CASL 2.0: The Computer Program Provisions (Part 2)
–
By Richard Stobbe
In Part 1 we looked at some basic concepts. In Part 2, we look at “enhanced disclosure” requirements.
If the computer program that is to be installed performs one or more of the functions listed below, the person who seeks express consent must disclose additional information. This disclosure must be made “clearly and prominently, and separately and apart from the licence agreement”. In this additional or enhanced disclosure, the software vendor must describe the program’s “material elements” including the nature and purpose of the program, and the impact on the user’s computer system. A software vendor must bring this info to the attention of the user. This applies if you, as the software vendor, want to install a program that does any of the following things, and causes the computer system to operate in a manner that “is contrary to the reasonable expectations of the owner”. (You have to guess at the reasonable expectations of the user.) These are the functions that the legislation is aimed at:
- collecting personal information stored on the computer system;
- interfering with the owner’s or an authorized user’s control of the computer system;
- changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
- changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
- causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
- installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system.
If the computer program or app that you, as the software vendor, want to install does any of these things, then you need to comply with the enhanced disclosure obligations, as well as get express consent.
There are some exceptions: A user is considered to have given express consent if the program is
-
a cookie,
-
HTML code,
-
Java Scripts,
-
an operating system,
-
any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or
-
a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose; AND
-
the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
Remember: These additional provisions in CASL which deal with the installation of software come into effect on January 15, 2015, in less than 3 months. An offence under CASL can result in monetary penalties as high as $1 million for individuals and $10 million for businesses.
If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, and how to structure consents, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.
Calgary – 07:00 MST
No commentsAlberta Privacy Law Update: PIPA on Death’s Door
By Richard Stobbe
About a year ago on November 15, 2013, Alberta’s Personal Information Protection Act (PIPA) was declared invalid on constitutional grounds. The Supreme Court of Canada (SCC), in its wisdom, deferred the effect of this order for a 1 year period, to permit the Alberta legislature to revisit and amend the legislation to bring it in line with the Constitution. The legislature has drafted legislation in the intervening period, but is not due to return to work until November 17, 2014, two days after the court’s declaration of invalidity takes effect.
The Alberta government has filed a motion asking the SCCÂ to extend the suspension period, to provide more time to address the issue, but an overhaul of PIPA is not an easy or quick task. Stay tuned.
Calgary – 07:00 MDT
No commentsCASL 2.0: The Computer Program Provisions (Part 1)
–
By Richard Stobbe
It’s mid-October. Like many businesses in Canada, you may be weary of hearing about CASL compliance. Hopefully that weariness is due to all the hard work you did 3 months ago to bring your organization into compliance for the July 1st start-date.
If you’re a software vendor, then you should gird yourself for round two: Yes, there are additional provisions in CASL which deal with the installation of software, and those rules come on stream in 3 months on January 15, 2015.
Section 8 of CASL ostensibly deals with spyware and malware. Hackers are not the only problem; think of the Sony Rootkit case (See our earlier post here) as another example of the kind of thing that this law was designed to address.
This is the essence of Section 8: “A person must not, in the course of a commercial activity, install …a computer program on any other person’s computer system… unless the person has obtained the express consent of the owner …” This applies only if the computer system is located in Canada, or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
This relatively simple idea – get consent if you want to install an application on someone else’s system in Canada – has far-reaching implications due to the way the legislation draws the definitions of “computer program” and “computer system” from the Criminal Code. As you can guess, the Criminal Code definitions are extremely broad. So, what does this mean in real life?
- Certain types of specified programs require “enhanced disclosure” by the software vendor. (I am saying ‘software vendors’ as those are the entities most likely to bring themselves into compliance. Of course, hackers and organized crime syndicates should also take note of the enhanced disclosure requirements);
- Express consent, under this law, means that the consent must be requested clearly and simply, and the purpose of the consent must be described;
- The software vendor requesting consent must describe the function and purpose of the computer program that is to be installed;
- The software vendor requesting consent must provide an electronic address so that the user can request, within a period of one year, that the program be removed or disabled;
- Note that if a computer program is installed before January 15, 2015, then the person’s consent is implied. This implied consent lasts until the user gives notice that they don’t want the installation anymore. Or until January 15, 2018, whichever comes first. I’m not making this stuff up, that’s what the Act says.
- One more thing: Enhanced disclosure does not apply if the computer program only collects, uses or communicates “transmission data”. Transmission data is what you might call envelope information. The Act defines it as data that deals with “dialling, routing, addressing or signalling” and although it might show info like “type, direction, date, time, duration, size, origin, destination or termination of the communication”, it does not reveal “the substance, meaning or purpose of the communication”. So there is effectively a carve-out for the tracking of this category info.
