How Canada’s anti-spam legislation applies to software

Learn how Canada’s anti-spam legislation (CASL) applies to various types of software installations.

On this page

Consent for software installation

CASL applies when a person installs software on someone else’s device. Some examples of this are:

  • when a website automatically installs software on a computer that visits the site
  • clicking a link in an email message that causes a program to be installed on a computer
  • when an update to previously installed software is "pushed" to a device, updating the program automatically

In all of these cases, the person installing the program (or causing the program to be installed) must first obtain the consent of the device's owner.

However, a person is considered to have expressly consented to the software installation if their conduct is such that it is reasonable to believe they consent to the program’s installation. You may also be considered to have expressly consented to the use of cookies when you visit certain websites. Cookies let websites identify you, track your preferences and recognize when you return to a website. The CRTC offers more detailed information about consent and cookies.

The legislation doesn’t apply in situations where a person or business installs software on their own computer. For example, if you go to an app store to purchase and download an app, and you install that app on your own personal device, the legislation doesn’t apply. Similarly, it doesn’t apply when the IT department of a small business installs new software on company computers or mobile phones.

Software for security or emergency patches

Companies need to be able to update computer systems in certain instances, such as security patches or bug fixes. This is to make sure Canadians' computing devices continue to function properly. Accordingly, a person is considered to expressly consent to these types of installations as long as their conduct is such that it is reasonable to believe they consent.

For example, if a company that sells GPS devices needs to address a problem that causes the device to crash every time a user leaves a parking garage, the company is permitted to push an update to the operating system of the GPS devices without first asking for each user’s consent. In this case, consent is considered to be expressly provided under CASL s. 10(8) since a person using a GPS device can be reasonably considered to want it to function properly when leaving parking garages. Similarly, a telecommunications service provider can push a critical security update to computers on its network to protect users from a cyber attack.