In the Complianz plugin, we recently added full support for the privacy regime in Canada.
There are two primary privacy laws for Canada:
- Canada’s Anti-Spam Legislation (CASL)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
To comply with these laws, a website operator is required to:
(1) Make use of a cookie statement to clearly explain the function and purpose of the cookies and to provide all other relevant information; and
(2) obtain the user’s consent, whether explicit or implied.
This means there are two relevant types of consent:
- Express consent. This type of consent is given explicitly through a person’s action, for example by clicking an “I agree” button on a cookie banner.
- Implied consent. This type of consent can be inferred through a person’s actions or inaction; for example, a user has not opted out after seeing the pre-ticked boxes on a cookie banner.
Although CASL requires that a website operator gets express consent to install a cookie on anyone’s computer system, implied consent for cookies is also allowed if the user’s conduct is such that it is reasonable to believe that they have consented to the installation of the cookies.
According to the Canadian Radio-television and Communications Commission, a person who disables cookies in their browser indicates that they do not consent to the installation of cookies. The Complianz legal team assumes that the same is possibly true for a person whose browser sends out a Do Not Track signal.
By providing proper information, providing an opt-out process, and respecting people’s browser settings, a website operator can assume that he has a visitor’s express consent to set cookies. However, it is inappropriate to rely on implied consent if a cookie makes it possible to use sensitive personal information to remarket tailored advertising. An individual’s online activity related to the viewing of health-related websites already constitutes sensitive personal information. In that case, express consent is required. This is why we have added an additional question in the Complianz Wizard regarding the use of sensitive personal information. If our cookie scan discovers the use of marketing or tracking cookies on a website dynamically, a cookie banner will be shown to the visitors based on opt-in instead of opt-out.
Privacy statement CPPA & PIPEDA for WordPress
In our privacy statement (available in Premium), we not only focus on the specific privacy rights PIPEDA gives to Canadian citizens, such as access to personal information in an alternative format for an individual with a sensory disability, but we also take into account PIPEDA obligations, such as mentioning in the privacy statement the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded.
As a bonus, we also created a specific Canadian Privacy statement for Children.
Data breach Notification
Last but not least, we also made sure that our data breach notification wizard follows the PIPEDA obligations.