of computer program that have special access to the hardware of a computer system, and act as a platform to allow other computer programs to make use of the hardware.
Examples of operating systems include Microsoft Windows, Mac OS/iOS, Linux, Android, Unix and Blackberry OS, among others. They also include operating systems in your car (e.g., that control braking systems).
- What's a telecommunications service provider (TSP) under CASL?
-
Although 'TSP' may be defined differently in other laws, in CASL a 'TSP' means any business or person who, independently or as part of a group or association, provides telecommunications services. Unlike other definitions, such as that in the Telecommunications Act, CASL doesn't require the TSP to own or lease the equipment or software used to provide the service.
For example, automobile manufacturers are TSPs for the purposes of CASL when their vehicles include wireless telecommunications functionality.
In addition, the Act only regulates the installation of software in the course of a commercial activity, the definition of which excludes public safety, among other purposes
- What does it mean to "correct a failure"?
-
'Correcting a failure' includes taking steps to ensure the safe and proper functioning of the computer programs and the systems they operate. This includes, for example, both reactive and proactive steps, so long as they are consistent with consumer expectations.
As an example, to 'correct a failure' may include a patch designed to fix a security vulnerability or a software error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result or to behave in unintended ways.
3. How can consent be obtained?
The following section will provide you with guidance on how to obtain express consent to install a computer program.
How do I seek express consent to install software or computer programs under CASL?
In order to install software or computer programs on another person's computer or device, consent is required. If you are not considered by CASL to already have consent without needing to ask for it (see part 2 above for more information), you must request it before installing the software. When seeking consent for the installation you must clearly and simply set out:
- The reason you are seeking consent;
- Who is seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person's name);
- If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
- The mailing address and one other piece of contact information (i.e., telephone number, email address, or Web address);
- A statement indicating that the person whose consent is sought can withdraw their consent; and
- A description in general terms of the functions and purpose of the computer program to be installed. (See additional considerations below).
Note that the person who has obtained consent has the responsibility to prove consent. This means that a person who seeks consent should keep a record of it.
Note also that if a person withdraws their consent, you can no longer rely on that consent for future updates or upgrades that are installed in the background. More information about updates and upgrades is provided in part 5 of this guidance.
Who do I seek consent from?
Consent must be obtained from the owner or authorized user of the computer system or device.
What constitutes the 'owner or authorized user'?
For the purposes of CASL, an owner or authorized user includes anyone that has permission to use a particular device or computer system. For example,
- In the context of an employment relationship, the employer would be the owner and the employee would be the authorized user.
- If an individual owns a computer but provides it to their child, spouse, or other relative for their sole use, the child, spouse or other relative is the authorized user of the computer.
- If someone leases a device, the lessor will retain ownership of the device for the purposes of CASL and the lessee is the authorized user.
- If a device is sent out for repair, the person conducting the repair would be considered an authorized user under CASL, but only to the extent that they perform the agreed-upon repairs to the device.
4. Are there any other consent requirements?
The above guidance covers the general consent requirements under CASL to install software on another person's computer system or device. Some program functions, however, require the disclosure of additional information when seeking consent. These functions are outlined in the following questions.
What functions require you to disclose additional information when seeking consent?
If the computer program performs one or more of the following functions that would normally not be expected by the user, then you must disclose additional information when seeking consent, as outlined below:Footnote 1
-
Collects personal information;
Example: An application or software program that has been installed collects user credentials, such as usernames and passwords.
-
Interferes with the user's control of the device;
Example: A program is installed on a user’s home computer and it prevents the user from being able to start their computer.
-
Changes or interferes with the user's settings, preferences or commands without their knowledge;
Example: The program turns on the location tracking services without the user’s knowledge.
-
Changes or interferes with the data stored on the device in a way that obstructs, interrupts or interferes with the user's access to the data;
Example: The program blocks the user’s access to documents stored on the user’s device.
-
Causes the computer system to communicate with another computer system or device without the user's authorization;
Example: The program causes the computer system to send spam emails to the user’s friends and family without the user’s authorization.
-
Installs a program that may be activated by a third party without the user's knowledge:
Example: An extension to a user’s internet browser is installed that may be activated by a third party to allow it to collect, store, and use personal information of the user without the user’s knowledge.
See section 10(5) of CASL for more detailed information.
What are the additional disclosure requirements?
