Cookies Policy for Google Analytics

10 May 2019

If your EU-based or EU-directed website or mobile app uses Google Analytics, you're required to have a Cookies Policy in place.

In short, this is because the EU Cookies Directive requires a Cookies Policy, and the Google Analytics Terms of Service agreement requires users of the service to follow applicable laws.


1. What is Google Analytics

Google Analytics is the most widely used web analytics service on the internet.

This free service from Google lets you see detailed statistics about how users interact with your website/app, including traffic, average time on site, geographic location of visitors and other useful metrics.

It also incorporates marketing tools such as AdWords and remarketing advertising capabilities.

To provide these services, Google Analytics uses cookies. These cookies help Google identify unique users, identify unique sessions, gather information and store information. If your website/app uses remarketing, third-party cookies or DoubleClick cookies can be used as well.

2. Google Terms of Service

If you sign up to use Google Analytics, you need to agree to the Google Analytics Terms of Service.

The Terms of Service requires you to have a Privacy Policy.

It also requires you to "comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors."

One of these "applicable laws" is the EU Cookies Directive.

3. The EU Cookies Directive

This directive applies to any website/app that's:

  • Owned by a business in the EU, or
  • Directed towards EU citizens

If cookies are used by any such website/app, it requires that:

  • Users are informed that cookies are used and how they're used,
  • Consent is obtained before cookies can be used, and
  • An opt out method is made available

Because Google Analytics uses cookies, this would trigger the requirements of the EU Cookies Directive.

Google Analytics' Terms of Service requires you to comply with applicable laws, which in this case means you must comply with the EU Cookies Directive.

If your business falls under the EU Cookies Directive and uses Google Analytics, you're going to need a Cookies Policy.

4. Your Cookies Policy

You have two options here.

You can either create a separate Cookies Policy or include a Cookies Policy clause in your existing Privacy Policy.

Either method will work, as long as you let users know:

  • Your website/app uses cookies,
  • How/why you use them,
  • Any third parties that you allow to use them, and
  • That users can opt out of this

It's also common for a Cookies Policy to include a clause that explains to users what a cookie is in simple, understandable terms.

[Image: Vimeo]

4.1. A Separate Cookies Policy

Having a separate Cookies Policy comes with some perks.

It lets you add a link to your footer or link lists so your users can easily notice it. This is good for compliance purposes as well as user satisfaction.

[Image: Vimeo]

You can also add your link to a link list, as seen here.

[Image: Slack]

Having separate policies also lets you add very thorough information without overloading your Privacy Policy and overwhelming your users with one long, intimidating legal agreement.

For example, YuMe's Cookies Policy agreement is very thorough, including a mix of charts and text:

The chart breaks down types of cookies used, by what party, and how a user can opt out of this.

The text has additional general information about the site’s use of cookies.

Note that this is only about 1/5th of YuMe's Cookies Policy.

YuMe's Privacy Policy then includes just one short summary clause about cookies and links to this robust Cookies Policy.

LinkedIn has a Cookies Policy agreement that's separate from its Privacy Policy.

In its Cookies Policy, LinkedIn links to its Privacy Policy and the section within it that covers cookies.

When you visit the LinkedIn Privacy Policy agreement, you'll see a section on cookies that includes a summary of all of the relevant information, as well as a link to the full Cookies Policy.

Vimeo has a separate Cookies Policy agreement that lets users know right away that it's part of its Privacy Policy.

The Cookies Policy has detailed cookies-specific information, including a breakdown of the different types of cookies used and what each one does.

Vimeo's Privacy Policy agreement also includes thorough cookies information, as well as multiple links to the Cookies Policy throughout it.

Having separate policies where you reference each one in the other and include links to each one helps users stay informed and access your policies easily.

4.2. Privacy Policy with a Cookies Policy Clause

You may choose to simply go with a cookies section in your current Privacy Policy and skip the separate Cookies Policy.

Here's how Drift adds a short clause about cookies to its Privacy Policy.

[Image: Drift]

Medallia has added a more robust and extensive cookies section to its Privacy Policy. It includes one clause for its survey and reporting cookies.

There's a second clause that covers website cookies and opting out.

Oracle includes a Cookies clause in its Privacy Policy.

Some businesses may choose to combine both policies into a Privacy & Cookie Policy, as Ascarii did.

Remember, under the EU Cookies Directive, if cookies are used, your website/app must:

  • Inform users that cookies are used and how they're used,
  • Obtain consent before cookies can be used, and
  • Provide an opt out method

Of these three requirements, the first and the third can be met through your Cookies Policy or cookies clause in your Privacy Policy.

The second - obtaining consent - can be met through clickwrap, browsewrap and notification banners or pop-ups.

To get consent, you can include a pop-up or banner message when a user first visits your website.

In this message:

  • Let users know that you use cookies,
  • Link to your Cookies Policy/Privacy Policy with cookies clause, and
  • Inform users what will constitute agreement/consent for cookies

This example from WeTransfer lets users know cookies are used, links to the Cookies Policy and makes users click an "I Agree" button to show consent.

The BBC uses a banner that lets users know that cookies are used, links to cookie settings, includes a "Find Out More" link, and asks users to click "Continue" to show consent.

Some websites/apps use a more passive browsewrap method of obtaining consent, such as this example that lets users know that by continuing to use the website, they're showing they're ok with cookies being used.

[Image: Mirror UK newspaper usage of cookies]

A notification box like this will typically remain visible to users until they've clicked a few times to show they plan to continue using the website.

6. Staying Compliant Summary

If you use Google Analytics and fall under the scope of the EU Cookies Directive, you need to do the following to stay legally compliant:

  • Have a Privacy Policy
  • Have a Cookies Policy/Cookies clause within your Privacy Policy
  • Have a banner/pop-up notification regarding your cookies usage
  • Get consent for using cookies
  • Provide an opt out method

Sara Pegarella

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.