Vilo Automation Inc.’s Anti-Spam Legislation Manual
1. Introduction
This resource has been developed as a service to VILO AUTOMATION INC.’s mobile application, namely IAUTOMATE, and to make its compliance with Canada’s Anti-Spam Legislation (CASL) easier. It aims to help VILO AUTOMATION INC. employees understand the requirements of CASL and how it applies to commercial electronic messages (CEMs). The final section of this document provides guidance on the application of CASL to the installation of computer programs and applications.
When CASL was introduced in 2009, Canada was the only G-8 country without an anti-spam framework. In this context, implementation was a matter of when, and not a question of if.
1.1. What is CASL
Canada's Anti-Spam Legislation (CASL) is a law that regulates how you can send commercial electronic messages, which include email, text messages and other forms of electronic messages, and how you can use certain applications (Apps) for marketing purposes. The federal government passed the law in an effort to reduce spam, malware, and related internet threats. It is one of the world’s strictest anti-spam laws and is intended to provide individuals with control over most of the marketing messages they receive. The legislation took effect on the following dates:
· on July 1, 2014, the Anti-Spam provisions came into force;
· on January 15, 2015, the provisions related to unsolicited installed software programs came into force; and
· on July 1, 2017, provisions providing for a private right of action came into force.
CASL establishes three primary rules for sending CEMs:
1) senders must have consent from the recipient of the message before sending a CEM;
2) senders must provide proper identification and contact information to the recipient in each CEM; and
3) senders must have a functioning unsubscribe mechanism in their CEMs.
Complying with CASL means there are five questions you should ask yourself before sending an electronic message:
1. Is the message a CEM?
2. Is the CEM subject to CASL?
3. Is there consent to send the CEM?
4. Does the CEM contain the required information?
5. Does the CEM contain an unsubscribe mechanism?
The rule with respect to computer programs and Apps is straightforward: express consent must always be obtained before a computer program or an App is installed.
1.2. Why is it important to comply?
CASL contains significant penalties for non-compliance. The Canadian Radio-television and Telecommunications Commission (CRTC) can impose fines of up to $10 million per violation; e.g., for each email sent or App installed in violation of the legislation. Although subject to a three-year delay, a private right of action in the law also allows any person who receives an email sent contrary to the rules to sue the sender. This means a recipient of unwanted messages can sue for actual damages, as well as statutory damages of up to $200 per violation. While $200 may not seem like a lot, it can quickly add up if the recipient has received a large number of unwanted messages from a single sender. Furthermore, class action lawsuits could be brought if there are many individuals who have received the same message. The owner of a device can sue for statutory damages of up to $1 million for the installation of a computer program or an App in violation of the law.
2. Application of CASL
2.1. What is a CEM?
The law applies to CEMs. There are two key components to the definition of a CEM: it must be an electronic message and it must be commercial. An electronic message includes email, SMS text messages, instant messages, and any form of electronic messaging that is sent to an electronic account. This includes private messages sent through social media platforms such as LinkedIn or Facebook, but not telephone calls. However, a post on Twitter or one's own Facebook page would not be an electronic message because it is not sent to an account, such as an email address. The law also does not apply to live or recorded voice or fax messages. The CASL rules apply to CEMs sent from or accessed from Canada.
A message is considered commercial if it is reasonable to conclude that it is intended to encourage participation in a commercial activity. This includes messages that promote a product, a service, a business opportunity, or any person who does any of those things. This is extremely broad. Any links included in a message, such as a link to a third-party website, are to be taken into consideration in determining whether the message is commercial.
The following are examples of content in a message that would likely be considered “commercial”:
• information about a new VILO AUTOMATION INC. product/service; and
• asking an individual if they are interested in buying a VILO AUTOMATION INC. product/service.
The following are examples that would likely not be considered “commercial”:
• a message that delivers a standard form (i.e. purchase order, etc.); and
• a message to a client or colleague that discusses only personal matters.
A message sent specifically for the purposes of obtaining consent, even if it does not contain any commercial content, is also deemed to be a CEM. In other words, an electronic message sent without consent cannot be used to obtain consent.
2.2. CEMs Subject to CASL
It is a violation of CASL to send a CEM to an electronic address unless the recipient has consented to receiving the CEM and the CEM contains the required information. However, there are some exceptions to this requirement.
Exemption within CASL
Messages sent between individuals that have a family or personal relationship are exempt from the legislation. The CRTC has stated that corporations cannot have a family or personal relationship.
Family Relationship
A family relationship is defined as one where the sender and recipient of the message are related to one another through a marriage, common-law partnership or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication. This would probably not include siblings or cousins.
Personal Relationship
A personal relationship is defined as one where the sender and the recipient of the message have had direct, voluntary, two-way communications and it would be reasonable to conclude that they have a personal relationship, taking into consideration any relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated or whether the parties have met in person. A friendship on Facebook is insufficient to establish a relationship.
Inquiry about a Commercial Activity
Should a party be engaged in a commercial activity, such as a logistics company, you are permitted to contact them and inquire about the commercial activity provided that your inquiry is related to the commercial activity they are engaged in.
Response to an Inquiry or Complaint
Should a party send an inquiry about a product or service (for example, a message sent from a consumer to a VILO AUTOMATION INC. employee), the VILO AUTOMATION INC. employee is permitted to reply to them accordingly. Similarly, a VILO AUTOMATION INC. employee would be permitted to respond to an inquiry or complaint about a product or service.
CEM within Organizations
Communications among employees of an organization and communications between employees of two organizations that have a relationship are permitted.
Enforcing a Legal Right
Communications to enforce a legal right are permitted.
Additional Exemptions
The following communications do not require consent but should include the name, contact and unsubscribe information:
· CEM facilitates, completes or confirms a commercial transaction;
· CEM provides warranty, product recall, or safety information about a product or service the recipient uses, has used or has purchased;
· CEM provides notification of factual information about ongoing:
o use/purchase by recipient of a product/service under subscription/ membership/ account/ loan/ similar relationship with sender; or
o subscription/ membership/ account/ loan/ similar relationship with recipient.
· CEM communicates information directly related to an employment relationship or related benefit plan; and
· CEM delivers product/service, including updates/upgrades, that the recipient is entitled to receive in accordance with a previous transaction.
3. Consent
All CEMs sent by VILO AUTOMATION INC. employees that do not qualify for these exemptions must comply with CASL, which means the messages must contain the required information and the VILO AUTOMATION INC. employee must ensure there is consent before sending the messages. There are two forms of consent under CASL: implied and express.
3.1. Implied consent
Although there is a mechanism by which implied consent can be obtained, best practice is to rely only on express consent. There are four different circumstances where consent can be implied from a potential recipient (i.e. a CEM can be sent by a VILO AUTOMATION INC. employee without explicitly asking for permission):
• Existing Business Relationships;
• Existing Non-Business Relationships;
• Conspicuous Publication of Electronic Address (an email was on a website and they did not state they did not wish to receive a CEM); and
• Disclosure of Electronic Address by Recipient to a VILO AUTOMATION INC. employee.
3.1.1. Existing Business Relationship
An existing business relationship arises where VILO AUTOMATION INC. and the recipient have done business together in the two years before the message is sent. Examples of “doing business” include:
· purchase (or bartering) of a product, service, etc. within two years immediately before the CEM was sent;
· acceptance of a business, investment or gaming opportunity of the sender within two years immediately before the CEM was sent;
· a written contract for a product, service, etc. entered into by the recipient and the sender within two years before the CEM was sent; and
· an inquiry or application in respect of a product, service, business, investment or gaming opportunity within six months before the CEM was sent.
3.1.2. Existing Non-Business Relationship
A non-business relationship exists where the sender: (a) is a charity, political party or political candidate, and the recipient has volunteered or made a donation within the previous two years; or (b) is a club, association, or volunteer organization of which the recipient has been a member within the previous two years.
3.1.3. Conspicuous Publication of Electronic Address
Consent may be implied if the recipient has conspicuously published their electronic address (e.g., on a website), has not expressly stated that they do not wish to receive unsolicited messages, and the content of the message is related to the recipient's business or official capacity. This form of consent is more relevant in a business-to-business context.
CASL does not allow businesses to send commercial electronic messages to any email addresses they can find online. Consent is evaluated on a case-by-case basis and the onus of proving consent (including implied consent) falls on the party relying on it. It is also important to be aware that VILO AUTOMATION INC. employees cannot use computer programs to collect electronic addresses that are published on the internet, as this is a contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA).
Recently, there has been judicial guidance on implied consent via conspicuous publication. The CRTC Spam Reporting Center received numerous complaints that Blackstone had been sending unsolicited emails. Blackstone argued that the email addresses were publicly available. The CRTC explained in its decision that, in order for there to be implied consent, the address of the person to whom the message is sent must be conspicuously published. Ultimately, Blackstone was fined $640,000, which was subsequently lowered to $50,000.
