As a Canadian business, should you too be adding a cookie notice to your website?

March 13, 2020

Website Cookies

Unless you have been living under a rock, you have likely noticed that countless websites today are equipped with a popup informing you that they use cookies.

Chances are, like most people, you clicked a button to make the popup disappear and continued browsing. When it comes to your own website, however, you may be wondering whether or not you too should be adding a cookie notice. Since there is a lot of conflicting information out there regarding cookie banners, this article will attempt to clarify and help to shed some light on the matter.

Let’s start with the basics and first explain what a cookie is, while refraining from making reference to the baked good. Simply put, a cookie is a tiny file that your browser drops onto your computer when you visit a website. This file contains information about your interactions with said website, such as whether or not you’re logged in, and items you’ve put into a shopping cart. Most of the time, cookies make for a better browsing experience. So why bother with the warning?

The main purposes of cookie banners are to inform their visitors that their data is being collected and utilized, and to get their consent to use this data. In May of 2018, the General Data Protection Regulation (GDPR) was put into effect by the European Union with the intent to protect individuals’ privacy and personal data on the internet.

Legally, you need a cookie banner if you collect data from European Union visitors.

Given this information, you might be wondering why cookie banners are still becoming more prevalent on Canadian websites. This is where it gets a bit tricky. The internet is currently lacking a hard and fast rule when it comes to cookie consent in Canada, and there is a divide as to whether Canadian websites need them or not. If your website is designed for the European market and you are expecting traffic from there, you should comply with the GDPR guidelines. It is less pressing if you are not expecting European visitors; although it’s good to keep in mind that who visits your website is out of your control.

A good way to stay on the safe side with regards to cookie consent is to familiarize yourself with Canada’s Privacy Laws.

Canada has two main privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA), and Canada’s Anti-Spam Legislation (CASL). The CASL requires you to obtain something called “express consent” when certain “computer programs” are installed on a user’s device via your website. Express consent refers to consent that is given explicitly when a user completes a specific action. A topical example of giving express consent would be clicking “I agree” on a cookie banner. The CASL considers cookies to be a computer program, so does that mean that the use of cookies would require getting express consent? Here’s the caveat: the CASL also lists several computer programs for which you do not have to request express consent, and cookies are included on this list (you can view the full list under section 2 here). Note that the CASL states you can assume that you have a person’s express consent for cookies if “the person’s conduct is such that it is reasonable to believe that they consent.”

As you can see it takes a bit of digging and inferring to understand what Canadian privacy laws require of you in terms of cookie consent. Perhaps you have familiarized yourself with these laws and decided that you do want to include a cookie banner on your site. The next step would be to determine the type of cookie banner you want to implement. You may have noticed different types in your internet endeavours, varying in levels of options given to, and protection for, users.

Website Cookies

Let’s take a look at the four main approaches to cookie consent that are used today.

Notice Only

The most basic type of cookie consent is simply to include a notice informing the user that the site uses cookies. Typically the user does not have to take any action and is not given the choice to opt out. If they’re not comfortable with their data being collected, they’ll simply have to cease using the site. Keep in mind this does not comply with the GDPR, so if your site is targeting the European market, this is not the option for you.

Opt-Out Consent

Next we have banners that do offer the choice to opt out of cookie usage. Sites that use this method will drop all cookies when a user navigates to their site. These usually do not negatively affect the user’s experience and are relatively simple to implement on a website, compared to other approaches. The one drawback here is that this still may be at risk of violating the GDPR.

Implied Consent

The third type of cookie consent you may come across uses an implied consent approach and drops only the cookies that are seen as necessary by the GDP. Sites taking this approach will show a cookie banner that will either have the user choose to continue, or inform them that the remaining cookies, those not deemed necessary by the GDPR, will be dropped if they continue browsing the site.

Opt-In Consent

The last type of cookie consent is referred to as opt-in consent. Websites using this will drop only the most necessary cookies, and notify users what each type of cookie that they drop is for. Users will be asked to take action to consent to dropping the remainder of the cookies (ie. clicking a button or checking a box). Those that adopt this approach to cookie consent are very likely to be in the clear with regard to the GDPR.

Website Cookies

In summary

Unless you are targeting visitors in the EU, chances you are not yet legally required to obtain consent for using cookies as a Canadian business. You may want to play it safe and include a cookie banner anyway. Regardless of your decision, and as aforementioned, it is best to stay up to speed on Canada’s privacy laws to ensure you are keeping your website safe and your users informed.