Cookie banners are increasingly prevalent on internet sites. A section about cookies may appear in privacy policies and, sometimes, even an entire policy is devoted exclusively to them.
But what is a “cookie”? Also known as “HTTP cookies”, “browser cookies” or “web cookies”, a cookie is a small piece of digital data in the form of a text file sent by a website and saved locally on the user’s device (computer, tablet, cell phone) through the web browser used while browsing on the Internet, often without the user’s knowledge.
Cookies perform what are often essential functions. For example, authentication cookies[1] track when a user has logged into a website and under what name.[2] Without such a mechanism, the site would not know, for example, if it should require the user to identify themself when logging in. Tracking cookies, especially third-party tracking cookies, which belong to a different domain than the one indicated in the address bar,[3] unlike first-party cookies which are related to the domain appearing in the address bar, are being used at an exponential rate. This type of cookie appears when web pages present content from third-party sites, such as publicity banners, and track the user’s browsing history to suggest relevant advertising adapted to the user’s profile.
But can a cookie be considered personal information?
1. Situation in Canada
(a) Concept of “personal information”
As there is currently no legislation in Canada that directly refers to cookies, can a cookie be considered “personal information” under Canadian laws regarding personal information, in which case privacy laws would apply? In other words, can a cookie be “information about an identifiable individual,”[4] or is there a “serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information“?[5] While, in principle, Canadian case law requires a broad interpretation of the concept of personal information,[6] up to now it is silent regarding the interpretation of both the provincial and federal laws as to whether cookies meet the definition of personal information.
In 2011, the Office of the Privacy Commissioner of Canada (the “Commissioner”) released its guidelines about this issue concerning tracking cookies. It stated that online behavioural advertising and the tailoring of advertisements based on the user’s browsing activities, which include purchasing patterns, “shopping cart” items saved via online shopping platforms and search histories, involves the collection of information by third parties receiving these tracking cookies. As such, “[g]iven the scope and scale of information collected, the powerful means available for gathering and analyzing disparate pieces of data and the personalized nature of the activity, it is reasonable to consider that there will often be a serious possibility that the information could be linked to an individual.”[7]
In other words, the information collected and saved through cookies as part of online tracking and targeting for the purpose of providing personalized advertising, “will generally constitute personal information“[8] as defined under the Personal Information Protection and Electronic Documents Act[9](the “PIPEDA”).
(b) Consent
It should be noted that the PIPEDA, just like the other provincial laws in this area, generally requires consent in order to collect, use and disclose personal information. This consent may be express or implied, depending on the circumstances and certain factors such as the sensitivity of the information involved.
Specifically regarding the use of cookies for online behavioural advertising, the Commissioner considers that implied consent is valid when certain conditions are met. In particular, Internet users must be informed, at or before the time of collection, of the purposes for this practice in a manner that is clear and understandable and about the various parties involved in such online behavioural advertising. Users must also be able to opt-out, which choice must be enduring. Lastly, the personal information involved must not be sensitive information, otherwise express consent will be required, and the information must be destroyed or de-identified (permanently and irreversibility) as soon as possible.[10]
As such, because “zombie cookies,”[11] “super cookies”[12] and third-party cookies do not provide the user with the opportunity to control the information, and therefore no opportunity for the individual to consent or withdraw their consent, the Commissioner feels that this type of tracking should not be undertaken because it cannot be done in compliance with the PIPEDA.
In sum, cookies that allow an individual to be identified are considered personal information and are therefore subject to Canadian privacy laws. Is this very different from the situation in Europe?
2. Situation in Europe
(a) Considering cookies as personal information
In Europe, the situation is somewhat different because of a certain text designed to apply to cookies through the notion of information storage: the e-Privacy Directive.[13] It provides, among other things, that cookies cannot be inserted without first informing the user and obtaining their consent.[14] However, this directive does not specify whether a cookie is considered personal data.
To resolve this issue, we should examine the GDPR,[15] which provides that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”[16]
In other words, a cookie by itself would not be considered personal data, but it would, when combined with other elements. This is basically the definition of personal data under article 4(1) of the GDPR which states that “a natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This position was recently confirmed by the Court of Justice of the European Union:[17]
“45. […]cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery organised by Planet49 contain a number which is assigned to the registration data of that user, who must enter his or her name and address in the registration form for the lottery. The referring court adds that, by linking that number with that data, a connection between a person to the data stored by the cookies arises if the user uses the internet, such that the collection of that data by means of cookies is a form of processing of personal data.”
“67. As stated in paragraph 45 above, according to the order for reference, the storage of cookies at issue in the main proceedings amounts to a processing of personal data.”
As a result, if the cookie is not personal data, only the e-Privacy Directive applies. Whereas, if the cookie is personal data, the e-Privacy Directive and the GDPR will both apply. This is not a problem given that the e-Privacy Directive[18] already often refers to the GDPR’s predecessor, Directive 95/46.[19] In fact, the provisions of the e-Privacy Directive and GDPR regarding consent “are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.”[20]
(b) Consequences in terms of consent and notice
In order to insert cookies…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
