The European Union has issued a Privacy and Communication
Directive regarding the collection and use of "cookies"
through websites and other applications. Cookies are small files
placed on a user's computer when the user visits a website;
they are used to remember the user's preferences, or
automatically log the user in to the website, or direct advertising
at the user.
Some countries, such as the United Kingdom, have issued their
own laws to implement the EU directive. The U.K. legislation came
into effect this summer, and has prompted changes in how websites
in the U.K. interact with their users.
Interestingly, despite the fact that the legislation is based on
protection of personal information and privacy, it applies even
when a cookie is not being used to collect any
personally-identifiable information. The rules apply to all
cookies, and are intended to prevent information from being stored
on users' computers without their informed consent.
As is the case with privacy consents in general, the preferred
approach for cookies is to obtain explicit consent. This can be
achieved, for example, by providing a notice to the user explaining
what cookies are, how they will be used, what they will do, and
asking the user to click "I agree."
Explicit consent is the best legal way to ensure that the user
has really consented to the issuance and acceptance of cookies.
However, it is onerous and irritating, especially if it is done
each time the user visits the website. That's why implied
consent is also acceptable, at least in the U.K.
Implied consent involves providing information to the user and
looking for some action by the user which indicates that the user
has consented. For example, a website may post a clear and
unavoidable notice when the user first visits the site, advising
the user that cookies will be used, and explaining what cookies
are. If the user clicks on any other pages within the site after
the notice has been displayed, the user may be deemed to have given
implied consent to receiving the cookies described in the notice.
The requirements and wording of the notice may vary depending on
the audience, such as how tech savvy it is.
Failing to comply with the rules may result in a number of
actions. In the U.K., those actions range from an information
notice and request to comply (on the low end), to a monetary
penalty of up to £500,000 (on the high end).
The U.K. law applies to all companies in the U.K., even if their
websites are hosted elsewhere. Likewise, the U.K. Information
Commissioner's Office has taken the position that Canadian and
other foreign companies should comply with the legislation if their
websites are designed for the European market, or if they provide
products or services to European customers. Practically, it may be
difficult for EU authorities to enforce this law against Canadian
companies that have no assets in the EU; however, there are good
domestic reasons for Canadian companies to comply with the
legislation as well.
In particular, Canada's anti-spam legislation, which has
been passed but not yet implemented, contains similar rules
regarding cookies in Canada. The starting point in Canada is that
express consent is required to install a computer program on
anyone's computer system.
Obtaining consent requires: (a) clearly and simply explaining
the purposes for which the consent is being sought; (b) describing
the function and purpose of the program and providing all other
prescribed information; and (c) obtaining the user's consent.
The legislation permits implied consent for cookies if the
user's conduct is such that it is reasonable to believe that
they have consented to the installation of the cookies.
The steps to ensure compliance with cookies legislation are
similar to the steps to comply with Canadian privacy law in
First, website operators should determine how and why they
adjusting or ceasing the use of some cookies if they are
unnecessary or if they are overly intrusive and may upset users
when they are disclosed to them. The next step is to draft a
cookies notice and implement a form of consent, whether explicit or
implied. The final step is to implement a system to allow users to
withdraw their consent in the future, and to provide information to
users regarding that system.
Canadian companies should implement these steps now, both to
comply with domestic and international legislation, and also to
conform to what are soon to become the industry standards for
cookie usage online.
Originally published in The Lawyers Weekly,
September 28 2012.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.