Canada’s Anti-spam Legislation: Phase 2 comes into force and first monetary penalty imposed


While Canadian businesses have barely recovered from the first phase of Canada’s anti-spam legislation (CASL), which aims primarily to regulate the sending of unsolicited commercial electronic messages, a new series of requirements applicable to the unauthorized installation of computer programs came into force on January 15, 2015.

Like the rules applicable to commercial electronic messages, the second phase of the CASL is based on an opt-in mechanism as opposed to an opt-out mechanism. In other words, if someone wishes to install computer software or programs on someone else’s device, he must first obtain the consent of the device’s owner or authorized user.

Parliament has not limited the legislation to any devices in particular. This means that the installation of software or programs on a computer, smartphone, tablet or game console is likely subject to the new rules. The same is true of the installation of software or programs on any device with computerized components, such as cars, appliances, smartwatches, etc.

Since the legislation does not apply to the personal installation of computer software or programs, it is important to bear in mind that the new rules only apply when a business installs or causes the installation of software on someone’s device as part of its business activities. For example, the new rules do not apply where a person downloads an application onto his or her own device. Nor does the legislation apply to employers who install software or a computer program on the company’s devices. On the other hand, if the employer wishes to install a program or software on a device belonging to its employee, it must obtain the employee’s consent first.

Furthermore, the legislation establishes several cases in which a person is deemed to have consented to the installation of a computer program or software. These include, for example, cookies, HTML, JavaScript, or an operating system such as Windows, OS/IOS, Linux, Android, Unix and BlackBerry OS.

For the time being, if computer software or a computer program was installed on someone else’s computer before January 15, 2015, the person is also deemed to have implicitly consented to the installation of updates until January 15, 2018.


Express consent must be obtained from the device’s owner or an authorized user.

The CASL does not define the notion of “authorized user.” According to the CRTC, anyone who has permission to use the device is an authorized user. For example, an employee who uses a device supplied by his or her business, a spouse or children who use the family computer, the renter of a device, and a person who is repairing a computer (but only to the extent that the person is making agreed-upon repairs) are authorized users.

When a person must obtain consent, the person must convey the following information to the owner or authorized user in clear and simple language:

  1. The reason consent is being requested
  2. The identity of the person who is seeking consent
  3. If consent is sought on behalf of another person, a statement indicating which person is seeking consent and the person on whose behalf consent is being sought
  4. The mailing address and one other type of contact information of the person
  5. A statement indicating that the person whose consent is sought can withdraw their consent
  6. A description in general terms of the functions and purpose of the computer program to be installed

In addition, if the software or computer program collects personal information, interferes with the user’s control of the device, changes the device’s settings or the data stored on the device, causes the device to communicate with another device or allows a third party to connect to the device remotely without the owner or authorized user’s knowledge, the request for consent must also disclose the following information:

  • A description of these functions and the reason for them
  • A description of the impact of these functions on the operation of the device

All the consent-related requirements must be met before the software or computer program is installed. As for the consent itself, it is not presumed and the burden of proof is always on the person who does or causes the installation.


The CRTC recently reprimanded a Quebec business for sending commercial electronic messages without the consent of the addressees and for sending messages with unsubscribe mechanisms that did not function properly. The monetary penalty for the four violations is $1.1 million. The company has 30 days to submit written representations to the CRTC or pay the penalty. It also has the option to request an undertaking with the CRTC to address this issue.

We remind you that the CASL imposes serious penalties on people who do not comply with its provisions, including those concerning the unauthorized installation of computer programs. Offenders who are individuals face administrative monetary penalties of up to $1 million, whereas the maximum is $10 million for all other offenders.

Effective July 1, 2017, any person who suffers a loss or damage due to a contravention of the CASL may apply to a competent court for an order requiring the person to pay the amount of the damage in question, plus up to $1 million in liquidated damages.


Although this second phase of the CASL mainly seeks to protect Canadian consumers and businesses against the installation of malware or spyware that is often particularly harmful to users, it should be kept in mind that the new requirements can apply to many other situations. It is therefore important for businesses to review their practices in this regard, to ensure they comply with the law’s provisions.



  • Loïc Berdnikoff

    Chief Privacy Officer and Chief, Legal Operations and Conformity and Lawyer
