Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2003-162

Customer complains about airline's use of "cookies" on its Web site

[Principles 4.3 and 4.3.3]

Complaint

An individual made two allegations against an airline company: (1) that it denied him access to its Web site because his browser was configured to disable "cookies"; and (2) that the company collects the personal information of its Web site visitors without their knowledge and consent by placing a cookie on their computers' hard drives.

Summary of Investigation

Cookies are small text files that can collect and store a variety of information. Permanent cookies are stored indefinitely on a user's hard drive unless manually deleted, while temporary cookies are automatically deleted from the user's browser upon logging out of a Web site. Web browsers typically allow users to disable permanent and/or temporary cookies.

The airline uses both permanent and temporary cookies on its Web site. The permanent cookies are used to collect the user's language and country of choice, so that every time a customer visits the site he or she is greeted in his or her preferred language and sees the version (either Canadian or U.S.) of the site previously selected. The temporary cookie allows the customer to switch between secure and non-secure pages without signing in each time. The information stored is taken from fields in the customer's profile, which is created when the customer signs in, and includes the customer's name, mileage balance, residing country code, and language preference. The information is deleted when the customer logs off.

When a customer first enters the site, the initial page that appears is a "splash page," which asks for the language of choice and country. Once the customer chooses, he or she is directed to the appropriate home page. In this instance, the complainant, who had disabled permanent cookies, was unable to proceed to the home page because the Web site was coded in such a way that it would not allow him to proceed until the cookie had been stored. The company acknowledged that this was caused by an "application glitch" and took steps to ensure that visitors with disabled permanent cookies could use the site.

As for the second allegation, the company admitted that it did not include information about the cookies it uses in its privacy policy or on its Web site. The company, however, indicated that it was in the process of creating a comprehensive policy on its use of cookies and that it would be publishing it in the near future.

Commissioner's Findings

Issued April 16, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because an airline is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.3 establishes that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

The Commissioner was satisfied that the information stored by the temporary and permanent cookies qualified as personal information for the purposes of the Act.

On the first count of the complaint, the Commissioner noted that although the company did not intentionally deny access to its Web site to individuals who refused to consent to the collection of their personal information by disabling permanent cookies, and although it had taken steps to rectify the problem, it nonetheless denied the complainant access and was therefore in contravention of Principle 4.3.3.

The Commissioner found that the first count of the complaint was well-founded and resolved.

On the second count, the Commissioner found that the company had failed to meet the requirement for knowledge and consent regarding its use of cookies on its Web site, and thus had contravened Principle 4.3.

The Commissioner found that the second count of the complaint was well-founded.

Further Considerations

The Commissioner was pleased that the company was planning on publishing a comprehensive policy on its Web site regarding cookies.