Law25 and Cookies: Navigating Digital Consent in Quebec


The world of digital privacy is ever-evolving, and Quebec’s Law25 (originating from Bill 64) has positioned itself at the forefront of this change in Canada. One area that’s been impacted significantly by this legislation is the use of cookies and similar tracking technologies on websites. With the relevant provisions coming into effect on September 22, 2023, it is high time to look at the significant changes you may have to make to how you are presenting cookie banners and operationalizing consent requirements.

Explicit Consent:

Law25 contains two provisions relevant to the use of cookies: section 8.1, which says that profiling, identification, and locating technology must be turned off by default, and section 9.1, which exempts browser cookies from the requirement that a technological product’s privacy settings be set to the highest level of confidentiality by default.

  • 8.1 In addition to the information that must be provided in accordance with section 8, any person who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person
      (1) of the use of such technology; and
      (2) of the means available to activate the functions that allow a person to be identified, located or profiled.
  • “Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.

And

  • 9.1 Any person carrying on an enterprise who collects personal information when offering to the public a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned.
  • The first paragraph does not apply to privacy settings for browser cookies.

Section 8.1 applies to cookies as cookies fall squarely within the definition of technologies used to profile, identify, or locate website visitors using their personal information. 

The Quebec privacy commissioner has released draft guidelines on valid consent, which include the commissioner’s interpretation of section 8.1. Since the law requires that the profiling technology be turned off by default, the commissioner reads this as an express consent requirement. In other words, cookies may not be dropped on the device of a website visitor unless express consent is first obtained. Without an exception for necessary cookies, that is, cookies that are placed on an individual’s device when the website loads and that ensure its proper functioning, compliance with this provision, as interpreted by the commissioner, is going to be challenging. For example, displaying a cookie pop-up usually requires dropping a cookie, so that the individual’s choice is remembered and the pop-up is not displayed on every visit to the website.

Furthermore, an argument can be made that these two provisions, 8.1 and 9.1, are contradictory. While the former requires the cookie technology to be turned off by default, the latter exempts cookies from the maximum-privacy-by-default requirement for technology products with privacy settings. It can thus be expected that, once these provisions come into force, the right implementation will be subject to debate.

Express Consent:

If the privacy commissioner’s guidance remains as is, the express consent requirement for the use of cookies constitutes a departure from the implied or passive consent models used in the past. For cookies:

  • Users must be provided clear information about the types of cookies being used, their purposes, and the data they collect.
  • Consent mechanisms should be straightforward, allowing users to actively opt-in rather than relying on pre-checked boxes or passive acceptance.

Essential vs. Non-Essential Cookies:

If we were to obtain an exception from the express consent requirement for essential cookies from the Quebec regulator, non-essential cookies, especially those related to advertising or tracking, will likely remain under scrutiny. It would therefore be prudent to make a clear distinction between essential and non-essential cookies and to allow users to reject non-essential cookies without impacting their browsing experience. 

Transparency and Accessibility:

Websites must present their cookie policies and usage in a clear and accessible manner. This means:

  • Having a dedicated cookie policy or a section within the privacy policy that details cookie usage.
  • Regular updates to the cookie list, ensuring users are aware of any new or removed cookies.

Data Minimization:

Aligned with Law25’s broader principle of data minimization, cookies should:
 
  • Collect only the necessary data required for their stated purpose. This also requires you to check what information the third-party cookies you use collect.
  • Limit data retention periods, ensuring that information isn’t stored indefinitely without reason, by you as well as by third-party cookies.

Third-party Cookies and Data Transfers:

Given Law25’s strict stance on data transfers, particularly outside of Quebec:

  • Users should be made aware of any third-party cookies that might transfer data to other jurisdictions.
  • Sites should ensure that third-party cookie providers adhere to Law25’s principles, especially if data is being transferred out of province or country.

Cookie Audits and Reviews:

To maintain compliance:

  • Organizations should periodically audit their cookie usage, ensuring that all active cookies have been declared and have valid consent mechanisms in place.
  • Reviews should also ensure that obsolete cookies are removed and that users are informed of any significant changes in cookie usage.
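
One way to run such an audit, as an added example that is not part of the original post: the script compares the Set-Cookie headers captured on a first page load against a declared cookie inventory and flags undeclared cookies, cookies set without an opt-in, and retention longer than declared. The cookie names, categories, retention values and the `exemptEssential` switch are constructed for illustration.

```javascript
// Added example: audit captured Set-Cookie headers against a declared inventory.
// All cookie names, categories and retention values below are constructed.
const INVENTORY = [
  { name: "consent_choice", category: "essential", maxAgeDays: 180 },
  { name: "_analytics_id", category: "analytics", maxAgeDays: 30 },
  { name: "ad_profile", category: "advertising", maxAgeDays: 90 },
];

// Parse one Set-Cookie header into { name, maxAgeDays } (null = session cookie).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  let maxAgeDays = null;
  for (const attr of attrs) {
    const [key, value] = attr.split("=");
    if (key.toLowerCase() === "max-age") maxAgeDays = Number(value) / 86400;
  }
  return { name, maxAgeDays };
}

// granted: Set of categories the visitor actively opted in to.
// exemptEssential: false models the commissioner's draft reading (no exception
// for necessary cookies); true models a hypothetical future exception.
function auditCookies(headers, granted, { exemptEssential = false } = {}) {
  const findings = [];
  for (const header of headers) {
    const { name, maxAgeDays } = parseSetCookie(header);
    const entry = INVENTORY.find((c) => c.name === name);
    if (!entry) {
      findings.push({ name, issue: "undeclared" });
      continue;
    }
    const exempt = exemptEssential && entry.category === "essential";
    if (!exempt && !granted.has(entry.category)) {
      findings.push({ name, issue: "set-without-consent" });
    }
    if (maxAgeDays !== null && maxAgeDays > entry.maxAgeDays) {
      findings.push({ name, issue: "retention-exceeds-declared" });
    }
  }
  return findings;
}

// Constructed capture of a first page load, before the visitor made any choice.
const FIRST_LOAD = [
  "consent_choice=pending; Max-Age=15552000; Path=/; Secure",
  "_analytics_id=abc123; Max-Age=63072000; Path=/",
  "legacy_tracker=1; Path=/",
];
```

Calling `auditCookies(FIRST_LOAD, new Set())` returns the findings for a visitor who has not opted in to anything, which is the state in which the default-off reading of section 8.1 applies.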

Right to Withdraw Consent:

Under Law25, users have enhanced rights concerning their data:
 
  • This extends to cookies, where users should have the option to change their cookie preferences or withdraw consent entirely.
  • Mechanisms should be in place to respect these choices in real time, ensuring that once consent is withdrawn, the tracking ceases immediately.

Conclusion

While cookies are a cornerstone of the modern web, offering personalized user experiences and valuable analytics to website operators, the introduction of Law25 in Quebec means businesses must tread carefully. Balancing functionality with privacy is the new challenge, ensuring that the digital footprints users leave behind are both voluntary and as minimal as necessary. This new era of digital cookie consent, ushered into Canada by Law25, emphasizes a user-centric approach, empowering individuals to have a say in their online journey.
