The communications prohibitions in Canada’s sweeping Anti-Spam Legislation (CASL) prohibit, unless exempt, a person from sending a “commercial electronic message” without the consent of the recipient. On January 15, 2015, further prohibitions relating to the installation of computer programs came into force.
CASL imposes significant compliance hurdles for traditional software providers due to its regulation of programs “installed” on a computer system. However CASL does not appear to regulate software-as-a-service to the same extent, and so CASL appears to favour the cloud-computing service business model and supports the expanded adoption of cloud computing in Canada.
Broadly, the software prohibitions in CASL require that a number of specialized formalities be followed in obtaining consent for the installation of computer software, updates to software (including automatic updates), or other computer code on another’s computer system. A computer program that performs certain functions will attract additional scrutiny and more onerous disclosure requirements. These functions include, among other things, the collection of personal information, interfering with the control of the computer system and using the system to communicate with other systems without authorization. Under CASL, such software may only be installed on another’s computer system with separate express notice and specific consent to such functionality.
Once these restrictions come into force, distribution of traditional enterprise and consumer software products will attract consent and disclosure requirements at most stages of rollout and maintenance. Prudent IT departments, software developers, licensors, vendors, and applicable service providers should review their compliance obligations and procedures in respect of these CASL requirements and assess where they can rely on deemed consent, in the absence of reasonable evidence to the contrary, in a number of specified cases.
The scope of CASL is broad – it captures virtually any computer program or executable code with “instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. By contrast, depending on their structure and implementation, cloud based services that do not involve installation of computer programs on another’s computer system may not trigger substantive portions of the prohibitions under CASL. Cloud-based services are typically operated on the vendor’s (or other) server and provide services to the end user. While distribution of traditional computer programs will require consent and ongoing regulatory compliance, customers of many cloud-based services may not need to consent to the use or update of such software.
Developers and users of cloud-based programs may therefore be spared the onerous compliance effort of more traditional software delivery, and as a result, be in a position to save time and money. CASL creates a regulatory environment supportive of further adoption and migration to cloud-computing solutions. Legitimate software, managed and delivering services from remote servers, may gain a competitive edge in regulatory compliance costs and speed of delivery and updates.
This can be expected to accelerate existing developments as the economic advantages of cloud-based delivery encourage many functions and even entire products to migrate to the cloud. While compliance with the computer program provisions of CASL are likely to be burdensome for some computer industry participants, Canadian cloud-based service providers and users may be in a better position to avoid the ambiguity and complexity of the new regulatory regime.