As a response to EU GDPR regulations, website cookie settings have become more robust in terms of how we, as individuals, communicate our consent for our data being gathered. With Canada implementing its own consumer privacy legislation in the coming years, I thought I’d highlight the area that at a first glance might be where internet cookies are loosely regulated.
To provide a bit of background, in November of 2020 Parliament saw a first reading of the Consumer Privacy Protection Act as part of Bill C-11, the broader Digital Charter Implementation Act which seeks to modify Canadian consumer privacy protections with a new regulatory regime and additionally create a Data Privacy Tribunal.
s.52(3)(a) of the Act indicates that organizations cannot collect individuals’ data for business purposes (as noted in s.18) “without their knowledge or consent, through any means of telecommunication”. This enshrines the need for similar consent in Canadian law. Additionally, s.53(4) of the Act indicates that express consent is required, and implied consent is not sufficient. This particular subsection even overrides s.15(4) which provides room for implied consent to data collection in certain reasonable circumstances.
It’s important to note that the provision denotes ‘knowledge’ in addition to consent, which likely provides room for strictly necessary cookies to be gathered under s.18 of the Act.
s.18(1) of the draft legislation deals with business organizations’ ability to collect individuals’ personal information without consent. It states that organizations can collect information without consent if it is done under the auspices of an activity described in s.18(2). The ‘strictly necessary’ cookies which cannot optionally be turned off in our browsers would each likely fall under an activity described in ss.(2), and broadly relate to organizational due diligence, network functionality, and consumer/organizational safety. Consumer knowledge of these strictly necessary cookies, provided in frequently-seen cookie setting pop-ups, may satisfy an organization’s obligations under s.52(3)(a) as described above.
**This is not legal advice, and the legislation isn’t even enacted yet.