Canada’s Anti-Spam Law (CASL) – A step by step guide on how it applies to apps and software

Canada’s new anti-spam law targets more than just spam. CASL also targets malware, and it has a very broad reach. CASL prohibits installing a computer program–including an app, software, or other executable data–on a computer system (computer, device, network) unless the program is installed with consent and complies with disclosure requirements. The provisions in CASL related to the installation of computer programs are in force as of January 15, 2015.

What follows is a snapshot of CASL’s key elements.

(i) “First off, don’t panic”

Software developers and vendors have raised questions about what certain CASL terms mean, and how they work. These include “install or cause to be installed”, “basic consent” and “enhanced consent”. The CRTC – the government authority charged with administering CASL – seems to have gotten the message. The first part of the CRTC’s response to FAQ #1 in CASL Requirements for Installing Computer Programs is “First off, don’t panic”. See

(ii) What’s excluded

Cookies, HTML, JavaScript, and an OS can be installed without consent where it’s reasonable to believe from the user’s conduct that they do consent to the installation.

(iii) Recent guidance

The CRTC has also clarified some of the questions that software vendors and developers have raised:

  1. Self-installed software is not covered under CASL. CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  2. Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g., in a family context) where that individual is an authorized user.
  3. An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  4. Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent to install updates and upgrades until January 15, 2018 – unless the person opts out of future updates or upgrades.

(iv) Penalties

The maximum penalty under CASL is CA$10 million for a violation of the Act by a corporation. A private right of action is available to individuals as of July 1, 2017.

(v) Software developer vs. software vendor – who is liable?

The CRTC has taken the position that as between the software developer and the software vendor (the platform), both may be liable under CASL. To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • Was their action a necessary cause leading to the installation?
  • Was their action reasonably proximate to the installation?
  • Was their action sufficiently important toward the end result of causing the installation of the computer program?

Among other things, this means that agreements between developers and vendors should include language to address CASL compliance and liability.

