Do Canadian Websites Need an “Accept Cookies” Popup?


I am going to say it: “One of the stupidest things some Canadian so-called web designers do is place an ‘accept cookies notice’ on websites.”

Seriously. It is stupid, it is annoying, and it is not legally required in Canada.

It is especially stupid and annoying on mobile devices, where the dumb notice covers up images or complete blocks of text on the website. And one must actually click the “Accept” button to remove it. And there is absolutely no need for it, and there should not be a need for it in any part of the world, for reasons we’ll get into.

Web designers who create websites aimed at Canadian markets rather than primarily European ones are either trying to appear “sophisticated” or are actually ignorant of Canadian internet regulations regarding cookies. Why else would they do this, when they are unnecessarily adding a layer of total annoyance for end users?

Canadian Internet Regulations & Cookies

In Canada, privacy on the Internet is regulated by Canadian “anti-spam” legislation (CASL). There has been some confusion about the section that came into effect on January 15, 2015, which requires consent from the end-user before a program is installed on the user’s device. This, however, even according to the Government’s own interpretation, does not apply to website cookies, as there is already “implied consent.” The concept of implied and explicit consent appears to be lost on many Canadian web developers (or perhaps they are trying to appear “sophisticated” to their clients while remaining ignorant of the actual law).

The law requiring explicit consent for computer programs is mostly about the installation of executable programs. Cookies are not executable, so one would be hard-pressed to even call them “programs.”

For clarity, let’s see exactly what the Government of Canada’s own interpretation of the law says:

Do I need consent to install certain types of programs like cookies or operating systems?


Yes, if CASL applies, then you need express consent to install computer programs. However, for certain types of programs, you are considered to already have express consent without requesting it. If your program is included in the following list, you do not need to request consent prior to the installation:

    • Cookies
    • HTML
    • Javascript
    • An operating system
    • Any other program that is executable through another program that was already consented to
    • If you are a telecommunications service provider (as defined in CASL; see below for an explanation) and you are installing software to:
        • protect the security of all or part of your network from a current and identifiable threat; or
        • update or upgrade all or part of your network
    • Software installed solely to correct a failure in a computer system (e.g., bug fixes)

Note that you are only considered to have consent for these types of computer programs as long as the person’s conduct indicates that they consent to it. For example, if the person disables Javascript in their browser, you would not be considered to have consent under CASL since their conduct would not indicate that they consent to that type of program. Similarly, if the person disables cookies in their browser, you would not be considered to have consent to install cookies.

~Government Of Canada – CRTC

If that is not enough, we can read the following from the same CRTC webpage:

What’s a cookie?

Cookies are non executable computer programs that cannot carry viruses and install malware. As described above, under CASL, a person is considered to consent to the installation of a cookie if the person’s conduct is such that it is reasonable to believe that they consent.

The idea of “considered to consent” is really important when you examine the technicalities of website browsing, and it is what makes the European and UK regulations so entirely stupid in the first place.

Let’s Look At Web Browsers

Web browsing requires a web browser. There are many types of web browsers, including text-based ones, which very few people use today. A system administrator of a Unix/Linux/BSD variant might fire up a text-based browser from the command line to check if a page exists, or simply because the admin loves the speed of text-based web browsing.

These types of browsers are also especially popular with those who have visual impairments, as text-to-speech software works very well with text-based browsers. Examples of such text-based browsers include “Lynx,” “Links,” and “Elinks,” to name a few. Most of these browsers will prompt you to accept individual cookies as or after the page has loaded.

Most of us use what is called a “graphical browser” – a browser that displays both text and images. Firefox, Chrome, and Opera are all common examples of this. ALL of these browsers have settings, and one of those settings is a choice whether to allow cookies or not. Now, it is not our responsibility to ensure that every single user of internet software, including browsers, understands the software they are using. That’s up to them, but with all the press and media attention that has been given to web cookies over the years, it’s safe to assume the vast majority of Internet users know that there is an option to turn off cookies in their browser.

If the web browser is set to not accept cookies and it were still possible to make or force that user’s browser to accept a cookie, then indeed, explicit consent would be required. But this is silly, because if cookie acceptance is turned off, then no cookies will be set!

Of course, with cookies turned off, many websites simply would not be as enjoyable to browse, and those who browse with cookies turned off run into many inconveniences.

The Stupidity Of Explicitly Asking Visitors To Accept Cookies

We can see that it is up to the user to configure their browser to either accept or not accept cookies. If the user has not turned off this setting, then it ought to be logical to assume that the user (or owner of the device that the browser is on) has implicitly decided to accept cookies. So we can see just how stupid regulators are when they put the onus on website owners and expect them to have the added expenses that are incurred (no matter how small) to have these silly notices and requirements of explicit permission, where the law demands it (Hello United Kingdom – when will you get over your need to regulate everything?).

