Canada’s Anti-Spam Legislation Requirements for Installing Cookies
If your business installs cookies on other people’s computer systems, you must comply with new requirements as of January 15, 2015. CASL prohibits the installation of cookies on another person’s computing device (e.g., laptop, smartphone, desktop, gaming console or other connected device) in the course of commercial activity without the express consent of the device owner or an authorized user (e.g., other family member or employee).
Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation. However, when it comes to the use of cookies, you are considered to already have consent without having to request it. This is the case as long as the person’s conduct indicates that they consent to it. For example, if the person disables JavaScript in their browser, you would not be considered to have consent under CASL since their conduct would not indicate that they consent to that type of program. Similarly, if the person disables cookies in their browser, you would not be considered to have consent to install cookies.
Depending on what a cookie does, and the type of information you collect via your website, you may also need to meet additional requirements. This certainly is the case when sensitive personal information is being used on your website. This is information that is more significantly related to the notion of a reasonable expectation of privacy. Medical or financial information is often considered sensitive personal information, but other types of personal information might be as well. For example, pieces of information that, if procured by the wrong individuals, could result in serious cases of identity theft, might also be considered sensitive personal information.
An individual’s online activity related to the viewing of health-related websites (e.g., research concerning a device for treating sleep apnea) constitutes sensitive personal information. It is inappropriate to rely on implied consent to use such information for the purpose of remarketing tailored advertising. Express consent is required.
Express consent requires the owner or authorized user to take an active step in giving consent, for example by checking a previously unchecked box.
Complianz can help you meet these CASL and PIPEDA requirements.
(PIPEDA Report of Findings #2014-001: Use of sensitive health information for targeting of Google ads raises privacy concerns)