Canada’s anti-spam law (CASL) requires a person installing updates or upgrades to computer programs on another person’s computer system to obtain an express consent. This can be a challenge. If a person is able to get a consent to the installation of the program before installing it, the person can get consent to the installation of the update or upgrade at that time. The person cannot get consent for updates or upgrades that require enhanced disclosure under s.10(5) of CASL at that time, unless, of course, the person knows about them and can get a consent for them in advance.
It is far more challenging to get consents to install updates or upgrades to pre-installed software on computer systems including embedded software or firmware in devices or machines such as software in motor vehicles or mobile phones. The manufacturer of an item containing pre-installed software may have contemplated that updates will be installed, but may have no practical way of getting a consent from a purchaser of the item. Similarly, there are problems getting consents for updates and upgrades from purchasers who buy a used good from someone else. The seller of a used item may have given a consent to install updates and upgrades, but the purchaser may not have. For example, if I sell my car, the vehicle manufacturer who has a consent to push updates to my vehicle may not know of the sale and may continue to push updates to the vehicle without obtaining a new express consent. Vendors of appliances and equipment used in homes and businesses have similar challenges. They may never be told that properties containing their products have been sold and may continue to rely on previously obtained consents. For example, if I sell my home, my thermostat manufacturer may not be notified and the buyer will just get the updates or upgrades I had consented to receive. As technologies evolve to an Internet of Things, these challenges will only exacerbate.
CASL’s “ban all approach” to regulating computer programs, regardless of the context, predictably has led to this and similar dilemmas where honest businesses are bound to violate CASL and become subject to massive penalties (AMPs) or damages when the private right of action becomes available.
The CRTC and Industry Canada have recognized the dilemmas of getting express consents in the circumstances described above. In the information sessions they recently provided to members of IT.Can and ITAC Lynne Perrault of the CRTC and Andy Kaplan Myrth of Industry Canada purported to come up with a solution: no new express consents will be required from purchasers of computer systems containing pre-installed software or from buyers of such items where an express consent had previously been obtained. In their view, manufacturers of computer systems (or goods) containing software already consented (with themselves) to the installation of updates and upgrades as will purchasers of computer systems onto which software will be installed. In their view, these original express consents automatically transfer to purchasers so that no new express consents are required. This is subject to two caveats: first, it does not apply where the update or upgrade is something the purchaser would not reasonably expect; second, the seller has some kind of duty of disclosure to the purchaser, the nature of which was not made clear.
The CRTC and Industry Canada should be complimented for trying to creatively solve a dilemma that would have entrapped many an innocent supplier of products containing embedded software. The solution, however, raises a number of questions:
- What is the statutory basis for this theory of transferred consents? Neither of the representatives of the CRTC or Industry Canada pointed to any statutory basis in CASL to support this theory.
- Even assuming that a consent can be transferred, must the software installer prove that it actually expressly consented to the installation of updates and upgrades at the time of installing the software?
- If the computer system is transferred through multiple channels before reaching end users, will it be inferred that the consent has transferred through each channel? What kind of proof is required?
- What is the basis for adding a limitation that the transferred consent would not apply to a feature requiring an enhanced disclosure? If the basis for the limitation is that the manufacturer or other person would hypothetically not consent to the installation of a feature requiring enhanced disclosure, could that be circumvented by a manufacturer or other person that did agree with itself that such updates and upgrades were consented to?
- Why is this guidance not in the recent CRTC Guideline? Will it be added to a new update of the Guidelie?
- What kinds of disclosure should be made by vendors of products; in which situations should such disclosures be made; and what is the consequence of not providing them?
- Will courts accept this interpretation once the private right of action comes into force?
The CRTC is obviously trying to exempt manufacturers and distributors of products from getting consents in circumstances in which it is impossible or impractical to get them. If CASL recognized implied or inferred consents to install computer programs including updates or upgrades this problem might not exist, but egregiously it does not. While trying to solve the problem, the CRTC is also trying to preserve a liability window where it believes CASL should apply. While that may be laudable, gerrymandering the interpretation of CASL to achieve a results oriented enforcement framework, as it appears to have done in interpreting the phrase “caused to be installed”, only raises more questions and makes compliance with the Act that much more difficult.
There are real problems with the program provisions of CASL. They should be fixed through a legislative amendment or by regulation, preferably before this part of CASL becomes law.