PIPEDA / CPPA and Cookie Consent

In our last post we looked at PIPEDA and CPPA from a general point of view. Now let’s take a deeper look at what is required of websites regarding cookies, privacy notices and similar topics.

Cookie Consent in PIPEDA

Consent to the collection of personal data in PIPEDA

Information on the collection, use and disclosure of personal data must be provided in complete form. To make cookie consent under PIPEDA easier to understand, a few elements deserve emphasis.

The Personal Information Protection and Electronic Documents Act requires that consumers quickly understand the nature and purpose of what they are consenting to when they give cookie consent under PIPEDA. For consent to be valid and meaningful, organizations must present their privacy rules and regulations in a comprehensive and understandable form, which in turn means that form must be easily accessible to individuals.

Unfortunately, in practice important information about privacy policies is often buried in terms and conditions. Those with little time or energy to review privacy information derive no practical benefit from such information overload. To obtain meaningful consent, organizations need to let website visitors quickly and directly review the key elements of the privacy terms. This matters, for example, when use of the service or product requires purchasing or downloading an app.

Consumers and customers expect that their personal data will not be passed on to another organization without their knowledge and consent, and cookie consent under PIPEDA must reflect this. Disclosure to third parties must therefore be clearly indicated, with particular attention to third parties who may use the information for their own purposes rather than simply providing a service.

For what purposes is personal information collected, used or disclosed? Customers and consumers must be informed of every purpose for which information is collected and used, so that they can understand what they are being asked to consent to. Each purpose should be described in simple language; vague phrases such as “service optimization” should be avoided. Data essential to delivering the service should be distinguished from data that is not, and all available options should be explained clearly.

Risks of data misuse and data loss

Damages and consequences

When a business or organization works through the potential losses that could result from collecting, using or disclosing personal information, the Personal Information Protection and Electronic Documents Act requires that this risk be responsibly minimized. In some cases proactive mitigation can significantly reduce the risk; in others the risk will remain almost unchanged.

The consumer must always be informed of significant residual risks that carry significant losses. For purposes of the Personal Information Protection and Electronic Documents Act, a significant risk is one with more than a minimal likelihood of occurring. Significant harm includes physical harm, humiliation, damage to reputation, loss of employment, business or professional opportunities, and financial loss.

Identity theft and a negative impact on credit ratings are also among these risks. The risk of harm should therefore be defined broadly: in addition to harm that occurs directly, it is reasonable to include foreseeable harm caused by malicious actors or other parties.

Provide clear opportunities for individuals to say “yes” or “no.”

Before using a product or service, consumers must be given a choice. That choice should be clearly explained and easily accessible. Whether a given choice is best handled as “opt-in” or “opt-out” depends on the factors discussed above for cookie consent under PIPEDA.

Be innovative and creative

Organizations should design and implement innovative consent processes for cookie consent under PIPEDA that work just-in-time, are context-specific, and fit the type of interface being used.

Cookie Consent in PIPEDA

Informed consent, including cookie consent under PIPEDA, is an ongoing process that changes as circumstances change: organizations should not rely on a static point in time, but should treat consent as a dynamic and interactive process.

Changes in data privacy regulation

If an organization plans to make significant changes to its privacy rules and regulations under PIPEDA (often called the GDPR for Canada), it must notify users and obtain their consent before the changes take effect. Substantive changes include using personal data for a purpose that was not originally agreed upon, or disclosing personal data to a third party for a purpose other than the one necessary to provide the service.

Privacy Reminders

Organizations should consider regularly reminding individuals of their privacy options under PIPEDA (the GDPR for Canada) and asking them to review them. Finally, as a best practice, organizations should regularly review their information management rules and regulations to ensure that personal data continues to be processed as agreed with the individual.

Demonstrate compliance

On request, organizations should be able to demonstrate compliance, and in particular that the consent process they implement is clear and unambiguous from the general perspective of their audience(s), so that the consent obtained is valid and meaningful.

To obtain explicit consent and fulfill their obligations under the Canada Privacy Act, organizations should be able to:

  • Provide privacy information in a complete form, highlighting or drawing attention to four key elements:
      • What personal data will be collected?
      • Who will personal information be shared with?
      • For what purposes will personal data be collected, used or shared?
      • What are the risks of damage and other consequences?
  • Choose an appropriate form of consent (cookie consent under PIPEDA).
  • Obtain explicit consent for information collection, use or disclosure.
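The checklist above, together with the earlier points that consent is dynamic and that substantive policy changes require fresh consent, can be turned into a small piece of browser-side logic. The following is an added example and not code from the original post or from any CMP vendor: it models a consent record with explicit per-purpose choices (nothing pre-ticked), names the third party each purpose shares data with, ties the record to a policy version so that a substantive change forces re-consent, supports withdrawal, and produces a record that can be shown on request. The purpose names, the policy object, the vendor names and the 180-day re-prompt interval are all assumptions made for the example.

```javascript
// Added example (not from the original post): consent state for a cookie notice.
// Purposes, vendor names and the re-prompt interval are constructed assumptions.
const POLICY = {
  version: "2024-01", // bump this on any substantive change (new purpose, new recipient)
  purposes: {
    essential: { required: true,  description: "Session and security cookies needed to deliver the service", thirdParties: [] },
    analytics: { required: false, description: "Usage measurement", thirdParties: ["example-analytics-vendor"] },
    marketing: { required: false, description: "Personalised advertising", thirdParties: ["example-ad-network"] },
  },
};

// Consent is not a one-off: ask again after this long even if nothing changed (assumption).
const REPROMPT_AFTER_MS = 180 * 24 * 60 * 60 * 1000;

// Build a record from the user's explicit choices. A purpose the user did not
// explicitly accept is recorded as refused; required purposes are always true.
function recordConsent(policy, choices, now = Date.now()) {
  const purposes = {};
  for (const [name, def] of Object.entries(policy.purposes)) {
    purposes[name] = def.required ? true : choices[name] === true;
  }
  return { version: policy.version, timestamp: now, purposes };
}

// Re-prompt when there is no record, the policy version changed, a purpose was
// added that the user never saw, or the record is older than the re-prompt interval.
function needsConsent(record, policy, now = Date.now()) {
  if (!record) return true;
  if (record.version !== policy.version) return true;
  for (const name of Object.keys(policy.purposes)) {
    if (!(name in record.purposes)) return true;
  }
  return now - record.timestamp > REPROMPT_AFTER_MS;
}

// Gate for setting a cookie or loading a tag: allowed only for required purposes
// or for a purpose the user explicitly accepted under the current policy.
function isAllowed(record, policy, purpose, now = Date.now()) {
  const def = policy.purposes[purpose];
  if (!def) return false;                 // unknown purpose is never allowed
  if (def.required) return true;
  if (needsConsent(record, policy, now)) return false; // stale or missing consent is not consent
  return record.purposes[purpose] === true;
}

// Withdrawal must be as easy as giving consent: returns a new record with the purpose refused.
function withdraw(record, purpose, now = Date.now()) {
  return { ...record, timestamp: now, purposes: { ...record.purposes, [purpose]: false } };
}

// Plain-language summary for the notice: what is collected, why, and with whom it is shared.
function describe(policy) {
  return Object.entries(policy.purposes).map(([name, def]) => ({
    purpose: name,
    description: def.description,
    required: def.required,
    sharedWith: def.thirdParties,
  }));
}

// Usage: accept analytics only, then check what may be set.
const record = recordConsent(POLICY, { analytics: true });
console.log(describe(POLICY));
console.log("analytics allowed:", isAllowed(record, POLICY, "analytics"));
console.log("marketing allowed:", isAllowed(record, POLICY, "marketing"));
```

The record produced by `recordConsent` is what you would persist (for instance in a first-party cookie or local storage) and what you would show an individual or a regulator who asks what was consented to and when. Because `isAllowed` treats a record tied to an older policy version as no consent at all, bumping `POLICY.version` on a substantive change is enough to stop non-essential cookies until the user has seen the new notice.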

Personal Information Protection and Electronic Documents Act

The legislative ground for PIPEDA came into effect on January 1, 2004. The Personal Information Protection and Electronic Documents Act was enacted to address legitimate consumer privacy concerns and to enable the Canadian business community to compete in the global digital economy. The policy goal of the reform is to build trust in e-commerce. The Act rests on ten principles:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting data collection
  5. Use, process, and retention
  6. Accuracy
  7. Integrity and confidentiality
  8. Transparency
  9. Individual Access
  10. Challenging Compliance

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for commercially active organizations in Canada. It also serves to bring Canada's reporting requirements in line with those of the country's trading partners, notably the EU.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private sector organizations. It sets the ground rules for how companies should process personal information in the course of business transactions.

Private-sector privacy legislation requires companies to create and publish easily accessible privacy policies outlining how personal information about customers is collected, used and shared. Companies with an online presence should therefore publish their privacy policy online as well.

