A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.
The functions listed in 10(5) of the Act are:
(a) collecting personal information stored on the computer system;
(b) interfering with the owner’s or an authorized user’s control of the computer system;
(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(g) performing any other function specified in the regulations.
While this is obviously designed first and foremost at spyware, it targets many other possibilities including the infamous Sony rootkit case and other attempts by software or app developers to unexpectedly collect personal information or interfere with a user’s computer. It could also have an impact on some digital rights management systems, raising interesting questions about the interaction between these requirements and the digital lock rules in Bill C-11.