It is even more absurd and silly to have these notices and requests for explicit permission when the law does not require it. Why on earth make a website unfriendly by requiring visitors to do this when there is no need for it? STOP THAT ALREADY!

Are There Laws & Regulations I & My Web Designer Should Know About?

We’ve discussed above how requiring explicit permission for website cookies in Canada is not a requirement and that it’s just plain silly to ask for it. But, what about other laws that website owners and web developers should know about?

The Law Says You Need A Privacy Policy

Every business and organization is required to have a privacy policy and a way for individuals to inquire about what information the business or organization has stored about them, along with a requirement to delete any information that the individual requests to be deleted. In Canada, the requirements of a privacy policy and related regulations come under PIPEDA – the Personal Information Protection and Electronic Documents Act. You can read more about it here.

Long before PIPEDA even existed, we always thought it was a good idea to have a Privacy Policy on our websites.

Every Web Designer Should Understand Ontario’s Accessibility Regulations

Another set of regulations that we know many of Ontario’s web design businesses have no clue about are the Ontario AODA (Accessibility for Ontarians with Disabilities Act) regulations that apply to websites. The AODA came into effect in 2005 with the goal of making Ontario (both Government and Business) completely “accessible” to those who have a disability by 2025.

We’ll save our thoughts on the merits of regulations for another post (it’s our belief that both individuals and businesses are far, far over-regulated in this country), but for now, we’ll point out that there are some very important aspects of web design that most of the web design companies we speak with have no clue about. That’s not good if you are a large business with more than 50 employees or an organization that accepts public funding, as many of you are already subject to the accessibility regulations. If your web designer is not familiar with the regulations, you’ll probably want to find another one who is. Or you might end up facing penalties that you are totally responsible for because it’s your website.

Many small businesses are not yet subject to all the regulations, but there is an expectation that by the year 2025, all businesses and organizations must comply with accessibility regulations that will include website accessibility.

Actually, many of the regulations are part of good website design in the first place. Regardless of whether or not there are laws and regulations that need to be followed, some of them are important design considerations that a web designer ought to be thinking about anyway: things such as the contrast between font colour and background colour, readability, and the use of image alt text for those who require text-based web browsers and text-to-speech software in order to browse a webpage.

Getting into the details of the AODA and how it might affect your business or organizational website is an article for another day but keep in mind the law has existed since 2005 so there is really no excuse for any web designer to not know about its existence.

We will write a separate post about the requirements but if you want to do your own reading, you can find the official Ontario act here.

In Summary: “My Web Designer Says I Need To Have Explicit Cookies Permission Request On My Site”

Get a new web designer. Not only is it not required in Canada, it is stupid and annoying. It would still be stupid and annoying even if it was required like it is in the UK and Europe, but at least there, web designers have a reason – complying with a stupid law – to do stupid and annoying things to websites.

We have discussed some laws and regulations that you as a business owner, and your website developer, should be aware of with regard to privacy and website design.

Having a stupid, annoying, and ridiculous explicit ‘accept cookies’ request on your website is certainly not required in Canada, and there should be zero confusion about the matter, as the Government of Canada has provided us with its own interpretation of the regulations. Look, why not also ask for permission to have the visitor accept javascript? Or even HTML, for that matter?

So, to summarize, “Just stop doing that!”

14 Comments

  1. Richard Gauder on January 23, 2020 at 11:51 am

    Thanks for this post. As a web development company specializing in accessibility, your comments were bang on.

    • admin on March 14, 2020 at 1:52 pm

      So sorry for the late reply, Richard! Have been very busy here. Thanks so much for your comment, and good to know there are other developers out there who agree that accessibility is important!

  2. Brian Lacouvee on March 11, 2020 at 1:22 am

    Great article, I was looking at Cookie Policy plugins and I came across your website. Great #’s on GTMetrix by the way. Ha! 🙂

    Thanks for the advice.

    If you would like another Google Review, just say the word.

    • admin on March 14, 2020 at 1:47 pm

      Thanks for your comment, Brian. Best advice if your website focusses on Canadian visitors – don’t bother with a Cookie Policy plugin 🙂

      Reach out if you need any other advice or assistance!

  3. Allison Shirlaw on June 29, 2020 at 6:35 pm

    My website is completely aimed at local Canadian visitors, but I have noticed that I have had some traffic from UK IP addresses. Do I need to have the annoying cookies banner just so that I conform to European regulations for when people in the EU accidentally navigate to my site?

