Canada, Cookies and Consent

What are cookies?jimmy dean 8GclU6e4F2E unsplash scaled

Unlike the tempting baked good that inspired the world’s most universally loved blue muppet character… Internet or HTML cookies are small non-executable computer files installed on your computer that identify you as a visitor, track your preferences and overall personalize your time spent on a new website. These files do not contain viruses or malware, but allows the website to recognize you when you return to the site, remembering those preferences, and customizing your online experience.

Where cookies become a concern, is the potential for 3rd parties to obtain this information without your consent.

The EU introduced the GDPR (General Data Protection Legislation) in 2018 to protect the rights of internet users whose personal, and oftentimes, sensitive data is stored on websites. This has sparked an influx of consent and privacy policy pop-ups on websites to ensure compliance.

CASL (Canada’s Anti-Spam Legislation)

Although in Canada, we don’t have legislation that targets cookies specifically, it does fall under the anti-spam and national privacy law. CASL protects users and businesses from harmful effects of spam and other electronic threats.

glenn carstens peters npxXWgQ33ZQ unsplash scaled

This legislation targets those individuals or businesses who send email to users without their consent, as well as prohibiting the installation of any files onto a user’s computer, such as viruses or malware through spam messages, infected links, etc.

The rules/guidelines followed in Canada to obtain that consent is very similar to our EU counterparts. Those seeking consent must, at an absolute minimum, clearly identify the party seeking the consent and the purpose for which the consent is sought.

However, in some circumstances, and based on your actions and activity on a website, it can already be assumed that you have given consent without it specifically being requested. Along the likes of HTML and Javascript, cookies do not specifically require consent to be installed. Although, for example, if the person disables cookies in their browser, you would not be considered to have consent, under CASL, to install them.

This being said, considering the heavy penalties that can be levied under CASL, the EU’s approach to obtaining consent is still advisable.


Canadian Privacy Law

Canadian Privacy Laws stipulate that expressed informed consent is required to collect, use and disclose personal information. Unless the information collected is sensitive in nature, implied consent can be assumed for reasonable purposes. That being said, there is a limit on the effectiveness of implied consent.

The Federal Privacy Commissioner expects organizations to be guided by the following principles:

  • Organizations must be clear and transparent about the purpose of gathering information so that it is easily understood by the user, without burying it in a privacy policy

    dan nelson ah HeguOe9k unsplash scaled

  • Consider other effective forms of communicating their intent and purpose, such as interactive tools, banners, etc.
    Users are informed of this purpose either before, or at least at the time of collection. This includes the disclosure of all parties involved in the use/storage of this information.
  • The user is provided an opportunity at that time to opt-out of the practice, and if they so choose so, the opt-out takes effect immediately and is persistent.
  • Limit the collection of information to non-sensitive information whenever practicable, avoiding overly personal information such as health/medical records.
  • Destroy or de-identify the information collected as soon as it is possible.
  • If sensitive information is collected or, alternatively, the information is needed for an unanticipated activity, express consent is required.

The Privacy Commission also states that a child (in all but exceptional circumstances, this applies to anyone under the age of 13) does not possess the maturity to meaningfully provide expressed consent to the collection of their information. Instead, this consent must come from their parents or legal guardians. With respect to youth, companies must take the user’s maturity into consideration and be prepared to demonstrate that their process leads to meaningful and valid consent. It is strongly advised, especially on websites that target children, that tracking technology and collection of information be avoided all together.


linkedin sales solutions 0QvTyp0gH3A unsplash scaledRetention of Information

The Federal Privacy Commission states that your organization may use or disclose personal information only for the identified purposes for which it was collected. Although not related specifically to cookies, Privacy Laws in Canada, in general, also limit the amount of time that personal information can be retained.

PIPEDA (Personal Information Protection and Electronics Document Act) states that companies must “Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose” This is also subject to statutory retention periods.

Web users have the option and ability to delete cookies from their browser at any point in time, but can rest assured that privacy law requires that the information be deleted/destroyed at some point in the given future.

Variety of Internet Cookies

cookies 956823“Supercookies” – similar to typical web cookies, but are permanently stored on your device and not your browser, making them much more difficult to find, remove and/or delete. Advertisers love them, as it allows them to send you targeted ads, but privacy advocates loathe them as it makes it almost impossible for users to protect their privacy when surfing the net. When a ISP receives a request from a user to access a website, they attach a Unique Header Identifier (a data profile) to the information before providing it to the website host. This host can then disclose this information to third parties, allowing them to track visitors without them ever knowing. Given that users can not generally opt-out of these practices, the Privacy Commissioner of Canada is against the use of supercookies as the tracking violates CASL and does not comply with PIPEDA.

“Zombie cookies” – these cookies effectively come back to life after originally being deleted, usually from backups stored outside of the web browser’s typical cookie storage, or multiple locations on a user’s device. As the cookies may remain active until every last one has been located, it becomes quite hard for a user to remove and/or delete them all. As with supercookies, the user does not have the opportunity to op-out of the process and as such, the Privacy Commissioner is also against the usage of zombie cookies, as it violates CASL and does not comply with PIPEDA.


bill oxford OXGhu60NwxU unsplash scaledPenalties and Fines

In 2020 Canada introduced the Digital Charter Implementation Act, which can see companies fined up to 5% of their global revenue for serious infractions. If also found to be in violation of CASL, you may be required to pay an AMP (Administrative Monetary Penalty) which can carry a maximum penalty (per violation) of up to $1 Million for individuals, and $10 Million for businesses.

Accordingly, as irritating as the EU style pop-up cookie consent boxes may be, it is a relatively simple way to avoid the risk of violating CASL and their hefty penalties.


This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.

Live Help