PIPEDA and Cookie Consent
Since PIPEDA requires you to obtain consent from your users before collecting and sharing their personal information, the law also applies to cookies. Although this definition is still evolving, the fact is that organizations must obtain clear consent before tracking data.
When an organization asks for consent, they must indicate whether those details will be shared with another organization or third party. Likewise, they must describe why the information is being collected and the purpose it will be used for.
To comply with this legislation, the users must also have access to the privacy rules and regulations that will govern how the organization manages its data.
What does this look like in practice?
In simple terms, users must have a clear opportunity to say yes or no to cookies. You must provide users with the choice right away before they use the product or service, and you should explain the terms plainly. If you would like to know more about the types of cookies, then read our article: What are cookies ?
What is the CPPA?
In November 2020, the Canadian government introduced the CPPA – or the Consumer Privacy Protection Act. This legislation is very similar to the GDPR in Europe and aims to enhance the protections under PIPEDA to further protect residents.
While the governing principles of PIPEDA will remain unchanged, it will establish new rules about how businesses can collect, use, and disclose personal information. It will be enforced starting in late 2021 and will apply to all organizations that access the information of Canadian citizens for commercial gain.
Other enhancements under this new regulation will allow individuals to control the transfer of personal information between organizations. They will also have the right to request this data be deleted if they chose to withdraw their consent.
Even if users consent to share their data, the CPPA will require the business to remove specific identifiers – like names – from the data that they hold.
Under the CPPA, express consent to collect cookies will be considered the default requirement. Although that doesn’t mean implied consent through notice will not be acceptable in certain circumstances, it will require businesses to take extra measures to comply.
For instance, implied consent might work if the website owner only uses cookies to improve the user experience or gather usage data for themselves. On the other hand, if the cookies will collect data to share with third parties to develop targeted ads, they will likely need prior express consent.