Three regulators issued a joint warning letter to numerous mobile app developers on November 26, 2020, cautioning the companies to comply with their obligations under Canada’s Anti-Spam Law (CASL), the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Competition Act.
The co-operative effort was part of a CASL compliance awareness-raising campaign, and the warning letters were directed at businesses involved in making apps available to Canadian consumers. The letter is available online and reminds the businesses that they have obligations under the CASL-related provisions of CASL, PIPEDA, and the Competition Act.
The letters give a number of examples of mobile app practices that may violate the CASL-related provisions if adequate consent has not been obtained and no exemption applies, namely:
- “Apps that convey false or misleading representations for the purpose of promoting the supply or use of a product or any business interest;
- Apps that collect consumer information without adequately disclosing to consumers how their information will be used or shared (even when such apps are free) or apps that make representations that are false or misleading regarding the collection, use, sharing, storage or disposal of consumer information;
- Apps designed or marketed to collect or use electronic addresses (email, SMS, social media accounts) in bulk, e.g., apps that “harvest” a user’s contacts for their own use, or to sell/share with other parties without express user consent;
- Apps designed to send out unsolicited commercial electronic messages once installed, e.g., they send out spam to users’ friends and contacts without consent;
- Apps that collect or use personal information by accessing a user’s computer system, or enabling such access, without consent, e.g., “keylogging” malware that secretly collects user credentials;
- Apps that don’t completely identify their functions, particularly where those functions may collect personal information, change or interfere with settings, preferences or data, or cause the user’s computer to communicate with another computer system without authorization;
- Apps that, when installed, immediately download a second program on a user’s computer or device without a user’s knowledge or consent; and,
- Apps that generate malicious activity once installed, e.g., sending out phishing messages or other communications which, if clicked, download malware or other online threats.”
The letters caution the mobile app businesses to heed these warnings and ensure that they are in compliance with the applicable obligations.
The letter goes on to encourage the businesses to exercise due diligence by adopting further protective measures such as:
- developing and implementing a written corporate compliance program;
- adopting robust client and app vetting practices;
- adopting agreements with app developers and other parties that require compliance with CASL; and
- documenting these operating policies and procedures.
The “shot across the bow” is a reminder of the mobile app businesses’ existing legal duties and seems to reflect a concern among these regulators that misleading practices are being seen in the mobile app sector. The three regulators have different powers and have in the past shown a willingness to exercise those powers. Mobile app businesses are well advised to take this warning seriously.
The three regulators are the Canadian Radio-television and Telecommunications Commission (CRTC), the Office of the Privacy Commissioner of Canada (OPC) and the Competition Bureau (the Bureau).