CASL consent requirements a complex business

Law’s anti-malware provisions complicate transactions for software developers

ISign CEO Alex Romanov: proximity marketing that uses Bluetooth-type signals should not be captured by CASL

Anyone who has ever downloaded free software has probably experienced the annoyance of discovering that the program came with a toolbar or some other program he or she didn't ask for.

Under Canada's Anti-Spam Legislation (CASL), software companies offering programs or apps in Canada will need to have the express consent of the user before such programs are installed. It applies to computers and computer devices – i.e. smartphones, tablets and wearable technology.

Section 8 of CASL deals with installing computer programs. It does not come into force until January 15, 2015.

After that date, software companies doing business in Canada will need to ensure that any program, app or add-on they provide to a user has that user's express consent.

CASL's provisions on computer programs are aimed at curbing spyware, malware and phishing, but it is so broadly written that it will likely affect many legitimate Canadian high-tech companies.

“The Section 8 prohibition does not only apply to programs that could be potentially malicious, but to any programs whatsoever,” according to the CASL guidebook Internet Law Essentials: Canada's Anti-Spam Law.

When seeking consent to install something, companies will need to clearly explain what the program is for and why consent is being requested.

There are provisions forbidding companies to change settings or preferences without consent. CASL also restricts the communication of one computer or device with another without the user's consent.

Certain pieces of software that are critical to the functioning of a program, such as cookies, java script and operating systems, are exempt, if there is a reasonable belief that the owner authorized them along with an associated program.

Software companies might have to have different opt-in provisions, depending on whether the software or app is being sold in Canada or the U.S., where the laws will differ. Developers outside Canada will be affected by the new law because it applies to any installation on a computer or device in Canada, regardless of its country of origin.

Where software and other high-tech companies could run afoul of CASL is when they use the permissions that customers granted to receive things like software updates to market other products.

Scott Michaels, executive vice-president of Atimi Software Inc., cites gaming software as an example.

When someone buys a console game to play online, he will need to create a user profile, and companies like Electronic Arts (Nasdaq:EA) or Microsoft (Nasdaq:MSFT) save the player profile information. This allows the company to maintain the progress of the player's game profile and send updates or notifications, either directly to the game console or by email.

It's one thing if EA or Microsoft sends the player an option to buy the latest map for a game he already bought – Battlefield or Call of Duty, for example – but whether the company would also have the consent to send the player information about some other new game or product is unclear.

Michaels said some companies might be tempted to use a player's profile and contact information to push products to the user without express consent.

Another emerging area of high-tech that might need to stay on top of CASL is proximity marketing companies.

It's not clear how much of an impact CASL might have on proximity marketing, because in most cases it uses machine-to-machine communication, whereas CASL is directed at commercial electronic messages that are sent to an electronic address such as a phone number, email address or IP address.

One of the pioneers in proximity marketing was iSign Media Solutions Inc. (TSX-V:ISD). It uses a transmitter in a store to send notifications to a person's cellphone or smartphone.

For example, a customer might walk into a store and get a pop-up ad on his or her phone offering a coupon or advertising an in-store special. The recipient can either ignore it or click on the offer to download a coupon.

Recipients do not need to download an app or give prior consent to receive a “pull” notification. The person just needs to have his or her Bluetooth turned on.

Receiving an electronic message like that – without having given prior consent – on the surface would appear to violate CASL's fundamental principles.

But iSign CEO Alex Romanov said CASL captures only commercial electronic messages that are sent via some electronic address, not machine-to-machine transmissions via Bluetooth, iBeacon or near-field communication.

“We don't need a name, email, phone number or any private information to communicate with a mobile device,” Romanov said. “We don't use a personal electronic address.”

As proximity marketing develops, however, technologies may emerge that use personal electronic addresses, and in that case, CASL will apply.

While Canadian high-tech companies still have a few months to study CASL to see if it will affect their business, the CASL prohibitions against sending unsolicited emails and newsletters are now in effect. 

For more information on the new CASL regulations, visit To order your copy of Internet Law Essentials: Canada's Anti-Spam Law, visit 

Read the other stories in this series:

Spam law to affect virtually every business in Canada 

Looming anti-spam law touches off flurry of email  

New anti-spam legislation won't stop most spam 

Companies grapple with anti-spam implementation costs