3.1.4. Disclosure of Electronic Address by Recipient to VILO AUTOMATION INC.
Consent may be implied if the recipient has disclosed their electronic address directly to the sender, has not expressly stated that they do not wish to receive unsolicited messages, and the content of the message is related to the recipient's professional capacity.
3.1.5. Transitional Provision for Implied Consent
CASL contains a transitional provision that extends the time period during which consent to send a CEM can be implied up to July 1, 2017, if:
• there has ever been an existing business relationship or existing non-business relationship in existence between VILO AUTOMATION INC. and recipient before July 1, 2014, without regard for the expiry dates associated with the various types of relationships; and
• there has been communication by CEM between VILO AUTOMATION INC. and the recipient (e.g., VILO AUTOMATION INC. has been sending updates or newsletters by email).
This means that if an existing business relationship or existing non-business relationship has existed at any time prior to July 1, 2014, and VILO AUTOMATION INC. and the recipient have communicated through means of electronic communications, then consent is implied until July 1, 2017, unless the recipient unsubscribes. Conversely, if the business relationship was developed after July 1, 2014, the two-year and six-month periods apply.
VILO AUTOMATION INC. can use this three-year window to send a CEM to obtain express consent, which would close after July 1, 2017. It is important to note that normally an email sent to obtain consent would be considered a CEM itself, which means the sender would have to possess consent before sending the email in order to comply with CASL. However, if express consent is sought in an email sent during this transitional period, then consent is implied for that CEM.
Many VILO AUTOMATION INC. employees may have existing databases of email and/or other electronic addresses. One way to ensure that VILO AUTOMATION INC. employees can continue to send emails to these addresses is to send a message to request consent as soon as possible. Alternatively, if VILO AUTOMATION INC. has an existing business or non-business relationship with the owners of the email addresses, then VILO AUTOMATION INC. can take advantage of the three-year transitional provisions and send an email to obtain consent during that period.
Since CASL is now in force, it will be important to stop sending CEMs to anyone who has not provided consent in accordance with the law or who does not provide consent when consent is sought using the transitional provisions.
3.1.6. Tips for compliance
• An existing business relationship is the most relevant form of implied consent for contacting individual clients. It may allow you to contact individuals you have done business with in the past. However, an existing business relationship is time-limited, meaning that it should be used as an opportunity to obtain express consent. Express consent does not expire unless consent is withdrawn.
• If relying on an existing business relationship or existing non-business relationship, it is important to keep track of the varying “expiry dates” that arise under the different categories of implied consent (six months or two years).
• The transitional provision described above will allow VILO AUTOMATION INC. employees to imply consent to send CEMs where there is an existing business relationship or an existing non-business relationship wherein VILO AUTOMATION INC. employees have sent emails to the recipient previously.
• Implied consent based on the conspicuous publication of an electronic address, or where the recipient has provided their electronic address to the sender, is likely only relevant for business-to-business communications because of the requirement that the message be relevant in the context of the recipient's official or business capacity. Before relying on this form of consent, it is important to be sure that the recipient has not indicated that they do not want to be contacted.
3.2. Asking for express consent
If consent cannot be implied, then express consent is necessary. Express consent means that the recipient has affirmatively indicated to you that they would like to receive a CEM in response to a request for consent.
If consent cannot be implied and express consent is not obtained, it is important not to send the CEM, as doing so will violate the legislation.
There are a number of things that must be taken into consideration when seeking express consent.
3.2.1. Information to be Included in a Request for Consent
• Purpose. CASL requires you to clearly explain the purpose for requesting consent. Be as specific as possible, and tell the individual what they will be hearing about, and from whom. For example, tell the individual if they will be added to a newsletter or regular publication. Furthermore, it is essential to be clear about who they will be hearing from and whether their address will be shared with anyone else. A failure to explain any of this information could result in a finding that consent was not properly obtained.
• Identifying information. CASL specifically requires that certain identifying information be provided when asking for consent. This information must be set out “clearly and prominently”, meaning that it must be easily read. The required information is as follows:
o The name of the person requesting consent (or the name by which the person carries on business).
o If one person is asking for consent on behalf of another, then both of those persons need to be identified, and the individual needs to be told on whose behalf consent is sought.
o Contact information for either the person requesting consent or the person on whose behalf consent is sought must be provided, including a physical address, and either a telephone number, email address, or web address.
