The regulatory framework for “cookies” and its impact on Canadian businesses

2021-01-20

Vanessa Deschênes and Élisabeth Lesage-Bigras [1]
ROBIC, LLP
Lawyers, Patent and Trademark Agents

You may have recently noticed that while browsing the web, new windows appear asking you for your preferences regarding “cookies”. This new way of doing things is partly due to the fact that several legislative and regulatory changes have taken place in Europe in the last year.

As analytical, profiling, marketing and advertising tools, to name a few, cookies are an integral part of modern electronic communications. Their presence in almost all parts of the Internet makes them an important factor in terms of information protection (personal or not) and privacy. With important Canadian legislative changes on the horizon and stricter European obligations in this domain, it has become crucial for any company to fully understand the impact of cookies in order to ensure compliance, both in Canada and elsewhere in the world.

1. What is a “cookie”?

Cookies, in their simplest form, are small files (or groups of data) created by your web browser and placed on your computer. In other words, a web server transmits these clusters of data to your computer after you land on a website. Your computer then stores the data as files in your browser’s cache. Here is a concrete example of how they work:

(1) You visit a website; (2) the web server sends a short message to your web browser; (3) the browser saves this message in a file called “cookie.txt”; (4) you click on another page of the site (for example, a store category); and (5) your browser sends a short message “back” to the server that tells it a little more about what you are looking at.

In the real world, there are several types of cookies: session cookies, persistent cookies, third-party cookies, first-party cookies, marketing cookies, and performance and analytics cookies. Here is a more detailed description of each type:

Session Cookies

Session cookies are temporary. They only last for the duration of a “session”. Once you close the browser window or leave the website, the cookie disappears. Unlike other types of cookies, session cookies are never stored on your computer. They allow you to use your shopping cart on e-commerce sites and to browse websites without having to re-enter the same information over and over again.

Persistent Cookies

Persistent cookies are a little different. They remain on your computer once you close your browser. They are designed to remember your preferences for a period of time, whether it’s your login information, your shopping wish list, or items you’ve recently viewed.

Third-Party Cookies

The use of this type of cookie is increasingly being phased out because of new restrictions on its use. These cookies allow third parties to measure the performance of their advertisements on other websites. In other words, if you click on an ad for a product from Company A while you are browsing Company B’s website, you will receive a cookie from Company A on your computer.

Since these cookies raise potential privacy and data protection concerns, their use has become much less popular and platforms like Google are now cracking down on their use.

First-party Cookies

First-party cookies should not be confused with third-party cookies. These cookies enhance the overall functionality of a website and are set by the site owner. Unlike session cookies, which disappear immediately after your session, these cookies remain on your device, making it easier for you to use the website the next time you visit.

Marketing Cookies

Marketing cookies are similar to third-party cookies, although less invasive. They are primarily used to show you advertisements that are relevant to you, which may enhance your Internet browsing experience.

Performance and Analysis Cookies

This type of cookie allows companies to evaluate the overall performance and user-friendliness of their website. Specifically, these cookies can track the amount of time users spend on the website, determine whether individuals find the information they are looking for, whether they ignore certain parts of the site, or whether activity is unusually high in other areas of the site.
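As an added illustration (not part of the original article), the following JavaScript classifies Set-Cookie headers along the two axes described above: session versus persistent (by the presence of Max-Age or Expires) and first-party versus third-party (by comparing the responding server’s site with the page’s site). The hostnames and headers are constructed, and the site comparison uses the last two DNS labels as a simplification of the Public Suffix List logic real browsers apply.

```javascript
// Added example, not code from the article. Lifetime follows RFC 6265: Max-Age
// takes precedence over Expires; a cookie with neither is a session cookie.
// The "party" test compares the responder's site with the page's site.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1); // flag attributes become `true`
  }
  return cookie;
}

// Assumption of this example: the last two labels stand in for the registrable
// domain. Browsers use the Public Suffix List, so "co.uk"-style suffixes differ.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one Set-Cookie header received from `responderHost` while the user
// is on a page served by `pageHost`. `nowMs` lets Expires be evaluated deterministically.
function classifyCookie(header, responderHost, pageHost, nowMs = Date.now()) {
  const c = parseSetCookie(header);
  let expiresIn = null;
  if ('max-age' in c.attrs) {
    expiresIn = Number(c.attrs['max-age']);
  } else if ('expires' in c.attrs) {
    expiresIn = Math.round((Date.parse(c.attrs.expires) - nowMs) / 1000);
  }
  return {
    name: c.name,
    lifetime: expiresIn === null ? 'session' : 'persistent',
    party: site(responderHost) === site(pageHost) ? 'first' : 'third',
    expiresInSeconds: expiresIn,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
  };
}

// Constructed sample: a page on shop.example.com receives three Set-Cookie headers,
// the third one from an ad network responding to an embedded request.
const SAMPLE = [
  { responder: 'shop.example.com', header: 'sid=abc123; Path=/; Secure; HttpOnly' },
  { responder: 'shop.example.com', header: 'cart=42; Max-Age=2592000; Path=/' },
  { responder: 'ads.adnetwork.test', header: 'uid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT' },
];

function classifyAll(samples, pageHost, nowMs) {
  return samples.map((s) => classifyCookie(s.header, s.responder, pageHost, nowMs));
}
```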

2. Cookies and Canadian Privacy Laws

Now that you may have a slightly better understanding of what a cookie consists of, you may already have an idea of the kind of legal concerns this can bring.

Due to the increasing use of this type of technology in recent years, the Office of the Privacy Commissioner of Canada (“OPC”) issued a Policy Position on Behavioural Advertising (“BPA”)[2] in 2015. According to the Federal Commissioner, BPA “is defined as tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests.”[3]

On the Québec side, the Commission d’accès à l’information (hereinafter “CAI”) defines BPA as:

[TRAD] marketing techniques aimed at collecting your personal information and analyzing it in order to provide you with commercial offers that match your profile. On the one hand, profiling is the act of collecting data about you through your visits and actions on the Internet in order to categorize you (e.g. woman, 30-35 years old, married, living in an urban environment, mother, running enthusiast, etc.). On the other hand, targeted advertising is the use of this profile to offer you personalized commercial offers.[4]

In 2016, in a discussion paper on possible improvements to consent under PIPEDA, the OPC reiterated its interpretation that data that is inherently fragmented and non-personal can nonetheless become personal information:

The purpose of big data algorithms is to draw correlations between individual pieces of data. While each disparate piece of data on its own may be non-personal, by amassing, combining and analyzing the pieces, the processing of non-personal information may result in information about an identifiable individual. Big data analytics has the ability to reconstitute identities that have been stripped away.[5]

This interpretation is also similar to that of the CAI, which states that [TRAD] “businesses that use profiling and targeted advertising systems on the Internet are subject to the Act respecting the protection of personal information in the private sector.”[6]

Thus, it is not surprising to see in the new provincial bill[7] (“Bill 64”) a new provision on profiling and BPA. It is here that the Québec legislator proposes, among other things, the addition of the new section 8.1, which reads as follows:

In addition to the information that must be provided in accordance with section 8, anyone who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person

(1) of the use of such technology; and

(2) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.

“Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.

In light of the above, we can understand the importance of clearly informing users, which goes beyond using overly broad generic phrases. Whether in Québec, in Canada or in Europe, the notion of valid consent is paramount.[8]

3. Cookies and Europe

The main challenge of European regulation regarding the use of cookies is the lack of harmonization between jurisdictions. In fact, although the General Data Protection Regulation[9] (“GDPR”) applies as a general law to personal data, cookies are addressed more specifically by the Directive on Privacy and Electronic Communications[10] (“Directive”), at Article 5(3). However, each Member State is responsible for implementing the European Directives into its national law, which reduces to some extent the uniformity of regulation to that effect[11]. Companies must therefore adapt their practices with regard to the use of cookies in different jurisdictions.

Corporate compliance is all the more important in light of the decisions and changes of recent years, which have considerably increased the severity of the regulations in force. On October 1, 2019, the Court of Justice of the European Union (“CJEU”) issued a groundbreaking decision, Bundesverband der Verbraucherzentralen und Verbraucherverbände v. Planet49 GmbH[12], clarifying the Directive’s obligations regarding consent to the use of cookies. This has led some national and European authorities to review their guidelines and practices, such as the Commission Nationale de l’Informatique et des Libertés (“CNIL”) in France, the Irish Data Protection Commission (“DPC”) and the European Data Protection Committee (“EDPS”), among others[13].

So, what are the main regulations to be respected with regards to cookies?

Article 5(3) of the Directive stipulates that cookies are permitted provided that the user is in possession of “clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller”[14], in accordance with the GDPR. In other words, the user, in light of the information he or she receives, must be able to consent to or refuse the use of cookies, subject to applicable exceptions. Therefore, not only must the user consent, but such consent must consist of a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action”[15], agrees to the processing of the data, whether personal or not[16], according to point 11 of Article 4 of the GDPR.

How to obtain valid consent?

Essentially, a company wishing to use cookies must ensure that it obtains two things: (1) the valid and informed consent of the user and (2) evidence of the validity of that consent.

a. Valid and Informed Consent

On May 5, the EDPS issued new guidelines on the consent requirements under the GDPR to assist Member States in developing their policies regarding this issue[17]. These new guidelines clarify consent concerns, in particular with regard to the implementation and use of cookies.[18] It is important to note, however, that due to the lack of harmonization of regulations, this section will only set out the basic conditions that are common to European jurisdictions.

Thus, consent must be free, which implies that it will be considered invalid if the user is pressured or denied access to the website when he or she refuses to consent to the use of cookies; a phenomenon commonly known as “cookie walls”.[19]

Along those same lines, since consent must be demonstrated by a “clear affirmative action”, a company cannot present the user with boxes that have already been ticked when making a choice[20]. The CJEU held that “it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox”[21]. In so doing, the CJEU determined that it is no longer acceptable to simply presume the user’s consent and that the user must make a clear gesture in order to consent; an example would be to tick a box.[22] As a result, since it is impossible to infer that the user has consented when the user is silent or inactive, many jurisdictions, such as France, now require that the user’s silence be automatically treated as a refusal of the use of cookies.[23]

Furthermore, for consent to be valid, according to the GDPR and the Directive, companies must disclose certain information beforehand so that users can make an informed choice. This information must be presented at the time the user makes the choice and in clear language.[24] Although it must be analyzed on a case-by-case basis, generally speaking, the company must inform the user of (i) the type of cookies and the data collected, (ii) the third-party partners that will have access to the data and cookies, (iii) the purposes of collection or processing and the purpose for which the cookies will be installed, (iv) how long the cookies will be in operation, and most importantly, (v) the possibility for users to withdraw their consent.[25] The last element is fundamental since the user must have the option of withdrawing consent at any time, with the same ease with which they first gave it.[26]

Finally, for consent to be valid, it must be specific to each type of cookie or their specific purpose.[27] So, if the company uses both advertising and analysis cookies, the user must be given the choice to accept analysis cookies and to refuse advertising cookies if he or she so desires. The company must therefore implement an opt-in consent system that allows for the setting of consent parameters.[28]

In other words, consent is valid when the user has been able to (i) become aware of the different types of cookies, how they work, how long they will last and the partners involved, (ii) accept or refuse, by checking a box for example, the use of cookies of each type, and (iii) has not been obliged to accept their use for lack of an option to refuse. As the legislation in force does not specifically address the method by which this consent is to be obtained, national authorities, such as the CNIL, give some examples (see the CNIL guide “Cookies et traceurs : comment mettre mon site web en conformité ?”).

b. Proof of Valid Consent

Once consent (or refusal) has been obtained, companies are obliged to keep a record or trace of such consent for the duration of the user’s visit to the website and for a strictly necessary period following the end of the visit.[29] The duration may vary by jurisdiction, but both the CNIL and the DPC require that the user’s choice be retained for a period of six months, after which consent must be obtained again.[30]
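The requirements set out in sections a. and b. (explicit opt-in per purpose, no pre-ticked defaults, silence treated as refusal, withdrawal as easy as consent, and a six-month record) can be encoded as a small consent-gating routine. The following JavaScript is an added example, not code from the article or from any regulator; the category names, the record layout and the approximation of six months as 182 days are assumptions of this example.

```javascript
// Added example, not code from the article. Encodes the consent rules the
// article describes: purpose-specific opt-in, refusal by default, withdrawal
// at any time, and a record that is only good for six months.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumption: six months ~ 182 days
const CATEGORIES = ['analytics', 'advertising', 'marketing']; // assumed purpose categories

// Build a record from the user's explicit choices. Only a literal `true` counts
// as consent: a missing key, a pre-filled string or inaction is a refusal.
function recordChoices(choices, nowMs) {
  const record = { decidedAt: nowMs, choices: {} };
  for (const cat of CATEGORIES) record.choices[cat] = choices[cat] === true;
  return record;
}

// A record proves consent for six months; after that the user must be asked again.
function isRecordCurrent(record, nowMs) {
  return record !== null && nowMs - record.decidedAt < SIX_MONTHS_MS;
}

// Gate: a cookie of a given category may be stored only with current, explicit consent.
function mayStore(record, category, nowMs) {
  if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
  return isRecordCurrent(record, nowMs) && record.choices[category] === true;
}

// Withdrawal is a single call per category; the original timestamp is kept so
// the six-month retention clock does not restart on withdrawal.
function withdraw(record, category) {
  return { ...record, choices: { ...record.choices, [category]: false } };
}

// Produce the Set-Cookie header only when permitted; strictly necessary cookies
// (e.g. a session id) are outside the consent requirement and are not gated here.
function setCookieHeader(record, category, name, value, maxAgeSeconds, nowMs) {
  if (!mayStore(record, category, nowMs)) return null;
  return `${name}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Constructed walkthrough: the user accepts analytics only, later withdraws it,
// and a separate record is checked seven months after it was made.
function demo() {
  const t0 = Date.parse('2021-01-20T00:00:00Z');
  let rec = recordChoices({ analytics: true }, t0); // advertising/marketing default to refused
  const allowedAnalytics = mayStore(rec, 'analytics', t0);
  const allowedAds = mayStore(rec, 'advertising', t0); // never presumed
  rec = withdraw(rec, 'analytics');
  const afterWithdraw = mayStore(rec, 'analytics', t0 + 1000);
  const sevenMonthsLater = t0 + 7 * 30 * 24 * 60 * 60 * 1000;
  const currentAfterSevenMonths = isRecordCurrent(recordChoices({ analytics: true }, t0), sevenMonthsLater);
  return { allowedAnalytics, allowedAds, afterWithdraw, currentAfterSevenMonths };
}
```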

Why is it important to comply with European regulations?

Despite the lack of uniformity and some notable differences between jurisdictions (for example, Ireland requires companies to obtain consent for so-called analysis cookies, while some of the latter are exempted from the consent requirement in France under certain conditions[31]), cookies have been judged in Europe to have an impact on users’ privacy.[32] Thus, failure to comply with information and consent regulations can lead to some very hefty monetary penalties.

As a matter of fact, last December 7, the CNIL ordered Google LLC and Google Ireland Limited to pay a €100 million fine for having installed advertising cookies on the computers of google.fr users before having informed them clearly and completely and before having obtained their consent[33].

Therefore, in light of the new guidelines from the various national and European authorities, companies would be well advised to verify their compliance as soon as possible since some of the current upgrade periods are short and may have already ended. For example, France requires companies to comply with the new rules by March 31, 2021, while the period in Ireland ended on October 6, 2020[34].

4. Conclusion

Given the many changes and the potential arrival of a new European legislation in this field,[35] it is now more than ever important for Canadian companies to verify that the use of their cookies is in compliance with both Canadian and European regulations. The difficulty resulting from the lack of consistency between jurisdictions can make the task more than daunting. If you have any questions, please do not hesitate to contact our Data Protection, Privacy and Cybersecurity team.


© CIPS, 2020.

[1] Vanessa Deschênes and Élisabeth Lesage-Bigras are lawyers with ROBIC, LLP, a firm of Lawyers, Patent and Trademark Agents.

[2] CPVPC, Position de principe sur la publicité comportementale en ligne, décembre 2015, available online.
[3] Ibid.
[4] CAI, Fiche Info Le profilage et la publicité ciblée, 2013, available online.
[5] CPVPC, Consentement et protection de la vie privée, Document de discussion sur les améliorations possibles au consentement sous le régime de la LPRPDE, 2016, available online.
[6] CAI, Fiche Info, Le profilage et la publicité ciblée, 2013, available online (only available in French).
[7] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
[8] In Europe, it refers namely to the need to obtain informed consent to store or have access to information stored in a subscriber’s or user’s terminal equipment.
[9] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[10] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
[11] IONOS, « Le règlement ePrivacy est en chemin, qu’en attendre? », ionos.fr, 05.02.2020, online and James VINCENT, « The EU is trying to fix its abysmal cookie consent policy », The Verge, 2020.05.07, online.
[12] Bundesverband der Verbraucherzentralen und Verbraucherverbände v. Planet49 GmbH, case C-673/17, 1 October 2019, online (« Planet49 »).
[13] See to this effect, CNIL, « Site web, cookies et autres traceurs », DPC, « Guidance on Cookies and Similar Technologies » and EDPS, « Guidelines 05/2020 on consent under Regulation 2016/679 : Version 1.1 », online.
[14] Directive, §5(3).
[15] GDPR, § 4(11).
[16] Planet49, supra., note 12, para. 71 and EDPS, supra, note 13, para. 7.
[17] EDPS, ibid and J. Vincent, supra, note 11.
[18] EDPS, ibid, p. 4.
[19] EDPS, ibid, para 14 and 39.
[20] Planet49, supra, note 12, para. 57 and 63.
[21] Ibid, para. 55.
[22] Ibid, para. 56.
[23] CNIL, « Cookies et traceurs : comment mettre mon site web en conformité? », 1 October 2020, online and see EDPS, supra, note 13, para. 75, 77 and 84.
[24] CNIL, « Cookies et traceurs : comment mettre mon site web en conformité ? », supra, note 23.
[25] EDPS, ibid, para. 64 and Planet49, para. 75.
[26] CNIL, « Cookies et traceurs : comment mettre mon site web en conformité ? », supra, note 23.
[27] EDPS, supra, note 13, para. 56.
[28] Ibid, para. 60 and CNIL, « Cookies et traceurs : comment mettre mon site web en conformité ? », supra, note 23.
[29] EDPS, ibid, para. 104 and 107.
[30] CNIL, « Cookies et traceurs : comment mettre mon site web en conformité ? », supra, note 23 and DPC, « Guidance Note : Cookies and other tracking technologies », April 2020, online, p. 8.
[31] CNIL, ibid, and DPC, ibid. p. 7-8.
[32] Directive, § 5(3) and Planet49, para 69.
[33] CNIL, Délibération no SAN-2020-012 du 7 décembre 2020 concernant les sociétés GOOGLE LLC et GOOGLE IRELAND LIMITED, para 136-139.
[34] CNIL, « Évolution des règles d’utilisation des cookies : quels changements pour les internautes? », 1 October 2020, online and BYRNE WALLACE, « DPC’s Guidance on Cookies, Consent and Compliance by 6 October 2020 », lexology.com, online.
[35] IONOS, « Mise en place de la réglementation européenne sur les cookies », ionos.fr, 23 June 2020, online.