    • Ian Scott on July 2, 2020 at 6:46 pm

      Hi Allison, No – you do not need annoying cookies banners or notices on your website. You of course might want to get your own legal opinion on this, but your Canadian website is subject to Canadian laws and Canada has no reciprocal agreements in place, as far as I know at this time, with regard to European privacy and ridiculous internet cookie notifications.

      Now, if you were also doing business in Europe, and had some kind of presence there as a registered business in the European Union, this might change some things, but assuming by what you wrote that they are “accidental” navigation (or even purposeful visits seeking information), you can fully be confident you have no need for cookie notices.

  4. Marie on July 2, 2020 at 6:31 pm

    Hello! Quick question: what about a website that targets Canadian visitors, but still attracts a large number of European visitors? Would the cookie consent banner be relevant for this kind of situation?

    Thanks!

    • Ian Scott on July 2, 2020 at 6:39 pm

      Hi Marie – yes, unfortunately, all European websites are subject to European laws, as crazy as they can be. This also includes complying with other regulations including the ability for any European registered with the site to have all their data removed.

      I am not an expert on European law, although we’ve had to deal with some of its requirements with some clients. Of course, this article specifically related to the stupid cookie notices, and how ridiculous they are, even if required by a law. 🙂

      Part of the answer to your question would probably depend on where your domain is registered, where the site is hosted, and do you ask visitors to register for anything, login as users, or sell goods through your site. Perhaps there are also other considerations that directly relate to European laws I have not thought of at this moment.

  5. Sona on September 28, 2020 at 2:07 pm

    Hi Ian, we have a Shopify website and sell our products in Canada and the US. Do I need to put a cookie consent? (I am not a Web developer, please help)

  6. Bob John on January 14, 2021 at 11:39 am

    I believe you’re wrong. Based on the 2015 policy position by the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/), there needs to be a meaningful consent and opt-out available when you are using tracking technologies for the purposes of OBA, with a specific focus on cookies.

    Some key excerpts of the position:
    “Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;”

    “Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;”
    The last point in particular draws attention to a banner being the best use. How else are you going to push the information required for meaningful consent at or before the collection without a banner? To be clear, the banner doesn’t need to be “opt-in” meaning to say “accept” or “decline” as it does for the GDPR, but it does need to have attention drawn to the fact that you’re consenting to it by being there.

    • Ian Scott on January 30, 2021 at 2:21 pm

      Hi Bob,

      No, we’re not wrong. I bring your attention to this sentence:

      “The following policy position addresses the application of the Personal Information Protection and Electronic Documents Act’s (PIPEDA) to the collection and use of data about individuals’ web activities by means of such technology as cookies, web beacons, supercookies, zombie cookies, device data, for the purposes of online behavioural advertising (OBA) only. OBA is defined as tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests.”

      Our article is directed to business owners who have websites, and their only purpose is to attract new clients and/or provide information. If they are not involved in online behavioural advertising with their website, then there is nothing to disclose. There is no need for any “Accept Cookies” popup or frames on their website. They do not need to irritate their visitors with such things.

      • Mae on March 8, 2021 at 7:31 pm

        Hi Ian,
        This seems like a pretty important distinction, and I’m hoping you can clarify further for me. I’m a website owner, trying to understand if my Canadian website needs to address cookie consent in some way. I have a mix of cookies on my site: some are to make the user experience better, some are for tracking (Google Analytics), and others are for advertising/retargeting (Facebook, Twitter, etc.). I’m guessing many websites are like mine, with a similar mix of cookies.
        Social media cookies probably fit under the OBA category, wouldn’t they? In that case, I would need something on the site to inform users, as Bob mentions?
        Thanks!

  7. john on February 22, 2021 at 5:39 am

    Gosh! All these dumb comments from people who are annoyed by having to respect international privacy requirement…. It’s not about what you can or cannot do in Canada, but it is about visitors from foreign countries. When you operate an e-commerce site and sell goods to countries outside of Canada, you are subject to their privacy laws. People of other countries may take their online privacy a bit more seriously than Canadians do, hence the creation of Europe’s General Data Protection Regulation (GDPR). What’s the big deal of respecting that? You all sound like you are the only ones on this planet 🙂

    • Ian Scott on May 14, 2021 at 9:48 am

      There is no such concept as “international privacy requirement.” And it is not about visitors from foreign countries.

      I will agree that if you are specifically targeting customers or visitors from the European Union, you may want to delve deeper into what might be expected of you. But as a Canadian website owner/maintainer, you are not obliged to follow silly and dumb European laws and regulations.

      If you’re ever visiting Europe, and browsing only European sites, you will see just how stupid it is, to have to click an “I agree” or “no I don’t agree” button on EVERY single website you visit. It’s honestly, really really stupid.
