CASL Enforcement: The Anti-Malware Provisions
By Richard Stobbe
Canada’s Anti-Spam Law (affectionately known as CASL) is best known as a means to combat unwanted email and other commercial electronic messages, but the law also contains anti-malware provisions. We first reviewed those software-related provisions in 2014, when the legislation was being rolled out. Essentially, you can’t install software onto someone’s computer or device without getting their consent.
The CRTC recently announced an enforcement action against two Ontario companies, Datablocks and Sunlight Media, and assessed a Notice of Violation carrying penalties of $250,000, for allegedly aiding in the installation of malware through the distribution of online advertising. The penalty can be disputed by the two companies.
This recent notice of a possible penalty comes hot on the heels of a search warrant which was executed in January, 2016. So, that means the legislation came into force in January, 2015… the first search warrant was in 2016… the first penalties were assessed in July 2018. Not exactly an enforcement blitz.
Perhaps the take-home message from this case is that the companies in question are alleged to have accepted anonymous clients who then deployed malware to the computer systems of Canadians using the infrastructure and operations of Datablocks and Sunlight Media. It may be good practice for vendors to implement some version of the “know your client” rules that currently apply to banks, financial advisors, lawyers and other professional advisors. At a minimum, compliance should involve written agreements with clients or customers, and according to the CRTC, neither Datablocks nor Sunlight had written contracts in place with their clients regarding compliance with CASL, or monitoring measures in place to guard against this risk.
Calgary – 07:00
Dear CASL: When can I rely on “implied consent”?
By Richard Stobbe
Canada’s Anti-Spam Legislation (CASL) is overly complex and notoriously difficult to interpret – heck, even lawyers start to see double when they read the official title of the law (An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act).
The concept of implied consent (as opposed to express consent) is built into the law, and the trick is to interpret when, exactly, a company can rely on implied consent to send commercial electronic messages (CEMs). There are a number of different types of implied consent, including a pre-existing business or non-business relationship, and the so-called “conspicuous publication exemption”.
One recent administrative decision (Compliance and Enforcement Decision CRTC 2016-428 re: Blackstone Learning Corp.) focused on “conspicuous publication” under Section 10(9) of the Act. A company may rely on implied consent to send CEMs where there is:
- conspicuous publication of the email address in question,
- the email address is not accompanied by a statement that the person does not wish to receive unsolicited commercial electronic messages at the electronic address; and
- the message is relevant to the person’s business, role, functions, or duties in a business or official capacity.
In this case, Blackstone Learning sent about 380,000 emails to government employees during 9 separate ad campaigns over a 3 month period in 2014. The case against Blackstone by the CRTC did not dwell on the evidence – in fact, Blackstone admitted the essential facts. Rather, this case focused on the defense raised by Blackstone. The company pointed to the “conspicuous publication exemption” and argued that it could rely on implied consent for the CEMs since the email addresses of the government employees were all conspicuously published online.
However, the company provided very little support for this assertion, and it did not provide back-up related to the other two elements of the defense; namely, that the email addresses were not accompanied by a “no spam” statement, and that the CEMs were relevant to the role or business of the recipients. The CRTC’s decision provides some guidance on implied consent and “conspicuous publication”:
- The CRTC observed that “The conspicuous publication exemption and the requirements thereof set out in paragraph 10(9)(b) of the Act set a higher standard than the simple public availability of electronic addresses.” In other words, finding an email address online is not enough.
- First, the exemption only applies if the email recipient publishes the email address or authorizes someone else to publish it. Let’s take the example of a sales rep who might publish his or her email, and also authorize a reseller or distributor to publish the email address. However, the CRTC notes if a third party were to collect and sell a list of such addresses on its own then “this would not create implied consent on its own, because in that instance neither the account holder nor the message recipient would be publishing the address, or be causing it to be published.”
- The decision does not provide a lot of context around the relevance factor, or how that should be interpreted. CRTC guidance provides some obvious examples – an email advertising how to be an administrative assistant is not relevant to a CEO. In this case, Blackstone was advertising courses related to technical writing, grammar and stress management. Arguably, these topics might be relevant to a broad range of people within the government.
- Note that the onus of proving consent, including all the elements of the “conspicuous publication exception”, rests with the person relying on it. The CRTC is not going to do you any favours here. Make sure you have accurate and complete records to show why this exemption is available.
