Joint letter from federal enforcement agencies to remind mobile app industry of obligations associated with Canada’s anti-spam legislation

November 26, 2020

BY EMAIL

Re: Your obligations under Canada’s Anti-Spam Legislation (CASL)

As part of a CASL compliance awareness-raising campaign, we are writing to draw your attention to important statutory obligations that affect your business.

The Canadian Radio-television and Telecommunications Commission (CRTC), the Office of the Privacy Commissioner of Canada (OPC) and the Competition Bureau (the Bureau) are respectively mandated to enforce Canada’s Anti-Spam Legislation, the CASL-related provisions of the Personal Information Protection and Electronic Documents Act and the CASL-related provisions of the Competition Act (collectively the “CASL-related provisions”). Together, our agencies are committed to protecting Canadian consumers online, including those who install and use mobile applications (apps). Public trust in electronic commerce is essential to a healthy, competitive economy and benefits consumers and businesses alike.

We would like to remind you that, as a business involved in making apps available to Canadian consumers, your organization has obligations under the CASL-related provisions (an overview of which is provided in Appendix A to this letter).  In addition, your business is in a unique position to detect, prevent and stop activities prohibited by these provisions, thereby minimizing harm to Canadians arising from financial loss, fraud and identity theft, among other things.

The following are examples of mobile app practices that may potentially represent violations of the CASL-related provisions:   

  • Apps that convey false or misleading representations for the purpose of promoting the supply or use of a product or any business interest;
  • Apps that collect consumer information without adequately disclosing to consumers how their information will be used or shared (even when such apps are free) or apps that make representations that are false or misleading regarding the collection, use, sharing, storage or disposal of consumer information;
  • Apps designed or marketed to collect or use electronic addresses (email, SMS, social media accounts) in bulk, e.g., apps that “harvest” a user’s contacts for their own use, or to sell/share with other parties without express user consent;
  • Apps designed to send out unsolicited commercial electronic messages once installed, e.g., they send out spam to users’ friends and contacts without consent;
  • Apps that collect or use personal information by accessing a user’s computer system, or enabling such access, without consent, e.g., “keylogging” malware that secretly collects user credentials;
  • Apps that don’t completely identify their functions, particularly where those functions may collect personal information, change or interfere with settings, preferences or data, or cause the user’s computer to communicate with another computer system without authorization;
  • Apps that, when installed, immediately download a second program on a user’s computer or device without a user’s knowledge or consent; and,
  • Apps that generate malicious activity once installed, e.g., sending out phishing messages or other communications which, if clicked, download malware or other online threats.

We recommend that you carefully review the content of this letter and, where necessary, take steps to revise your practices to ensure they comply with the CASL-related provisions.  Additionally, you may wish to exercise due diligence by adopting further preventative measures.  These could include:

  • developing and implementing a written corporate compliance program;
  • adopting robust client and app vetting practices;
  • adopting agreements with app developers and other parties that require compliance with CASL; and
  • documenting these operating policies and procedures.  

In developing the above, you may find it helpful to consider the following compliance guidance issued by our three agencies and review the legislative overview detailed in Appendix A:

We encourage you to take careful note of this information.  In the event of an investigation by one or more of our agencies into your CASL-related app practices, you should expect that the investigation will include consideration of the actions you have taken to ensure compliance with these provisions.

Finally, you should also be aware that our three agencies intend to release online a template version of this letter (with links to the guidance material) and a joint announcement.  Links to this material will be published shortly on our websites at: www.crtc.gc.ca, www.priv.gc.ca and www.competitionbureau.gc.ca

Thank you for your time and attention to this important matter.

Yours sincerely,

 

Originally signed by

Steven Harroun
Chief Compliance and Enforcement Officer
Canadian Radio-television and Telecommunications Commission

 

Originally signed by

Brent R. Homan
Deputy Commissioner, Compliance
Office of the Privacy Commissioner of Canada

 

Originally signed by

Josephine A. L. Palumbo
Deputy Commissioner of Competition, Deceptive Marketing Practices Directorate,
Competition Bureau Canada


Appendix A: Legislative Overview

The CRTC is responsible for the enforcement of sections 6 to 8 of CASL

  • Section 6 prohibits the sending of unsolicited commercial electronic messages (commonly referred to as spam). 
  • Section 7 prohibits the altering of transmission data in electronic messages, in the course of commercial activity, without consent. 
  • Section 8 states, in part, that a person must not install or cause to be installed a computer program on another person’s computer system, in the course of commercial activity, without the user’s consent. 

In addition, pursuant to section 9 of CASL, it is prohibited to aid, induce, procure or cause to be procured any act contrary to sections 6 to 8. This provision extends liability to intermediaries in the e-commerce value chain, and imposes obligations on Canadian organizations who publish apps for themselves, or third parties.

The OPC is responsible for ensuring compliance with PIPEDA, Canada’s federal private-sector privacy legislation. CASL amended PIPEDA in two respects:

  • First, certain exceptions to consent under PIPEDA do not apply to the collection or use of an individual’s electronic address, if the address is collected by the use of a computer program designed or marketed primarily to generate or search for and collect such addresses (subsection 7.1(2)).
  • Second, certain exceptions to consent under PIPEDA do not apply if an organization collects or uses an individual’s personal information by accessing a computer system illegally, e.g. through the use of malware (subsection 7.1(3)).

The Competition Bureau is responsible for enforcing the Competition Act. The Competition Act includes provisions (criminal and civil) related to misleading representations and deceptive marketing practices that prohibit the making, or the permitting of the making, directly or indirectly, of a representation to the public that is false or misleading in a material respect. The general impression a representation conveys, as well as its literal meaning, are considered when determining whether the representation is false or misleading in a material respect.

CASL amended the Competition Act in two ways:

  • First, new provisions were added, and others modified, to more effectively address false or misleading representations and deceptive marketing practices in the electronic marketplace. Among these provisions are those that prohibit the following practices:
    • Sending or causing to be sent a false or misleading representation in the sender or subject matter information of an electronic message (subsections 74.011 (1) and 52.01(1));
    • Sending or causing to be sent a representation that is false or misleading in a material respect in an electronic message (subsections 74.011 (2) and 52.01(2));
    • Making of or causing to be made a false or misleading representation in a locator such as URL or metadata (subsections 74.011(3) and 52.01(3)); and
  • Second, the Competition Act now includes technology-neutral language that captures emerging technologies and covers all means of telecommunication, including apps, websites, blogs, social media and SMS or text messages. 
