Out-Law News 2 min. read
18 Jun 2003, 12:00 am
Canada's Privacy Commissioner issued the findings in April this year, following a complaint against the unnamed airline.
A cookie is a small text file that a web site puts on a visitor's hard disk, usually so that site can remember something about the visitor at a later time.
Most internet browsers by default allow sites to install cookies on a visitor's hard drive. The user can instead set his or her browser to disable cookies or to give an option to accept or reject a cookie every time a site offers one.
The airline's web site used both permanent and temporary cookies. The site was approached by means of a "splash page", which allows the user to indicate which language, or country he wishes the site to cover. A permanent cookie on this page stored the information, and automatically transferred returning visitors to the correct page.
The complainant however had disabled his browser for permanent cookies, and the airline's web site would not let him proceed beyond the splash page.
According to the case summary, the airline said that this was caused by an "application glitch" and took steps to ensure that visitors with disabled permanent cookies could use the site. But glitch or not, the Commissioner found that access was still denied to the complainant. The airline was therefore in violation of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
The relevant Principle in PIPEDA states that:
"An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes."
The Commissioner's view was that, because the information was collected to allow a user merely to access the site, the airline was in breach of the Act.
With regard to the second complaint, the airline accepted that its web site privacy policy did not include information about the use of cookies. Nor was this information to be found elsewhere on the site.
The airline confirmed that it was now creating a policy to cover the use of cookies, which would be available shortly. This reflects the position in a new European law.
Under a Directive on privacy in electronic communications, which is due to be implemented across the EU this year, information must be given by web sites about the use of cookies. Fortunately for web site operators, the Directive does not require that this information is given prior to sending a cookie to a user's computer.
But Canada appears to go further.
In terms of PIPEDA:
"The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate."
According to the Commissioner, the airline failed to meet this requirement - i.e. consent is required before sending a cookie. He was satisfied that the information stored by the temporary and permanent cookies qualified as personal information for the purposes of the Act.
The Commissioner, who acts as an ombudsman under PIPEDA and the Canadian Privacy Act, has no power to make orders or enforce penalties. The Commissioner did say, however, that he was pleased that the airline was now developing an appropriate policy.