On September 30 the Canadian Radio-television and Telecommunications Commission (CRTC), which is tasked with enforcing Canada’s Anti-Spam Legislation (CASL), announced that it had reached a voluntary undertaking with Notesolution Inc. (doing business as OneClass) to resolve several alleged violations of the Act. As part of its agreement with the CRTC, OneClass agreed to pay a monetary payment of $100,000 to the Receiver General of Canada and implement a compliance program.
OneClass primarily operates an online platform for students to share notes and materials. Postsecondary school students can access student-created exam study guides, lecture notes and video tutorials.
In response to complaints from recipients, the CRTC investigated allegations that OneClass had sent commercial electronic messages (CEMs) without consent between October 31, 2016 and March 25, 2020 to promote its business through one-time and monthly purchases of varying subscription lengths in Canada as well as globally, in violation of paragraph 6(1)(a) of the Act and section 4 of the Electronic Commerce Protection Regulations (CRTC) SOR/2012-36 (the Regulations).
The CRTC’s Chief Compliance and Enforcement Officer also alleged that OneClass installed a computer program, known as the “OneClass Easy Invite Chrome Extension,” on the computer systems of postsecondary students between October and November 2016, without their express consent or setting out the purpose for which consent was being sought. The CCEO further alleged that OneClass should have been aware that the “OneClass Easy Invite Chrome Extension would cause the computer system to operate in a manner contrary to the reasonable expectations of the owners or authorized users of those computer systems” as it collected personal information stored on the students’ computer systems, including usernames and password credentials, in violation of sections 8(1)(a), 10(1)(a), 10(3), 10(4), and 10(5)(a) of the Act as well as section 5 of the Regulations.
The case is interesting as it highlights the CRTC’s commitment to sanction companies for violating the lesser-known provisions of the Act relating to the installation of computer programs. In addition to its focus on email, section 8 of CASL expressly prohibits organizations from installing, during the course of a commercial activity, computer programs (software) on other persons’ computer systems (or to cause an electronic message to be sent from that computer system) without the express consent of the owner or authorized user of the computer system.
This prohibition covers all computer devices, including laptops, smartphones, desktops, gaming consoles or other connected devices. In the absence of a court order, the Act also requires organizations that wish to lawfully install computer programs (‘installing organization’) to meet additional technical requirements to the standard CASL consent requirements set out in the Act.
Subject to limited exceptions in the Act — i.e. for programs such as cookies, html, or bug fixes/patches — when requesting consent, the installing organization must clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given.
CASL also sets out additional requirements. If the computer program that is to be installed performs one or more of the functions described in the paragraph below, the installing organization must, clearly and prominently, (a) describe the software program’s material elements that perform the function or functions, including (i) the nature and (ii) purpose of those elements and (iii) their reasonably foreseeable impact on the operation of the computer system; and (b) clearly bring those elements to the attention of the person from whom consent is being requested. Significantly, this must be provided in a transparent fashion, separate and apart from the terms and conditions, document or end-user licensing agreement.