DOBRMAN

DOES MY WEBSITE NEED A COOKIES POLICY IN CANADA?

By Julian Dobre

Introduction

The Cookies Policy is a policy that covers your use of cookies and other automatic trackers on your website. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires you to obtain consent to the use of cookies and the purposes for which they’re used. The use of cookies may also be governed by the Canadian Anti-Spam Legislation (CASL), which deals with spam and other electronic risks and threats. CASL prohibits the installation of any computer program or software program in the course of a commercial activity, without the device owner’s consent.  

While it is mandatory to have a Privacy Policy in Canada if you collect personal information on Canadians, in most provinces it is not mandatory to have a separate Cookies Policy. That is, you can cover your use of cookies in the Privacy Policy. However, if you operate in certain jurisdictions, such as in Quebec, Europe, or California, it is recommended that you have a separate Cookies Policy. 

The Cookies Policy is often found in concert with the Terms of Service, a contract that governs use of your website, and the Privacy Policy, a policy that governs your collection and use of personal information.  

What are cookies and do I use them?

Cookies are small files that your website places on a user’s browser or hard drive. Cookies are used for a variety of purposes, including to speed up searches and load times, store information about a user’s preferences, and recognize users that return to your website so they can pick up where they left off. 

Your website may use cookies without your knowledge. Website builders like WordPress, Squarespace, or Wix may use cookies automatically, and certain addons or plugins used on your website may also use cookies automatically. It’s important to work with your website developer to determine which cookies are being used, so that you can list them in your privacy policy and/or cookies policy. 

What if I have users in Quebec?

If you have users in Quebec, your use of cookies may be governed by An Act to Modernize Legislation Provisions Respecting the Protection of Personal Information (“Law 25”). Law 25 is Canada’s most stringent privacy law and the one that most closely resembles Europe’s GDPR. Law 25 requires privacy by default, meaning your website must automatically be set to the highest level of privacy by design. For cookies, this means that all tracking features must be turned “off” by default. To turn them on, you first need consent.

It is recommended that you consider the following best practices with users in Quebec:

  • Delineate between essential cookies and non-essential cookies
  • Receive consent before the use of any cookies except essential cookies
  • Provide the option to customize cookie preferences or opt out of certain categories of cookies
  • Provide accurate information about the data each cookie tracks and its purpose in plain language 
  • Document and store consent received from users
  • Enable users to easily withdraw consent

What if I have users in Europe?

If you have users of your website in Europe, your use of cookies may be governed by the General Data Protection Regulation (GDPR). The GDPR is a much more stringent piece of regulation than Canada’s PIPEDA. This is why when you visit websites in the EU you are immediately pestered with a cookies popup that asks you for your consent, with options to accept, reject, or manage your cookies.  

In short, to comply with GDPR, you must: 

  • obtain consent from users before, not after, you use cookies
  • explain what information your cookies are gathering and for what purpose
  • document and store the consent you’ve received
  • allow users to access your website even when they deny consent
  • make it easy for users to withdraw their consent 

What if I have users in California?

If you have users in California, your use of cookies may be governed by the California Consumer Privacy Act (CCPA). The CCPA is designed to give California residents more control over their personal information collected by businesses that (i) have a gross annual revenue over $25 million USD, (ii) buy or sell personal information of 50,000 or more California residents, households, or devices annually, or (iii) derive 50% or more of their annual revenue from selling California residents’ personal information. To comply with the CCPA, you must implement a number of measures, including allowing consumers to opt out of the sale of their personal data, regularly updating privacy notices, and conducting regular compliance audits.

This blog is for general information and entertainment purposes. It is not intended to be legal, business, or other professional advice to be relied on. Do not make or refrain from any decisions on the basis of this blog. Please contact us to receive advice from a qualified lawyer. 
