March 17, 2022

Canada PIPEDA Cookie Banner

This article helps you determine whether PIPEDA applies to your business, what the PIPEDA-compliant cookie banner requirements are, and more.

The PIPEDA cookie banner requirements are probably the trickiest part of PIPEDA compliance. The Canadian data protection law leaves a lot up to interpretation and the context in which the law is applied.

This article will explain this and help you determine the following:

  • Does PIPEDA apply to your business?
  • Do the data privacy laws of Canadian provinces apply to you?
  • What are the PIPEDA-compliant cookie banner requirements?
  • What happens if you do not comply?
  • How to comply with the PIPEDA cookie banner requirements

Does PIPEDA Apply to Your Business?

PIPEDA applies to your business and its website if:

  • You are based in Canada, or
  • You collect and process the personal data of Canadians, regardless of where you are based.

If you or your users are Canadian, you must comply with PIPEDA. Aside from PIPEDA, you may be required to follow the data privacy laws of individual Canadian provinces.

Do the Data Privacy Laws of Canadian Provinces Apply to Your Business?

If you or your users are located in any of the Canadian provinces (see more on the British Columbia Personal Information Privacy Act, Quebec's Bill 64 and the newly proposed Consumer Privacy Protection Act, CPPA), the data privacy laws of those provinces apply to your business. The territorial principle is the same as that of PIPEDA.

If you have users all over Canada, you may think that complying with all of the laws would be a huge undertaking. However, it is not that difficult.

PIPEDA and the laws of the Canadian provinces were designed to be similar to each other to streamline business compliance. If you comply with one province's law, you are likely to comply with the federal PIPEDA and the other provinces' data protection laws as well. However, make sure you thoroughly review all of the requirements before assuming that you are compliant.

What Are the PIPEDA Cookie Banner Requirements?

A cookie consent banner is required to collect meaningful consent from users for each specific purpose of processing. 

PIPEDA, like many other data protection laws, does not make explicit provisions for cookie banners. It simply lays out data privacy principles that any business can use to request cookie consent from users.

PIPEDA is based on ten principles. They are as follows:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limited Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

It is crucial to incorporate all ten principles in your privacy practices. Still, when it comes to cookie banners, three of them must be considered: identifying purposes, consent, and openness.

Identifying Purposes

The principle of identifying the purpose requires you to determine why you process personal data. You must understand why you collect and process data, and you must explain this to your users.

If you have collected users' data for one purpose and now need it for another, you need to obtain consent again.

Openness

Telling your users why you collect data and what data you collect will make you compliant with the openness principle. You'll incorporate this principle by providing them with an up-to-date privacy policy.

Consent

This is arguably the most important cookie banner principle. The manner in which PIPEDA requires you to collect consent will determine the appearance of your cookie banner.

PIPEDA differs from other data privacy laws by the requirement to obtain meaningful consent. The consent is meaningful if the use of cookies is reasonable in the circumstances. 

This means that you may need to obtain implied consent at times and explicit consent at other times. According to the Privacy Commissioner, in general, you must obtain explicit consent when:

  • You work with sensitive personal information
  • The collection, use, or disclosure is beyond the user's reasonable expectation, or
  • The collection, use, or disclosure of personal information poses a significant risk of harm.

Furthermore, the Privacy Commissioner explains that unless the circumstances allow for implied consent, the obtained consent should be explicit.

What is Required from Your PIPEDA-Compliant Cookie Banner

Your PIPEDA-compliant cookie banner should ensure the following:

  • You obtain explicit consent unless the user would reasonably expect the processing
  • You inform the user of your processing purposes and categories of data processed at the time of collection

You may be wondering which situations require implied consent and which require explicit consent. Nobody knows for certain. We can safely assume that you need consent for data processing for marketing and advertising purposes because public awareness of this type of processing has grown significantly in recent years, and users are not always fond of such cookies.

On the other hand, would the user reasonably expect their data to be processed in order for the website to remember their language preferences? It is up to you to make that decision based on the specific circumstances.

How Do the PIPEDA Cookie Banner Requirements Compare to the GDPR and the CCPA Cookie Banner Requirements?

The PIPEDA requirements fall somewhere between the GDPR and the CCPA. The PIPEDA requirements are stricter than those of the CCPA but less stringent than those of the GDPR.

The CCPA does not require any kind of consent. GDPR requires explicit consent for every non-essential cookie. The PIPEDA's concept of meaningful consent requires explicit consent for marketing and advertising cookies, but businesses can probably rely on implied consent in many other cases.

Consequences for Non-Compliant Cookie Banners?

Penalties are imposed for failure to comply with the cookie banner requirements. The Commissioner may conduct an investigation, summon you to court, and fine you up to CAD 100,000 per violation.

How to Comply with the Canadian PIPEDA Cookie Banner Requirements?

The fastest way to comply with the PIPEDA cookie banner requirements is to integrate a ready-made and compliant cookie banner on your website. Secure Privacy can provide you with one that incorporates PIPEDA requirements.