• Withdrawal of Consent: The person providing consent must be informed that they can withdraw their consent (i.e. unsubscribe) at any time.
3.2.2. Form of Consent
Express consent can be obtained electronically, in writing, or verbally.
• Electronically: Consent can be obtained electronically, for example, through a website. This often involves the use of a check box. The CRTC has indicated that consent must be opt-in, not opt-out, meaning that check boxes cannot be pre-checked. If the individual is required to actively enter their email address specifically for the purposes of subscribing to a list, then a separate check box is not required.
• In writing: Consent can be obtained in writing, for example, on a form at a trade show. The same requirements that apply to an electronic request for consent apply to a request in writing.
• Verbally: Consent can be requested and provided verbally. All of the information that is required when obtaining consent electronically or in writing (i.e. purpose and identification) must be provided in a verbal request for consent as well.
A request for consent cannot be subsumed or 'buried' in a larger agreement, such as an end-user license agreement or privacy policy. The request must be separate from these agreements, and brought to the specific attention of the recipient. Furthermore, the CRTC has stated that a recipient must be able to agree to general terms of use or sale without being required to consent to receiving a CEM.
3.2.3. Confirmation Message
The CRTC has noted that they expect businesses to send a “confirmation” message following the receipt of consent. The confirmation message reminds the individual that they have provided consent, and offers an opportunity to opt out. This is often referred to as “notified opt in”. Please note that this is not a requirement of the CASL legislation, but has been recommended as a best practice by the CRTC, and as such, we recommend that VILO AUTOMATION INC. adhere to this best practice.
3.2.4. Existing express consent obtained in compliance with PIPEDA
If you obtained express consent from someone before July 1, 2014 in a manner that is compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA), then that consent is also considered compliant with CASL. This means that you would not need to seek express consent again from that person for the purposes of sending email or other electronic messages under CASL.
Express consent for the purposes of PIPEDA is generally similar to express consent under CASL, with a couple of key differences. First, PIPEDA does not necessarily require you to provide all of the same information required when requesting consent under CASL, such as a mailing address, and either a telephone number, web address or email address.
While the CRTC has stated that pre-checked boxes are not acceptable under CASL, pre-checked boxes are acceptable under PIPEDA where non-sensitive personal information is involved.
3.3. Evidence of consent
Any person claiming to have consent under CASL bears the burden of proving that consent was properly obtained if he/she becomes subject to an investigation or lawsuit. It is therefore important for you to maintain a record of when and how consent was obtained. For example, when consent is obtained electronically on a website, a “screen shot” of the site and a log should be retained in a database along with a record of the date, time, and purpose of consent. While there are no prescriptive rules for exactly what constitutes proper evidence under CASL, you should be able to feel comfortable that you could prove that a person provided consent if they ever tried to argue otherwise.
It will likely be more difficult to prove that consent was obtained verbally, which should be taken into consideration when seeking express consent.
3.4. Tracking Consent
A system to track recipient consents can be as simple as a spreadsheet or as complex as a fully integrated database. Good record-keeping practices can help the sender:
· identify potential non-compliance issues
· investigate and respond to consumer complaints
· identify the need for corrective actions
· demonstrate that these corrective actions were implemented
· establish a due diligence defense in the case of a violation of CASL
Senders of commercial electronic messages should consider keeping a hard copy or an electronic record of, among others:
· all evidence of express and implied consent (e.g. audio recordings, copies of signed consent forms, completed electronic forms) from consumers who agree to receive CEMs
· documented methods through which consent was collected
· policies and procedures regarding CASL compliance
· all unsubscribe requests and resulting actions.
If VILO AUTOMATION INC. intends to rely on the implied consent provisions of CASL in order to send CEMs, the consent tracking system must be able to track the “expiry” dates of the implied consent categories.
Along with a system that tracks both situations of implied and express consent within a contacts database, it is recommended that VILO AUTOMATION INC. make efforts to “convert” the implied consents to express consents within the applicable timeframe when the implied consents are still “active”.
4. Information to be Included in a CEM
Once consent has been obtained (whether express or implied), VILO AUTOMATION INC. employees must ensure that any CEM they wish to send satisfies two additional requirements: the sender must be properly identified in the message; and, each message must contain a functioning unsubscribe mechanism.
4.1. Identification
Every CEM must contain prescribed identification information. The required information is as follows:
• The name of the person sending the message (or the name by which the person carries on business).
• If one person is sending the message on behalf of another, then both of those persons must be identified by name, and the message must indicate who is sending on behalf of whom.
