Software Vertical - Identifying regulated activities 3 Pre-installed/embedded software? RIAS: “...the requirements under CASL for the installation of computer programs only apply to the installation of computer programs on another person’s computer system” User initiated installations (e.g., downloads)? RIAS: “CASL will not apply to installations carried out by persons on their own computing devices.” Updates and upgrades What if the installation is carried out by the consumer? Installations by IT help desks Installations on devices in other countries
Identifying Exempt Activities 4 Law enforcement, protection/defence of Canada, international affairs Public safety
Assessing whether the “enhanced disclosure” rules apply 5 Function listed in s.10(5) AND Knowledge and intent that function will cause the computer system to operate in a manner that is “contrary to the reasonable expectations of the owner or an authorized user of the computer system” Operational challenges software products update programs
Applying the knowledge and intent qualifier 6 Is it reasonable to take into account “reasonableness” overall, including whether: The function is required for the very services the user signed up to receive? The function would improve the services? The function would provide some other utility to the user (outside of the particular software/services at issue)? The function would have some non-invasive business purpose/utility for the vendor? How much information do consumers reasonably want? Do they want to understand the technical details, or do they want it to “just work”?
Deciding whether/when to request consent 7 Reliance on exceptions? What “conduct” is required to demonstrate it is reasonable to believe consent has been given Reliance on 3 year transition provision (s.67)? Seeking consent to updates and upgrades at the same time as consent for installation/downloading/first use?
Developing strategy for obtaining “CASL- compliant” express consent 8 Can consent be obtained through a licence agreement (if 10(4) not triggered)? Can consent be obtained through the use of a pre-checked box (e.g., default settings, with user confirmation)? Can consent be obtained for a “suite” of products? Can consent to updates and upgrades be mandatory? Can identity and contact information be provided through links?
Satisfying the Disclosure Rules 9 Minimum disclosures: Describe the “function and purpose” “clearly and simply” “in general terms” Enhanced disclosures: Describe the “program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system” “clearly and prominently” “separately and apart from license agreement” “separately from any other information provided” “acknowledgement in writing... that they understand and agree”
Proving Consent 10 CRTC Enforcement Bulletin ( ) “The Commission considers that the requirement for consent in writing is satisfied by information in electronic form if the information can subsequently be verified.” “Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.”
Satisfying the withdrawal of consent rule (s.11(5)) 11 When does obligation to provide an electronic address apply? Only if program performs a function regulated by s.10(4)? Exempt if the program is covered by s.10(8)? How must contact information be provided?
“Deemed” express consent (s. 10(8)) 12 A person is considered to expressly consent to the installation of a computer program if: a) the program is: i. a cookie, ii. HTML code, iii. Java Scripts, iv. an operating system, v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or vi. any other program specified in the regulations; and b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
“Deemed” express consent for network security & updating a network (IC Reg’s, s. 6(a) & (b)) 13 (a) a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network; (b) a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network;
“Deemed” express consent - Questions for both s. 6(a) & (b) of IC Reg’s 14 Non-definition of a “network” How to identify the “end node” of the network? Applicability to not just parts of a network that require a 24/7 ‘live’ connection to a telecommunications service? E.g. What about a program which could be used in some cases without active/online wireless connectivity?
“Deemed” express consent - Questions for both s. 6(a) & (b) of IC Reg’s 15 Definition of “telecommunications service provider” Broad? Not so broad, due to constitutional limitations? (e.g. applicability of CASL’s computer program provisions to intraprovincial communications?)
“Deemed” express consent - Questions for s. 6(a) of IC Reg’s (network security exemption) 16 Is a “threat to the availability, reliability, efficiency or optimal use” just: Malware? Viruses? Software bug? Other? What is a “current and identifiable” threat? Threats that are not ‘identifiable’ in addition to being ‘current’? What about ‘future’ security threats? “Solely” – is the exemption available if the program has an additional legitimate purpose in addition to just addressing a ‘security’ threat?
“Deemed” express consent (IC Reg’s, s. 6(c) – correcting a failure) 17 (c) a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose. “Solely” – is the exemption available if the program provided ‘new’, improved or additional functionality or features, and not “solely” bug fixes?
“Deemed” express consent - Questions for each of s. 6(a), (b) & (c) of IC Reg’s 18 How to assess whether the person’s conduct is such that they consent to the program’s installation (s. 10(8)(b))?
Additional Compliance Challenges and Solutions – Mobile/Telecom 19 Scenario I: Initial software updates during “Out Of Box Experience” (OOBE) for a new BlackBerry 10 device
Out Of Box Experience (OOBE) on BlackBerry 10 - First substantive step after user chooses UI language is acceptance of BlackBerry Solution License Agreement, which indicates software may automatically check for updates and that BlackBerry may make required updates available
OOBE on BlackBerry 10 (cont’d) - The last substantive step before completion of initial setup is a user notice regarding software update as part of the OOBE (most current OS available for relevant carrier/region)
22 Scenario II: 3rd Party App Submission Process in BlackBerry World Additional Compliance Challenges and Solutions – Mobile/Telecom
Step 1: Developer creates a Vendor account – after acceptance of BlackBerry World vendor terms, etc various fields made available for vendor to complete. - These include for vendor identification and contact info. 3rd Party App Submission Process in BlackBerry World
Step 2: App submission process: Vendor creates the listing for the app under their Vendor account. 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor adds Descriptive text which will be seen by the user when they view the app in BlackBerry World, prior to download. Substantial space available in “Long Description” – vendor free to provide information about the function and purpose of the computer program (or to provide additional disclosures as may be required by s. 10(4) or (5) of CASL if the vendor so chooses (presumably ‘separate and apart from the license agreement’ as it is prior to download).) 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor adds App icon and screenshots 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor can limit the availability of their app by Carrier and or Country 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process: Once app accepted for distribution in BlackBerry World, it is made available for users to access in BlackBerry World, either through the user browsing or searching for the desired app 3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process (cont’d): Users goes to the app listing in BlackBerry World, to view the information that the vendor had input about the app 3rd Party App Submission Process in BlackBerry World (cont’d)
Users chooses to download the app Step 3 (cont’d): BlackBerry World End user process:
Users presented with any required permissions sought by app prior to using the software (Note: outside of BlackBerry World, once the user is in the app the vendor may also provide its EULA or other notice(s) for acceptance etc). Step 4: App permissions notice to end user
Additional Compliance Challenges and Solutions – Product Manufacturing 33 Lack of direct interaction with consumers Express consent Exceptions to consent Obtaining consent for products with no user interface Global marketplace challenges
Additional Compliance Challenges and Solutions – Online Business 34 Cookies Java scripts HTML code