Fighting Spam and Spyware Canadian Style — Part II

In addition to dealing with commercial electronic messages, Canada’s new anti-spam legislation focuses on combatting so-called "spyware." The term generally refers to the practice of certain software companies surreptitiously getting users to load software onto their computers. This software — or spyware — can then be put to many different tasks, with tracking the user’s behaviour in the online world being one of the most popular.

No Spyware without Consent

As with the new law’s anti-spam provisions, consent is the bedrock principle of the legislation. The law provides that no one may install (or cause to be installed) a computer program on any other person’s computer unless they have obtained the express consent of the owner or authorized user of the computer.

The new law addresses the quality of information that must be provided to the user whose consent is requested. Consider, for instance, the scenario where an electronic retailer wants an online customer to accept a software program from the e-tailer.

First, the law requires the e-tailer to set out clearly and simply the purpose for which the consent is required (i.e., to install the software on the user’s computer). Second, the law stipulates that in addition to this information, the e-tailer must clearly and simply describe the function and purpose of the software (assuming consent is given to install it). This means the e-tailer has to explain the specific activities the new software will facilitate, so that the customer can decide whether it wants to receive the e-tailer’s software or not.

Disclosure Plus

However, depending on what the software actually does, even more disclosure may be required. Software will attract a higher standard of disclosure if, in a manner contrary to the reasonable expectations of the user, it does any of the following:

  • collects personal information stored on the computer;
  • interferes with the user’s control of the computer;
  • changes settings, preferences or commands on the computer without the user’s knowledge;
  • interferes with data stored on the computer in a manner that obstructs lawful access to the data;
  • causes the computer to communicate with another computer without authorization of the user; or
  • is a software program that can be activated by a third party without the knowledge of the user.

For any such software, the person seeking consent must — separately and apart from the license agreement — clearly and prominently describe the software’s material elements that perform the problematic functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer. The person must then bring those elements to the attention of the user in the manner prescribed in the statute’s regulations.

Deemed Consent

The foregoing disclosure obligations are tempered if the software consists of: a cookie; HTML code; Java scripts; an operating system; or software executable only through a second program where the user consented to the second program. Where this type of software is at issue, the user is deemed to have consented to its installation if the user’s conduct is such that it is reasonable to believe that they consented to the program’s installation.

Presumably, most software companies wanting to install such software on a user’s computer will want to obtain express consent nevertheless, probably not much differently than they do for other software (but perhaps with shorter explanations of the software’s purposes and design).

One other exception from the disclosure rules relates to updates and upgrades. This deals with the situation where the user licensed an original "base version" of the software, and then will receive ongoing product upgrades, such as new releases, or maintenance fixes and patches, to the base software. In those cases, the statute’s disclosure rules do not apply, provided the user is entitled to receive the upgrade and the upgrade is installed in accordance with the original license terms.

Misleading Electronic Representations

The new anti-spam law also amends the Competition Act by adding some additional prohibitions to it. One provides that no person shall knowingly or recklessly send, or cause to be sent, a false or misleading representation in the sender information or subject matter information of an electronic message for the purpose of promoting a business or product.

This provision is intended to combat spam in another manner: instead of focussing on the consent of the recipient of the message to receive it in the first place, it addresses whether the message’s content is accurate, as much spam has traditionally contained overblown or fraudulent claims.

Address Harvesting

The existing federal data protection law contains various rules that apply when a company or organization is intent on collecting personal information without the consent of individuals. Some of these rules actually permit the collection of personal information without consent, in certain specific, limited circumstances. Interestingly, the new anti-spam law amends the data protection law to make it clear that such permissive provisions in the data protection law do not apply where an individual’s electronic address is collected by a computer program designed to generate, search for or collect electronic addresses. In a nutshell, this anti-spam law provision removes the privacy law’s protection for so-called "e-mail address harvesting."

Practical Compliance Strategies and Tactics

So, now that you understand the general parameters of the new anti-spam law, how do you go about complying with it?

The first step is to raise awareness at your company or organization. That means assembling the relevant team to learn about the new law and then operationalizing compliance.

Start by assembling the team. Essentially, the senior managers (or one of their strong designees) of those groups within your organization who communicate to your customers, suppliers and other business or industry partners need to be on the team. This will include marketing and sales, but don’t forget about groups like product/customer support. And be sure to include the "compliance" people within your organization, ranging from in-house counsel, to risk management, to the chief privacy officer.

Electronic messages audit

Now comes the challenging task. You have to determine all the different ways your organization sends electronic messages (and software) to various recipients. This is not a trivial exercise. You have to probe each department methodically, and then cross-reference your findings with someone in the IT department.

This is not a one-time exercise. At least every six months you should have an update process, so that you keep the list of message types current. You will be amazed at how often this list will change. And, of course, ideally your system should give you advance warning of new messages being considered by the organization, so that you can apply the anti-spam law compliance analysis prior to the first new such message being sent.

Applying the new rules

Once you have conducted your electronic messaging and software distribution audit, you have to analyze each message to see if it complies with the new law. Have someone on the team set up a spreadsheet that records, for each message type, which express or implied consent exemption applies and the other conclusions of the analysis, so that a record is kept of the review performed for every message type. That way, your organization can establish best practices quickly and efficiently by being able to compare its different electronic messaging and software distribution practices.

Finally, for all electronic messages and software distribution channels that survive the analysis, you will have to ensure that they comply with the mandatory features of the new legislation. In the case of electronic messages, this includes building the legislated unsubscribe mechanism into the base message format.

None of this is rocket science, but it does require good forensic skills to suss out all your various forms of electronic touch points with persons outside your organization, and then a pro-active assessment of compliance with the new law. If all organizations comply, we will all benefit from a lot less clutter in our in-boxes.