- Essentially, the email address must “be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances.” Those fact-specific circumstances, of course, will ultimately be decided by the CRTC.
- Lastly, the company’s efforts at compliance may factor into the ultimate penalty. Initially, the CRTC assessed an administrative monetary penalty (AMP) of $640,000 against Blackstone. The decision noted that Blackstone’s correspondence with the Department of Industry showed the “potential for self-correction” even if Blackstone’s compliance efforts were “not particularly robust”. These compliance efforts, among other factors, convinced the commission to reduce the AMP to $50,000.
As always, when it comes to CEMs, an ounce of CASL prevention is worth a pound of AMPs. Get advice from professionals about CASL compliance.
See our CASL archive for more background.
CASL Enforcement (Part 2)
By Richard Stobbe
As reviewed in Part 1, since July 1, 2014, Canada’s Anti-Spam Law (or CASL) has been in effect, and the software-related provisions have been in force since January 15, 2015.
In January, 2016, the Canadian Radio-television and Telecommunications Commission (CRTC) executed a search warrant at business locations in Ontario in the course of an ongoing investigation relating to the installation of malicious software (malware) (See: CRTC executes warrant in malicious malware investigation). The allegations also involve alteration of transmission data (such as an email’s address, date, time, origin) contrary to CASL. This represents one of the first enforcement actions under the computer-program provisions of CASL.
The first publicized case came in December, 2015, when the CRTC announced that it took down a “command-and-control server” located in Toronto as part of a coordinated international effort, working together with Federal Bureau of Investigation, Europol, Interpol, and the RCMP. This is perhaps the closest the CRTC gets to international criminal drama. (See: CRTC serves its first-ever warrant under CASL in botnet takedown).
Given the proliferation of malware, two actions in the span of a year cannot be described as aggressive enforcement, but it is very likely that this represents the visible tip of the iceberg of ongoing investigations.
CASL Enforcement (Part 1)
By Richard Stobbe
Since July 1, 2014, Canada’s Anti-Spam Law (or CASL) has been in effect, and the software-related rules have been in force since January 15, 2015.
With the benefit of hindsight, we can see a few patterns emerge from the efforts by the enforcement trifecta: the Privacy Commissioner of Canada, the CRTC and the Competition Bureau. (For background, see our earlier posts.) What follows is a round-up of some of the most interesting and instructive enforcement actions:
This certainly points to the more technical risks of poorly implemented unsubscribe features, rather than underlying gaps in consent. Perhaps this is because heavy enforcement action related directly to consent is still to come. Implied consent can be relied upon during a three-year transitional period. After that window closes, expect enforcement to focus on failures of consent.
To put this all in perspective, consider enforcement of other laws within the CRTC mandate: in 2014 the CRTC did not issue any notices of violation of CASL, but issued 10 notices of violation related to the Unsolicited Telecommunications Rules and the National Do Not Call List (DNCL); in 2015 the CRTC issued 1 notice of violation of CASL and about 20 related to the Do Not Call List.
CASL 2.0: The Computer Program Provisions (Part 3)
By Richard Stobbe
The CRTC has released guidelines on the implementation of the incoming computer-program provisions of Canada’s Anti-Spam Law (CASL). Software vendors should review the CASL Requirements for Installing Computer Programs for guidance on installing software on other people’s computer systems. Remember, the start-date of January 15, 2015 is less than 2 months away. Here are a few highlights:
- CASL prohibits the installation of software on another person’s computer system (which includes any device: laptop, smartphone, desktop, gaming console, etc.) in the course of commercial activity without express consent;
- Downloading your own app from iTunes or Google Play? CASL does not apply to software, apps or updates that are downloaded by users themselves;
- Maybe you still use a CD to install software? CASL does not apply to “offline” installations by a user;
- Where implied consent cannot be relied upon, then express consent is required. The guidelines state the following:
“When seeking consent for the installation you must clearly and simply set out:
- The reason you are seeking consent;
- Who is seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person’s name);
- If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
- The mailing address and one other piece of contact information (i.e., telephone number, email address, or Web address);
- A statement indicating that the person whose consent is sought can withdraw their consent; and
- A description in general terms of the functions and purpose of the computer program to be installed.”
CASL 2.0: The Computer Program Provisions (Part 2)
By Richard Stobbe
In Part 1 we looked at some basic concepts. In Part 2, we look at “enhanced disclosure” requirements.
