Monday, March 31, 2014

Canadian Anti-Spam legislation (Including software instalation) A world wide concern (Part I)


 & Software Installation

 On July 1 2014 the new Canadian Anti-Spam legislation (CASL) will begin to be enforced(first of three phases). Why should I care if I live outside Canada, or what does it mean if I am a Canadian Business, or should I care if I am a SMB, as this is only  for spammers/the 'bad' guys?

Well you will be very surprised at the answers to these questions. So let’s get started.

One of the first things that most experts agree with is that the 'new' Canadian legislation/regulations is one of the strongest invoked anywhere in the world that is concerning commercial messaging.

But I am getting ahead of myself.  In the 1st part what is exactly CASL? In the best non-legal verbiage, CASL establishes the rules concerning commercial electronic messages (CEM). ALL  CEM, with exceptions (see below for some examples), must have explicit consent (OPT-IN) before the CEM is sent. It also deals with installation of software programs just to make things more interesting. (This last part is something that should worry software development companies. In fact I would hazard a guess that most software developers are not aware of this implication (more on this later)).

Now let’s try to address some of the not so obvious parts of this quagmire.

1) 'Well, this legislation deals with spamming, which we don't do' !!

Very wrong. It covers everyone, individuals, corporations, unincorporated businesses not-for profit organizations, and everyone else who sends messages for commercial purposes. And CEM is not only email, but Instant Messages, Facebook, Instagram, Twitter, SMS to name just a few. OH, by the way, it could also apply to telephone calls.

2) I am not located in Canada,why should I care?

The answer may surprise you. As long as either the sender or the RECEIVER of any CEM,  'lands' on a computer that is located in Canada,  is covered under the act. In the atmosphere of globalization, extraterritorial laws are becoming more and more prevalent. Examples abound in today's society. Just look at the EU Data Protection Directive. It has been argued as long as the information (PII) concerns a citizen of an EU country, the EU privacy legislation will apply, even though the company in question has no presence within the Europe Union. In fact the new regulation, EU's General Data Protection Regulation, that has been proposed and awaiting passing, explicitly mentions this. But I transgress. So being located outside Canada does not exempt you from the regulations.

3) Let’s dispel another issue. 

The US anti-spam legislation (CAN-SPAM ACT) replies on an OPT-OUT consent (it is assumed you want commercial email unless you say otherwise), CASL requires an OPT-IN consent. In fact, not only that, but sender information, consent requirements and contact info must also be listed as part of the notice/consent request. So even though your commercial email is designed to comply with the US rules, it will not be compliant with the Canadian regulations.

4) Provisions concerning installation of software programs in Canada. 

The legislation also covers consent concerning software programs that are installed in Canada, whether the person installing the program is located in Canada or Not (remote control of sites as an example). Even more about this later.

5) There are exceptions to the OPT-IN consent requirements. 

They are some exceptions for example, if the CEM concerns a requested quote or estimate for a service or product, help/confirm/complete a commercial transaction or provide warranty information. But be forewarned, the law does not have a very extensive exception list. There are some rules concerning implied consent as well. They include: if there is a business relationship within a period of time, if there is a written contract and is only valid for  a couple of years following termination of the contract or if there has been an inquiry made by the recipient in the prior six months.

6)  So can a check box fulfill the requirements of the legislation?

This actual gets a little sticky. There is no mention within either the legislation, or the regulations that were published in Dec 2013, that a check box OPT-IN would suffice. HOWEVER in a non-binding enforcement guideline, issued by the CRTC (Canadian Radio-Television Telecommunication Commission), it was suggested that a check box is not enough to comply with the requirement.

7) Additional Computer 'stuff'.

Previously I mentioned needing consent to install software on to a computer. The definition of a computer is more all encompassing that you may think. It includes smart phones, tablets, or in fact any computer based device. Now there are some exceptions to this. Certain classes of programs are exempt. The list includes cookies, operating systems, java scripts, sub-routines, HTML code, etc. Also I would be remiss if I did not mention that installation of programs like anti-virus software can also be an exception to the regulation requirments, but only if it was done by, or for,  a telecommunication service provider[1]. Also, a one shot program to fix an issue may be an exemption.

8) EUL (End user License).

There is nothing about EUL within either the legislation or regulation concerning CASL However, the CRTC issued an non binding guideline, that accepting a EUR is in itself can not to be considered explicit consent. Rather a separate agreement dealing with consent needs to be created for review and acceptance by the end user. In that way the consumer can refuse or give informed consent.

In my next blog, I will be dealing with additional items to consider and what should companies do to prepare for CASL.

In the mean time, if there are issues (non legal advice) you may want me to address, questions you may have feel free in contacting me

I also invite you to review my other blog posts concerning Data, Security and Privacy.

Please note, do not consider this  legal advice, nor does it address individual circumstances. These blog entries are solely for the purpose to address generalized questions concerning the subject. I STRONGLY suggest that you do your due diligence concerning this matter.

[1] A service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest or right respecting the telecommunications facilities and any related equipment used to provide the service.