The commercial utility of cookies, and other online tracking devices that store information about a user between Internet browsing sessions, has helped make them a nearly ubiquitous feature of websites worldwide. But while the use of cookies may be common across borders, their regulation is not. Businesses should be aware that Canada and the European Union have developed starkly different rules governing the use of cookies.

In Canada, the regulation of online tracking devices like cookies is based on a relatively relaxed “opt-out” framework. Canada's new anti-spam law (CASL), not yet in force, expressly allows cookies to be installed on a user's computer provided the user's behaviour suggests he or she would consent to the installation.  And CASL takes precedence where there is a conflict with federal privacy legislation.

This laissez-faire approach is in sharp contrast with the European Union's E-Privacy Directive, which came into force last year. This directive mandates an “opt-in” scheme for cookies so strict that many commentators have noted the considerable practical difficulties that are associated with full compliance. Under the European Directive, businesses must provide a full and transparent explanation of the type and function of cookies employed by the website and obtain a user's explicit consent before installing a cookie—a far cry from what is required of businesses in Canada.

Regulation beyond borders

Although not as rigorously regulated as their European counterparts, it is important for Canadian businesses to consider best practices when using cookies, particularly when these cookies are being used as part of a comprehensive online behaviour-tracking strategy. Recent comments by the federal privacy commissioner emphasized that businesses hoping to operate under the “opt-out” model need to make users aware of the tracking devices that may be employed by a website before a user's personal information is collected, and give users the option to opt out of the tracking.

The growing popularity of cookies and other online tracking devices has led to greater scrutiny of their use by regulatory bodies, including the Office of the Privacy Commissioner. As of yet, however, Canada has made no move to implement the stringent regulation seen in Europe.

This does not mean, however, that Canadian businesses whose online strategies reach into Europe can simply ignore the new European Directive. The draft regulations suggest that Canadian businesses, to the extent they process and use data about individuals in the European Union, through websites that offer goods and services to European viewers or use cookies to monitor European viewer behaviour, will need to comply with the more stringent directive.