If the computer program that is to be installed performs one or more of the functions listed below, the person who seeks express consent must disclose additional information. This disclosure must be made “clearly and prominently, and separately and apart from the licence agreement”. In this additional or enhanced disclosure, the software vendor must describe the program’s “material elements” including the nature and purpose of the program, and the impact on the user’s computer system. A software vendor must bring this info to the attention of the user. This applies if you, as the software vendor, want to install a program that does any of the following things, and causes the computer system to operate in a manner that “is contrary to the reasonable expectations of the owner”. (You have to guess at the reasonable expectations of the user.) These are the functions that the legislation is aimed at:
- collecting personal information stored on the computer system;
- interfering with the owner’s or an authorized user’s control of the computer system;
- changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
- changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
- causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
- installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system.
If the computer program or app that you, as the software vendor, want to install does any of these things, then you need to comply with the enhanced disclosure obligations, as well as get express consent.
There are some exceptions: A user is considered to have given express consent if the program is
- a cookie,
- HTML code,
- Java Scripts,
- an operating system,
- any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or
- a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose; AND
- the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
Remember: These additional provisions in CASL which deal with the installation of software come into effect on January 15, 2015, in less than 3 months. An offence under CASL can result in monetary penalties as high as $1 million for individuals and $10 million for businesses.
If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, and how to structure consents, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.
CASL 2.0: The Computer Program Provisions (Part 1)
By Richard Stobbe
It’s mid-October. Like many businesses in Canada, you may be weary of hearing about CASL compliance. Hopefully that weariness is due to all the hard work you did 3 months ago to bring your organization into compliance for the July 1st start-date.
If you’re a software vendor, then you should gird yourself for round two: Yes, there are additional provisions in CASL which deal with the installation of software, and those rules come on stream in 3 months on January 15, 2015.
Section 8 of CASL ostensibly deals with spyware and malware. Hackers are not the only problem; think of the Sony Rootkit case (See our earlier post here) as another example of the kind of thing that this law was designed to address.
This is the essence of Section 8: “A person must not, in the course of a commercial activity, install …a computer program on any other person’s computer system… unless the person has obtained the express consent of the owner …” This applies only if the computer system is located in Canada, or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
This relatively simple idea – get consent if you want to install an application on someone else’s system in Canada – has far-reaching implications due to the way the legislation draws the definitions of “computer program” and “computer system” from the Criminal Code. As you can guess, the Criminal Code definitions are extremely broad. So, what does this mean in real life?
- Certain types of specified programs require “enhanced disclosure” by the software vendor. (I am saying ‘software vendors’ as those are the entities most likely to bring themselves into compliance. Of course, hackers and organized crime syndicates should also take note of the enhanced disclosure requirements);
- Express consent, under this law, means that the consent must be requested clearly and simply, and the purpose of the consent must be described;
- The software vendor requesting consent must describe the function and purpose of the computer program that is to be installed;
- The software vendor requesting consent must provide an electronic address so that the user can request, within a period of one year, that the program be removed or disabled;
- Note that if a computer program is installed before January 15, 2015, then the person’s consent is implied. This implied consent lasts until the user gives notice that they don’t want the installation anymore. Or until January 15, 2018, whichever comes first. I’m not making this stuff up, that’s what the Act says.
- One more thing: Enhanced disclosure does not apply if the computer program only collects, uses or communicates “transmission data”. Transmission data is what you might call envelope information. The Act defines it as data that deals with “dialling, routing, addressing or signalling” and although it might show info like “type, direction, date, time, duration, size, origin, destination or termination of the communication”, it does not reveal “the substance, meaning or purpose of the communication”. So there is effectively a carve-out for the tracking of this category info.
Don’t worry, Canadian anti-spam laws are kind of like Lord of the Rings: Sequels will keep coming whether you like it or not. Once we’re past January 15, 2015, you can look forward to July 1, 2017, which is the day on which sections 47 to 51 and 55 of CASL come into force. These provisions institute a private right of action for any breach of the Act.
If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.
The Transitional Period & Implied Consent Under CASL
By Richard Stobbe
If the term “CASL compliance” is giving you a nervous twitch, you’re not alone. Many small and medium-sized businesses in Canada are scrambling to prepare for Canada’s Anti-Spam Law (CASL), whose official title says it all – especially the part about “efficiency and adaptability” (take a deep breath before you read “An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act“).
