COOKIES AND SIMILAR TECHNOLOGIES IN THE PROVINCE OF QUEBEC

2022-02-24
L’attribut alt de cette image est vide, son nom de fichier est image.png.

Cookies and similar technologies in the province of Quebec

Caroline Jonnaert and Élisabeth Lesage-Bigras[1]
ROBIC, LLP
Lawyers, patent and trademark agents

This article has been published as a Guidance Notee on OneTrust Data Guidance platform in December 2021.

1. GOVERNING TEXTS

1.1.    Key acts and bills

There is no legislation specifically directed at cookies. Instead, cookies are regulated in the Province of Quebec under: (i) the anti-spam law; and (ii) privacy laws (collectively, the “Governing texts”).

  • Anti-spam law

Canada’s anti-spam Legislation[1] (“CASL”) is currently the only act expressly mentioning or governing the use of cookies and other similar technologies.

  • Privacy laws

In the province of Quebec, the leading[2] legislation responsible for data protection in the private sector is the Act respecting the protection of personal information in the private sector[3] (the “Act”). The Act applies to the collection, use, or disclosure of personal information within the province by any person carrying on an enterprise. The Act is deemed “substantially similar” to the federal act, the Personal Information Protection and Electronic Documents Act[4] (“PIPEDA”), which applies to private organisations at the federal level[5], but also when personal information is disclosed over provincial or international borders[6]. It is worth noting that Bill 64[7], an important legislative reform, has been enacted in the Province of Quebec on September 22, 2021. Bill 64 will substantially modify the data privacy regime regulating both the private and public sectors. This Guidance Note has been drafted to take into account the changes that will be introduced by such legislative reform with respect to the use of cookies in the private sector.

Up to now, case law has not interpreted whether cookies meet the definition of “personal information” and fall under the privacy laws’ scope of application. However, regulators have issued guidelines on tracking and targeting cookies. In particular, the Office of the Privacy Commissioner of Canada (the “OPC”) issued the “Policy position on online behavioural advertising”[8] which provides that the OPC will generally consider information collected for the purpose of online behavioural advertising to be personal information[9]. Similarly, the Commission d’accès à l’information du Québec (“CAI”) has provided that businesses that use profiling and targeted advertising systems on the Internet are subject to the Act[10]. It should also be noted that, without specifying whether cookies constitute “personal information”, Bill 64 contains specific provision on “profiling”[11] and cookies as further explained below.

1.2.    Regulatory authorities’ guidelines

In Quebec, the supervisory authority responsible for overseeing application of the Act is the CAI. The CAI has issued a guidance entitled “Le profilage et la publicité ciblée”[12] in 2013, which pertains more specifically to profiling and targeted advertising. Although the subject of this guidance is relevant for the purpose of this Guidance Notice, it does not offer specific information on how to regulate the use of cookies or other similar technologies and aims more so at informing the public on direct marketing and targeted advertising.

The statutory scheme in Quebec is complemented at the federal level by guidance documents from: (i) the OPC with respect to PIPEDA[13]; and (ii) the Canadian Radio-television and Telecommunications Commission (“CRTC”) in relation to CASL[14].

1.3       Case law

There is no current relevant case law on the subject of cookies and similar technologies in Canada, including in the Province of Quebec.

2. DEFINITIONS

There is no definition of “cookies” or similar technologies in the relevant Governing texts (including in Bill 64), and case law has not yet interpreted this concept. However, “cookies” are commonly understood as small pieces of text that are placed on a computer, mobile device, tablet, or other device when using a browser to visit an online service[15]. They are enabled by the operator of a website and can be set by such operator (“first party cookies”) or a third-party (“third party cookies”). Cookies are typically classified based on their purposes, namely:

  • Essential cookies are essential to make a website operational; they include session cookies that keep individuals logged as they navigate the website;
  • Non-essential cookies are not necessary for the website work properly; they include functionality, performance and targeting cookies.

Depending on their purposes and the data they gather, cookies can be subject to specific legal requirements, including those pertaining to consent and transparency.

3. CONSENT AND COOKIE POLICY

3.1     Consent

There are no clear guidelines on consent for the use of cookies in the Province of Quebec. However, in light of the Governing texts, including the relevant guidelines, the form of consent that enterprises will be required to obtain will likely vary depending on the type of cookies at hand.

  • Anti-spam law

Under CASL, a person is considered to consent to the installation of a cookie if the persons’ conduct is such that it is reasonable to believe that they consented[16]. In this respect, the CRTC provides that “if the persons disable cookies in their browser, you would not be considered to have consent to install cookies”[17]. However, there is no further guidance on the conduct that will be deemed “reasonable” to assume consent.

