Google Analytics is the most widely used web analytics service on the internet.
This free service from Google lets you see detailed statistics about how users interact with your website/app, including traffic, average time on site, geographic location of visitors and other useful metrics.
It also incorporates marketing tools such as AdWords and remarketing advertising capabilities.
2. Google Terms of Service
If you sign up to use Google Analytics, you need to agree to the Google Analytics Terms of Service.
It also requires you to "comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors."
One of these "applicable laws" is the EU Cookies Directive.
3. The EU Cookies Directive
This directive applies to any website/app that's:
Owned by a business in the EU, or
Directed towards EU citizens
If cookies are used by any such website/app, it requires that:
Users are informed that cookies are used and how they're used,
Consent is obtained before cookies can be used, and
An opt-out method is made available
Google Analytics' Terms of Service requires you to comply with applicable laws, which in this case means you must comply with the EU Cookies Directive.
If your business falls under the EU Cookies Directive and uses Google Analytics, you're going to need a Cookies Policy.
4. Your Cookies Policy
You have two options here.
Either method will work, as long as you let users know:
How/why you use cookies,
Any third parties that you allow to use them, and
That users can opt out of this
It's also common for a Cookies Policy to include a clause that explains to users what a cookie is in simple, understandable terms.
4.1. A Separate Cookies Policy
Having a separate Cookies Policy comes with some perks.
It lets you add a link to your footer or link lists so your users can easily notice it. This is good for compliance purposes as well as user satisfaction.
You can also add your link to a link list, as seen here.
For example, YuMe's Cookies Policy agreement is very thorough, including a mix of charts and text:
The chart breaks down types of cookies used, by what party, and how a user can opt out of this.
Note that this is only about 1/5th of YuMe's Cookies Policy.
The Cookies Policy has detailed cookies-specific information, including a breakdown of the different types of cookies used and what each one does.
Having separate policies where you reference each one in the other and include links to each one helps users stay informed and access your policies easily.
There's a second clause that covers website cookies and opting out.
Remember, under the EU Cookies Directive, if cookies are used, your website/app must:
Inform users that cookies are used and how they're used,
Obtain consent before cookies can be used, and
Provide an opt-out method
The second requirement, obtaining consent, can be met through clickwrap, browsewrap and notification banners or pop-ups.
5. Obtaining Consent for Using Cookies
To get consent, you can include a pop-up or banner message when a user first visits your website.
In this message:
Inform users what will constitute agreement/consent for cookies
This example from WeTransfer lets users know cookies are used, links to the Cookies Policy and makes users click an "I Agree" button to show consent.
The BBC uses a banner that lets users know that cookies are used, links to cookie settings, has a "Find Out More" link, and has the user click "Continue" to show consent.
Some websites/apps use a more passive browsewrap method of obtaining consent, such as this example that lets users know that by continuing to use the website, they're showing they're OK with cookies being used.
A notification box like this will typically remain visible to users until they've clicked a few times to show they plan to continue using the website.
6. Staying Compliant Summary
If you use Google Analytics and fall under the scope of the EU Cookies Directive, you need to do the following to stay legally compliant:
Have a banner/pop-up notification regarding your cookies usage