Two weeks from today, on July 1st, the first stage of the new law will come into force. The implied consent provisions in Section 66 create a transitional period.
For a period of three years after July 1, 2014, consent is implied for all “commercial electronic messages” (CEMs) if the sender and the recipient have a pre-existing business or non-business relationship and that relationship previously included the exchange of CEMs. Consent can be withdrawn by the recipient at any time during that three-year period. Note that “commercial electronic messages”, “existing business relationship” and “existing non-business relationship” all have special definitions in the legislation.
While this transitional period only lasts for 36 months, it allows a sender of CEMs to rely on prior relationships that reach back in time. The regular implied consent provisions only permit a sender to rely on a two-year window – in other words, implied consent depends on an existing relationship during the two-year period before the CEM is sent (or only 6-months in some cases).
In recent information sessions, the CRTC has indicated that the Section 66 transition provisions do not impose those two-year or 6-month rules: “So what Section 66 does is during that transition period of three years, the definitions of existing business relationship and existing non-business relationship are not subject to the limitation period, which are six months and two years that would otherwise be applicable. So in theory, if you meet the definition of existing business relationship or existing non-business relationship and there’s the communication of CEMs between the individuals, you could go back 25 years in theory.” [Link to transcript.]
Don’t think the transitional period lets you off the hook. Every organization should be preparing for CASL for a July 1st start date. If you need assistance on reviewing the scope of your obligations, how the law applies, and how the transitional provisions might apply to your organization, contact us.
An American Attorney in Canada (Part 2: Anti-Spam)
By Richard Stobbe
Canada and the USA. We enjoy the world’s longest undefended border… a border that unfortunately does not screen spam.
If you are an American attorney with US clients doing business in Canada, then you should be aware of a few things, like our lack of imaginative legislative acronyms, such as the CAN-SPAM Act (from Controlling the Assault of Non-Solicited Pornography And Marketing) (…or while we’re at it, who can forget the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECT-IP) Act, or the Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation (E-PARASITE) Act).
Secondly, you should be aware that Canada’s incoming anti-spam law, known unimaginatively as CASL (Canada’s Anti-Spam Law) is coming into force next week, on July 1, 2014. Here are some pointers for US counsel:
- Remember, an organization’s compliance with CAN-SPAM does not necessarily mean compliance with CASL. This is because of a number of important points of departure between the two laws. Canada’s law has been described as among the strictest internationally.
- CASL broadly covers all “commercial electronic messages” and is not restricted to email, as is the case with CAN-SPAM. Thus, CASL is broad enough to capture text messages, social media messaging and other forms of electronic messages.
- CAN-SPAM permits a “negative option” approach to consent, in which toggle consent boxes can be pre-clicked and the user has the ability to opt out by “un-clicking”. CASL prohibits such an approach and requires express consent with an opt-in mechanism.
- Statutory penalties under CASL are more severe (up to $10 million for organizations, and up to $1 million for individuals), and the law also establishes a broader private right of civil action (which will come into effect in the future).
- Lastly, CASL does provide for personal liability for directors and officers.
For more information on the application of this law to American businesses, contact Field Law.
Incoming Anti-Spam Software Regulations
Most Canadian businesses will have heard of the incoming Canadian Anti-Spam Law (referred to as CASL, which joins the Canadian pantheon of legislative acronyms like PIPEDA and PIPA). The consent requirements for sending commercial electronic messages (CEMs) are covered elsewhere (See here, and see this upcoming event on March 18 and 20, 2014). Those requirements come into effect July 1, 2014.
The software-related regulations are getting less press. Why? Possibly because CASL is being implemented in phases, and the software-related rules are not expected to be in full force until January 15, 2015. And possibly because the software-related regs are complicated and at times confusing.
This element of CASL is designed to control surreptitious installation of software, particularly “invasive software”. Generally, express, clear consent is required. Installation of invasive software imposes additional requirements. Implied consent (or “deemed express consent”) may be relied upon in other cases:
- cookies, HTML code, Java scripts;
- upgrades for telecom network security;
- “reasonable” installs – where it is reasonable to expect that the user would consent.
Software vendors should take note of these incoming obligations, to assess and plan for any updates that will be required for CASL compliance. Get advice on how these regulations apply to your software products.