January 15, 2015 saw the second piece of Canada’s Anti-Spam legislation come into force. What has been happening since January 15, 2015? As you may be aware, the corporate software sections of the Act are designed to prevent the installation of unauthorized malware and spyware programs in computers; nonetheless, they affect all types of software applications to varying degrees. The Act provides that employers will be held liable for the actions of their employees that contravene the prohibitions contained in the legislation.
The effect of the legislation is extensive, to say the least. You may be aware that section 8 of CASL requires that “express consent” be obtained before any third party can install a computer program on another party’s computer system in the course of commercial activity. Section 8 requires compliance by any party who provides computer maintenance and repair work that results in the installation of software on another party’s computer. Another prohibition is that a web site cannot automatically install software on the computer of a visitor to the site, nor can the visitor’s software be uploaded without the express consent of the visitor, whether the computer is owned or leased. The Act also sets requirements for the consent itself; namely,
- Obtaining and maintaining details of who provided consent, and when and where it was provided;
- The reason consent was being requested;
- The contact information for the party who gives consent, including their mailing address, phone number, and email address;
- Providing a written statement to the consenting party informing them of their right to withdraw their consent; and,
- A description explaining the function and purpose of the computer program which is to be installed on the consenting party’s computer.
An additional aspect of the legislation is that the law applies to organizations located outside of Canada which offer software downloads onto computers. Many people have wondered what level of enforcement would be applied by the CRTC. In March 2015, the CRTC imposed a fine of $1.1 million on Compu-Finder, a Quebec-based management trading company which had committed four violations in sending emails without obtaining the required consent and without a functioning unsubscribe feature. Another fine of $48,000.00 was imposed on PlentyOfFish Media Inc., an online dating company, for violating the unsubscribe requirement of the Act. In addition to the fines, the settlement involved an undertaking from the offending party to the CRTC because of the failure to provide a clear, readily visible, easily understandable, and uncomplicated workable unsubscribe feature.
Based on these few cases, it appears that the CRTC fully intends to enforce the legislation and assess very significant monetary penalties on violators who do not comply – even if the non-compliance violation is of a non-technical matter. It also would appear that enforcement will be applied to all sizes of businesses and not restricted to only large corporations.
It is extremely important that any party making software available commercially describe, in sufficient detail, the function and purpose of the software, so that the user clearly understands what they are consenting to by agreeing to the installation of any software on their computer. In summary, the requirements imposed on the installer of computer programs are extensive. Therefore, if you are a supplier/installer of computer programs, be cautious, and ensure your organization complies.