Canada, Cookies and Consent

Canada, Cookies and Consent

What are cookies?

Unlike the tempting baked good that inspired the world’s most universally loved blue muppet character… Internet or HTML cookies are small non-executable computer files installed on your computer that identify you as a visitor, track your preferences and overall personalize your time spent on a new website. These files do not contain viruses or malware, but allows the website to recognize you when you return to the site, remembering those preferences, and customizing your online experience.

Where cookies become a concern, is the potential for 3rd parties to obtain this information without your consent.

The EU introduced the GDPR (General Data Protection Legislation) in 2018 to protect the rights of internet users whose personal, and oftentimes, sensitive data is stored on websites. This has sparked an influx of consent and privacy policy pop-ups on websites to ensure compliance.

CASL (Canada’s Anti-Spam Legislation)

Although in Canada, we don’t have legislation that targets cookies specifically, it does fall under the anti-spam and national privacy law. CASL protects users and businesses from harmful effects of spam and other electronic threats.

This legislation targets those individuals or businesses who send email to users without their consent, as well as prohibiting the installation of any files onto a user’s computer, such as viruses or malware through spam messages, infected links, etc.

The rules/guidelines followed in Canada to obtain that consent is very similar to our EU counterparts. Those seeking consent must, at an absolute minimum, clearly identify the party seeking the consent and the purpose for which the consent is sought.

However, in some circumstances, and based on your actions and activity on a website, it can already be assumed that you have given consent without it specifically being requested. Along the likes of HTML and Javascript, cookies do not specifically require consent to be installed. Although, for example, if the person disables cookies in their browser, you would not be considered to have consent, under CASL, to install them.

This being said, considering the heavy penalties that can be levied under CASL, the EU’s approach to obtaining consent is still advisable.


Canadian Privacy Law

Canadian Privacy Laws stipulate that expressed informed consent is required to collect, use and disclose personal information. Unless the information collected is sensitive in nature, implied consent can be assumed for reasonable purposes. That being said, there is a limit on the effectiveness of implied consent.

The Federal Privacy Commissioner expects organizations to be guided by the following principles:

  • Organizations must be clear and transparent about the purpose of gathering information so that it is easily understood by the user, without burying it in a privacy policy

  • Consider other effective forms of communicating their intent and purpose, such as interactive tools, banners, etc.
    Users are informed of this purpose either before, or at least at the time of collection. This includes the disclosure of all parties involved in the use/storage of this information.
  • The user is provided an opportunity at that time to opt-out of the practice, and if they so choose so, the opt-out takes effect immediately and is persistent.
  • Limit the collection of information to non-sensitive information whenever practicable, avoiding overly personal information such as health/medical records.
  • Destroy or de-identify the information collected as soon as it is possible.
  • If sensitive information is collected or, alternatively, the information is needed for an unanticipated activity, express consent is required.

The Privacy Commission also states that a child (in all but exceptional circumstances, this applies to anyone under the age of 13) does not possess the maturity to meaningfully provide expressed consent to the collection of their information. Instead, this consent must come from their parents or legal guardians. With respect to youth, companies must take the user’s maturity into consideration and be prepared to demonstrate that their process leads to meaningful and valid consent. It is strongly advised, especially on websites that target children, that tracking technology and collection of information be avoided all together.


Retention of Information

The Federal Privacy Commission states that your organization may use or disclose personal information only for the identified purposes for which it was collected. Although not related specifically to cookies, Privacy Laws in Canada, in general, also limit the amount of time that personal information can be retained.

PIPEDA (Personal Information Protection and Electronics Document Act) states that companies must “Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose” This is also subject to statutory retention periods.

Web users have the option and ability to delete cookies from their browser at any point in time, but can rest assured that privacy law requires that the information be deleted/destroyed at some point in the given future.

Variety of Internet Cookies

“Supercookies” – similar to typical web cookies, but are permanently stored on your device and not your browser, making them much more difficult to find, remove and/or delete. Advertisers love them, as it allows them to send you targeted ads, but privacy advocates loathe them as it makes it almost impossible for users to protect their privacy when surfing the net. When a ISP receives a request from a user to access a website, they attach a Unique Header Identifier (a data profile) to the information before providing it to the website host. This host can then disclose this information to third parties, allowing them to track visitors without them ever knowing. Given that users can not generally opt-out of these practices, the Privacy Commissioner of Canada is against the use of supercookies as the tracking violates CASL and does not comply with PIPEDA.

