Cookie banners are increasingly prevalent on internet sites. A section about cookies may appear in privacy policies and, sometimes, even an entire policy is devoted exclusively to them.
But what is a "cookie"? Also known as "HTTP cookies", "browser cookies" or "web cookies", a cookie is a small piece of digital data in the form of a text file sent by a website and saved locally on the user's device (computer, tablet, cell phone) through the web browser used while browsing on the Internet, often without the user's knowledge.
Cookies perform what are often essential functions. For example, authentication cookies1 track when a user has logged into a website and under what name.2 Without such a mechanism, the site would not know, for example, whether it should require the user to identify themselves when logging in. Tracking cookies, especially third-party tracking cookies,3 are being used at an exponential rate. Third-party cookies belong to a different domain than the one indicated in the address bar, unlike first-party cookies, which are related to the domain appearing in the address bar. This type of cookie appears when web pages present content from third-party sites, such as advertising banners, and tracks the user's browsing history to suggest relevant advertising adapted to the user's profile.
But can a cookie be considered personal information?
1. Situation in Canada
(a) Concept of "personal information"
As there is currently no legislation in Canada that directly refers to cookies, can a cookie be considered "personal information" under Canadian laws regarding personal information, in which case privacy laws would apply? In other words, can a cookie be "information about an identifiable individual,"4 or is there a "serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information"?5 While, in principle, Canadian case law requires a broad interpretation of the concept of personal information,6 up to now it is silent regarding the interpretation of both the provincial and federal laws as to whether cookies meet the definition of personal information.
In 2011, the Office of the Privacy Commissioner of Canada (the "Commissioner") released its guidelines about this issue concerning tracking cookies. It stated that online behavioural advertising and the tailoring of advertisements based on the user's browsing activities, which include purchasing patterns, "shopping cart" items saved via online shopping platforms and search histories, involves the collection of information by third parties receiving these tracking cookies. As such, "[g]iven the scope and scale of information collected, the powerful means available for gathering and analyzing disparate pieces of data and the personalized nature of the activity, it is reasonable to consider that there will often be a serious possibility that the information could be linked to an individual."7
In other words, the information collected and saved through cookies as part of online tracking and targeting for the purpose of providing personalized advertising, "will generally constitute personal information"8 as defined under the Personal Information Protection and Electronic Documents Act9 (the "PIPEDA").
It should be noted that the PIPEDA, just like the other provincial laws in this area, generally requires consent in order to collect, use and disclose personal information. This consent may be express or implied, depending on the circumstances and certain factors such as the sensitivity of the information involved.
As such, because "zombie cookies,"11 "super cookies"12 and third-party cookies do not provide the user with the opportunity to control the information, and therefore no opportunity for the individual to consent or withdraw their consent, the Commissioner feels that this type of tracking should not be undertaken because it cannot be done in compliance with the PIPEDA.
In sum, cookies that allow an individual to be identified are considered personal information and are therefore subject to Canadian privacy laws. Is this very different from the situation in Europe?
2. Situation in Europe
(a) Considering cookies as personal information
In Europe, the situation is somewhat different because a specific text is designed to apply to cookies through the notion of information storage: the e-Privacy Directive.13 It provides, among other things, that cookies cannot be inserted without first informing the user and obtaining their consent.14 However, this directive does not specify whether a cookie is considered personal data.
To resolve this issue, we should examine the GDPR,15 which provides that "[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."16
In other words, a cookie by itself would not be considered personal data, but it would, when combined with other elements. This is basically the definition of personal data under article 4(1) of the GDPR which states that "a natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This position was recently confirmed by the Court of Justice of the European Union:17
"45. [...] cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery organised by Planet49 contain a number which is assigned to the registration data of that user, who must enter his or her name and address in the registration form for the lottery. The referring court adds that, by linking that number with that data, a connection between a person to the data stored by the cookies arises if the user uses the internet, such that the collection of that data by means of cookies is a form of processing of personal data."
"67. As stated in paragraph 45 above, according to the order for reference, the storage of cookies at issue in the main proceedings amounts to a processing of personal data."
As a result, if the cookie is not personal data, only the e-Privacy Directive applies. Whereas, if the cookie is personal data, the e-Privacy Directive and the GDPR will both apply. This is not a problem given that the e-Privacy Directive18 already often refers to the GDPR's predecessor, Directive 95/46.19 In fact, the provisions of the e-Privacy Directive and GDPR regarding consent "are not to be interpreted differently according to whether or not the information stored or accessed on a website user's terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679."20
(b) Consequences in terms of consent and notice
In order to insert cookies on a user's device, the latter's prior consent must be obtained. In this case, consent will constitute the legal basis of the processing operations in question21 and must meet all the requirements of consent as provided under article 5(3) of the e-Privacy Directive and articles 4(11) and 7 of the GDPR,22 namely, that such "consent shall be free, specific and informed and constitutes an unambiguous indication of the data subject's wishes [...]. Such consent must be provided separately, for specific purposes [...]. Consent must be as easily withdrawn as it is given. The same has to be applied when consent is required to comply with the "ePrivacy" directive [...]."23
The idea behind this decision is that, under the GDPR, consent is inseparable from the specific purpose for which it is given (consent must be specific). This cannot be ensured through a pre-ticked checkbox or by scrolling. This position was reiterated by Advocate General Szpunar in his conclusions in Orange Romania.27
If consent must be the result of active behaviour by the user, then the latter must be well informed. This must include information about the duration of the processing since "[i]nformation on the duration of the operation of cookies must be regarded as meeting the requirement of fair data processing provided for in that article in that, in a situation such as that at issue in the main proceedings, a long, or even unlimited, duration means collecting a large amount of information on users' surfing behaviour and how often they may visit the websites of the organiser of the promotional lottery's advertising partners."28
This information must also indicate whether or not third parties will have access to the cookies because it "is information included within the information referred to in Article 10(c) of Directive 95/46 and in Article 13(1)(e) of Regulation 2016/679, since those provisions expressly refer to the recipients or categories of recipients of the data."29
Undoubtedly, information about the cookies must be provided. Some sites have already added a cookie banner with a link to a list identifying their partners.
3. Supra, note 1.
6. On this topic, see in particular: Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157, par. 34.
7. Office of the Privacy Commissioner of Canada, Guidelines on privacy and online behavioural advertising, December 2011
9. Supra, note 4.
10. Supra, note 7.
11. A zombie cookie is a cookie that is automatically recreated after being deleted. To do so, the cookie information is stored in a number of places such as Flash Local shared objects, Web storage in HTML5 as well as in other places that are client side or even server side.
12. A super cookie is a cookie set on a top-level domain (such as .com) or a public suffix (such as .co.uk). Regular cookies, by contrast, are set on a specific domain registered under such a suffix (for example, a site's own domain within ".com"). Super cookies are a potential security problem and are therefore often blocked by web browsers. If the browser does not block it, an attacker who controls a malicious website can create a super cookie and potentially disrupt, or impersonate, a legitimate user on another website sharing the same top-level domain or public suffix as the malicious website.
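The first-party versus third-party distinction in the body text and the super-cookie problem in this note both come down to one question: what is the registrable domain of the cookie's Domain attribute, as judged against the Public Suffix List? The following Python script is an added illustration, not code from the article or from any browser; it classifies Set-Cookie headers received while loading a page and rejects Domain attributes that name a public suffix, as browsers do under RFC 6265 section 5.3. The PUBLIC_SUFFIXES set is a constructed, abbreviated stand-in for the real list, and the sample headers and host names are constructed as well.

```python
"""Classify cookies as first-party / third-party and reject super cookies.

Added example (not from the article). Browsers consult the Public Suffix
List (publicsuffix.org) for this; the set below is a constructed, abbreviated
stand-in and a real check must load the full, current list.
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "net", "ca", "uk", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label) of host,
    or None when host is itself a public suffix such as "com" or "co.uk"."""
    labels = host.lower().strip(".").split(".")
    # Scanning from the full host downwards finds the longest suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to treating the last label as the suffix.
    return None if len(labels) < 2 else ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_cookie(page_url, response_host, set_cookie_header):
    """Classify one Set-Cookie header sent by response_host while the browser
    is showing page_url.

    Returns "rejected-super-cookie", "first-party" or "third-party"."""
    page_host = urlsplit(page_url).hostname.lower()
    _, _, attrs = parse_set_cookie(set_cookie_header)
    cookie_domain = attrs.get("domain", "").lower().lstrip(".")
    if cookie_domain and registrable_domain(cookie_domain) is None:
        # Domain names a public suffix. RFC 6265 section 5.3: if it equals the
        # request host itself, keep a host-only cookie; otherwise reject it.
        if cookie_domain == response_host.lower():
            cookie_domain = ""
        else:
            return "rejected-super-cookie"
    effective_host = cookie_domain or response_host.lower()
    # First-party means the cookie's site is the site shown in the address bar.
    if registrable_domain(effective_host) == registrable_domain(page_host):
        return "first-party"
    return "third-party"


# Constructed sample headers, as a page on news.example.ca might receive them.
SAMPLE_HEADERS = [
    ("news.example.ca", "session=abc123; Path=/; Secure; HttpOnly"),
    ("cdn.example.ca", "pref=dark; Domain=example.ca; Path=/"),
    ("ads.tracker-example.com", "uid=42; Domain=.tracker-example.com; Path=/"),
    ("ads.tracker-example.com", "uid=42; Domain=.com; Path=/"),
]


def classify_all(page_url, headers=SAMPLE_HEADERS):
    """Return [(cookie name, classification)] for every sampled header."""
    return [(parse_set_cookie(h)[0], classify_cookie(page_url, host, h))
            for host, h in headers]


if __name__ == "__main__":
    for name, kind in classify_all("https://news.example.ca/article"):
        print(f"{name:8s} {kind}")
```

Running it against the constructed sample lists the session and preference cookies as first-party, the tracker's own-domain cookie as third-party, and the Domain=.com cookie as rejected. The fallback for unknown suffixes is deliberately generous; in production the full list is what decides, and a stale copy is itself a way to let super cookies through.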
13. Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications). Note that this directive is being amended and will become a regulation (Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/CE ("Regulation on Privacy and Electronic Communications") COM/2017/010 final - 2017/03 (COD)).
14. e-Privacy Directive, art. 5(3): "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
16. GDPR, Recitals (30).
18. As well as the proposed e-Privacy regulation cited above: "This proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR. The alignment with the GDPR resulted in the repeal of some provisions, such as the security obligations of Article 4 of the ePrivacy Directive." (Explanatory Memorandum, point 1.2).
19. See, for example, e-Privacy Directive, Recitals (17) "For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject's consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website."
20. CJEU, October 1, 2019, Planet 49, par. 71. See also EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, May 4, 2020, par. 6.
22. Planet 49, par. 15.
23. Ibid., par. 46 and 47.
25. Ibid., par. 59.
27. Conclusions of Advocate General Mr. Maciej Szpunar, March 4, 2020, Case C-61/19, Orange România SA v. Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), par. 44 and 45.
29. Ibid., par. 80. See also par. 81.
Originally published 14 May, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.