Cookie banners are increasingly prevalent on internet sites. A section about cookies may appear in privacy policies and, sometimes, an entire policy may be devoted exclusively to them.
*This bulletin is an update of the bulletin Cookies, a bite out of cybernauts’ privacy? A Canadian-European overview published on May 14, 2020.
But what is a cookie? Also known as an “HTTP cookie,” “browser cookie” or “web cookie,” a cookie is a small piece of data that a website sends to the browser (in a Set-Cookie response header or via script) and that the browser stores on the user’s device (computer, tablet, cell phone) and sends back with later requests to that site, often without the user’s knowledge.
Cookies perform functions that are often essential. For example, authentication cookies[1] let a site recognize that a user has logged in and under what name.[2] Because HTTP itself is stateless, without such a mechanism the site could not tell that two requests come from the same logged-in user and would have to ask users to identify themselves on every page. Tracking cookies are increasingly widespread, especially third-party tracking cookies, which belong to a domain other than the one shown in the address bar[3], unlike first-party cookies, which belong to the domain in the address bar. Third-party cookies are set when a web page embeds content from another site, such as an advertising banner, and are used to record the user’s browsing history across sites in order to serve advertising tailored to the user’s profile.[4]
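The distinction just drawn between first-party and third-party cookies, and the public-suffix (“super cookie”) check described in footnote [15], can be verified mechanically from the Set-Cookie headers a browser receives while loading a page. The following Python script is an added example for this bulletin, not code from the original article or from Fasken. It embeds a constructed sample of captured headers and a small hand-picked subset of the Public Suffix List (both assumptions for the example), classifies each cookie as first- or third-party relative to the address-bar domain, flags a Domain attribute that names a bare public suffix, and computes each cookie’s lifetime from Max-Age or Expires, which is the duration information the ECJ case discussed later in this bulletin says must be disclosed to users.

```python
"""Classify Set-Cookie headers observed while loading one page (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List used by browsers (an assumption
# for this example; a real audit would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "qc.ca", "uk", "co.uk", "eu"}


def registrable_domain(host: str) -> str | None:
    """Return the registrable domain (public suffix plus one label) of host,
    or None when host is itself a public suffix or uses an unknown suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                       # longest matching suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split 'name=value; Attr=val; Flag' into the cookie name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else None
    return name, attrs


@dataclass
class CookieReport:
    name: str
    setter_host: str
    party: str                   # "first-party" or "third-party"
    super_cookie: bool           # Domain attribute is a bare public suffix
    lifetime_days: float | None  # None means a session cookie
    secure: bool
    http_only: bool


def classify(page_url: str, setter_url: str, header: str, now: datetime) -> CookieReport:
    page_host = urlsplit(page_url).hostname or ""
    setter_host = urlsplit(setter_url).hostname or ""
    name, attrs = parse_set_cookie(header)

    # First-party means the same registrable domain as the address bar, so a
    # cookie from static.example.ca on a www.example.ca page is still first-party.
    page_reg, setter_reg = registrable_domain(page_host), registrable_domain(setter_host)
    same_site = (page_reg == setter_reg) if page_reg and setter_reg else (page_host == setter_host)

    # A Domain attribute naming a bare public suffix (e.g. ".co.uk") is a "super
    # cookie": browsers reject it because it would be sent to every site under it.
    domain_attr = (attrs.get("domain") or "").lstrip(".").lower()
    super_cookie = bool(domain_attr) and registrable_domain(domain_attr) is None

    lifetime: float | None = None
    if attrs.get("max-age"):                           # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"]) / 86400
    elif attrs.get("expires"):
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - now).total_seconds() / 86400

    return CookieReport(name, setter_host, "first-party" if same_site else "third-party",
                        super_cookie, lifetime, "secure" in attrs, "httponly" in attrs)


def audit(page_url: str, observed: list[tuple[str, str]], now: datetime) -> list[CookieReport]:
    """observed is a list of (URL that sent the header, Set-Cookie header value)."""
    return [classify(page_url, url, header, now) for url, header in observed]


def findings(reports: list[CookieReport], max_tracking_days: float = 365) -> list[str]:
    """Flag super cookies and long-lived third-party cookies for the privacy review."""
    out = []
    for r in reports:
        if r.super_cookie:
            out.append(f"{r.name}: Domain is a public suffix (super cookie); browsers will reject it")
        if r.party == "third-party" and r.lifetime_days and r.lifetime_days > max_tracking_days:
            out.append(f"{r.name}: third-party cookie from {r.setter_host} lives {r.lifetime_days:.0f} days")
    return out


# Constructed sample: headers as if captured while loading one page (not real traffic).
PAGE_URL = "https://www.example.ca/news"
NOW = datetime(2025, 10, 21, 7, 28, tzinfo=timezone.utc)
OBSERVED = [
    ("https://www.example.ca/news", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://static.example.ca/prefs.js", "lang=fr; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("https://ads.tracker.co.uk/pixel.gif", "uid=7f3e9c; Domain=.tracker.co.uk; Max-Age=63072000; Secure; SameSite=None"),
    ("https://cdn.evil.co.uk/x.js", "sc=1; Domain=.co.uk; Max-Age=86400"),
]

if __name__ == "__main__":
    reports = audit(PAGE_URL, OBSERVED, NOW)
    for r in reports:
        print(r)
    for line in findings(reports):
        print("!", line)
```

Run as a script it prints one report per cookie and then the flagged items (the 730-day third-party `uid` cookie and the `sc` super cookie). In a real audit the headers would come from a proxy or the browser’s developer tools, and the full Public Suffix List would replace the embedded subset.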
But can a cookie be considered personal information?
In Canada
Concept of “personal information”
In Canada, currently, only Canada’s anti-spam legislation (CASL) specifically mentions cookies. Under the Act, no person may, in the course of a commercial activity, install or cause to be installed a computer program on another person’s computer system without the express consent of the owner or an authorized user of that system (CASL, s. 8(1)), unless it is reasonable to believe from the person’s conduct that the person consents to the installation, in which case express consent is deemed to have been given (CASL, s. 10(8)).
In order to obtain this consent, clear information is required (CASL, s. 10 (3) ) (see below).
In any event, can a cookie be considered “personal information” under Canadian laws on personal information, in which case privacy laws would apply? In other words, can a cookie be “information about an identifiable individual,”[5] or is there a “serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information”?[6] While, in principle, Canadian case law requires a broad interpretation of the concept of personal information,[7] up to now it has been silent on the interpretation of both provincial and federal laws as to whether cookies meet the definition of personal information.
In 2011 the Office of the Privacy Commissioner of Canada (the “Commissioner”) released its guidelines about this issue concerning tracking cookies. It stated that online behavioural advertising and the tailoring of advertisements based on the user’s browsing activities, which include purchasing patterns, “shopping cart” items saved via online shopping platforms and search histories, involves the collection of information by the third parties who receive these tracking cookies. As such, “[g]iven the scope and scale of information collected, the powerful means available for gathering and analyzing disparate pieces of data and the personalized nature of the activity, it is reasonable to consider that there will often be a serious possibility that the information could be linked to an individual.”[8]
In other words, the information collected and saved through cookies as part of online tracking and targeting for the purpose of providing customized advertising “will generally constitute personal information”[9] as defined under the Personal Information Protection and Electronic Documents Act[10] (“PIPEDA”).
In Quebec, the Commission d’accès à l’information (CAI) considers that companies that use profiling and targeted advertising systems on the internet (particularly via cookies) are subject to the Act respecting the protection of personal information in the private sector. They are therefore obliged to collect only the information necessary for the purpose of the file they have on an individual. In addition, they must inform the individual of the purpose of the file and the use that will be made of the information collected.[11]
Consent
It should be noted that PIPEDA, just like the other provincial laws in this area, generally requires consent to collect, use and disclose personal information. This consent may be express or implied,[12] depending on the circumstances and some other factors such as the sensitivity of the information involved.
For the specific use of cookies for online behavioural advertising, the Commissioner considers that implied consent is valid when certain conditions are met. More specifically, internet users must be informed of the purposes of this practice at or before the time of collection, in a manner that is clear and understandable; they must also be told about the different parties involved in such online behavioural advertising. Users must also be able to opt out on an ongoing basis. Lastly, the personal information involved must not be sensitive information, otherwise express consent will be required, and the information must be destroyed or de-identified (permanently and irreversibly) as soon as possible.[13]
Thus, because “zombie cookies,”[14] “super cookies”[15] and third-party cookies do not allow users to control the information, and therefore provide no opportunity for individuals to consent or withdraw their consent, the Commissioner considers that this type of tracking should not be undertaken, since it cannot be done in compliance with PIPEDA.
Things will soon be different in Quebec. Only one provision of the Act respecting the protection of personal information in the private sector, as amended by Act 25, An Act to modernize legislative provisions as regards the protection of personal information (formerly “Bill 64”), specifically addresses cookies: the new s. 9.1 states that the obligation to ensure that the privacy settings of a publicly available technological product or service provide the highest level of privacy by default does not apply to cookies. However, s. 8.1 may apply, since it refers to technologies that identify, locate or profile.
8.1. In addition to the information that must be provided in accordance with section 8, any person who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person:
(1) of the use of such technology; and
(2) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.
“Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.
In other words, as of September 22, 2023, any company collecting personal information from the data subject using technology that includes functions that allow the data subject to be identified, located or profiled (for example, tracking and retargeting pixels) will have to inform the data subject beforehand:
- of the use of such technology;
- of the methods available to activate the functions allowing identification, location or profiling. In other words, these technologies cannot be activated by default; it will be up to the person concerned to activate them if he or she so wishes.
This raises two points of interest.
First, the introduction of the notion of “cookie” in Act 25 is surprising, as Canadian privacy laws have traditionally followed a technology-neutral approach. Section 9.1, which transposes the concept of privacy by default into Quebec law, does not refer to the notion of necessity, unlike Article 25 of the GDPR,[16] where necessity is what allows certain processing to escape the default-settings requirement. In other words, only the cookie, a technology that is certainly useful but will one day be replaced, appears to benefit from such an exemption.[17]
Next, the new s. 8.1 seems destined to have serious consequences for businesses. It covers a very broad notion of “profiling” (any collection or use of personal information to assess the characteristics of any individual, including employees) as well as any technological function that can identify or locate these individuals. This means that things like devices that allow employees to be located through the collection of IP addresses, or access cards used for security reasons, would be subject to this “deactivation” by default. Quebec organizations could therefore find themselves in the unfortunate position of having to request the activation of these functions, despite their necessary nature in certain circumstances.
Depending on how they are used, cookies that allow an individual to be identified are also considered personal information and are therefore subject to Canadian privacy laws. Is this very different from the situation in Europe?
The European Union
Considering cookies as personal information
The situation is somewhat different within the European Union because of a specific instrument that applies to cookies through the notion of storing information on the user’s terminal equipment: the ePrivacy Directive.[18] As amended in 2009, it provides, among other things, that information may be stored on, or read from, a user’s device (which is what setting and reading a cookie does) only after the user has been informed and has given consent.[19] However, this directive does not specify whether a cookie is personal data.
To resolve this issue we should examine the GDPR,[20] which provides that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”[21]
In other words, a cookie identifier is an “online identifier”; it becomes personal data when it can be linked, alone or in combination with other elements, to a natural person. This follows directly from the definition of personal data in Article 4(1) of the GDPR, under which “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This position was recently confirmed by the European Court of Justice (ECJ):[22]
“45. […] the cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery organised by Planet49 contain a number which is assigned to the registration data of that user, who must enter his or her name and address in the registration form for the lottery. The referring court adds that, by linking that number with that data, a connection between a person to the data stored by the cookies arises if the user uses the Internet, such that the collection of that data by means of cookies is a form of processing of personal data.”
“67. As stated in paragraph 45 above, according to the order for reference, the storage of cookies at issue in the main proceedings amounts to a processing of personal data.”
As a result, if the cookie is not personal data, only the ePrivacy Directive applies. But if the cookie is personal data, the ePrivacy Directive and the GDPR will both apply. This is not a problem given that the ePrivacy Directive[23] already often refers to the GDPR’s predecessor, Directive 95/46.[24] In fact, the provisions of the ePrivacy Directive and GDPR regarding consent “are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.”[25]
Consequences in terms of consent and prior notice
In order to place cookies on a user’s device, that user’s prior consent must be obtained. In this case, consent will constitute the legal basis of the processing operations in question[26] and will have to meet all the requirements of consent provided under Article 5(3) of the ePrivacy Directive and Articles 4(11) and 7 of the GDPR,[27] namely, that such “consent shall be free, specific and informed and constitutes an unambiguous indication of the data subject’s wishes […]. Such consent must be provided separately, for specific purposes […]. Consent must be as easily withdrawn as it is given. The same has to be applied when consent is required to comply with the ‘ePrivacy’ directive […].”[28]
In these circumstances, a pre-ticked checkbox does not constitute valid consent to the use of cookies. The user’s consent can only be proved by an action of that user. Indeed, it “would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited.”[29]
Likewise, an action taken by the user for another purpose is not consent to cookies: “the fact that a user selects the button to participate in the promotional lottery organised by that company cannot therefore be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.”[30] In Europe, therefore, merely continuing to browse or scroll no longer constitutes valid consent to the use of cookies, and a “cookie wall” that makes access to the service conditional on clicking the “Accept cookies” button raises the same concern. That position has been confirmed by the European Data Protection Board’s recent guidelines on consent.[31]
The idea behind this decision is that under the GDPR there must be as many consents as there are specific purposes (consent must be specific). That cannot be achieved through a pre-ticked checkbox or by scrolling. This position was reiterated by Advocate General Szpunar in his Opinion in Orange Romania.[32]
Since consent must be the result of active behaviour by the user, that user needs to be well informed. This must include information about the duration of the processing since “[i]nformation on the duration of the operation of cookies must be regarded as meeting the requirement of fair data processing provided for in that article in that, in a situation such as that at issue in the main proceedings, a long, or even unlimited, duration means collecting a large amount of information on users’ surfing behaviour and how often they may visit the websites of the organiser of the promotional lottery’s advertising partners.”[33]
This information must also indicate whether third parties will have access to the cookies because it “is information included within the information referred to in Article 10(c) of Directive 95/46 and in Article 13(1)(e) of Regulation 2016/679, since those provisions expressly refer to the recipients or categories of recipients of the data.”[34]
Undoubtedly, information about the cookies must be provided. Some sites have already added a cookies banner with a link to a list identifying their partners.
***
This overview of the Canadian and European approaches to regulating the use of cookies from a privacy perspective enables us to see the similarities and differences between the two. While they seem to share the same view about defining cookies as “personal information” or “personal data,” the legal effects arising from this definition differ. In Canada, subject to applicable provincial laws, implied consent is valid when several conditions are met; in Europe, however, active consent is required. Since PIPEDA is expected to be reformed in the coming year, it will be interesting to see how Canadian legislators weigh these considerations and, in particular, whether they follow the European approach. Fasken is here to assist you and is able to find practical solutions that respect privacy and anti-spam laws, both in Canada and in Europe (current and future laws).
[1] Office of the Privacy Commissioner of Canada, Web tracking with cookies, May 2011 (https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/02_05_d_49/).
[2] Office of the Privacy Commissioner of Canada, Frequently asked questions about cookies May 2011 (https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/cookies/frequently-asked-questions-about-cookies/).
[3] Supra, fn. 1.
[4] Note that another common practice in mobile application environments is to use the unique device identifier, a string of alphanumeric characters that uniquely identifies most mobile devices on the market. A variety of information about users can be collected through mobile applications and linked to their unique device identifiers. Information collected in this way can be combined with other information previously collected under the same identifier, which is generally much more persistent over time than a cookie. See, for example: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings # 2013-017, “Apple called upon to provide greater clarity on its use and disclosure of unique device identifiers for targeted advertising,” 2013 CanLII 96099 (PCC).
[5] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s. 2(1).
[6] Gordon v. Canada (Health), 2008 FC 258, para. 33.
[7] See in particular: Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157, para. 34.
[8] Office of the Privacy Commissioner of Canada, Guidelines on privacy and online behavioural advertising, December 2011 (https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/gl_ba_1112/).
[9] Ibid.
[10] Supra, fn. 5.
[11] Commission d’accès à l’information, Publicité ciblée et protection des renseignements personnels https://www.cai.gouv.qc.ca/publicite-ciblee-et-protection-des-renseignements-personnels/
[12] Note that Canada’s anti-spam legislation, which came into effect in 2014 and governs spam and other electronic threats not necessarily related to privacy, prohibits a party from installing any type of computer program on another person’s computer in the course of a commercial activity without first obtaining that person’s express consent, after that person has been informed of the purpose for which consent is being sought and the identity of the party seeking consent. The Act also establishes a presumption of express consent in s. 10(8): a person may also be deemed to have expressly consented to the installation of cookies if his or her conduct is such that it is reasonable, in the circumstances, to believe that he or she has consented.
[13] Supra, fn. 8.
[14] A zombie cookie is a cookie that is automatically recreated after being deleted. To achieve this, the cookie’s contents are also stored in other places, such as Flash Local Shared Objects (a technique that disappeared with the end of Flash support at the end of 2020), HTML5 web storage, other client-side caches and even server-side records, from which the cookie is restored the next time the user visits.
[15] A super cookie is a cookie whose Domain attribute is a top-level domain (such as .com) or a public suffix (such as .co.uk), rather than a specific registered domain such as example.com, which is where ordinary cookies are scoped. Because such a cookie would be sent to every site under that suffix, browsers consult the Public Suffix List and reject it. If a browser did not block it, an attacker controlling a malicious website could set a super cookie and potentially disrupt, or impersonate, a legitimate user’s session on another website sharing the same top-level domain or public suffix as the malicious website.
[16] EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default: “42. The controller should choose and be accountable for implementing default processing settings and options in a way that only processing that is strictly necessary to achieve the set, lawful purpose is carried out by default. Here, controllers should rely on their assessment of the necessity of the processing with regards to the legal grounds of Article 6(1). This means that by default, the controller shall not collect more data than is necessary, they shall not process the data collected more than is necessary for their purposes, nor shall they store the data for longer than necessary. The basic requirement is that data protection is built into the processing by default.”
[17] In this regard, the parliamentary debates preceding the adoption of an amendment to section 8.1, aimed at enshrining the principle of confidentiality by default with respect to the technological functions set out therein, refer to situations where, although the location functionality is necessary for the provision of a technological service, this activation is deactivated by default (Journal des débats de la Commission des institutions, le mercredi 10 mars 2021 – Vol. 45 N° 123).
[18] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Note that this directive is being amended and will become a regulation (Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC [Regulation on Privacy and Electronic Communications] COM/2017/010 final - 2017/03 [COD]).
[19] ePrivacy Directive, art. 5(3), as amended by Directive 2009/136/EC: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
[20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[21] GDPR, recital 30.
[22] ECJ, October 1, 2019, Case C‑673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v. Planet49 GmbH (hereinafter “Planet49”).
[23] As well as the above-mentioned draft ePrivacy Regulation: “This proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR. The alignment with the GDPR resulted in the repeal of some provisions, such as the security obligations of Article 4 of the ePrivacy Directive” (Explanatory Memorandum, point 1.2).
[24] See, for example, ePrivacy Directive, s. 17 “For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.”
[25] ECJ, October 1, 2019, Planet49, para. 71. See also EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, para. 6
[26] EDPB, Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications Version 1.0 Adopted on 28 January 2020, para. 15
[27] Planet49, para. 15.
[28] Ibid. paras. 46 and 47.
[29] ECJ, October 1, 2019, Planet49, para. 55.
[30] Ibid. para. 59.
[31] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, Example 16.
[32] Opinion of Advocate General Maciej Szpunar, delivered on 4 March 2020, Case C-61/19, Orange România SA v. Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), paras. 44 and 45. See also CJEU, 11 November 2020, Case C‑61/19, Orange România SA v. Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), paras. 37 and 46.
[33] ECJ, October 1, 2019, Planet49, para. 78.
[34] Ibid. para. 80. See also para. 81.