& Software Installation
On July 1, 2014, the new Canadian Anti-Spam Legislation (CASL) will begin to be enforced (the first of three phases). Why should I care if I live outside Canada? What does it mean if I am a Canadian business? Should I care if I am an SMB, as this is only for spammers/the 'bad' guys?
Well, you will be very surprised at the answers to these questions. So let’s get started.
One of the first things that most experts agree on is that the 'new' Canadian legislation/regulations are among the strongest anywhere in the world concerning commercial messaging.
But I am getting ahead of myself. First, what exactly is CASL? In the best non-legal verbiage, CASL establishes the rules concerning commercial electronic messages (CEM). ALL CEM, with exceptions (see below for some examples), must have explicit consent (OPT-IN) before the CEM is sent. It also deals with the installation of software programs, just to make things more interesting. (This last part is something that should worry software development companies. In fact, I would hazard a guess that most software developers are not aware of this implication; more on this later.)
Now let’s try to address some of the not so obvious parts of this quagmire.
1) 'Well, this legislation deals with spamming, which we don't do'!!
Very wrong. It covers everyone: individuals, corporations, unincorporated businesses, not-for-profit organizations, and everyone else who sends messages for commercial purposes. And CEM is not only email, but also instant messages, Facebook, Instagram, Twitter and SMS, to name just a few. Oh, by the way, it could also apply to telephone calls.
2) I am not located in Canada, why should I care?
The answer may surprise you. Any CEM whose sender or RECEIVER 'lands' on a computer that is located in Canada is covered under the act. In the atmosphere of globalization, extraterritorial laws are becoming more and more prevalent. Examples abound in today's society. Just look at the EU Data Protection Directive. It has been argued that as long as the information (PII) concerns a citizen of an EU country, the EU privacy legislation will apply, even though the company in question has no presence within the European Union. In fact, the new regulation, the EU's General Data Protection Regulation, which has been proposed and is awaiting passage, explicitly mentions this. But I digress. So being located outside Canada does not exempt you from the regulations.
3) Let’s dispel another issue.
The US anti-spam legislation (CAN-SPAM Act) relies on OPT-OUT consent (it is assumed you want commercial email unless you say otherwise), whereas CASL requires OPT-IN consent. In fact, not only that, but sender information, consent requirements and contact info must also be listed as part of the notice/consent request. So even if your commercial email is designed to comply with the US rules, it will not be compliant with the Canadian regulations.
4) Provisions concerning installation of software programs in Canada.
The legislation also covers consent concerning software programs that are installed in Canada, whether or not the person installing the program is located in Canada (remote control of sites, as an example). Even more about this later.
5) There are exceptions to the OPT-IN consent requirements.
There are some exceptions; for example, if the CEM concerns a requested quote or estimate for a service or product, helps, confirms or completes a commercial transaction, or provides warranty information. But be forewarned, the law does not have a very extensive exception list. There are some rules concerning implied consent as well. They include: if there is a business relationship within a period of time; if there is a written contract (valid only for a couple of years following termination of the contract); or if there has been an inquiry made by the recipient in the prior six months.
6) So can a check box fulfill the requirements of the legislation?
This actually gets a little sticky. There is no mention within either the legislation, or the regulations that were published in Dec 2013, that a check box OPT-IN would suffice. HOWEVER, in a non-binding enforcement guideline issued by the CRTC (Canadian Radio-television and Telecommunications Commission), it was suggested that a check box is not enough to comply with the requirement.
7) Additional Computer 'stuff'.
Previously I mentioned needing consent to install software onto a computer. The definition of a computer is more all-encompassing than you may think. It includes smart phones, tablets, or in fact any computer-based device. Now there are some exceptions to this. Certain classes of programs are exempt. The list includes cookies, operating systems, JavaScript, sub-routines, HTML code, etc. Also, I would be remiss if I did not mention that installation of programs like anti-virus software can also be an exception to the regulation requirements, but only if it was done by, or for, a telecommunication service provider[1]. Also, a one-shot program to fix an issue may be an exemption.
8) EUL (End User License).
There is nothing about EULs within either the legislation or the regulations concerning CASL. However, the CRTC issued a non-binding guideline stating that accepting a EUL cannot in itself be considered explicit consent. Rather, a separate agreement dealing with consent needs to be created for review and acceptance by the end user. In that way the consumer can refuse or give informed consent.
In my next blog post, I will be dealing with additional items to consider and what companies should do to prepare for CASL.
In the meantime, if there are issues (non-legal advice) you may want me to address, or questions you may have, feel free to contact me.
I also invite you to review my other blog posts concerning Data, Security and Privacy.
Please note, do not consider this legal advice, nor does it address individual circumstances. These blog entries are solely for the purpose of addressing generalized questions concerning the subject. I STRONGLY suggest that you do your due diligence concerning this matter.
[1] A service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest or right respecting the telecommunications facilities and any related equipment used to provide the service.