Beginning January 15, 2015 the Canadian government has enforced a law that prohibits businesses to install software on devices without the explicit consent of the user. The law, Canada Anti-Spam Legislation (CASL), is aimed at limiting the distribution of malware. Businesses wanting to install software on users’ devices must also disclose if any personal information is collected, or if the code would interfere with the normal operation of the computer. The law entails that users must also be informed if the software changes any settings or preferences on a device, or if third parties are allowed access to it.
Although operating systems are exempted under the new law along with browser cookies, HTML and Javascript for web pages, software updates and upgrades can only be installed automatically if users previously consented. Telecommunication service providers and others can add software or security upgrades designed to mitigate a risk to its network from an identifiable threat.
Analyst comment:
An anti-spam law intended to target malware is positive, although it is unclear how much it will actually help enhance the security of devices. A majority of users can be tricked into giving consent while downloading a software, application, or update. Nonetheless, the law may create greater awareness around the problem of malicious applications and push businesses to strengthen processes to protect consumers. The new law, however, is limited only to businesses and users in Canada.
Pinkerton recommends businesses in Canada study and understand the implications of the new law and plan accordingly. Fines up to USD 10 million (CAD 12.3 million) could reportedly be imposed in case of non-compliance. In the short-term, the law could force tech companies to keep their products out of Canada.