Sample Cookies Policy

Do you remember a time when the web was just a fun place to hang out and list your products or services? Well, those days are long gone.

Now, as a website owner, you need to inform your users about how they are being tracked and how their data is being collected. You're likely to come across websites that alert you to their use of cookies with either a banner ad or a pop-up notification.

Let's look at what cookies are, what the law says about the use of cookies, and what you need to do to comply with the EU Cookie Law.

What is a Cookie?

A cookie is a tiny text file that gets stored on a laptop or PC. Cookies are used for various reasons. Some uses of cookies include:

  • Keeping track of which sites users have visited and providing them with targeted advertising.
  • Assisting a person shopping online with their shopping cart.
  • Collecting visitor traffic so you as a site owner can tell where your visitors are coming from.
  • Recalling a user's choice for a specific website.

The European Union was concerned about targeted advertising and about providing information on where web traffic is coming from. This is the reason the law required site owners to inform their users of why they use cookies.

What Does The Cookie Law Say?

The Cookie Law started as a European Union directive in May 2011. This was an update to the Privacy and Electronic Communications Regulations in the UK.

The law states that website owners need to let the users know they use cookies to retrieve their information. Also, they need to give their visitors a chance to refuse the use of cookies that may interfere with their online privacy.

A good example of a website that complies with the Cookie Law is the BBC, which provides a banner notification and also links to its detailed cookies page, giving further information on what cookies are, how they are used, and ways to disable them.

BBC Cookies Notice

You also need a separate Cookies Policy if you operate in the EU.

Cookies and the GDPR

GDPR stands for the General Data Protection Regulation, which comes from the EU.

This law became enforceable in May 2018. It's meant to enable people to take control of their personal data.

You'll need to act in accordance with these new rules if you collect data on citizens in the EU, and most cookie data falls within its scope as protected data.

Under the GDPR, you need to use the clickwrap method to obtain a user's consent to place cookies. This means you need your user to actively click something to show they consent. You can't just assume "by browsing this site you agree to cookies" anymore.

MoPub has a banner notification that alerts its visitors to how the site uses cookies. It asks users to either accept or decline, which lets users opt out if they wish.

MoPub website Cookie Notice with accept and decline options

The GDPR doesn't require a separate Cookies Policy.

US Websites and Cookies Laws

As a US website owner, you may be wondering whether or not to obey the Cookie Law or the GDPR. A case in which Belgium had attempted to fine Facebook was overturned on the grounds that Belgium doesn't have authority to regulate the platform.

Belgium had argued that Facebook, despite serving people across the world, uses cookies to trace anyone that visits its site.

The court argued that Belgium lacked authority to regulate the social platform, as its operations in the EU are based in Ireland. This meant that the directive must occur in each state.

Based on the above ruling, this could mean two things.

  • If you have a site with its servers in the United States, you may be exempted from the EU Cookie Law.
  • If you have a site with its servers in the European Union, you may need to act in accordance with the laws governing that particular state.

But the directive signed between the European Union and the United States, referred to as the Privacy Shield, could affect this interpretation. The agreement creates compliance obligations for companies operating across the Atlantic.

While you may be exempted from fines if you don't have servers in the EU, a person in the European Union may file an objection under the Privacy Shield agreements.

The GDPR applies regardless of whether you have a physical presence in the EU. All you need to do to fall under its scope is to collect personal data from anyone in the EU, regardless of where you're located.

What Should Your Cookies Policy Contain?

A comprehensive Cookies Policy should inform users of:

  • What cookies are and why they are in use
  • The type of cookies that are in use
  • How the cookies are being used and for what purpose
  • Ways through which the user can disable these cookies on their devices

Examples of Cookies Policies

Nestle has a detailed Cookies Policy that goes on to explain what cookies are, the cookies used, and how the user can change their settings to disable the cookies.

This is essential as it helps the users know which cookies to allow or disallow.

Here's just an excerpt from the Policy:

Nestle Cookies Policy: Excerpt of intro clauses

LinkedIn lets its users know that it does use cookies and goes on to define cookies for the reader:

LinkedIn Cookies Policy: Excerpt of Intro clauses

A chart is included that breaks down exactly what cookies are used for:

LinkedIn Cookies Policy: Excerpt of what cookies are used for chart

Complying with the Law

Here are some tips on what your website can do to stay compliant. Remember that you don't need to do anything if your site doesn't use cookies.

Here are a few ways to comply:

  • Use a banner or pop-up message to let users know that cookies are used and that they can disable them
  • Obtain clickwrap consent to place cookies
  • Have a Cookies Policy in place and accessible if you fall under the Cookie Law
  • Have a Privacy Policy that discloses your use of cookies if you aren't required to have a separate Cookie Policy
