The first is a public statement that provides information to your website visitors about the user data your cookies track, why that information is being tracked, and where it is sent.
The second is when website users give you permission to obtain, use, and process their data through cookies.
A common method for doing so, which is compliant with the European Union's General Data Protection Regulation (GDPR), is through a cookie consent notice, including banners, pop-ups, or screens.
Below, we'll go over the specific differences between a Cookies Policy and Cookie Consent so that you can avoid confusion and implement what's necessary according to laws in various geographic regions.
Cookies are small files that websites use to identify and remember users, gather data, and track user behavior. In many instances, they contain a user's private, personal information.
Some cookies are required for basic website functionality, while others are used exclusively in marketing.
Examples of standard cookies include:
As noted above, a Cookies Policy is a public statement that gives specific information to your website visitors about the user data your cookies track, why that information is being tracked, and where that information is sent.
It's important to note that many companies create a section within their Privacy Policies (legal documents that outline your methods of data collection, use, storage, how you protect the data, whether you sell or share it, and more) and place there the information that would normally go in a separate Cookies Policy.
Finally, a Cookies Policy contains information that should be updated on a regular basis. Its information is considered dynamic and could frequently change since the type of cookies you use might change as business needs shift.
For example, the following laws either demand explicit cookie consent or strongly imply the need for explicit consent. These laws are:
As noted above, it's now common to obtain explicit cookie consent through the use of cookie consent notices, which is in line with the GDPR (and thus compliant with most of the laws listed above by default).
These notices can take the form of:
When implemented correctly, all of these types of cookie consent notices allow you to be in compliance with the law. The New York Times provides an excellent example in its pop-up bottom banner cookie notice as seen here:
The cookie consent notice reads:
In addition to being written in clear, plain language that is easy to understand, cookie consent notices of all types, whether banners, screens, or pop-ups, are not allowed to push website users into making one decision over another.
In other words, your cookie consent notice will be non-compliant if, say, you provide a statement about agreeing to your Cookies Policy and place a pre-ticked mark in a checkbox as if it were a foregone conclusion that the user will give consent.
In contrast, a compliant cookie consent notice must give users a real choice about what cookies they will and will not accept and the ability to refuse to give consent entirely. Moreover, even if the user gives permission once, that individual must be presented with the option to revoke consent at any time.
Regardless of the cookies you use, you'll need a Cookies Policy and a cookie consent notice to stay compliant with the major privacy and data protection legislation.
For example, the definition of "Personal Data" under laws in the EU, Canada, and the United States, as well as other nations listed above, includes information that cookies typically collect, such as geolocation, device information, and IP addresses.
Moreover, even if your cookies don't collect that kind of information, users still have the right under these laws to know what kind of cookies you do use and what they're used for.
Users also still have the right to provide or withhold consent for the cookies you use regardless of what they're used for.
Finally, under the GDPR, cookie use has nothing to do with whether you gather personal information. (In other words, whether you collect personal data or not is entirely beside the point.)
Because the GDPR is considered the gold standard in laws that govern data privacy and protection, we'll focus on how it impacts the formation and use of both Cookies Policies and cookie consent notices. Bear in mind that legislation such as the CCPA and others listed above is similar in its requirements.
The GDPR gives your website's visitors the right to receive particular information that is current and accurate.
According to the law, you must be able to provide website visitors, at any time, with any data about them that you've collected and that you intend to use, along with an explanation of why you've collected it, how you store it, how you protect it, and whether you share or sell it.
Additionally, you must give visitors the right to opt out of having their data collected as well as a way to ask for their data, correct their data, and delete their data.
These rules affect both cookie policies and cookie consent.
The short answer is yes.
Your cookie consent notice must be separate from other legal documents.
Common places to put a Cookies Policy include:
Something to bear in mind is that no matter where you choose to link to your Cookies Policy or to place it, it must stand out from the rest of the website. For example, if you are linking to your Cookies Policy from the footer or from the cookie consent notice, be sure that its font contrasts with the text around it.
Also, make sure that your Cookies Policy is accessible from the "about" menu or "settings" on your apps.
Here's an example from The Guardian in the UK that shows them linking to their Cookies Policy from their footer.
In contrast to your Cookies Policy, which you can simply link to from your website's footer, a cookie consent notice is almost always displayed immediately upon reaching the website. In other words, it appears instantly once a visitor lands on a website's homepage.
Whether it's a banner, pop-up, or full-page screen, it should contain the following components:
An excellent example of an explicit cookie consent notice displayed prominently on its company website comes from Adidas UK, which throws up a huge pop-up when someone arrives at their homepage.
Remember that if your company has a website and it's live on the internet, it's a surety that you're using cookies of one type or another. They're everywhere collecting information about your users and everything they're doing.
It's your responsibility to let your website's users know that you're using cookies, what kind of cookies you're using, why you're using them, where you send the data those cookies collect, and more. You can accomplish all of that through the use of a prominently displayed Cookies Policy.
Before processing any data collected by cookies, you must also ensure that you gain explicit consent from individual users. You can accomplish this by using a cookie consent notice, which should appear the moment visitors hit your site.
Adhere to the following guidelines, and you should keep both your Cookies Policy and cookie consent notice in full compliance with the primary pieces of legislation governing data privacy and protection in the world today.
Your Cookies Policy should provide the following information to be compliant with the GDPR and the CCPA:
GDPR guidelines within the European Union regarding the need for businesses to obtain explicit, informed consent from their website's users before cookies are activated are essentially written in stone.
While other laws in most nations aren't as clear-cut, the fact of the matter is that if you follow the GDPR's rules, you'll be compliant with most other laws by default.
With that said, how you acquire cookie consent must be: