The European Union has issued a Privacy and Communication Directive regarding the collection and use of "cookies" through websites and other applications. Cookies are small files placed on a user's computer when the user visits a website; they are used to remember the user's preferences, automatically log the user in to the website, or direct advertising at the user.

Some countries, such as the United Kingdom, have issued their own laws to implement the EU directive. The U.K. legislation came into effect this summer, and has prompted changes in how websites in the U.K. interact with their users.

The rules

Interestingly, despite the fact that the legislation is based on protection of personal information and privacy, it applies even when a cookie is not being used to collect any personally identifiable information. The rules apply to all cookies, and are intended to prevent information from being stored on users' computers without their informed consent.

As is the case with privacy consents in general, the preferred approach for cookies is to obtain explicit consent. This can be achieved, for example, by providing a notice to the user explaining what cookies are, how they will be used, what they will do, and asking the user to click "I agree."

Explicit consent is the best legal way to ensure that the user has really consented to the issuance and acceptance of cookies. However, it is onerous and irritating, especially if it is done each time the user visits the website. That's why implied consent is also acceptable, at least in the U.K.

Implied consent involves providing information to the user and looking for some action by the user which indicates that the user has consented. For example, a website may post a clear and unavoidable notice when the user first visits the site, advising the user that cookies will be used, and explaining what cookies are. If the user clicks on any other pages within the site after the notice has been displayed, the user may be deemed to have given implied consent to receiving the cookies described in the notice. The requirements and wording of the notice may vary depending on the audience, such as how tech-savvy it is.

Failing to comply with the rules may result in a number of actions. In the U.K., those actions range from an information notice and request to comply (on the low end), to a monetary penalty of up to £500,000 (on the high end).

Canadian companies

The U.K. law applies to all companies in the U.K., even if their websites are hosted elsewhere. Likewise, the U.K. Information Commissioner's Office has taken the position that Canadian and other foreign companies should comply with the legislation if their websites are designed for the European market, or if they provide products or services to European customers. Practically, it may be difficult for EU authorities to enforce this law against Canadian companies that have no assets in the EU; however, there are good domestic reasons for Canadian companies to comply with the legislation as well.

Canadian Law

In particular, Canada's anti-spam legislation, which has been passed but not yet implemented, contains similar rules regarding cookies in Canada. The starting point in Canada is that express consent is required to install a computer program on anyone's computer system. 

Obtaining consent requires: (a) clearly and simply explaining the purposes for which the consent is being sought; (b) describing the function and purpose of the program and providing all other prescribed information; and (c) obtaining the user's consent. The legislation permits implied consent for cookies if the user's conduct is such that it is reasonable to believe that they have consented to the installation of the cookies.

Compliance steps

The steps to ensure compliance with cookies legislation are similar to the steps to comply with Canadian privacy law in general.

First, website operators should determine how and why they currently use cookies. Next, website operators should consider adjusting or ceasing the use of some cookies if they are unnecessary, or if they are overly intrusive and may upset users once disclosed. The next step is to draft a cookies notice and implement a form of consent, whether explicit or implied. The final step is to implement a system that allows users to withdraw their consent in the future, and to provide users with information about that system.

Canadian companies should implement these steps now, both to comply with domestic and international legislation, and also to conform to what are soon to become the industry standards for cookie usage online. 

Originally published in The Lawyers Weekly, September 28 2012.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.