More details on the law are here
1. It looks like security and bug fixes are exempt, provided they don't add "features".
2. It looks like permission boxes must be de-selected by default.
"... Express Consent Requirements
While there are three main exceptions under which consent may be implied or is simply not required, the default position under CASL is that consent must be obtained before taking any action which would otherwise be prohibited. Because any person alleging to have obtained consent bears the evidentiary burden of proving such consent5, it is important for any company that installs computer programs to implement clear policies that provide for the proper documentation of customer consent for any computer programs that are installed. ..."
and later it says
There are three exemptions to the above rules, where consent is deemed to have been obtained or is simply not required. These exemptions apply to upgrades, cookies and telecommunication service providers. ..."
And those exemptions are then defined.
"... The regulations under CASL also provide that a person is considered to expressly consent if their conduct is such that it is reasonable to believe they consent and the program is one of the following:
a program that is installed by a telecommunications service provider solely to protect the security of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;
a program that is installed to update or upgrade the network by the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network; and
a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.22"