Your website needs a Cookies Policy if you use cookies to collect personal data from visitors and your visitors are located within the EU (even if you aren't). Cookies are small text files that act as a short-term memory for the web. A site can easily remember bits of information between visits or pages as the cookies are stored in the user's browser.
Cookies are mainly used to:
While cookies are meant to enhance a user's web experience, sometimes cookies collect information across different sites. The data collected is then used to create behavioral profiles which are used to determine what adverts or content the user views.
A Cookies Policy is a detailed guideline that tells a user how cookies are used, the different types of cookies your website uses, and how the user can prevent or control cookies placed on their browser.
If you run your business within the EU or direct it towards people in the EU, you need to have a separate Cookies Policy even though a Privacy Policy includes a section that covers Cookies.
The Cookie Law began as an EU directive and was made law in 2011. The law was designed to inform users of how data about them is gathered and utilized online. The directive also gives users the right to decline the use of cookies that interfere with their privacy while online. This law was designed to protect online privacy.
If you have a website, you need to ensure that it complies with this directive. This could mean making some changes.
Failure to comply with the Cookie Law could risk enforcement action from the regulators. You could also be fined. The Information Commissioner's Office provides a detailed brief on what you need to do to comply with the Cookie Law and how these rules affect applications.
As a website owner, you need to comply with the EU Cookies Law if you run any EU business. This means that you need to have a Cookie Policy if your website is based in the EU or targets an EU audience.
Your visitors need to know that your site uses cookies and which type of cookies are in use. Also, you need to provide the users with a chance to limit placement of these cookies on their devices.
A Cookies Policy provides comprehensive information about your use of cookies to your visitors. Although banner and pop-up boxes notify your users that cookies are in place, having a Cookies Policy gives further information to the users.
If you run a US-based business and you mostly target businesses located in the United States, you don't need to comply with the EU Cookies Law. However, if you have a US-based company and your main target is the European Union countries, then you must comply with the EU Cookies Law.
In the US, cookies are not separated from privacy laws like in the EU. The Federal Trade Commission implements data and privacy security laws and regulations in the US. You're likely to see a general privacy policy with most US-based businesses that highlights cookies as a section.
All EU-based websites have a Cookies Policy and a separate Privacy Policy.
A great example of a website that has a separate Cookie and Privacy Policy is LinkedIn.
You'll notice that LinkedIn's Cookie Policy is separate from their Privacy Policy.
Your Cookie Policy should have simple information. A compliant policy should inform your users of:
The policy needs to use basic, easy-to-understand language so the user can follow the information being conveyed.
Below is an example of Unilever's Cookie Notice. Even though it's called a "Notice" and not a "Policy", it functions in the same way as a Policy. Note how short and straightforward the Policy is, and how the site defines cookies and provides useful links at the bottom.
Unilever defines what cookies are, why they are used, the type of cookies used, and how users can control or delete cookies.
You need to let your visitors know that cookies are in use and that there is a Cookie Policy in place that they can easily access.
Different sites use a variety of ways to inform users of cookies and their Cookie Policies. Some of the efficient, yet convenient methods for issuing this notification include:
Banner pop-ups appear at the top of the website and are hard to miss. You can use these notifications to alert a user that your site uses cookies, link to your Cookie Policy, and ask for a user's consent with clear language and some sort of clickable button or box.
The Food Network website features a prominent banner pop-up notification that lets the users know that cookies are used. Note how they provide a link to their Cookies Policy and ask for users to click an Accept button to allow cookies to be used.
Intrum uses a pop-up message as a banner. While a user can continue accessing the site and viewing their different products, the pop-up does not disappear from the top of the website until the user accepts cookies.
The Hemming Group has a very short and simple pop-up message. It says that the site uses cookies, tells the user what to do to accept this, and links to the Cookie Policy.
Vodafone informs site visitors that cookies are used by both Vodafone and its partners. A way to accept cookies is provided as well as a way to manage cookies to adjust and customize which ones are allowed.
General pop-up messages appear anywhere on your site. The messages need to be visible and clear. You also need to let the user know why the message appears and what your intentions are.
You can also provide a link to your Cookies Policy in the pop-up box message. This allows users to learn more about cookies and ways to control them in the cookies settings.
BT has its cookie notification front and center on its site. The pop-up comes up when you're browsing and it's meant to notify you of its Cookie Policy. It's impossible to miss as the rest of the website is greyed out until the visitor clicks something in the notice.
Zara displays its Cookies Notice at the bottom left part of the screen to notify users of their use of cookies. It doesn't link users to a Cookie or Privacy Policy, though, and from this page, no policies are accessible.
This isn't a very good method because it makes your site visitors make a decision about cookies without being informed enough to do so.
Footer pop-up messages appear at the bottom of the site. This notification can have a link to your Cookies Policy as well as a link to continue or accept for the visitor to give their consent.
eBay UK's cookies notice appears at the bottom of the website. It scrolls with visitors so it's always present at the bottom until Accept is clicked. This makes it hard to miss.
John Lewis places its Cookies Notice at the bottom of its site as well. Visitors are told they can manage the use of cookies via browser settings, and the Cookie Policy is linked.
Premier League provides a brightly colored Cookie Notice in the website's footer. A Find Out More button links to its Cookie Policy, and the Accept button is very clearly labeled with text saying "I accept cookies from this site." This is a great Cookie Notice.
Sainsbury's has a footer Cookie Notice that stays in place until the user clicks Accept and close. The Find out more link goes to its Cookie Policy so users can make informed decisions before accepting cookies here.
By having a Cookie Policy and linking it to your Cookie Notification that you display on your website, you'll be complying with the Cookie Law.
Other privacy laws (like the GDPR) require you to get consent before using cookies and disclose your use in a Privacy Policy rather than a Cookie Policy. However, if you plan on doing international business, we highly recommend that you: