What do I need to know about using “Cookies” on my website?
What is a cookie is and how they can be used on your website and elsewhere?
Given the different activities that you can perform on websites, there are different types of cookies which have different functions:
- Session cookies are used only while an individual is navigating an active session on a website and promptly disappear once you leave the site.
- Permanent or persistent cookies remain even after you close a web browser. These cookies are what allow websites to remember things like search terms or log in details. These cookies expire after a set time, or they must be manually deleted by the individuals.
Does the website visitor need to know they are being used?
In Canada, website cookies attract “deemed consent” under Section 10(8) of Canada’s anti-spam legislation (CASL), so long as the person’s conduct is such that you can reasonably believe that they consent. According to guidance from the Canadian Radio-Television and Telecommunications Commission, you generally need express consent to install computer programs. However, for certain types of programs, including website cookies, you are considered to already have express consent without requesting it. The issue is that there is no explicit guidance on when it is “reasonable” to believe that a person consents to the use of website cookies in such a way that you can rely on the “deemed consent” provision, and so the safest approach is still to obtain such consent. Further, obtaining express consent with respect to using website cookies is required by law in the European Union, pursuant to the General Data Protection Regulation (GDPR). Thus, if you are designing a website for the European market and are expecting visitors from the EU, the safest approach is to still obtain consent (e.g., using a “cookie banner”).
What should visitors to your website be told?
Typically, consent for the use of website cookies is obtained through pop-ups or “cookie banners” that appear when you open a website. Under Canadian anti-spam legislation, when obtaining consent for the installation of a computer program, the request for consent must set out: (1) the purpose for which consent is sought; and (2) the identity of who is seeking the consent. Note that at present, Bill C-11, which attempts to enact the Consumer Privacy Protection Act, has been proposed in Canada. While Parliament has yet to pass the bill, it would introduce a handful of new requirements to obtain consent, including setting out:
- the purposes for, the methods of, and any foreseeable consequences of collection of personal information and the uses and disclosure of this information;
- the specific type of personal information to be collected, used, or disclosed; and
- the names or types of any third parties to which the organization may disclose the personal information.
- an option for users to opt-in or opt-out of the collection of their data; and
- impaired performance due to a website’s inability to rely on cookies to quickly load pages; and
- the lack of personalized service on that website.
- Website hosts may not be able to participate in e-commerce by providing an online shopping feature. Cookies are relied on to ensure that a “cart” stays updated and is consistent with a visitor’s activities on a website and so refusal of cookies would mean that the “cart” feature would reset to an empty cart each time a visitor clicks on a different link.
What are web beacons or clear gifs?
Web beacons, which are also known as clear GIFs, record, or capture, a visitor’s activity on a particular webpage. They are typically not activated until a web page is loaded. Web beacons are often used in conjunction with website cookies, but they do not collect any personal information on their own. Rather, they are transparent, invisible graphic images that are on websites, which act as a tag or identifier that then interacts with website cookies to allow dealers to monitor a visitor’s activities on a website. Although you cannot disable web beacons, disabling cookies will keep web beacons from tracking your activity.
How can a website host best use web beacons?
Web beacons are best used for tracking advertising, downloads, and the general monitoring of the website’s analytics. Web beacons can be used by website hosts to know how many users visit a particular website, or web page of that site. Essentially, they allow website hosts to know where visitors are spending their time. Web beacons can also be used in conjunction with ads so that advertisers can track how often a particular advertisement is viewed, as well as whether individuals are interacting or responding to ads (e.g., by clicking on it).
Web beacons can also be used by website hosts who send purely promotional emails. If you embed a web beacon in the email graphics of your promotional emails, those beacons will not activate unless the email is opened, allowing website hosts to track if users are opening their promotional emails.
Should the visitor to your website be warned that web beacons are in use?
In 2011, the Privacy Commissioner of Canada took a strong stance against the use of web beacons generally. In releasing a set of guidelines, they stated that
If an individual can’t say no to the technology being used for tracking or targeting, then the industry shouldn’t use that technology for behavioural advertising purposes. So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline.
This explicit prohibition against web beacons did not actually make it into the guidelines. The guidelines only state the following:
[I]f an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.
What options should the visitor to your website have – if any?
As mentioned, with respect to tracking and targeting through data collection, the Office of the Privacy Commissioner of Canada requires that visitors are given the option to decline or opt out of the collection and use of their personal information on websites. Thus, while “cookie banners” are not explicitly required in Canada, website hosts will need to use one if they seek to make use of web beacons or clear GIFs. Remember, that in the case of web beacons, the only way for visitors to “opt out” of the tracking and targeting function is if they opt out or decline the use of website cookies.
What if the visitor refuses to use web beacons or clear gifs? What are the consequences for the visitor and for the host of the website?
Visitors cannot refuse the use of web beacons. Given that web beacons or clear GIFs are just transparent, invisible images on a web page, they cannot just be removed. To disable tracking/targeting functions that are of concern with respect to web beacons, a visitor would have to opt out of or decline the use of website cookies. Thus, any consequences for the visitor or website hosts would be the same as the effects of refusing or opting out of the use of website cookies.
Making this information readily available for visitors and giving them the option to opt-out of the collection and use of their personal information will allow website hosts to cover all their bases and ensure compliance with all the various—and complex—privacy requirements.