“Zombie cookies” – these cookies effectively come back to life after originally being deleted, usually from backups stored outside of the web browser’s typical cookie storage, or multiple locations on a user’s device. As the cookies may remain active until every last one has been located, it becomes quite hard for a user to remove and/or delete them all. As with supercookies, the user does not have the opportunity to op-out of the process and as such, the Privacy Commissioner is also against the usage of zombie cookies, as it violates CASL and does not comply with PIPEDA.


Penalties and Fines

In 2020 Canada introduced the Digital Charter Implementation Act, which can see companies fined up to 5% of their global revenue for serious infractions. If also found to be in violation of CASL, you may be required to pay an AMP (Administrative Monetary Penalty) which can carry a maximum penalty (per violation) of up to $1 Million for individuals, and $10 Million for businesses.

Accordingly, as irritating as the EU style pop-up cookie consent boxes may be, it is a relatively simple way to avoid the risk of violating CASL and their hefty penalties.


This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.

Do You Need a Privacy Policy on Your Website?

Do You Need a Privacy Policy on Your Website?

Do You Need a Privacy Policy on Your Website? Answers this question & provides
a Cost-Effective Option!

A quick look at Google and Facebook conversations concerning their security breaches plus GDPR arriving and it is pretty easy to see online privacy is something at the front of people’s minds. If you are the owner of a website or business here in Canada, this makes your Website Privacy statement something you shouldn’t skip over. No worries, at we would love to give you some Canadian thoughts on the subject, backed by experience, while we provide links that can help you create, update, or re-evaluate your privacy policy.

The obvious first question is…Privacy Policy for website in Canada

Don’t people just ignore website privacy policies anyway?

Honestly, privacy policies aren’t something that attracts a ton of attention. In fact, a 2016 study from York University here in Canada revealed that 77% of people never even look at privacy policies. The same study showed that 98% of visitors said “Yes” to a Privacy Policy which included a clause pay with their eldest child for visiting the website. And no one even noticed!

So the facts agree, not many visitors to your website will read your Privacy Policy. But that isn’t why you have one, as you’ll see below.

The Top Three Reasons Why You NEED a Privacy Policy on Your Site (Even if Few Read It!):

  1. Boost Customer Trust: If your customers DO come up with a privacy concern they can quickly see it is an issue you have thought about and addressed. This builds trust in a proactive way, the way that matters most.
  2. Cut Liability and Decrease Risk: Make no mistake by having a Privacy Policy published, most would agree, you have taken a big first step towards meeting the legal obligations surrounding the management of customer data. This can protect your customers as well as protect you should a customer decide they want to question your commitment to privacy.
  3. It Builds Internal Privacy Awareness: By writing an effective privacy policy, you need to actively consider Privacy issues. This exercise will reveal organizational weaknesses you can address that you are likely to be very grateful for in the future.


PIPEDA: Canada’s Major Privacy Requirements

If you are a Canadian company or you collect information from Canadian visitors, then you need to understand PIPEDA: the Personal Information Protection and Electronic Documents Act of Canada.

PIPEDA explains what they consider personal information and delivers ten principles that every business active in Canada needs to address.

According to PIPEDA, there are two types of personal information you need to be concerned with:

Customer Information –  financial and shipping.

Employee Information –  SIN numbers, employment records, and applications & resumes.

PIPEDA talks about very important things if you collect this information like the need for consent before the collection of personal information and how you can use and dispose of this information. PIPEDA also includes audit and compliance procedures.

Importantly, for the subject of this article from your friends at HostedInCanada, if you gather either of these two types of information, you need to develop a privacy policy.

The good news is the Privacy Commissioner’s website has a guide that walks you through each of the ten principles and how to can handle them. There’s even an archive with examples for each.  So as far as the red tape goes this is far from the worst a business has to address, thankfully.

BUT keep reading for a link to the EASIEST and best way to create a Privacy Policy, Terms and Conditions and Cookie Policy that keeps you safe.

Other Website Owner & Entrepreneur Privacy Considerations

 Some of PIPEDA’s ten principles worth spending some extra thought on.

Subscription and Spam

There’s no way around it - If you are collecting emails for a contact list in Canada, you are considered to be collecting personal information. This means Canada’s Anti-Spam Legislation (CASL) which dictates how to gather, maintain and use this type of information applies. This legislation has rules you need to follow regarding consent to join your email list, how you need to provide ways to unsubscribe easily, your data protection and explicit use provisions. Explore their Fast Facts page to learn more and make sure you are doing what you need to be doing to make sure your email marketing is on point.


