Canada’s Anti-Spam Legislation Requirements for Installing Cookies
If your business installs cookies on other people’s computer systems, you must comply with new requirements as of January 15, 2015. CASL prohibits the installation of cookies to another person’s computing device (e.g., laptop, smartphone, desktop, gaming console or other connected device) in the course of commercial activity without the express consent of the device owner or an authorized user (e.g., other family member or employee).
Depending on what a cookie does, and the type of information you collect via your website, you may also need to meet additional requirements. This certainly is the case when sensitive personal information is being used on your website. This is information that is more significantly related to the notion of a reasonable expectation of privacy. Medical or financial information is often considered sensitive personal information, but other types of personal information might be as well. For example, pieces of information that, if procured by the wrong individuals, could result in serious cases of identity theft, might also be considered sensitive personal information.
An individual’s online activity related to the viewing of health-related websites (e.g., research concerning a device for treating sleep apnea) constitutes sensitive personal information. It is inappropriate to rely on implied consent to use such information for the purpose of remarketing tailored advertising. Express consent is required.
Express consent requires the owner or authorized user to take an active step in giving consent, for example by checking a previously unchecked box.
Complianz can help you meet these requirements from CASL and Pipeda.
(PIPEDA Report of Findings #2014-001 Use of sensitive health information for targeting of Google ads raises privacy concerns)