Canada Prohibits Installation of Software, Updates Without Consent

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

According to the Canadian Radio-television and Telecommunications Commission, the new rule applies when someone installs or causes the installation of software on another individual’s device in the course of commercial activity.

One example provided by the commission involves websites that automatically install software on visitors’ computers without their consent. This likely refers to websites that serve malware and adware. However, the law also prohibits software updates and upgrades without getting consent from the owner or authorized user.

Software “caused to be installed” can include the installation of malware bundled with apparently legitimate applications, or the installation of concealed software from music CDs, the commission said.

“Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation of a computer program. However, in some circumstances, you are considered to already have consent without having to request it” read the requirements for the new rules.

The list of programs that can be installed without requesting consent consists of cookies, HTML, JavaScript, operating systems, applications that are executable through a piece of software that was already consented to, and updates designed to fix bugs. Telecoms service providers can also install software to protect their infrastructure against security threats, and updates/upgrades for their network.

However, companies are warned that these types of programs can only be installed if the user’s conduct indicates that they consent to it. For instance, if JavaScript and/or cookies are disabled by the user in the Web browser, it indicates that they don’t agree with the installation of such elements.

As far as updates and upgrades are concerned, software providers need consent from the device’s owner before installing them if the program was self-installed by the user. However, companies can seek consent for all future updates and upgrades when they request the initial consent to install an application.

For software installed before January 15, 2015, updates and upgrades are allowed without seeking consent until January 15, 2018. Until this date, the user’s consent is implied, unless they specifically state that they no longer agree to the installation of future updates.

The consent request must include the reason for seeking consent, the company’s name, contact information, and a general description of the program. Users must also be informed that they can withdraw their consent. In addition, the provider must clearly specify if the application is designed to collect personal information, if it interferes with the user’s control of the device, if it changes settings or preferences, if it obstructs, interrupts or interferes with the user’s access to data, if it installs third-party programs, or if it causes the device to send messages to other computers.

Canada’s anti-spam legislation came into effect on July 1, 2014. For serious violations of the law, penalties can be as high as CAD$ 1 million for individuals and CAD$ 10 million for businesses.