• Contact information for either the person sending or the person on whose behalf the message is sent must be provided, including a physical address, and either a telephone number, email address, or web address.
This information must be set out “clearly and prominently”. CASL does not specify what this means; however, the information must be readily viewable by the recipient, with no attempt to hide or deceive. As an example, very small font, and font colors that are not easily distinguishable from the background should be avoided. Many email service provider systems (e.g., systems that allow you to send large quantities of email) allow you to enter this information into a template that is automatically included in the “footer” of the emails you send through that system.
If the required identification information described above cannot be practically included in a message, then it is acceptable to include the required information in a link to a web page that is set out clearly and prominently in the message. This could be used, for example, if sending an SMS text message, which is limited to 140 characters.
4.2. Unsubscribe
Every message must contain a functional unsubscribe mechanism. An unsubscribe mechanism allows a recipient to easily withdraw consent from receiving any messages in the future. There are a few key requirements that apply to the unsubscribe mechanism:
• Form: The unsubscribe mechanism must use the same electronic means by which the message is sent, unless impracticable. For example, if the CEM is an email, then the recipient should not be required to unsubscribe by telephone. A CEM must allow the recipient to unsubscribe either by sending a message to an electronic address (e.g. replying to an email with “Unsubscribe” in the subject line), or by clicking on a link to an unsubscribe web page. The unsubscribe mechanism must be able to be “readily performed”, meaning that it must not be too onerous for the recipient. For example, it would be too onerous to require a user to log into an account in order to unsubscribe. Web pages that allow users to select from a number of options when unsubscribing are acceptable. The unsubscribe mechanism must be functional for at least 60 days after a CEM is sent.
• Time to give effect: An unsubscribe request must be given effect “without delay, or in any event no longer than 10 business days”. This means that every effort should be made to ensure that a user will not receive any CEMs after an unsubscribe request is made, unless extenuating circumstances make this impossible. Once an individual has unsubscribed, do not follow up with any messages asking the recipient to re-subscribe. Receiving messages after an unsubscribe request has been made is one of the most common causes of spam-related complaints.
• Cost: The unsubscribe mechanism must be free of charge.
• Specific considerations for SMS Messages: An SMS message must provide the recipient with the choice between replying to the message with the word “STOP” or “Unsubscribe” or clicking on a link that will take the user to a web page where he or she can unsubscribe.
4.2.1. Tips for Compliance
• Except in cases where very small numbers of CEMs are sent, it is generally preferable that the unsubscribe mechanism be automated. There are many products and services that enable automated email list management and unsubscribe mechanisms. For example, email service provider systems provide unsubscribe mechanisms that will automatically remove recipients from your list when they unsubscribe.
• Web-based unsubscribe pages are often more reliable than unsubscribe requests sent to an electronic address, as this removes the risk that an unsubscribe request will be caught in a spam filter.
4.3. Third Party Approval
A person can get consent on behalf of yet-to-be-determined third parties; however, identification and unsubscribe rules still apply.
5. Strategies for Obtaining Electronic Addresses
A database of electronic addresses is a valuable marketing tool that allows VILO AUTOMATION INC. employees to effectively maintain contact with past, existing, and future clients and business contacts. This section provides practical guidance respecting common practices used for obtaining electronic addresses and practices that should be avoided.
5.1. Business Cards
The exchange of business cards is an effective way to collect contact information. Note that when a recipient provides their business card to a sender, the sender can rely on implied consent to send a CEM, but only if the CEM is related to the recipient's business or official capacity. As such, the exchange of a business card without obtaining express consent is really only effective for business-to-business type communications. If a person provides their business card with the intention of having you use their business email address to contact them for reasons unrelated to their business, VILO AUTOMATION INC. would need to obtain their express consent to do so by following the steps identified above.
5.2. Landing Pages
Landing pages are commonly used to attract traffic online and obtain prospects. A landing page may offer an article, report, or webinar, in exchange for the user's contact information. This can be an effective collection strategy; however, VILO AUTOMATION INC. employees must be sure to include all of the required information in a request for consent (i.e. your name, contact information, purpose for the consent, and a statement about the ability of the recipient to withdraw consent).
If you are selling a product or service, then you cannot require a person to consent to receiving CEMs as a condition of purchasing that product or service. In other words, they must be able to purchase the product or service without being required to provide consent.
