Cookie Consent in Canada

What are Canada’s rules on cookies? Do you need consent for cookies in Canada? What information do you need to provide Canadian users?

When it comes to cookies, Canada’s privacy law is somewhat stricter than most U.S. states, but it doesn’t go as far as the EU.

To explain Canada’s cookie rules, we’ll look at provisions from two important privacy laws and consider some guidance from Canada’s Office of the Privacy Commissioner (OPC).

Cookies and PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) covers private sector organizations operating in Canada. The law doesn’t mention cookies, but it does provide rules on consent.

“Consent” is one of the ten “privacy principles” set out in PIPEDA. The law explains when and how businesses should be seeking consent:

• You should seek an individual’s knowledge and consent to collect, disclose, and use their personal information except “where inappropriate” (e.g. for legal, medical, or security reasons).
• You should make a reasonable effort to inform individuals of the purposes for which you are collecting their personal information.
• You should not require an individual to consent to collecting, using, or disclosing their personal information as a precondition for accessing a service (unless you need to collect that personal information to provide the service).

PIPEDA mentions two types of consent: “express consent” and “implied consent”:

• “Express consent” normally arises when an individual provides a positive indication of their agreement (e.g., by ticking a box or saying “yes” when directly asked for consent).
• “Implied consent” can be inferred from other actions or from an individual’s relationship with a business (e.g., buying a product might be deemed implied consent to receiving direct marketing materials).

Cookies and CASL

Canada’s Anti-Spam Law (CASL) deals with email marketing and with the installation of “computer programs” (including cookies) on people’s devices. CASL also uses the terms “express” and “implied” consent—but it gets a little confusing.

Under CASL, you can infer a person’s express consent for the installation of certain “computer programs,” including cookies, HTML code, or javascript—as long as “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”

You might infer that a person doesn’t wish to receive cookies if, for example, they disable cookies in their browser. This means you should configure your cookie consent mechanism to respect global privacy signals.

Cookies and the OPC

Canada’s Office of the Privacy Commissioner (OPC) provides important guidance based on its interpretation of Canadian privacy law.

According to the OPC, data collected via cookies for use in “online tracking and targeting” is personal information. This is important because it brings cookies into the scope of PIPEDA’s consent rules.

The OPC provides the following guidance for complying with Canadian privacy law:

• Ensure individuals are given information about cookies that is not “buried in a privacy policy.”
• Give individuals information about any third parties with whom cookie data may be shared, “on or before the time of collection.”
• Provide an opt-out that “takes effect immediately and is consistent.”
• Avoid collecting sensitive information via cookies, and erase or de-identify personal information as soon as possible.

Conclusion

Based on the rules from PIPEDA and CASL, plus the guidance provided by the OPC, we can conclude that:

• You must provide clear information about cookies at the time of collection.
• Your cookie notice must not simply be a link to your general privacy policy.
• You must provide a way for users to opt out of cookies.