Understanding Axeptio and Cookie Compliance in Canada

Axeptio is a software suite that offers different functions: “Cookies” for managing cookies or “connection witnesses,” “Subscriptions” for collecting personal information while following the law, and “Terms” for contract versioning. It’s basically a consent management platform for cookies.

Axeptio Cookies is a tool that helps businesses collect and handle user cookie preferences in line with data protection laws.

GDPR is the General Data Protection Regulation of the European Union. In the European Union, it’s like a federal law for the 27 member countries, similar to how we have federal laws in Canada.

In Canada, the main corresponding law is the Personal Information Protection and Electronic Documents Act (PIPEDA) or, in French, Loi sur la protection des renseignements personnels et les documents électroniques (LPRPDE).

Both laws aim to protect people’s personal data.

How are cookies treated in Canada?

Only the Anti-Spam Legislation (CASL) specifically mentions cookies. According to the law, you can’t install or get someone to install a computer program on someone else’s computer system without their express consent for commercial activities. However, if it’s reasonable to believe that they consent to the program’s installation based on their behavior, their consent is considered presumed.

PIPEDA and other data protection laws don’t have explicit provisions for cookie banners. They simply outline privacy principles that companies can use to ask users for cookie consent.

What are the main principles of personal information protection in Canada?

The principles are almost the same as those in the European Union:

1. Accountability of the entity collecting the information.
2. Determining the purposes of collecting information.
3. Consent of individuals to the collection (depending on the situation).
4. Limiting the collection of information.
5. Limiting its use, communication, and retention.
6. Ensuring the accuracy of collected information.
7. Implementing security measures to protect the information.
8. Being transparent about the collection operations.
9. Providing access to personal information for individuals concerned.
10. Allowing individuals to file complaints for non-compliance.

Axeptio helps you respect these rights by configuring actions that inform visitors and/or customers about their rights and how to exercise them.

How do federal and provincial laws on cookies work together in Canada?

If you follow provincial laws, you’re likely complying with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the data protection laws of other provinces too.

A provincial law is considered “essentially similar to PIPEDA” when it adheres to the principles in the federal law.

What are the main principles regarding cookies in Canada?

When it comes to cookie banners, three things are important:

1. Clearly stating the purposes of collecting personal data (referred to as “personal information” in Canada). You need to explain why you’re processing personal information.
2. Obtaining consent from the individual when necessary.
3. Being transparent about the collection of information.

Managing consent is not easy, but the main principle is implicit consent.

When is explicit consent required for cookies?

The rules for cookie deposition are less strict in Canada compared to Europe. In most cases, implicit consent is enough. However, there are situations where you need to justify obtaining explicit consent:

1. When you work with sensitive personal information.
2. When the collection, use, or disclosure goes beyond what the user reasonably expects.
3. When collecting, using, or disclosing personal information poses a significant risk of harm.

The notion of “reasonable expectations” is uncertain because it can be debated in court. It’s always safer to obtain explicit consent or consult your legal team.

Is Axeptio compliant with the Canadian Anti-Spam Legislation (CASL)?

Yes, Axeptio complies with CASL (Canadian Anti-Spam Legislation). According to the law, explicit consent is required to install computer programs on users’ devices, unless it’s reasonable to believe that users consent to the installation.

How does Axeptio help my company comply with CASL?

Axeptio provides a tool to collect explicit consent for using cookies and ensures that consent is obtained appropriately and according to the law. You can set it up in a few minutes using the administration console.

How does Axeptio help my company comply with PIPEDA?

Axeptio helps you comply with PIPEDA by ensuring that you obtain explicit consent before collecting data, providing transparency about data usage, and defining the purposes of data collection. All this information is consolidated in our widget, available in one place.

How does Axeptio manage consent according to PIPEDA?

Axeptio ensures that the obtained consent is valid according to PIPEDA. For marketing and advertising cookies, explicit consent is obtained. For other cookies, implicit consent is considered valid as long as it’s reasonable for individuals to expect their personal data to be collected. The consent is timestamped, and you can justify it to the regulatory authorities if needed.