Whenever you are seeking express consent, you must meet the consent requirements described in these guidelines. In addition, there are disclosure requirements when installing software that performs any of the functions listed above. In particular, the installer must clearly and prominently, and separate and apart from the licence agreement:
- Describe to the user what the program does in relation to those functions and why it does it.
- Describe to the user the impact of those functions on the operation of the computer system.
All of the above must be done prior to the installation of the computer program. See section 10(4) of CASL and section 5 of the Electronic Commerce Protection Regulations (CRTC) for more details.
Suppose you develop a gaming app for a smartphone or tablet that includes functionality to collect information from the GPS, camera and microphone that would not normally be expected by the user. You would be required to disclose the unexpected functionality as described above and you would need consent to install the app on another person's computer. When seeking consent, you would have to, among other things, describe to the user why the game collects that information and what it does with it as well as the impact of those functions on the operation of the computer system. This description would need to be provided in a clear fashion, separate and apart from the terms and conditions or end-user licensing agreement.
For greater clarity, although CASL does not generally apply to situations where a person installs a particular computer program themselves, there could be elements in relation to that computer program that are not reasonably expected by the owner or authorized user. This would be covered by CASL and its requirements regarding installing computer programs would apply. For further clarification, see "Does CASL apply to your situation?".
If your program's functions require the disclosure of additional information when seeking consent, then you also need to provide assistance with uninstalling the computer programs or software.
When do I need to provide assistance with uninstalling computer programs or software?
Only in very specific circumstances would you be required under CASL to assist somebody to remove or disable software from their computer or device.
The circumstance arises when the software performs one of the functions listed in section 10(5) of CASL (e.g., collects personal information), and the owner or authorized user believes that the function or impact of the software was inaccurately described to them.
In that instance, the owner or authorized user can request, within a one-year period of the software's installation, that you assist in disabling or removing the software. This must be done as soon as feasible and at no cost to the user. In addition, for a period of one year after installation, you must provide the person who consented to the installation with an electronic address where they can send the request to remove or disable the program.
Beyond that, you are not generally required to help users remove software from their computers.
See section 11(5) of CASL for more details.
5. Are updates and upgrades covered by CASL?
What is an update or upgrade?
An update or upgrade is generally a replacement of software with a newer or better version, in order to bring the system up to date or to improve its characteristics. Usually the update or upgrade will have new features. Common software updates or upgrades include changing the version of an operating system, an office suite, an anti-virus program, or various other tools.
An update or upgrade makes changes to or replaces previously installed software. Retrieving current information and displaying it within a program is not considered to be updating the program within the context of CASL. For example, updating or refreshing information displayed in a program, such as refreshing the weather forecast in a weather app, or refreshing television listings in an electronic programming guide are not updates or upgrades for the purposes of CASL.
Do I need consent for upgrades or updates and, if so, how do I get it?
Yes, you need consent to install updates or upgrades. There are several options to obtain consent:
- When you get the initial consent to install the original computer program, you can also seek consent for all future updates and upgrades.
- Consent can be assumed for updates and upgrades to the specified computer programs discussed above (listed in section 10(8) of CASL, e.g., cookies and operating systems)
- If the program was self-installed by the device owner or authorized user and you didn't get consent for updates or upgrades at the time of original installation, you will need to seek consent to install any updates or upgrades. You can do this in the same way that you would generally seek consent to install software.
- You can update or upgrade computer programs until January 15, 2018 if the program was installed on the device or computer system prior to January 15, 2015. (See more details later in this guidance.)
For example, if a person installs an app from an app store on their own device, CASL would not apply. As a result, their consent for future updates may not have been requested by the app developer. If the software developer wishes to install an update to the app at a later date, they must obtain the person's consent to do so. Alternatively, when the user self-installs the app, the developer can use that opportunity to request consent to automatically install future updates.
What about software that was installed before January 15, 2015?
Under CASL, if a computer program was installed on a person's computer system before January 15, 2015, the person's consent to the installation of an upgrade or update is implied until January 15, 2018, unless the person notifies you that they no longer consent to the installation of future updates or upgrades.
If you obtained valid express consent prior to January 15, 2015, you will be able to rely on that express consent for the purpose of section 8 of the Act. It is important to note that the onus of proving consent rests with the person installing the computer program.
- Date modified: