In Canada, the regulation of online tracking devices like cookies is based on a relatively relaxed “opt-out” framework. Canada's new anti-spam law (CASL), not yet in force, expressly allows cookies to be installed on a user's computer provided the user's behaviour suggests he or she would consent to the installation. And CASL takes precedence where there is a conflict with federal privacy legislation.
This laissez-faire approach is in sharp contrast with the European Union's E-Privacy Directive, which came into force last year. This directive mandates an “opt-in” scheme for cookies so strict that many commentators have noted the considerable practical difficulties that are associated with full compliance. Under the European Directive, businesses must provide a full and transparent explanation of the type and function of cookies employed by the website and obtain a user's explicit consent before installing a cookie—a far cry from what is required of businesses in Canada.
Regulation beyond borders
Although not as rigorously regulated as their European counterparts, it is important for Canadian businesses to consider best practices when using cookies, particularly when these cookies are being used as part of a comprehensive online behaviour-tracking strategy. Recent comments by the federal privacy commissioner emphasized that businesses hoping to operate under the “opt-out” model need to make users aware of the tracking devices that may be employed by a website before a user's personal information is collected, and give users the option to opt out of the tracking.
The growing popularity of cookies and other online tracking devices has led to greater scrutiny of their use by regulatory bodies, including the Office of the Privacy Commissioner. As of yet, however, Canada has made no move to implement the stringent regulation seen in Europe.