  • Privacy laws

Generally speaking, privacy laws require consent in order to collect, use and disclose personal information. Depending on certain factors such as the sensitivity of the information involved, such consent may be express or implied. In this respect, the OPC considers that implied consent for tracking and targeting cookies is only valid under specific conditions[18]. There is no similar guidance in the Province of Quebec with respect to consenting to cookies. However, the Act provides general requirements for a consent to be valid, and Bill 64 adds specific provisions for the use of cookies and similar technologies.

Specifically, the Act provides that consent must be “manifest, free, informed and given for specific purposes”[19]. The CAI has recognized that such consent may be explicit or implied, depending on the circumstances at hand[20]. Bill 64 opens the door to implied consent for some cookies. Indeed, the bill imposes that the parameters of technological products or services must, by default, provide the highest level of confidentiality to users, except for cookies[21]. However, any identification, localization, or profiling functions must be deactivated by default, which means that individuals must be able to consent to such features through an opt-in mechanism. As such, cookies that do not include identification, localization, or profiling functions (e.g., essential cookies) are likely exempt from the opt-in requirement. Still, considering that these amendments were just adopted by the government, they have yet to be tested and interpreted by the courts, and no further detail as been issued on the matter.

3.2     Cookie Policy

The relevant Governing texts do not specifically demand that a cookie policy be adopted by enterprises. However, based on the general transparency obligation under privacy laws[22], enterprises are required to disclose specific information on their use of personal information.

In particular, the Act provides that enterprises must inform individuals, prior to or at the moment of collection, of the following mentions: (i) the subject and purposes of the collection; (ii) the intended use; (iii) the categories of person within the company that shall have access to their personal information; and (iv) the location where their personal information shall be kept, as well as (v) their right to access and rectify them when needed[23]. In addition to the foregoing, Bill 64 will impose additional disclosures[24], including with respect to “tracking technologies” or other technologies allowing for data subjects to be identified, located or profiled (such as is often the case with cookies and other similar technologies). Specifically, the amended Act will require that individuals be informed of: (i) the use of such technologies by the enterprise; and (ii) the means used to activate such functions[25]. It is also worth noting that, as of September 22, 2023, enterprises will be obligated to publish this information on their website or make it available by any other means[26].
4. COOKIES AND THIRD PARTIES

4.1       Third party access

Enterprises are responsible for personal information in their possession/custody, including when such information that has been transferred to a third party.

4.2       Third party cookies

The Governing texts do not provide any guidance on third party cookie, including on how to obtain consent to their use. However, the OPC expressed concerns about the use of third party cookies as they “typically involve unknown third parties and are conducted without your knowledge or consent”[27].

5. COOKIES RETENTION

The Governing texts do not deal specifically with cookies retention. Yet, privacy laws generally impose limitations on the length of time that personal information can be retained. For example, PIPEDA requires that the collection, use and disclosure of personal information be limited to the extent consented to, and necessary to, fulfil the purposes identified in the consent. Similarly, the Act provides that personal information can be retained for as long as the purposes agreed to are not yet fulfilled[28]. Once personal information is no longer required to fulfil the identified purposes, it must be destroyed or anonymized, subject to statutory exemptions. It is also important to note that Bill 64 imposes the adoption of a retention policy and the publication of detailed information about the enterprises’ practices in clear and simple terms on their website[29].

6. OTHERS

This issue of “cookie walls” is not addressed precisely by the Governing texts, and Canadian courts have not dealt yet with this issue. However, the privacy laws applicable in the Province of Quebec prohibit for an enterprise to block access to its services if individuals do not consent to the collection of their personal information[30].

The OPC also issued guidance on the use of specific cookies, namely zombie cookies, super cookies, third party cookies that appear to be first-party cookies, device fingerprinting, and other techniques that cannot be controlled by individuals[31]. In the OPC’s view, such techniques should not be allowed as individuals cannot effectively opt out.

7. PENALTIES

The penalties for non-compliance with privacy laws vary and can include fines, orders as well as reputational damages. For example, the Act currently provides that a first-time offender will be forced to pay a fine ranging from $1,000 to $10,000 for infringing the Act[32]. For any subsequent offence, that same person will face a fine ranging from $10,000 to $20,000[33]. However, as of September 22, 2023, a different set of sanctions and penalties will come into effect. In particular, Bill 64 will add administrative sanctions in addition to the penal sanctions previously mentioned and significantly raises the fine amounts as well as distinguishes when infractions are committed by individuals and companies.


