
Inside Internal Controls

News and discussion on implementing risk management


Website cookies in Canada: is consent required?


Website cookies are small files sent by websites to users’ computers, usually without the user’s knowledge or specific consent. Cookies can be used to personalize a website, remember users’ preferences, and retain products in electronic shopping carts. A bigger concern for regulators is that cookies can also be used to track online behaviour, activities and interests, and can be accessed by third parties.

The EU has specific legislation dealing with cookies. This legislation is the primary impetus behind the pop-up cookie consents that have proliferated across the internet.

Canada does not have legislation specifically directed at cookies. Instead, cookies are regulated in Canada under anti-spam law and privacy law. 

Canada’s Anti-Spam Law

Canada’s Anti-Spam Law (“CASL”) is the federal law that regulates unsolicited emails, installation of computer programs, and other electronic threats.

CASL prohibits a person from installing any kind of computer program on another person’s computer in the course of a commercial activity without first obtaining express consent. A “person” is defined as any individual, partnership, corporation, organization, association, trustee, receiver or legal representative.

CASL requires this consent to be obtained in a specific way. In particular, a person who seeks express consent for the installation of a computer program must set out at least: (a) the purpose for which the consent is sought; and (b) the identity of the party seeking such consent. This is the safest way to obtain consent, and it’s the way primarily used on EU websites.

However, CASL also states that a person is deemed to have expressly consented to the installation of cookies if the person’s conduct is such that it is reasonable to believe that the person has consented by their conduct.

CASL is relatively new legislation, and there is not currently much guidance on the conduct that will be deemed “reasonable” to assume consent. At this point, the only example provided by the regulator is that a person will not be considered to have consented to the cookie’s installation if the person had disabled cookies in their browser. 

That leaves open the question of what other conduct would indicate consent to the installation of cookies. Accordingly, the EU approach to pop-up consents is still advisable, particularly given the significant penalties that can be levied under CASL.

Privacy law

Canadian privacy laws generally require consent to the collection, use and disclosure of personal information. Again, the safest way to obtain this consent is through express, informed consent. 

Consent can also be implied for reasonable purposes unless the personal information at issue is sensitive. However, the Federal Privacy Commissioner has imposed limits on the effectiveness of implied consent. In particular, the Commissioner’s policy states that implied consent can only be acceptable for online behavioural advertising (“OBA”) if:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt out of the practice – ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

To the extent that the information is sensitive or will be used for unanticipated purposes, it is necessary to obtain express consent. 

In addition, the Commissioner has stated that organizations should not knowingly track children’s personal information, and in particular, websites that are targeted at children should not contain any tracking technologies whatsoever.

Retention

There are no laws that deal specifically with cookie retention in Canada. However, all privacy laws in Canada impose limitations on the length of time that personal information can be retained. 

For example, the federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), requires the collection, use and disclosure of personal information to be limited to the extent consented to, and necessary to, fulfil the purposes identified in the consent. Once personal information is no longer required to fulfil the identified purposes, it must be destroyed, subject to statutory retention periods.

The retention or deletion of cookies is, of course, up to the individual web user; however, to the extent that personal information is collected from those cookies by website providers and third parties, privacy law destruction requirements will require the information to be deleted at some point in the future.

Specific types of cookies

The Federal Privacy Commissioner has also commented on specific types of cookies which may be particularly difficult to avoid. 

The first, “super cookies”, are not really “cookies” as we normally understand the concept (i.e., bits of data stored on a user’s computer), but rather, super cookies are a process by which an internet service provider (“ISP”) tracks, saves and discloses information about a user. When an ISP receives a request from a user to access a website, it tracks this request and logs it into a unique data profile for that user. Before sending the request to the website host, the ISP generates what is known as a Unique Identifier Header from this unique data profile and includes this header with the user’s request to the website’s host. This permits the host to access, use, store, and further disclose the information contained in the Unique Identifier Header to third parties. While cookies also track similar information, the difference is that since the super cookie operates between the user’s device and the host, it cannot be deleted or turned off by the user. Accordingly, the Commissioner believes super cookies should not be used in Canada. There may also be an argument that super cookies could be prohibited by CASL.
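As an added defender-side check (example code written for this post, not taken from the article or its authors), the following Python compares the headers a client sent with the headers an echo endpoint on the origin actually received; any header that appears only on the received side, beyond the headers proxies ordinarily add, signals an intermediary inserting an identifier of the kind the Unique Identifier Header described above represents. The header names and values are constructed samples, not real ISP data.

```python
"""Detect request headers added or rewritten in transit.

Added example: the client records what it sent, the origin echoes what it
received, and the difference (minus ordinary proxy headers) exposes
identifiers injected by an intermediary. All sample data is constructed.
"""

# Headers that caches and proxies legitimately add or rewrite; on their own
# they are not evidence of tracking.
BENIGN_INTERMEDIARY_HEADERS = frozenset({
    "via", "forwarded", "x-forwarded-for", "x-forwarded-proto",
    "x-forwarded-host", "x-real-ip", "connection", "keep-alive",
    "proxy-connection", "content-length",
})


def _normalize(headers):
    """Lower-case names and strip whitespace so comparison is case-insensitive."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def injected_headers(sent, received):
    """Return headers present only on the received side, or whose value changed
    in transit, excluding headers proxies are expected to touch."""
    sent_n, recv_n = _normalize(sent), _normalize(received)
    suspicious = {}
    for name, value in recv_n.items():
        if name in BENIGN_INTERMEDIARY_HEADERS:
            continue
        if name not in sent_n or sent_n[name] != value:
            suspicious[name] = value  # added or rewritten between client and origin
    return suspicious


def looks_like_persistent_identifier(value, min_len=12):
    """Heuristic: a long, opaque, alphanumeric token looks like a tracking ID."""
    compact = value.replace("-", "").replace("_", "")
    return len(compact) >= min_len and compact.isalnum()


# Constructed sample: what the browser sent vs. what the echo endpoint saw.
SENT = {"Host": "example.test", "User-Agent": "Mozilla/5.0", "Accept": "text/html"}
RECEIVED = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0",
    "Accept": "text/html",
    "Via": "1.1 proxy.isp.test",               # ordinary proxy annotation, ignored
    "X-Example-UIDH": "AbCdEf0123456789xyz",   # constructed injected identifier
}

if __name__ == "__main__":
    for name, value in injected_headers(SENT, RECEIVED).items():
        kind = "identifier-like" if looks_like_persistent_identifier(value) else "other"
        print(f"{name}: {value} ({kind})")
```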

The second, “zombie cookies”, are cookies that are stored in atypical or multiple locations on a user’s device. As such, these cookies are harder to detect and can last until each copy is permanently deleted. Given that a person cannot effectively opt out of these specific types of cookies, the Commissioner believes that these cookies should also be prohibited in Canada. As with super cookies, there is also an argument that zombie cookies might violate CASL.

Cookie walls

Some websites prohibit users from accessing the websites unless the users agree to accept all offered cookies. This issue has not been directly addressed by Canadian law, although Canadian privacy law does prohibit organizations from requiring consent to collect, use or disclose more personal information than is reasonable and necessary to provide a service. The Federal Privacy Commissioner has also expressed the opinion that website operators should not prohibit individuals from opting out of tracking their personal information. 

Penalties

The penalties for breaching privacy legislation vary, but can include fines, orders and negative publicity. The penalties for breaching CASL can be much more onerous: up to $1,000,000 per violation for individuals, and up to $10,000,000 per violation for organizations.

Accordingly, despite the fact that the EU-style pop-up consent boxes are intrusive and somewhat irritating, they can be a reasonable way to avoid the risk of violating Canadian privacy and anti-spam laws with respect to cookies.

By Chris Bennett and Tyson Gratton, DLA Piper

Occasional Contributors

In addition to our regular guest bloggers, the Inside Internal Controls blog, published by First Reference, provides occasional guest post opportunities for various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business-related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at editor@firstreference.com.
