Bennett Jones
The communications provisions of Canada's Anti-Spam Legislation (CASL) came into force on July 1, 2014. Generally speaking, CASL prohibits a person from sending a "commercial electronic message" without the consent of the recipient.
On January 15, 2015, further prohibitions relating to the installation of computer programs will come into force. Considerable uncertainty remains with respect to the application of these provisions. We expect that CASL will impose significant compliance hurdles for traditional software providers due to its regulation of programs "installed" on a computer system. Because it does not appear to regulate software-as-a-service to the same extent, CASL may favour cloud-computing products and catalyze the expanded adoption of cloud computing in Canada.
Broadly, the new prohibitions in CASL require that a number of specialized formalities be followed in obtaining consent for the installation of computer software, updates to software (including automatic updates), or other computer code on another's computer system. A computer program that performs certain functions will attract additional scrutiny and more onerous disclosure requirements. These functions include, among other things, the collection of personal information, interfering with the control of the computer system and using the system to communicate with other systems without authorization. Under CASL, such software may only be installed on another's computer system with separate express notice and specific consent to such functionality.
Once these restrictions come into force, distribution of traditional enterprise and consumer software products will attract consent requirements at most stages of rollout and maintenance. Prudent IT departments, software developers, licensors, vendors (including app stores), and applicable service providers should review their compliance obligations and procedures in respect of these CASL requirements.
The scope of CASL is broad “ it captures virtually any computer program or executable code with "instructions or statements that, when executed in a computer system, causes the computer system to perform a function". Downloading, installation, and updating (however minor) of computer programs will require consent.
Without an exemption, all web pages, online resources and executable files would appear to require consent before such code is transmitted to a user's computer “ for example, to the extent that HTML code causes a computer system to perform a function, it would require the pre-emptive consent of the user. To obviate these practical issues, CASL deems users, in the absence of reasonable evidence to the contrary, to consent to the following elements:
- cookies;
- HTML code;
- Javascript;
- operating systems;
- any other program that is executable only through the use of another computer program whose installation or use has previously been consented to; and
- any program that is necessary to correct a failure in the operation of a computer system or program.
By contrast, depending on their structure and implementation, cloud products that do not involve installation of computer programs on another's computer system may not trigger substantive portions of the incoming prohibitions under CASL. Rather the cloud-based products are typically operated on the vendor's (or other) server and provide services to the end user. While distribution of traditional computer programs will require consent and ongoing regulatory compliance, customers of many cloud-based services may not need to consent to the use or update of such software.
Developers and users of cloud-based programs may therefore be spared the onerous compliance effort of more traditional software delivery, and as a result, be in a position to save time and money beginning in January 15, 2015.
In the longer-term, we expect CASL to create a regulatory environment supportive of further adoption and migration to cloud-computing solutions. Legitimate software, managed and delivering services from remote servers, may gain a competitive edge in regulatory compliance costs and speed of delivery and updates.
This is expected to accelerate existing developments as the economic advantages of cloud-based delivery encourage many functions and even entire products to migrate to the cloud. Although the incoming computer program provisions of CASL are likely to be burdensome for some computer industry participants, Canadian cloud-based service providers and users may be in a better position to avoid the ambiguity and complexity of the new regulatory regime.