In the Complianz plugin, we recently have added Full support for the privacy regime in Canada.
There are two main privacy laws for Canada:
- Canada’s Anti-Spam Legislation (CASL)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
To comply with these laws a website operator is required to:
(1) Make use of a cookie statement to clearly explain the function and purpose of the cookies and to provide all other relevant information; and
(2) obtain the user’s consent, whether explicit or implied.
This means there are two relevant types of consent:
- Express consent. This type of consent is given explicitly, through a person’s action. For example, by clicking on a “I agree” button on a cookie banner.
- Implied consent. This type of consent can be inferred through a person’s actions or inaction. For example, where a user has not opted out after seeing the pre-ticked boxes on a cookie banner.
Although CASL actually requires that a website operator gets “Express consent” to install a cookie on anyone’s computer system, Implied consent for cookies is also allowed if the user’s conduct is such that it is reasonable to believe that they have consented to the installation of the cookies.
According to the Canadian Radio-television and Communications Commission a person that disables cookies in their browser is an indication that they do not consent to install cookies. The Complianz legal team assumes that the same is possibly true for a person whose browser sends out a Do Not Track signal.
By providing proper information, providing an opt-out process, and respecting people’s browser settings, a website operator can assume that he has a visitors’ express consent to set cookies. It is however inappropriate to rely on implied consent if a cookie makes it possible to use sensitive personal information for the purpose of remarketing tailored advertising. An individual’s online activity related to the viewing of health-related websites already constitutes sensitive personal information. In that case Express consent is required. This is why we have added an additional question in the Complianz Wizard regarding the use of sensitive personal information. If our cookiescan discovers the use of marketing or tracking cookies on a website, dynamically a cookie banner will be shown to the visitors based on opt-in instead of opt-out.
Privacystatement PIPEDA for WordPress
In our Privacystatement (available in Premium) we not only focus on the specific privacyrights PIPEDA gives to Canadian citizens, such as access to personal information in an alternative format to an individual with a sensory disability, but we also take into account PIPEDA obligations such as mentioning in the Privacystatement the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded.
As a bonus we also created a specific Canadian Privacy statement for Children.
Last but not least we also made sure that our databreach notification wizard follows the PIPEDA obligations.