What do I need to know about using “Cookies” on my dealership website?

What is a cookie is and how they can be used on your website and elsewhere?

A cookie is essentially a small storage unit that gathers data or information about you when you are on a website. Cookies are used to monitor your activity on a website to allow the website to remember things about you for the next time you visit that website. The use of cookies allows websites to tailor the service it provides around you and your needs, as observed through cookies. This includes targeting ads to you, autofill search terms in a search bar, provide recommended items on e-commerce websites, and so on.

Given the different activities that you can perform on websites, there are different types of cookies which have different functions:

• Session cookies are used only while an individual is navigating an active session on a website and promptly disappear once you leave the site.
• Permanent or persistent cookies remain even after you close a web browser. These cookies are what allow websites to remember things like search terms or log in details. These cookies expire after a set time, or they must be manually deleted by the individuals.

Does the website visitor need to know they are being used?

Not necessarily.

In Canada, website cookies attract “deemed consent” under Section 10(8) of Canada’s anti-spam legislation (CASL), so long as the person’s conduct is such that you can reasonably believe that they consent. According to guidance from the Canadian Radio-Television and Telecommunications Commission, you generally need express consent to install computer programs. However, for certain types of programs, including website cookies, you are considered to already have express consent without requesting it. The issue is that there is no explicit guidance on when it is “reasonable” to believe that a person consents to the use of website cookies in such a way that you can rely on the “deemed consent” provision, and so the safest approach is still to obtain such consent. Further, obtaining express consent with respect to using website cookies is required by law in the European Union, pursuant to the General Data Protection Regulation (GDPR). Thus, if you are designing a website for the European market and are expecting visitors from the EU, the safest approach is to still obtain consent (e.g., using a “cookie banner”).

What should visitors to your website be told?

Typically, consent for the use of website cookies is obtained through pop-ups or “cookie banners” that appear when you open a website. Under Canadian anti-spam legislation, when obtaining consent for the installation of a computer program, the request for consent must set out: (1) the purpose for which consent is sought; and (2) the identity of who is seeking the consent. Note that at present, Bill C-11, which attempts to enact the Consumer Privacy Protection Act, has been proposed in Canada. While Parliament has yet to pass the bill, it would introduce a handful of new requirements to obtain consent, including setting out:

1. the purposes for, the methods of, and any foreseeable consequences of collection of personal information and the uses and disclosure of this information;
2. the specific type of personal information to be collected, used, or disclosed; and
3. the names or types of any third parties to which the organization may disclose the personal information.

The addition of these new requirements would also comply with the GDPR in Europe, which has very strict requirements for obtaining consent from users with respect to the collection of personal information and the use of cookies. This typically includes a notice that sets out:

1. an explanation of the use of cookies and the cookies that the website uses;
2. an option for users to opt-in or opt-out of the collection of their data; and
3. how to access further information about the collection of data, the use of that data, and any related third-party activity (g., through a cookie policy).

Why?

Given that consent to the use of cookies is not as strictly required in Canada, the purpose of such disclosure ought to be viewed in the grander scheme of Canada’s privacy laws. Canada’s anti-spam legislation (CASL) is designed “to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities”. The general rationale for the requirement to obtain consent when collecting personal information is to protect users. By obtaining consent, the users are informed of the collection of their personal information and given the option to agree to that collection. Further, by obtaining this express consent, those operating websites can ensure compliance with Europe’s GDPR.

What if the visitor refuses to use cookies? What are the consequences for the visitor and for the website?

If a user chooses to opt out of the use of cookies, there are not very many consequences that can result. Consequences for the visitor could include:

• an inability to use the website, as many websites require that a user accept the use of cookies to continue to use the site;
• impaired performance due to a website’s inability to rely on cookies to quickly load pages; and
• the lack of personalized service on that website.

There may also be consequences for the website host seeking to rely on the use of cookies. This is the case for website hosts who need to be able to track or follow a user’s movement across their website. Without the use of cookies, website hosts will tend to run into issues with two common features of websites:

• Website hosts may not be able to use a “log in” feature that requires users to input a username and password to access parts of the website. This is because cookies are relied on to be able to track and manage an individual’s session on a website and ensure that they stay “logged in” while they navigate the different web pages.
• Website hosts may not be able to participate in e-commerce by providing an online shopping feature. Cookies are relied on to ensure that a “cart” stays updated and is consistent with a visitor’s activities on a website and so refusal of cookies would mean that the “cart” feature would reset to an empty cart each time a visitor clicks on a different link.