6. Practices to Avoid
6.1. List Purchase
There are companies that offer lists of email addresses for sale. These lists are often marketed as fully “opt-in”, “permission-based” or “compliant”. Purchasing such a list may be tempting but is very risky. Despite advertised claims, it is unlikely that proper consent has been obtained, and anyone purchasing and sending communications to such a list is most likely doing so in violation of CASL. In addition, it is also a violation of privacy legislation to buy and sell a list of email addresses without the consent of everyone whose email is on the list.
6.2. Email Appending
Email appending generally refers to the practice of attempting to add email addresses to an existing database of contact information by merging two separate databases. There are many companies that offer such a service. This practice should be avoided as the use of email addresses obtained through an email appending service would be without consent, and therefore very likely to result in the sending of emails that are not compliant with CASL.
7. Installation of Apps
It is a violation of CASL to install a computer program on a computer without the consent of the computer owner. The definition of “computer program” includes many different things, but most importantly for VILO AUTOMATION INC. employees, it covers applications (App or Apps), which is why this section focuses on Apps instead of computer programs more broadly. However, it is still important for VILO AUTOMATION INC. employees to know that CASL applies to computer programs in general. It should also be noted that consent is implied for the installation of certain “computer programs”, such as operating systems and HTML code.
Apps can be a valuable marketing tool for VILO AUTOMATION INC. CASL requires that, before an App is installed on a device, the authorized user (i.e. the owner) of the mobile device expressly consent to the installation of the App. The following describes how VILO AUTOMATION INC. should design its Apps so as to properly seek express consent from the owner of a mobile device.
7.1. Obtaining Express Consent
Express consent means that the owner of the mobile device has affirmatively indicated his/her consent to the installation of the App in response to a request for consent. In order to obtain express consent, VILO AUTOMATION INC. should design its Apps with the following three rules in mind:
• Provide the required information to the user when obtaining consent from him/her;
• Make sure that the consent is in the proper format;
• Comply with any additional requirements for those Apps that require special treatment as they perform specified functions.
7.1.1. Information to be provided
CASL requires that before an App is installed on a mobile device the following information be provided to the owner of the mobile device:
• Purpose. CASL requires you to clearly explain the purpose for requesting consent. For example, inform the user that they are consenting to the installation of an App on their device.
• General description of the App. VILO AUTOMATION INC. must clearly and simply describe, in general terms, the function and purpose of the App. This would include, for example, notifying the individual if the App will make use of location-based functionality on the device (i.e. GPS).
• Identifying information. CASL specifically requires that certain identifying information be provided when asking for consent. This information must be set out “clearly and prominently”, meaning that it must be easily read. The required information is as follows:
o The name of the person requesting consent (or the name by which the person carries on business).
o If one person is asking for consent on behalf of another, then both of those persons need to be identified, and the individual needs to be told on whose behalf consent is sought.
o Contact information for either the person requesting consent or the person on whose behalf consent is sought must be provided, including a physical address, and either a telephone number, email address, or web address.
7.1.2. Form of consent
Express consent for the installation of an App must be in the proper format. Such consent will typically be obtained electronically through the website or platform where the App is downloaded by the individual. Consent must be opt-in, not opt-out, meaning that the user must be required to explicitly click on a check box or icon indicating that they provide express consent. Check boxes cannot be pre-checked.
A request for consent cannot be subsumed or ‘buried’ in a larger agreement, such as an end-user license agreement or privacy policy. The request must be separate from these agreements, and brought to the specific attention of the recipient. Consent for receiving CEMs and the installation of an App must be obtained separately (i.e. a user cannot be required to consent to receiving CEMs as a condition of consenting to the installation of an App, and vice versa).
7.2. Additional Requirements for Specified Functions
Additional requirements apply if an App performs certain specified functions, causing the App or mobile device to perform in a manner that would be contrary to the reasonable expectations of the user. For example, if the App:
• collects personal information from the device;
• interferes with the user's control of the device;
• changes or interferes with settings, preferences or commands on the device without the user's knowledge;
• causes the device to communicate with another computer without the user's knowledge;
• changes or interferes with data that is stored on the device in a manner that obstructs, interrupts or interferes with lawful access to or use of that data; or
• allows another third party to install a program on the device without the user's knowledge.
These functions must be brought to the explicit attention of the user, and separate express consent must be obtained for each of these functions in addition to express consent obtained for the installation of the App.
Furthermore, if the App performs any of the functions described above, the user must be provided with an electronic address where they can request assistance in having the App removed. The ability to seek this assistance must be active for a period of one year following the installation of the App.
(Updated September 24, 2024)