Note that we are not a law firm. Please view this as informational—not legal advice—and speak to a lawyer before coming to a conclusion.
The proposed Digital Charter Implementation Act (DCIA) in Canada borrows some key elements of the European Union’s General Data Protection Regulation (GDPR).
As such you may wonder if Canadians are soon about to see it everywhere. That “Accept Cookies” banner you see when you happen upon a European or British website.
Moreover if you manage a website, are you going to have to implement the consent request as well?
Within the Exceptions to Requirement for Consent section of the bill’s first reading it states:
Research and development
21 An organization may use an individual’s personal information without their knowledge or consent for the organization’s internal research and development purposes, if the information is de-identified before it is used.https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading#ID0EFBA
If your website is only running an analytics platform that enforces IP address anonymization, this would imply that it is exempt from a consent request. That includes Google Analytics 4 where IP-address anonymization is always enabled.
If you are using Google’s legacy Universal Analytics platform, you will need to specifically implement anonymization or require the consent of the user. See IP Anonymization (or IP masking) in Analytics for technical details.
The vast majority of Canadian corporate websites will likely be able to avoid the dreaded banner—either by upgrading, if necessary, to Google Analytics 4—or by opting-in to IP-anonymization for their Analytics platform.
However if you monetize your website using an ad platform such as Google AdSense, you would not be exempt from the consent requirements:
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
This means that Canadians will likely face the cookie consent banner from most news media publishers. When your organization does have to implement such a banner, please:
- Ensure it’s also compliant with the Accessibility for Ontarians with Disabilities Act (AODA).
- Take into account user exhaustion from the aggregate reading of every other cookie banner. State what data you collect and why in clear and simple language.
- Audit your opt-in/out mechanism to ensure that it actually works for the particular configuration within your website or app.
There’s more to come on this so stay tuned!