What Is Cookie Consent & Does Your Website Need It?


You have likely seen a lot of pop-up banners while entering websites that ask whether you accept or deny cookies. This, in tandem with Quebec’s Law 25 and Canada’s PIPEDA, might have you wondering what cookie consent is and if you need to add a cookie banner to your website. The short answer is yes, you definitely should.

If you have website users residing in Quebec, Canada, you are required by law to obtain their express consent before tracking and recording their personal information. Whether Law 25 directly applies to your organization or not, it is considered best practice to disclose how you collect and use your users’ personal information.

Building trust with your audience is incredibly important as 63% of internet users believe most users aren’t transparent with how their data is used. By having clear communication on how you store, use and share users’ data, you can provide your users with the peace of mind that their data is being processed lawfully and fairly.

What Is Cookie Consent?
Quebec’s Law 25 and Cookie Consent
PIPEDA and Cookie Consent
What Do I Need To Know About Cookie Consent?
How Do I Integrate a Consent Management Platform?

Cookie consent is given by your users through a cookie banner where they can accept or deny how your website tracks, shares, and processes their data. Cookies are small text files that assist in the data collection of your users through their online activities.

There are various types of cookies including:

  • Strictly necessary cookies: these cookies, regardless of consent, are always applied as they are essential to access certain features of a site or for it to function properly. These can be features like logging into a website or saving customized preferences. These are most likely first-party cookies and are not shared with other parties.
  • Statistics cookies: these cookies are required for web performance but do not collect identifiable information. This can include data collected by third parties such as Google Analytics to analyze statistical data.
  • Marketing cookies: these cookies are used for targeted advertising and are most likely using third-party cookies. They follow users from website to website or even social platforms to display advertising banners.

Law 25 updated the existing Act Respecting the Protection of Personal Information in the Private Sector (what some lawyers call the “Private Sector Act”), which covers the data privacy of Quebec individuals visiting your website, requiring that consent is expressly given before their data is processed and recorded. It also requires that you provide information on the data being collected, how it will be used, and how it will be shared. Most importantly, the consent of these individuals must be given freely and not be coerced.

Who Does Law 25 Apply To?

This law applies to organizations (what the Private Sector Act calls “enterprises”) that are headquartered in Quebec or that have users who live in Quebec. Any interaction between your organization and someone from Quebec requires you to comply with Law 25 and the Private Sector Act.

Read the Private Sector Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) outlines that an organization should obtain an individual’s consent when they collect, use or disclose a user’s personal information. PIPEDA is less stringent compared to Law 25 as implied consent is allowed in some situations where consent can be assumed such as adding items to your cart or finalizing a purchase.

Who Does PIPEDA Apply To?

PIPEDA applies to all private-sector organizations within Canada that are engaged in commercial activities. Although provincial laws might differ across provinces and territories, PIPEDA will also generally apply, though the situation is a bit complicated. As a general rule, organizations in Quebec must comply with Law 25 and PIPEDA where applicable.

Read more on Canada’s PIPEDA.

There are several requirements to provide users with cookie consent and ensure your website respects their data and privacy, including:

Include a Privacy Policy

Your privacy policy is a document or web page that outlines how you collect, use, and share your users’ personal information. It covers the treatment of personally identifiable information, i.e. any information that identifies an individual or can be used in conjunction with other information to identify an individual. It should cover your organization’s treatment of any personal information that you may share with business partners or other third parties.

Include a Cookie Policy

Your cookie policy is a document or web page that outlines all the tracking technology such as tags, pixels, and web beacons on your website and how they are used. It should outline all the different types of cookies used.

Integrate a Cookie Consent Banner

A cookie consent banner is a pop-up that appears when a user first enters your site and prompts them to accept or deny the use of cookies. To comply with Quebec’s Law 25, it is important to create a banner that follows an opt-in approach, meaning that no non-essential cookies are used unless your website user gives their express permission. This is different from PIPEDA, which allows data collection practices that follow an opt-out approach.

Apply Cookie Auto-blocking

You must add a cookie auto-blocker that blocks non-essential cookies, such as those from Google Analytics and YouTube, until user consent has been obtained.

Have a Consent Log

A consent log is a record of the users that have opted into cookie use. This is collected through a consent management platform where you can retrieve proof and records upon request. Users should also have the ability to request their data in a structured format. Although Quebec’s Law 25 on Right to Data Portability goes into effect on September 22, 2024, it is best to plan ahead and make sure you have this in place beforehand.

The easiest and best way to integrate all the tools above is to use a Consent Management Platform. It will allow you to store and provide documentation of handling each user’s personal information and a variety of other features that can aid the overall management of personal information.

Required Information for Your Consent Management Platform

When choosing a consent management platform, this is the information you should know to choose the tool that best suits your needs:

  • Determine the average monthly traffic of your website.
  • Determine the languages and regions of your users.
  • Scan your website for cookies and identify “unassigned” cookies. 
  • Choose the platform and tier that suits your traffic and website needs.

Steps to Integrating Your Consent Management Platform

Here are some of the steps you will need to take when integrating your CMP:

  • Identify the regions you are targeting with your website.
  • Identify the third-party services and social media platforms used on your website.
  • Customize and embed a cookie consent notice.
    • Buttons can be customized as long as they follow an opt-in approach for non-essential cookies.
    • Each cookie description should include a cookie label, duration of consent, description, and the ability for the user to enable/disable tracking of non-essential cookies.
  • Implement auto-blocking for third-party cookies until user consent is given.
  • Attach your privacy statement and cookie consent policy.
  • Make sure to enable Records of Consent.
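
The auto-blocking and records-of-consent steps above, shown as an added example (not code from this blog or from any particular consent management platform). The cookie registry, function names, user IDs and policy version string are constructed for illustration; a real CMP supplies its own.

```javascript
// Added example: opt-in consent gate plus consent log (all names hypothetical).
const NON_ESSENTIAL = ["statistics", "marketing"];

// Constructed sample registry, one entry per cookie found by a site scan.
const REGISTRY = [
  { label: "session_id", category: "necessary", duration: "session", description: "Keeps the user logged in" },
  { label: "_ga", category: "statistics", duration: "2 years", description: "Analytics visitor ID" },
  { label: "ad_track", category: "marketing", duration: "90 days", description: "Cross-site ad targeting" },
  { label: "mystery", category: null, duration: "unknown", description: "Unassigned by the scan" },
];

// Opt-in default: nothing non-essential is enabled before the user chooses.
function defaultConsent() {
  return { necessary: true, statistics: false, marketing: false };
}

// Normalize banner input: only an explicit `true` counts as consent,
// and strictly necessary cookies cannot be switched off.
function normalizeChoices(choices = {}) {
  const consent = defaultConsent();
  for (const cat of NON_ESSENTIAL) consent[cat] = choices[cat] === true;
  return consent;
}

// Auto-blocking: a cookie may be set only if its category was consented to.
// Unassigned cookies (no known category) never match and stay blocked.
function allowedCookies(registry, consent) {
  return registry.filter((c) => consent[c.category] === true).map((c) => c.label);
}

// Consent log: append one frozen record per decision, with time and policy version.
function recordConsent(log, userId, choices, policyVersion, now = new Date()) {
  const entry = Object.freeze({
    userId,
    policyVersion,
    timestamp: now.toISOString(),
    consent: Object.freeze(normalizeChoices(choices)),
  });
  log.push(entry);
  return entry;
}

// Proof on request: every record for one user, in a structured format (JSON).
function exportRecords(log, userId) {
  return JSON.stringify(log.filter((e) => e.userId === userId), null, 2);
}
```

In a browser, the list returned by `allowedCookies` would decide which third-party scripts are loaded at all, so blocked categories never get the chance to set a cookie.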

The most important thing to remember is that being transparent about how you handle your users’ personal information is key to building trust among your users and crucial if they reside in Quebec.

Please note that this blog is for informational purposes only, and is not in any way to be considered legal advice. If you need help with Law 25 or any other privacy law, we recommend consulting an attorney.