Installing software without consent: The costs can be high under CASL

Author:

 

Canada Publication October 16, 2020

On September 21, the Canadian Radio-television and Telecommunications Commission (CRTC) accepted a voluntary undertaking made by Notesolution Inc., doing business in Canada as OneClass, to pay $100,000 to resolve the CRTC’s ongoing investigation into its alleged breaches of Canada's Anti-spam Legislation (CASL) and its regulations, along with other commitments to ensure future compliance.

Such an investigation forms part of the CRTC’s ongoing mandate to promote and enforce compliance with CASL sections that prohibit companies from sending commercial electronic messages (spam) without consent, altering transmission data in electronic messages without consent and installing a computer program on another person's computer system without consent, among other things.

This decision underscores the need for Canadian businesses to properly understand the applicable regulatory requirements pertaining to applicable spam and privacy legislation, more particularly for software programs.

OneClass pays $100,000 and corrects its corporate procedures

This resolution follows an investigation launched by the CRTC’s chief compliance and enforcement officer (CCEO), who determined that between October 2016 and March 2020 OneClass committed various offences under CASL and its regulations by sending mass commercial electronic messages (CEMs) in Canada and abroad without consent from recipients. The CEMs promoted OneClass’ platform for post-secondary students to access student-created exam study guides, lecture notes and video tutorials by purchasing subscriptions.

Furthermore, the investigation showed that during commercial activity, OneClass unilaterally installed an extension on the students’ browsers called the “OneClass Easy Invite” without seeking the students’ express consent and identifying why such consent is sought, as required by CASL. The CCEO determined that OneClass ought to have known that this extension would operate contrary to the data subjects’ reasonable expectation by collecting personal information stored on their computers, including usernames and passwords. 

CASL requires that certain provisions must be followed by all businesses that market into Canada or install a program on a computer system in Canada. Namely, a software developer must, among other requirements (1) clearly and simply describe, in general terms, the function and purpose of the computer program to be installed if the consent is given, (2) inform such person as to why consent is being sought and (3) seek such consent clearly, prominently and separately from the software licence agreement granting the usage rights thereto.

In addition to the $100,000 payment, OneClass undertook to bring its software and marketing efforts into compliance with CASL and its regulations by implementing a compliance program under which it will adopt appropriate corporate policies and procedures, employee training and education sessions, as well as monitoring, auditing and reporting mechanisms. As OneClass operates in a sales-based environment, it has also pledged to evaluate whether its current internal policies might incentivize its employees to violate CASL and its regulations and has undertaken to eliminate such incentives going forward.

The CRTC praised OneClass for taking such corrective action voluntarily and actively participating in its investigation. As indicated by the CCEO, this outcome emphasizes that, “All businesses must ensure their commercial activities do not jeopardize Canadians’ online security or disrupt their online activities as they participate in the digital economy.”

The CRTC has in parallel recently updated its guidance document regarding the installation of computer programs with indications to ensure proper CASL compliance. This information is available at: Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs. This resource provides guidance on circumstances in which a business can consider to have obtained meaningful consent and the disclosure requirements for such process to be valid. It also gives specific information on the cases in which software updates or upgrades fall within the purview of CASL’s requirements. Additional legal guidance may be required to adequately navigate these pitfalls.



Recent publications

Subscribe and stay up to date with the latest legal news, information and events...