What is considered valid consent according to PIPEDA?

Valid consent in Canada is defined similarly to the European Union:

1. Manifest: clear, certain, and unmistakable.
2. Free: given without pressure or coercion.
3. Informed: specific and detailed. The company must explain what information will be collected, who it will be shared with, why, how, and what the consequences are. The person giving consent must have enough information to make an informed decision about the extent of consent.
4. Given for specific purposes and for the necessary duration. The duration doesn’t have to be a specific number of days, months, or years. It can be related to a specific event or situation.

For connection witnesses, consent is considered valid if the cookie is placed in a situation where it’s reasonable for the person to expect it.

Explicit consent is generally needed when collecting sensitive information, exceeding user expectations, or posing a significant risk of harm.

The rules for consent are the same as in the European Union.

Here’s an infographic that the Office of the Privacy Commissioner of Canada has made available to the public to help them better understand the rules. Axeptio is fully compliant with every requirement.

How does Axeptio help my company comply with the principles of PIPEDA regarding determining purposes and transparency?

Axeptio allows your company to clearly define the purposes of data collection and provides complete transparency to users about the types of data collected and how they are used.

What happens if my company doesn’t comply with cookie requirements?

The consequences vary depending on the province. If your company doesn’t comply, it may face investigation, legal action, and fines up to CAD 100,000 per violation by the Office of the Privacy Commissioner (OPC), the federal regulatory body.

In Quebec, with Law 25, the Commission d’accès à l’information du Québec (CAI), the supervisory body similar to CNIL in France, can impose fines up to CAD 25 million or 4% of the company’s global revenue.

Other provinces may have their own regulatory authorities.

How does Axeptio manage implicit and explicit consent?

Axeptio offers flexibility to collect implicit and explicit consent based on the situation and configuration you choose. For sensitive data, you can configure Axeptio to collect explicit consent. For other common and predictable uses, implicit consent may be enough.

What’s the deal with “Law 25” in Quebec and its staggered implementation in September 2023 and 2004?

“The ‘Law modernizing legislative provisions on the protection of personal information’ is a regulation specific to Quebec that makes rules regarding the collection of personal information stricter than in the rest of Canada. Some provisions of Law 25 came into effect on September 22, 2022, but there is little or no mention of cookies, which are always indirectly addressed by the texts, and Law 25 is no exception. The law is applied progressively to allow the relevant entities to have time to comply.

New features that bring Quebec legislation closer to that of the European Union are expected, as shown by the Quebec government when it indicates on its website: ‘Article 63.7 of the Access Act introduces the principle of default protection. When a public body collects personal information by offering the public a technological product or service with privacy settings, it must ensure that, by default, these settings provide the highest level of privacy without any intervention from the concerned individual.

In other words, the user should not have to modify the settings to enhance the protection of their personal information. Protection must be optimal as soon as the individual starts using the technological product or service.

This obligation only applies to products and services offered to the public, which excludes those used internally by staff or intended for other public organizations or businesses. Moreover, default protection does not apply to the privacy settings of a connection cookie.’

This echoes the notion of ‘Privacy by default’ applied in Europe.”

Is Axeptio compliant with other international data protection regulations?

Yes, Axeptio not only complies with Canadian PIPEDA but also with all national data protection laws worldwide.

The GDPR is considered the most stringent regulation for personal data protection worldwide. Therefore, adjusting Axeptio’s settings slightly can make it suitable for use in other countries.

What are the benefits of using Axeptio to manage my cookies?

The European Union has had strict regulations since 2018, so we have experience with compliance. Our consent management platform has proven its compliance during audits, giving our clients peace of mind.

Using Axeptio allows you to quickly and efficiently comply with Canadian cookie laws, whether federal or provincial. It’s a ready-to-use solution that ensures compliance with data protection legislation while you focus on your core activities.

Is Axeptio compliant with Quebec’s Private Sector Privacy Act?

Yes, Axeptio fully complies with the protection of personal information in the private sector. The platform allows you to provide information to visitors and customers, ensuring transparent use of collected personal information with their consent.