Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2003-162
Customer complains about airline's use of "cookies" on its Web site
[Principles 4.3 and 4.3.3]
An individual made two allegations against an airline company: (1) that it denied him access to its Web site because his browser was configured to disable "cookies"; and (2) that the company collects the personal information of its Web site visitors without their knowledge and consent by placing a cookie on their computers' hard drives.
Summary of Investigation
Cookies are small text files that can collect and store a variety of information. Permanent cookies are stored indefinitely on a user's hard drive unless manually deleted, while temporary cookies are automatically deleted from the user's browser upon logging out of a Web site. Web browsers typically allow users to disable permanent and/or temporary cookies.
The airline uses both permanent and temporary cookies on its Web site. The permanent cookies are used to collect the user's language and country of choice, so that every time a customer visits the site he or she is greeted in his or her preferred language and sees the version (either Canadian or U.S.) of the site previously selected. The temporary cookie allows the customer to switch between secure and non-secure pages without signing in each time. The information stored is taken from fields in the customer's profile, which is created when the customer signs in, and includes the customer's name, mileage balance, residing country code, and language preference. The information is deleted when the customer logs off.
When a customer first enters the site, the initial page that appears is a "splash page," which asks for the language of choice and country. Once the customer chooses, he or she is directed to the appropriate home page. In this instance, the complainant, who had disabled permanent cookies, was unable to proceed to the home page because the Web site was coded in such a way that it would not allow him to proceed until the cookie had been stored. The company acknowledged that this was caused by an "application glitch" and took steps to ensure that visitors with disabled permanent cookies could use the site.
Issued April 16, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because an airline is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.3 establishes that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
The Commissioner was satisfied that the information stored by the temporary and permanent cookies qualified as personal information for the purposes of the Act.
On the first count of the complaint, the Commissioner noted that although the company did not intentionally deny access to its Web site to individuals who refused to consent to the collection of their personal information by disabling permanent cookies, and although it had taken steps to rectify the problem, it nonetheless denied the complainant access and was therefore in contravention of Principle 4.3.3.
The Commissioner found that the first count of the complaint was well-founded and resolved.
The Commissioner found that the second count of the complaint was well-founded.
The Commissioner was pleased that the company was planning on publishing a comprehensive policy on its Web site regarding cookies.