More often than not, we now see websites popping up with a message saying, “This website uses cookies…” and options to accept, reject or manage them. With regard to privacy and security, cookie consent has become a major cause of concern for business owners and users. This article discusses cookies and cookie laws in Canada and the USA.

Cookies Consent Law In Canada And USA

What Are Cookies & How Do They Work?

Cookies are text files containing small pieces of user data sent to your browser by any website you visit. These work on tracking your activities and preferences, aiming to make the whole experience more fulfilling for both the site and the user. While most cookies are generally safe, some of them may be used to track in-depth data without consent.

Any website that uses cookies to track or collect personal data must comply with all the cookie laws that are relevant in the country or wherever the website is operating. A cookie law compels websites to inform any visitor of the usage of cookies and grant their consent to the same before browsing the site.

What Is A Cookie Law?

What Is A Cookie Law

A cookie law refers to a set of guidelines that websites need to follow while using cookies. These cookies are normally used to track website visitors and their browsing habits, based on which the site seeks to provide a better user experience. However, not all users are open to being tracked on their online activities and preferences, which is a major cause of concern related to the invasion of privacy. This is why specific laws governing the usage of websites and tracking were created.

Cookie laws prevent websites from storing cookies without informing users or receiving their consent. The primary reason for introducing these laws was to protect the privacy of users and also to prevent cookie-collected information from being misused. The GDPR (General Data Protection Regulation), passed by the EU (European Union), is the most strict privacy & security law.

Cookie Law in Canada

Cookie Law In Canada

While Canada’s laws for cookie consent are not as strict as the GDPR, there are certain regulations binding the use of cookies for websites. These regulations guarantee the user’s right to privacy. Canada’s two main privacy laws include PIPEDA and CASL. 


In effect from 2000 and with the latest amendment in 2015, PIPEDA (Personal Information Protection and Electronic Documents Act) is a Canadian law related to data privacy. According to this law, websites are required to obtain consent from users to track, collect and use their data.

With PIPEDA, Canadian users are empowered to manage their personal information, correct it and also challenge the website’s PIPEDA compliance through the Privacy Commissioner. Further, the Canadian federal privacy law regulates the private sector’s collection, usage and disclosure of personal information.

To Whom Does PIPEDA Apply?

Based on the 10 Fair Information Principles, this law applies to any website operating in Canada and across the world that obtains and uses personal information related to Canadian residents for commercial use.

Who Is An Exception For PIPEDA?

PIPEDA does not apply to:

  • Non-Profit & Charity Organizations;
  • An Organization of The Federal Government listed under the Privacy Act;
  • A Provincial or Territorial Government;
  • Political Parties & Associations;
  • Hospitals, Schools, Universities & Municipalities (since these are governed by provincial laws. However, PIPEDA may apply under certain conditions)

Businesses that are subject to the provincial privacy laws of Alberta, Quebec and British Columbia may also be an exception to PIPEDA.


Canada’s Anti-Spam Legislation (CASL) deals with spam and other electronic risks & threats. It aims to protect the privacy of Canadian users while allowing businesses to compete globally. This federal law prohibits the installation of any computer program and software on another user’s device for commercial purposes without the device owner’s express consent.

CASL also prohibits websites from automatically installing or updating an installed software on a user’s computer without their consent. However, in cases where program owners and businesses are already considered to have the user’s consent without requesting it, additional requirements are to be met based on the program.

CASL applies to any business that:

  • Sends or helps send a CEM (Commercial Electronic Message) to any Canadian user;
  • Sends a CEM from Canada; or if their CEM is accessed from a device in Canada.

Regarding CASL exceptions, this federal law does not apply to apps and programs downloaded, installed or updated on their devices by the users themselves.

Based on PIPEDA and CASL, it is given that websites must provide clear and precise information on cookies before collecting them. There must also be a provision for users to withdraw their consent to cookies.

Cookie Law in The USA

Cookie Law In The USA

COPPA (Children’s Online Privacy Protection Act) is a federal law in the USA regulating the use of cookies. This law places strict restrictions on website activities and online services collecting personal data from children below 13 years old. COPPA requires websites to obtain verifiable parental consent before collecting personal data from children under 13. 

Besides this, there are no other federal laws as such governing the use of cookies in the US and essentially, there is no cookie consent required. However, there are state-level laws like the CCPA (California Consumer Privacy Act) and the Virginia CDPA (Consumer Data Protection Act) that consider cookies as personal data.


California Consumer Privacy Act is a data protection law regulating the use of Californian residents’ personal information (PI) by global businesses. This state-wide regulation applies to any for-profit business, irrespective of its global location, that obtains and processes PI of California residents.

CCPA empowers California residents with the right to opt out of their cookie consent and to request disclosure or deletion of previously collected data. It also affirms that businesses covered by the act must provide users with a “Do Not Sell My Personal Information” option via which they can disallow their data sales to third parties.

Virginia CDPA

With Virginia’s CDPA, users are empowered with the right to know, access, correct and delete their personal information collected by websites using cookies. Virginia residents can also opt out of third-party data sales.

While cookies are an important part of the online experience, users’ personal data must be collected with proper consent and used for the right purposes. With the introduction of data privacy laws, it is vital for businesses to maintain their cookie policy and legal pages with regular updates, to remain compliant.

Give Us a Heart
WordPress Development