Don’t worry, Canadian anti-spam laws are kind of like Lord of the Rings: Sequels will keep coming whether you like it or not. Once we’re past January 15, 2015, you can look forward to July 1, 2017, which is the day on which sections 47 to 51, 55 of CASL come into force. These provisions institute a private right of action for any breach of the Act.
If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.
Calgary – 07:00 MST
No commentsDrafting IT Agreements: Oct. 14-15
–
By Richard Stobbe
I will be speaking next week at the 10th Essentials of Commercial Contracts Course in Calgary, Alberta (Download PDF) on the subject of IT contracting. This session will discuss key considerations in IT licensing and service agreements including:
- Key clauses in IT agreements and common mistakes
- Various models for licensing software
- Overlap between licenses and service agreements
- Service level metrics and remedies for non-compliance
- Statements of work in IT consulting and the lawyer’s role
- Other issues: privacy, vendor lock-in, third party and open source software.
If you want additional information, please contact me.
Calgary – 07:00 MST
No commentsWhat, exactly, is a browsewrap?
–
By Richard Stobbe
Browsewrap, clickwrap, clickthrough, terms of use, terms of service, EULA. Just what are we talking about and how did we get here?
In Nguyen v. Barnes & Noble, Inc., 2014 WL 4056549 (9th Cir. Aug. 18, 2014) the US Ninth Circuit wades into the subject of online contracting. Law professor Eric Goldman (ericgoldman.org) argues that these terms we’re accustomed to using, to describe ecommerce agreements, only contribute to the confusion. The term “browsewrap” derives from “clickwrap”, which is itself a portmanteau derived from the concept of a shrinkwrap license. As one court described it in 1996: “The ‘shrinkwrap license’ gets its name from the fact that retail software packages are covered in plastic or cellophane shrink wrap, and some vendors… have written licenses that become effective as soon as the customer tears the wrapping from the package.”
The enforceability of a browsewrap – it is argued – is based not on clicking, but on merely browsing the webpage in question. However, the term browsewrap is often used in the context of an online retailer hoping to enforce its terms, in a situation where they should have used a proper click-through agreement.
In Nguyen, the court dealt with a claim by a customer who ordered HP TouchPad tablets from the Barnes & Noble site. Although the customer entered an order through the shopping cart system, Barnes & Noble later cancelled that order. The customer sued. The resulting litigation turned on the enforceability of the online terms of service (TOS). The court reviewed the placement of the TOS link and found a species of unenforceable browsewrap - the TOS link was somewhere near the checkout button, but completion of the sale was not conditional upon acceptance of the TOS.
There is a whole spectrum upon which online terms can be placed. At one end, a click-the-box agreement (in which completion of the transaction is conditional upon acceptance of the TOS) is generally considered to be valid and enforceable. At the other end, we see passive terms that are linked somewhere on the website, usually from the footer, sometimes hovering near the checkout or download button.  In Nguyen, the terms were passive and required no active step of acceptance. The court concluded that: “Where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on —without more — is insufficient…”
This leaves open the possibility that browsewrap terms (where no active step is required) could be enforceable if the user has notice (actual or constructive) of those terms.
In Canada, the concept was most recently addressed by the court in Century 21 Canada Limited Partnership v. Rogers Communications Inc., 2011 BCSC 1196 (CanLII). In that case, there was no active click-the-box terms of use, but the “browsewrap” terms were nevertheless upheld as enforceable, in light of the circumstances. Three particular factors convinced the court that it should uphold the terms: 1. the dispute did not involve a business-to-consumer dispute (as it did in Nguyen). Rather the parties were “sophisticated commercial entities”. 2. The defendants had actual notice of the terms. 3. The defendants employed similar terms on their own site.
The lessons for business?
The “browsewrap” is a passive attempt to impose terms on a site visitor or customer. Such passive terms should not be employed where the party seeking to enforce those terms requires certainty of enforceability. Even where there is a “conspicuous hyperlink” or “notice to users” or “close proximity of the hyperlink”, none of these factors should be relied upon, even if they might create an enforceable contract in special cases. Maybe it is time to retire the term “browsewrap” and replace it with “probably unenforceable”.
Now, do you still want to rely on a browsewrap agreement?
Related Reading: Online Terms – What Works, What Doesn’t
Calgary – 07:00 MST
1 comment