That’s How The Cookie Crumbles

Did the word “cookie” catch your eye? Are you now thinking of chocolate chips, oatmeal raisin, white macadamia nut, or peanut butter? Good, we have your attention. Unfortunately, these are not the type of “cookies” we are talking about today.

The types of cookies that are the subject of today’s blog are those that can be found on your computer. These cookies are actually small data files that most websites store, access, and maintain on the hard drives of their users’ computers. You may have noticed that when you visit certain websites, they ask you to click and “accept” cookies to access elements of the website. Cookies can be “allowed” and “restricted” under your browser settings, but you should know that most browsers automatically accept cookies by default.

These cookies allow the website to recognize the computer or user each time they return to the website. Ever notice that when you put items you want to purchase in an online shopping cart and close the webpage, the items magically remain in the cart when you visit the website again? That is the power of cookies!

Cookies also track your web surfing and shopping habits to better customize your browsing experience. Cookies can also be used to share your information with third parties. Ever spent some time admiring a cute pair of shoes on a retail site that you don’t end up buying, only to find the exact pair of shoes being advertised to you on Instagram the next day? Yep, that’s third-party cookies at work. 

As you can imagine, digital cookies can be very useful for businesses. When setting up your own commercial website, however, you need to understand and use cookies in compliance with Canadian and international privacy laws.

For example, Canada’s Anti-Spam Law (“CASL”) is a federal law that regulates unsolicited emails and the installation of computer programs. CASL prohibits a person or company from installing any kind of computer program on another person’s computer, for commercial purposes, without first getting their “express consent.” You would think this means that all users then need to click and “accept” cookies to access a given site. However, CASL also states that you are considered to have expressly consented to the installation of cookies if your conduct makes it reasonable to assume you consented. So, if you haven’t turned off your cookie setting, you are consenting to the website’s use of cookies by default. 

This seems somewhat straightforward, right? Well, then there is the General Data Protection Regulation (“GDPR”). This European regulation requires businesses to protect the personal data and privacy of web users in the EU. Unlike CASL, the GDPR requires users to actually click and accept cookies before proceeding. If your website will have users from the EU, you need to comply with both CASL and the GDPR.

While the topic of this blog was “cookies” specifically, don’t be fooled, there are a ton of privacy-related considerations when setting up your own website.

If you currently have a business website or plan to set one up, reach out to us so we can make sure you are compliant with applicable laws.

Okay, go get yourself a cookie, we know that’s all you’ve been thinking about since you started reading.

Robin K. Mann, Associate Lawyer