CASL Software Provisions

CASL – the Canadian anti-spam legislation – contains provisions that require certain disclosure and permission requirements on the installation of software that does certain things, or when software does certain things. This aspect of CASL has been overshadowed by the anti-spam provisions, in part because the software provisions are not in effect until January 15, 2015.

Unfortunately these software provisions are not easy to comprehend or apply in practice. There is a lot of uncertainty around their interpretation. And IMHO they are going to cause far more harm than good. There is a real danger that some software creators will simply not offer their products in Canada to avoid the pain of complying with CASL.

Yesterday CRTC and Industry Canada representatives were at a Canadian IT Law Association teleconference to collect questions from the IT bar to help them prepare FAQ’s or guides to the CASL software provisions. That guidance should be a big help to understanding the legislation.

Unfortunately they did not give us any hints at all on their thoughts on interpretation. They are aiming to publish their material in November or December, which, as one participant commented, is far too late. Compliance will be more complicated than tweaking a EULA. Software vendors will require time to create new processes and verbiage to comply. Then back that up through an effective lost 2 weeks over the holidays, and the time it will take to digest and advise clients on what they have to do….


  1. In addition, the ‘harvesting’ software provision shoe-horned into PIPEDA at s. 7.1 (2)(a) also requires interpretation.

    What does the provision mean? For example, I can save webpages (including directories of email addresses) in most browsers such as Internet Explorer and Chrome. Are browsers such a ‘computer program’?

    Part of my problem in believing that interpretation documents will yield to reasonable results is illustrated in a Case Summary widely published by the Privacy Commissioner of Canada under number 2005-297 (available at

    In this case summary, they conclude that even though section 2 of PIPEDA defines personal information not to include someone’s ‘business address’, the case finds that the Privacy Commissioner considers someone’s business email address to be personal information. How can an email address not be a business address within section 2?

    What we really need are court decisions not a bureaucracy’s idea of what the legislation means. The challenge is: who will take on the costs and risks of such challenges?

    There seems to be little question of the constitutional validity of large parts of CASL. Where, though, are the public interest challenges?

  2. David Collier-Brown

    This seems to be another case of buggy programming (ie, draftsmanship). I wonder if making the reviews of draft legislation more public would help? I notice Italy just put their Draft Declaration of Internet Rights up for comment yesterday…