*        © CIPS, 2021.

Caroline Jonnaert is a lawyer and trademark agent with ROBIC, llp, a multidisciplinary firm of lawyers, patent and trademark agents.

Elisabeth Lesage-Bigras is a lawyer with ROBIC, llp, a multidisciplinary firm of lawyers, patent and trademark agents.

The authors wish to thank Valmi Dufour-Lussier for his contribution to this Guidance Notice.

[1]        An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23 (“CASL”).

[2]        Other legislations contain privacy obligations in the Province of Quebec, such as the Civil Code of Quebec, CQLR c CCQ-1991.

[3]        Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1. (the “Act”).

[4]        Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5

[5]        Office of the privacy commissioner of Canada, “Provincial laws that may apply instead of PIPEDA”, May 2020, available online: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/prov-pipeda/#h01.

[6]        Id.

[7]        Projet de loi n°64, Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (“Bill 64”).

[8]        Office of the privacy commissioner of Canada, “Policy position on online behavioral advertising”, December 2015, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/.

[9]        « Taking a broad, contextual view of the definition of personal information, the OPC will generally consider information collected for the purpose of OBA to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analysing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.”, id.

[10]       CAI, “Le profilage et la publicité ciblée”, October 2013, available online : https://www.cai.gouv.qc.ca/documents/CAI_FI_profilage.pdf.

[11]       The term “profiling” is defined as “the collection and use of personal information to assess certain characteristics of an individual, such as job performance, economic status, health, personal preferences, interests or behaviour of that individual.”, Section 8.1 of the Act as amended by Bill 64.

[12]       CAI, “Le profilage et la publicité ciblée”, October 2013, available online : https://www.cai.gouv.qc.ca/documents/CAI_FI_profilage.pdf.

[13]       See for example: Office of the privacy commissioner of Canada, “Policy position on online behavioral advertising”, December 2015, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/.

[14]       See for example: CRTC, “Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs”, September 2020, available online: https://crtc.gc.ca/eng/internet/install.htm.

[15]       See for example: Office of the privacy commissioner of Canada, “Frequently asked questions about cookies”, 2011, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/frequently-asked-questions-about-cookies/.

[16]       Sections 8 and 10(8) of CASL.

[17]       CRTC, “Canada’s Anti-Spam Legislation Requirements for Installing Computer Programs”, September 2020, available online: https://crtc.gc.ca/eng/internet/install.htm.

[18]       In particular: (i) the personal information must be demonstrably non-sensitive in nature and context; (ii) the information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure; (iii) the organization’s purposes must be limited and well-defined, and stated in a clear and understandable manner; (iv) as a general rule, organizations should obtain consent for the use or disclosure at the time of collection; and (v) the organization must establish a convenient procedure for opting out of, or withdrawing consent to, secondary purposes. The opt-out should take effect immediately and prior to any use or disclosure of personal information for the proposed new purposes.

See: Office of the privacy commissioner of Canada, “Policy position on online behavioral advertising”, December 2015, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/

[19]       Section 14 of the Act

          Bill 64 imposes additional requirements for a consent to be valid, for example when obtaining a consent from children aged fourteen and below; see: Section 14 of the Act as amended by Bill 64.

[20]       Commission d’accès à l’information du Québec, “Rapport quinquennal 2016, Rétablir l’équilibre », September 2016, available online: https://www.cai.gouv.qc.ca/la-commission-souhaite-retablir-lequilibre-les-donnees-ouvertes/.

[21]       Section 9.1 of the Act as amended by Bill 64.

[22]       See: Section 8 of the Act and section 8.2 of the Act as amended by Bill 64 and Principle 8 of PIPEDA.

[23]       Sections 5 and 8 of the Act.

[24]       See: Section 8 of the Act as amended by Bill 64.

[25]       Section 8.1 of the Act as amended by Bill 64.

[26]       Sections 8 and 8.2 of the Act as amended by Bill 64.

[27]       Office of the privacy commissioner of Canada, “Web tracking with cookies”, May 2011, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/

[28]       Sections 4 and 5 of the Act.

[29]       Section 3.2 of the Act as amended by Bill 64.

[30]       Section 14 of the Act.

[31]       Office of the privacy commissioner of Canada, “Web tracking with cookies”, May 2011, available online: https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/

[32]       Section 91(1)1 of the Act.

[33]       Id.