This article has been published as a Guidance Notee on OneTrust Data Guidance platform in December 2021.

1. GOVERNING TEXTS

1.1.    Key acts and bills

There is no legislation specifically directed at cookies. Instead, cookies are regulated in the Province of Quebec under: (i) the anti-spam law; and (ii) privacy laws (collectively, the “Governing texts”).

  • Anti-spam law

Canada’s anti-spam Legislation[1] (“CASL”) is currently the only act expressly mentioning or governing the use of cookies and other similar technologies.

  • Privacy laws

In the province of Quebec, the leading[2] legislation responsible for data protection in the private sector is the Act respecting the protection of personal information in the private sector[3] (the “Act”). The Act applies to the collection, use, or disclosure of personal information within the province by any person carrying on an enterprise. The Act is deemed “substantially similar” to the federal act, the Personal Information Protection and Electronic Documents Act[4] (“PIPEDA”), which applies to private organisations at the federal level[5], but also when personal information is disclosed over provincial or international borders[6]. It is worth noting that Bill 64[7], an important legislative reform, has been enacted in the Province of Quebec on September 22, 2021. Bill 64 will substantially modify the data privacy regime regulating both the private and public sectors. This Guidance Note has been drafted to take into account the changes that will be introduced by such legislative reform with respect to the use of cookies in the private sector.

Up to now, case law has not interpreted whether cookies meet the definition of “personal information” and fall under the privacy laws’ scope of application. However, regulators have issued guidelines on tracking and targeting cookies. In particular, the Office of the Privacy Commissioner of Canada (the “OPC”) issued the “Policy position on online behavioural advertising”[8] which provides that the OPC will generally consider information collected for the purpose of online behavioural advertising to be personal information[9]. Similarly, the Commission d’accès à l’information du Québec (“CAI”) has provided that businesses that use profiling and targeted advertising systems on the Internet are subject to the Act[10]. It should also be noted that, without specifying whether cookies constitute “personal information”, Bill 64 contains specific provision on “profiling”[11] and cookies as further explained below.

1.2.    Regulatory authorities’ guidelines

In Quebec, the supervisory authority responsible for overseeing application of the Act is the CAI. The CAI has issued a guidance entitled “Le profilage et la publicité ciblée”[12] in 2013, which pertains more specifically to profiling and targeted advertising. Although the subject of this guidance is relevant for the purpose of this Guidance Notice, it does not offer specific information on how to regulate the use of cookies or other similar technologies and aims more so at informing the public on direct marketing and targeted advertising.

The statutory scheme in Quebec is complemented at the federal level by guidance documents from: (i) the OPC with respect to PIPEDA[13]; and (ii) the Canadian Radio-television and Telecommunications Commission (“CRTC”) in relation to CASL[14].

1.3       Case law

There is no current relevant case law on the subject of cookies and similar technologies in Canada, including in the Province of Quebec.

2. DEFINITIONS

There is no definition of “cookies” or similar technologies in the relevant Governing texts (including in Bill 64), and case law has not yet interpreted this concept. However, “cookies” are commonly understood as small pieces of text that are placed on a computer, mobile device, tablet, or other device when using a browser to visit an online service[15]. They are enabled by the operator of a website and can be set by such operator (“first party cookies”) or a third-party (“third party cookies”). Cookies are typically classified based on their purposes, namely:

  • Essential cookies are essential to make a website operational; they include session cookies that keep individuals logged as they navigate the website;
  • Non-essential cookies are not necessary for the website work properly; they include functionality, performance and targeting cookies.

Depending on their purposes and the data they gather, cookies can be subject to specific legal requirements, including those pertaining to consent and transparency.

3. CONSENT AND COOKIE POLICY

3.1     Consent

There are no clear guidelines on consent for the use of cookies in the Province of Quebec. However, in light of the Governing texts, including the relevant guidelines, the form of consent that enterprises will be required to obtain will likely vary depending on the type of cookies at hand.

  • Anti-spam law

Under CASL, a person is considered to consent to the installation of a cookie if the persons’ conduct is such that it is reasonable to believe that they consented[16]. In this respect, the CRTC provides that “if the persons disable cookies in their browser, you would not be considered to have consent to install cookies”[17]. However, there is no further guidance on the conduct that will be deemed “reasonable” to assume consent.

  • Privacy laws

Generally speaking, privacy laws require consent in order to collect, use and disclose personal information. Depending on certain factors such as the sensitivity of the information involved, such consent may be express or implied. In this respect, the OPC considers that implied consent for tracking and targeting cookies is only valid under specific conditions[18]. There is no similar guidance in the Province of Quebec with respect to consenting to cookies. However, the Act provides general requirements for a consent to be valid, and Bill 64 adds specific provisions for the use of cookies and similar technologies.

Specifically, the Act provides that consent must be “manifest, free, informed and given for specific purposes”[19]. The CAI has recognized that such consent may be explicit or implied, depending on the circumstances at hand[20]. Bill 64 opens the door to implied consent for some cookies. Indeed, the bill imposes that the parameters of technological products or services must, by default, provide the highest level of confidentiality to users, except for cookies[21]. However, any identification, localization, or profiling functions must be deactivated by default, which means that individuals must be able to consent to such features through an opt-in mechanism. As such, cookies that do not include identification, localization, or profiling functions (e.g., essential cookies) are likely exempt from the opt-in requirement. Still, considering that these amendments were just adopted by the government, they have yet to be tested and interpreted by the courts, and no further detail as been issued on the matter.

3.2     Cookie Policy…

Read The Full Article at Lexology

Check Also

Cookie consent: 5 harmful designs from UK Regulators’ guidance

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), and …