Do you need to review your cookies policy?

Authors: Kristél Kriel, Nicole Graham

Cookies are small text files that your website sends to a visitor’s browser to remember them the next time they visit – e.g., their username and password. (There are also chocolate chip cookies, but that’s a topic for another blog.)

If you use cookies on your website (most do), it’s important to comply with privacy law requirements. Depending on where you operate, this may require you to inform the visitors to your site and obtain their consent before you install any cookies on their browser.

Cookies requirements vary among different jurisdictions; Canada’s requirements are less stringent than the European Union’s. By complying with the EU’s rules for using cookies, you can have confidence knowing your cookies policy complies with Canadian requirements.

Cookies in Canada

Canada’s Personal Information Protection and Electronic Documents Act requires you to clearly state that you use cookies and what purpose you use them for. You must also allow users to withdraw their consent to the use of cookies.

The Office of the Privacy Commissioner of Canada (OPC) recommends you use online banners and interactive tools to make users aware of your cookies policy.

According to guidance from the OPC, you can obtain consent to the use of cookies when you:

  • Make users aware of your cookies policy through online banners, layered approaches and interactive tools (not by burying the information in a privacy policy).
  • Let users know how you’re using the information you gather and who has access to it. This should be done when or before the information is collected.
  • Give users the option to opt out, ideally before any data is collected.
  • Inform users that you are limiting the sensitive data you collect as much as possible.
  • Tell users the information you collect is either destroyed or de-identified as soon as possible.

Cookies in the EU

In the EU, the General Data Protection Regulation and the ePrivacy Directive regulate the use of cookies. To comply with these laws, you must:

  • Obtain consent from users before installing cookies.
  • Explain what information your cookies are gathering and for what purpose.
  • Document and store the consent you have received.
  • Allow users to access your website even if they deny consent.
  • Make it easy for users to withdraw consent at any time.

One exception to the above rules is that you are not required to obtain consent before installing cookies if the cookies are needed to access certain parts of your website, such as secure areas. These cookies are often referred to as “strictly necessary” cookies. However, you must still explain what the cookies do and why they are needed.

What we recommend

To confirm that your use of cookies complies with applicable privacy laws, it is important to understand which privacy laws apply and then update your website appropriately.

The lawyers in the MLT Aikins Privacy, Data & Cybersecurity group have wide-ranging experience advising clients in the public and private sectors on best practices for collecting and managing personal information. If you require assistance with your cookies policy and implementation, contact us to learn how we can help.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.