Except for cookies such as these—which are often deemed “necessary”—a visitor’s decision to opt-out of the use of cookies used primarily for personalization or tracking, will likely not have much of an impact on a website host’s ability to run their website, but monitoring website activity will become more difficult. The impairment of the monitoring function also includes the fact that web beacons (discussed below) would be rendered unusable. Effects on the monitoring function include tracking website traffic, the effectiveness of ads, and other such analytics. That said, it is also important to note that the refusal of the use of cookies allows for better mitigation of the risk of privacy breach for visitors because their personal data is not being collected and stored.

What are web beacons or clear gifs?

Web beacons, which are also known as clear GIFs, record, or capture, a visitor’s activity on a particular webpage. They are typically not activated until a web page is loaded. Web beacons are often used in conjunction with website cookies, but they do not collect any personal information on their own. Rather, they are transparent, invisible graphic images that are on websites, which act as a tag or identifier that then interacts with website cookies to allow dealers to monitor a visitor’s activities on a website. Although you cannot disable web beacons, disabling cookies will keep web beacons from tracking your activity.

How can a website host best use web beacons?

Web beacons are best used for tracking advertising, downloads, and the general monitoring of the website’s analytics. Web beacons can be used by website hosts to know how many users visit a particular website, or web page of that site. Essentially, they allow website hosts to know where visitors are spending their time. Web beacons can also be used in conjunction with ads so that advertisers can track how often a particular advertisement is viewed, as well as whether individuals are interacting or responding to ads (e.g., by clicking on it).

Web beacons can also be used by website hosts who send purely promotional emails. If you embed a web beacon in the email graphics of your promotional emails, those beacons will not activate unless the email is opened, allowing website hosts to track if users are opening their promotional emails.

Should the visitor to your website be warned that web beacons are in use?

In 2011, the Privacy Commissioner of Canada took a strong stance against the use of web beacons generally. In releasing a set of guidelines, they stated that

If an individual can’t say no to the technology being used for tracking or targeting, then the industry shouldn’t use that technology for behavioural advertising purposes. So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline.

This explicit prohibition against web beacons did not actually make it into the guidelines. The guidelines only state the following:

[I]f an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.

Given that on their own, web beacons have no ability to collect information or track visitors, this would not be an issue. However, when combined with cookies, these functions are available for website hosts to use. Thus, the “warning” of the use of web beacons should accompany any consent sought for the use of cookies given that cookies are what allow web beacons to be used for tracking and targeting purposes.

What options should the visitor to your website have – if any?

As mentioned, with respect to tracking and targeting through data collection, the Office of the Privacy Commissioner of Canada requires that visitors are given the option to decline or opt out of the collection and use of their personal information on websites. Thus, while “cookie banners” are not explicitly required in Canada, website hosts will need to use one if they seek to make use of web beacons or clear GIFs. Remember, that in the case of web beacons, the only way for visitors to “opt out” of the tracking and targeting function is if they opt out or decline the use of website cookies.

What if the visitor refuses to use web beacons or clear gifs? What are the consequences for the visitor and for the host of the website?

Visitors cannot refuse the use of web beacons. Given that web beacons or clear GIFs are just transparent, invisible images on a web page, they cannot just be removed. To disable tracking/targeting functions that are of concern with respect to web beacons, a visitor would have to opt out of or decline the use of website cookies. Thus, any consequences for the visitor or website hosts would be the same as the effects of refusing or opting out of the use of website cookies.

Remember

Given the global nature of the internet, even where website hosts may not anticipate visitors from other jurisdictions, they may still attract foreign visitors. This means that they may still be caught under a foreign jurisdiction such as the European Union, which has strict requirements regarding the collection and use of the personal information of Europeans. Overall, the best approach is to use cookie banners to obtain consent from visitors and to implement a comprehensive “cookie policy” where dealers set out information about the data they are collecting, the purposes for doing so, any third parties involved, and any such information that is pertinent for visitors to know in relation to their privacy and personal information.

Making this information readily available for visitors and giving them the option to opt-out of the collection and use of their personal information will allow website hosts to cover all their bases and ensure compliance with all the various—and complex—privacy requirements.

At Sotos LLP, we have acted for thousands of businesses and trademark owners in every aspect of privacy and intellectual property issues, including, drafting terms of use and privacy terms for their websites, and protecting their intellectual property for more than 40 years.

Please contact John Yiokaris at 416.977.3998 or jyiokaris@sotos.ca to discuss your intellectual property, trademark, and privacy issues.