What are Canada’s rules on cookies? Do you need consent for cookies in Canada? What information do you need to provide Canadian users?
When it comes to cookies, Canada’s privacy law is somewhat stricter than most U.S. states, but it doesn’t go as far as the EU.
To explain Canada’s cookie rules, we’ll look at provisions from two important privacy laws and consider some guidance from Canada’s Office of the Privacy Commissioner (OPC).
Cookies and PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) covers private sector organizations operating in Canada. The law doesn’t mention cookies, but it does provide rules on consent.
“Consent” is one of the ten “privacy principles” set out in PIPEDA. The law explains when and how businesses should be seeking consent:
You should seek an individual’s knowledge and consent to collect, disclose, and use their personal information except “where inappropriate” (e.g. for legal, medical, or security reasons).
You should make a reasonable effort to inform individuals of the purposes for which you are collecting their personal information.
You should not require an individual to consent to collecting, using, or disclosing their personal information as a precondition for accessing a service (unless you need to collect that personal information to provide the service).
PIPEDA mentions two types of consent: “express consent” and “implied consent”:
“Express consent” normally arises when an individual provides a positive indication of their agreement (e.g., by ticking a box or saying “yes” when directly asked for consent).
“Implied consent” can be inferred from other actions or from an individual’s relationship with a business (e.g., buying a product might be deemed implied consent to receiving direct marketing materials).
Cookies and CASL
Canada’s Anti-Spam Law (CASL) deals with email marketing and with the installation of “computer programs” (including cookies) on people’s devices. CASL also uses the terms “express” and “implied” consent—but it gets a little confusing.
You might infer that a person doesn’t wish to receive cookies if, for example, they disable cookies in their browser. This means you should configure your cookie consent mechanism to respect global privacy signals.
Cookies and the OPC
Canada’s Office of the Privacy Commissioner (OPC) provides important guidance based on its interpretation of Canadian privacy law.
According to the OPC, data collected via cookies for use in “online tracking and targeting” is personal information. This is important because it brings cookies into the scope of PIPEDA’s consent rules.
The OPC provides the following guidance for complying with Canadian privacy law:
Give individuals information about any third parties with whom cookie data may be shared, “on or before the time of collection.”
Provide an opt-out that “takes effect immediately and is consistent.”
Avoid collecting sensitive information via cookies, and erase or de-identify personal information as soon as possible.
Based on the rules from PIPEDA and CASL, plus the guidance provided by the OPC, we can conclude that:
You must provide clear information about cookies at the time of collection.
You must provide a way for users to opt out of cookies.
A comprehensive guide to privacy law in Canada
This free ebook guide empowers you with expertise and guidance to champion a privacy-centric approach in your business (and avoid fines!). We cover the foundations of privacy legislation in Canada, introducing PIPEDA and other relevant laws.
An understanding of the Canadian privacy law landscape
Canadian compliance challenges specific to certain industries
The role of technology in ensuring PIPEDA compliance