Fighting Spam and Spyware Canadian Style — Part II
August 2, 2011
No Spyware without Consent
As with the new law’s anti-spam provisions, consent is the bedrock principle of the legislation. The law provides that no one may install (or cause to be installed) a computer program on any other person’s computer unless they have obtained the express consent of the owner or authorized user of the computer.
The new law addresses the quality of information that must be provided to the user whose consent is requested. Consider, for instance, the scenario where an electronic retailer wants an online customer to accept a software program from the e-tailer.
First, the law requires the e-tailer to set out clearly and simply the purpose for which the consent is required (i.e., to install the software on the user’s computer). Second, the law stipulates that in addition to this information, the e-tailer must clearly and simply describe the function and purpose of the software (assuming consent is given to install it). This means the e-tailer has to explain the specific activities the new software will facilitate, so that the customer can decide whether they want to receive the e-tailer’s software or not.
However, depending on what the software actually does, even more disclosure may be required. Software will attract a higher standard of disclosure if, in a manner contrary to the reasonable expectations of the user, it does any of the following:
- collects personal information stored on the computer;
- interferes with the user’s control of the computer;
- changes settings, preferences or commands on the computer without the user’s knowledge;
- interferes with data stored on the computer in a manner that obstructs lawful access to the data;
- causes the computer to communicate with another computer without authorization of the user; or
- is a software program that can be activated by a third party without the knowledge of the user.
For any such software, the person seeking consent must — separately and apart from the license agreement — clearly and prominently describe the software’s material elements that perform the problematic functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer. The person must then bring those elements to the attention of the user in the manner prescribed in the statute’s regulations.
The foregoing disclosure obligations are tempered if the software consists of: a cookie; HTML code; Java scripts; an operating system; or software executable only through a second program where the user consented to the second program. Where this type of software is at issue, the user is deemed to have consented to its installation if the user’s conduct is such that it is reasonable to believe that they consented to the program’s installation.
Presumably, most software companies wanting to install such software on a user’s computer will want to obtain express consent nevertheless, probably not much differently than they do for other software (but perhaps with shorter explanations of the software’s purposes and design).
One other exception from the disclosure rules relates to updates and upgrades. This deals with the situation where the user licensed an original "base version" of the software, and then will receive ongoing product upgrades, such as new releases, or maintenance fixes and patches, to the base software. In those cases, the statute’s disclosure rules do not apply, provided the user is entitled to receive the upgrade and the upgrade is installed in accordance with the original license terms.
Misleading Electronic Representations
The new anti-spam law also amends the Competition Act by adding some additional prohibitions to it. One provides that no person may knowingly or recklessly send, or cause to be sent, a false or misleading representation in the sender information or subject matter information of an electronic message for the purpose of promoting a business or product.
This provision is intended to combat spam in another manner: instead of focussing on the consent of the recipient of the message to receive it in the first place, it addresses whether the message’s content is accurate, as much spam has traditionally contained overblown or fraudulent claims.
The existing federal data protection law contains various rules that apply when a company or organization collects personal information without the consent of individuals. Some of these rules actually permit the collection of personal information without consent, in certain specific, limited circumstances. Interestingly, the new anti-spam law amends the data protection law to make it clear that such permissive provisions in the data protection law do not apply where an individual’s electronic address is collected by a computer program designed to generate, search for or collect electronic addresses. In a nutshell, this anti-spam law provision removes the privacy law’s consent exceptions for so-called "e-mail address harvesting": a harvester cannot rely on them to justify collecting addresses without consent.
Practical Compliance Strategies and Tactics
So, now that you understand the general parameters of the new anti-spam law, how do you go about complying with it?
The first step is to raise awareness at your company or organization. That means assembling the relevant team to learn about the new law and then operationalizing compliance.
Start by assembling the team. Essentially, the senior managers (or one of their strong designees) of those groups within your organization who communicate to your customers, suppliers and other business or industry partners need to be on the team. This will include marketing and sales, but don’t forget about groups like product/customer support. And be sure to include the "compliance" people within your organization, ranging from in-house counsel, to risk management, to the chief privacy officer.
Electronic messages audit
Now comes the challenging task. You have to determine all the different ways your organization sends electronic messages (and software) to various recipients. This is not a trivial exercise. You have to probe each department methodically, and then cross-reference your findings with someone in the IT department, who can check them against the systems that actually send mail on your behalf, including any third-party services sending in your name.
This is not a one-time exercise. At least every six months you should have an update process, so that you keep the list of message types current. You will be amazed at how often this list will change. And, of course, ideally your system should give you advance warning of new messages being considered by the organization, so that you can apply the anti-spam law compliance analysis prior to the first new such message being sent.
Applying the new rules
Once you have conducted your electronic messaging and software distribution audit, you have to analyze each message to see if it complies with the new law. Have someone on the team set up a spreadsheet to indicate which express or implied exemption applies, etc. so that a record is kept of the analysis that is performed of each message type. That way, your organization can establish best practices quickly and efficiently by being able to compare its different electronic messaging and software distribution practices.
Finally, for all electronic messages and software distribution channels that survive the analysis, you will have to ensure that they comply with the mandatory features of the new legislation. In the case of electronic messages, this includes building the legislated unsubscribe mechanism into the base message format.
None of this is rocket science, but it does require good forensic skills to suss out all your various forms of electronic touch points with persons outside your organization, and then a pro-active assessment of compliance with the new law. If all organizations comply, we will all benefit from a lot less clutter in our in-boxes.