Cookies track visitor website activity, kind of like an identification card. Cookies can add a great deal to users' website experience through increased functionality, but they also cause user privacy concerns since they do often track personal information. Due to the different types of cookies and the diversity of information they can collect, the Canadian Government doesn’t need you to moderate user’s cookies for them. Instead, this is the website visitor's responsibility to manage their cookie preferences, according to the Canadian regulations. More details can be found on web tracking with cookies on the website of the Office of the Privacy Commissioner of Canada.

Making Your Own Privacy Policy

Now that you understand the importance of a Privacy Policy, it is probably time to make your own that makes sure you’re compliant with PIPEDA. recommends developing a privacy policy and internal procedures for your website in Canada by reviewing the contents of the PIPEDA compliance help page for businesses, provided by the Privacy Commissioner, as an easy to follow guide.

Of course, laws and regulations in Canada are dynamic and continue to evolve. This means writing your own privacy policy isn’t the end of the story. You should make sure to review it in light of the most recent guidelines at least once a year.


Other than the legal obligations of a website owner, privacy is important as someone who engages in online communities in a positive way. Following the rules in this area makes things safer for everyone involved – even if you are never dragged into a legal situation.

Building a privacy policy lets you demonstrate your online business principles, your values and your integrity.

Finally here is the best website, in our opinion to build a Canadian based Privacy Policy, Terms and Conditions and we recommend a Cookie policy as well if you have Google Analytics setup or any script collecting data:

Create your Privacy Policy agreement   Create your Terms and Conditions agreement

Let’s help the internet and online businesses thrive in Canada together!

[google-reviews-pro place_photo= place_id=ChIJ66y2CqNvcVMRZdROchKIeYg rating_snippet=true view_mode=list]



Is your WordPress website fast enough?  Google announced that they will be making speed a ranking factor within mobile search results starting July 2018. However, this speed update will affect only the worst pages since the intent of the query is still one of the strongest signals. So slow pages can still enjoy higher ranking if they offer relevant content.  Canadian Web Hosting sites, NEED to make sure you TEST and FIX speed issues.  At we can help you with WordPress website Speed Optimization.


BUT, it’s not just about Google. Speed is a huge factor when it comes to user experience as well. A 2017 Google study revealed that 53% of the visitors abandoned sites that took longer than three seconds to load. It might be a mark that’s hard to achieve, especially if you have high-quality images and videos on your site but you can still work on the aspects that can be improved.

You can use Google’s Test My Site to check your page load time, the approximate percentage of visitors you are losing and other aspects of your site that need improvement.  It’s quick,


It’s worth mentioning that AMP will not enjoy any additional benefits, although it’s very nature allows it to fly high on the page load time and naturally gives it an advantage. But other than that, there will be no special “rewards”.



Need help with improving page speed? We can help. Just reach out to our reps and ask about our 15% summer discount, and let us do the rest. 1-866-730-2040 #207


PSA from Website Hosting Canada Leader on Google Reviews!

PSA from Website Hosting Canada Leader on Google Reviews!


PSA from Website Hosting Canada Leader

Google is struggling hard to keep the reviews trustworthy. They are trying to weed out fake reviews and bring genuine reviews, but they have a long journey ahead. As reported in Google My Business forums, recently, a Kentucky law firm allegedly ran a contest on Facebook, offering people zoo tickets in exchange for positive reviews.

This didn’t go down well with other law firms and businesses and they reported the incident to Google. As a result, Google updated their reviews guideline from:

“Don’t offer or accept money, products, or services to write reviews for a business or to write negative reviews about a competitor.”

to this:

“In addition to Prohibited Content guidelines, text reviews are subject to the following additional requirements:

  • Don’t use reviews for advertising purposes. This includes, but is not limited to, posting email addresses, phone numbers, social media links or links to other websites in your reviews.
  • Don’t include promotional or commercial content.
  • Don’t offer or accept money in exchange for reviews.
  • Don’t solicit reviews from customers in bulk.”

Reviews are important and it is almost as effective as a personal recommendation, but be careful how you collect it.

To help you get more reviews for your business, we highly recommend our review widget. It’s a small piece of code which is placed on your website and helps you get positive reviews on Google, Yelp and Facebook. In addition, it helps to filter out negative reviews too thus ensuring a positive experience for website users. Need more details? Please connect with us.

Canadian Web Hosting company HostedinCanada offer current News and Updates for Canadian’s.

Show Buttons
Hide Buttons