Search

Undertaking: NortonLifeLock Inc.

File No.: 9110-2022-00611

Effective date of undertaking: 10 February 2023

Monetary payment amount: $0

Under section 21 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, C. 23 (the Act).

Person entering into an undertaking

NortonLifeLock Inc.

Acts and omissions covered by the undertaking and provisions at issue

NortonLifeLock Inc. has voluntarily entered into an undertaking with the Chief Compliance and Enforcement Officer (CCEO) concerning alleged violations of paragraph 8(1)(a) and subsections 10(1), 10(3), 10(4) and 10(5) of the Act.

In January 2022, Commission staff commenced an investigation into a series of public allegations that NortonLifeLock Inc. had installed, or caused to be installed, Norton Crypto on the computer systems of some of its Norton 360 customers without consent.

During the course of the investigation, NortonLifeLock Inc. indicated that “the Norton Crypto function was downloaded as part of the Norton 360 installation package, and installed at the same time as Norton 360”, but that it had proactively sought to address the issue posed by the lack of express consent for this installation prior to the Commission’s investigation by modifying the installation process to seek user consent, as early as January 2022.

Amount owing and summary of other conditions

NortonLifeLock Inc. has cooperated fully with the CCEO and voluntarily undertaken measures to resolve the CCEO’s outstanding concerns regarding its compliance with the Act and the Electronic Commerce Protection Regulations (CRTC), SOR/2012-36 (the Regulations (CRTC)), including undertaking to take all reasonable steps to ensure that any software it sells and/or installs, and/or causes to be installed, in the course of a commercial activity, complies with paragraph 8(1)(a) and subsections 10(1), 10(3), 10(4) and 10(5) of the Act.

As part of this undertaking, and in order to promote compliance with the Act and the Regulations (CRTC), NortonLifeLock Inc. undertook to update its compliance program, which will include:

  1. Development, review and revision (as applicable) of written policies and procedures regarding compliance with the Act and Regulations (CRTC);
  2. Development and provision of periodic training programs, which include compliance procedures and processes to comply with the Act, in particular for employees of NortonLifeLock Inc. involved, directly or indirectly, with the installation of computer programs on computer systems in the course of a commercial activity, and related compliance;
  3. Registration and tracking of commercial electronic message complaints and subsequent resolution; and
  4. Implementation of effective corrective measures for compliance failures.

In addition, NortonLifeLock Inc. undertook to designate a corporate compliance representative within 30 days of the effective date of the undertaking. This individual will oversee the implementation of the elements of the compliance program relating to the Act and facilitate any communications with the Commission regarding ongoing compliance measures.

NortonLifeLock Inc. also undertook to confirm within 120 days of the effective date, in writing to the CCEO, that it has updated the compliance program, and to report on the progress made in implementing the compliance program to the CCEO within 6 months of the effective date.

Finally, NortonLifeLock Inc. undertook to review its compliance program on an annual basis and, if requested by the CCEO within five years of the effective date, to provide a written report of its annual review of the compliance program and its implementation.

This undertaking fully and completely resolved all outstanding issues between the Commission and NortonLifeLock Inc. with respect to its alleged non-compliance with the Act, in relation to the CCEO’s investigation into the installation of computer software on computer systems in the course of a commercial activity and without consent, for the period up to and including the effective date of this undertaking.

Date modified: