Cookies Policy vs Cookie Consent

Cookies Policy vs Cookie Consent

First thing's first. A Cookie Policy and Cookie Consent are not the same thing.

The first is a public statement that provides information to your website visitors about the user data your cookies track, why that information is being tracked, and where it is sent.

The second is when website users give you permission to obtain, use, and process their data through cookies.

A common method for doing so, which is compliant with the European Union's General Data Protection Regulation (GDPR), is through a cookie consent notice, including banners, pop-ups, or screens.

Below, we'll go over the specific differences between a Cookies Policy and Cookie Consent so that you can avoid confusion and implement what's necessary according to laws in various geographic regions.


What are Cookies?

Cookies are small files that websites use to identify and remember users, gather data, and track user behavior. In many instances, they contain a user's private, personal information.

Some cookies are required for basic website functionality, while others are used exclusively in marketing.

Examples of standard cookies include:

  • Session Cookies - Temporary cookies that help websites recognize individual users and the data provided when those users navigate the website. These cookies only keep data about user activities for as long as the user is actually on the website. Once the user leaves and the browser is closed, these cookies are deleted. They are commonly used on E-commerce and other shopping websites.
  • Third-Party Cookies - These types of cookies are installed most often by marketing companies to collect personal information about the user, such as habits, demographics, and overall behavior. They are commonly used to ensure that services and products are marketed toward the right audience.
  • Permanent Cookies - Also known as persistent cookies, these types stay operating even when the user has closed out of the browser completely. For instance, permanent cookies can retain data, such as login details and passwords, so users don't have to manually re-enter them when they return to the website.

What is a Cookies Policy?

What is a Cookies Policy?

As noted above, a Cookies Policy is a public statement that gives specific information to your website visitors about the user data your cookies track, why that information is being tracked, and where that information is sent.

A Cookies Policy statement should also give website visitors information on how they can change their settings when it comes to which cookies they allow on their computers and how they can opt-out of allowing the use of cookies altogether.

It's important to note that many companies create a section within their Privacy Policies (legal documents that outline your methods of data collection, use, storage, how you protect the data, whether you sell or share it, and more) and place the information that would normally go in a separate Cookies Policy within.

However, it's a best practice to create a stand-alone Cookies Policy that's separate from your Privacy Policy and is posted prominently on your website.

Whether you choose to create a separate Cookies Policy or you include its information as a section within your Privacy Policy, both Europe's GDPR and California's Consumer Privacy Act (CCPA) demand that you make one available to your website's visitors.

Finally, a Cookies Policy contains information that should be updated on a regular basis. Its information is considered dynamic and could frequently change since the type of cookies you use might change as business needs shift.

What is Cookie Consent

When your website's users give you explicit consent to activate cookies and other trackers that process personal data on their computers, that's cookie consent. Obtaining cookie consent or stating how you use cookies are requirements under many data privacy and protection laws.

For example, the following laws either demand explicit cookie consent or strongly imply the need for explicit consent. These laws are:

  • The European Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Japan's Act on the Protection of Personal Information (APPI)
  • Argentina's Personal Data Protection Act (APDP)
  • The Brazilian General Data Protection Law (LGPD)
  • Nigeria's National Information Technology Development Agency Act 2007

As noted above, it's now common to obtain explicit cookie consent, which is in line with the GDPR (and thus, compliant with most of the laws listed above by default) through the use of cookie consent notices.

These notices can take the form of:

  • Banners
  • Pop-ups
  • Screens

All of these types of cookie consent notices are based on technology, which gives your website's users the opportunity to decide whether they wish to provide you with their consent to use cookies. They also allow your users to make up their minds about what types of tracking and which categories of cookies they'll accept.

When implemented correctly, all of these types of cookie consent notices allow you to be in compliance with the law. The New York Times provides an excellent example in its popup bottom banner cookie notice as seen here:

New York Times Cookie Notice - Tracker Settings

The cookie consent notice reads:

"We use cookies and similar methods to recognize visitors and remember their preferences. We also use them to measure ad campaign effectiveness, target ads and analyze site traffic.

To learn more about these methods, including how to disable them, view our Cookie Policy. Starting on July 20, 2020 we will show you ads we think are relevant to your interests, based on the kinds of content you access in our Services. You can object. For more info, see our privacy policy.

By tapping 'accept,' you consent to the use of these methods by us and third parties. You can always change your tracker preferences by visiting our Cookie Policy."

In addition to being written in clear, plain language that is easy to understand, cookie consent notices of all types, whether banners, screens, or pop-ups, are not allowed to push website users into making one decision over another.

In other words, your cookie consent notice will be non-compliant if, say, you provide a statement about agreeing to your Cookies Policy and place a pre-ticked mark in a checkbox as if it were a foregone conclusion that the user will give consent.

In contrast, a compliant cookie consent notice must give users a real choice about what cookies they will and will not accept and the ability to refuse to give consent entirely. Moreover, even if the user gives permission once, that individual must be presented with the option to revoke consent at any time.

Do I Need a Cookie Policy or Cookie Consent Notice If I Don't Collect Personal Data Via Cookies?

Regardless of the cookies you use, you'll need a Cookies Policy and a cookie consent notice to stay compliant with the major privacy and data protection legislation.

For example, "Personal Data" under laws in the EU, Canada, and the United States, as well as other nations listed above, include information that cookies typically collect, such as geolocation, device information, and IP addresses in the definition of personal information.

Moreover, even if your cookies don't collect that kind of information, users still have the right under these laws to know what kind of cookies you do use and what they're used for.

Users also still have the right to provide or withhold consent for the cookies you use regardless of what they're used for.

Finally, under the GDPR, cookie use has nothing to do with whether you gather personal information. (In other words, whether you collect personal data or not is entirely beside the point.)

How Does the GDPR Affect Cookie Policy and Cookie Consent?

Because the GDPR is considered the gold standard in laws that govern data privacy and protection, we'll focus on how it impacts the formation and use of both Cookies Policies and cookie consent notices. Bear in mind that legislation, such as the CCPA and others listed above, are similar in their requirements.

The GDPR gives the right to receive particular information that is current and accurate to your website's visitors.

According to the law, you must be able to provide website visitors with any data about them, at any time, that you've collected, and that you intend to use along with an explanation for why you've collected it, how you store it, how you protect it, and whether you share or sell it.

Additionally, you must give visitors the right to opt-out of having their data collected as well as a way to ask for their data, correct their data, and delete their data.

These rules affect both cookie policies and cookie consent.

Should I Use a Separate Cookies Policy and Cookie Consent Notice?

The short answer is yes.

As noted above, you don't actually have to have a Cookies Policy document because you can simply put a clause in your Privacy Policy with the same information that would otherwise be written separately.

In contrast, since your cookie consent notice must be obvious, unambiguous, and a bit "in-your-face," you can't place a cookie consent notice in your Privacy Policy.

Your cookie consent notice must be separate from other legal documents.

Where to Display Your Cookie Policy and Cookie Consent Notice

If you choose not to simply place a clause about your Cookies Policy in your Privacy Policy, which itself must be displayed prominently on your website, then you must show it in a conspicuous location.

Common places to put a Cookies Policy include:

  • Your website's footer along with other standard legal documents (e.g., Privacy Policy, Terms & Conditions)
  • A persistent banner in the website header
  • A persistent sidebar
  • Being linked to from the cookie consent notice

Something to bear in mind is that no matter where you choose to link to your Cookies Policy or to place it, it must stand out from the rest of the website. For example, if you are linking to your Cookies Policy from the footer or from the cookie consent notice, be sure that its font contrasts with the text around it.

Also, make sure that your Cookies Policy is accessible from the "about" menu or "settings" on your apps.

Here's an example from The Guardian in the UK that shows them linking to their CP from their footer.

The Guardian website footer with Cookie Policy link highlighted

In contrast to your Cookies Policy, which you can simply link to from your website's footer, a cookie consent notice is almost always displayed immediately upon reaching the website. In other words, it appears instantly once a visitor lands on a website's homepage.

Whether it's a banner, pop up, or full-page screen, it should contain the following components:

  • A link to your Privacy Policy - A link to your Cookies Policy or to your Privacy Policy (if that's where your Cookies Policy text is located) should be prominently displayed.
  • A "Cookies Preference" option - The cookie consent notice must give users the opportunity to change which cookies they allow as well as the chance to refuse consent completely.
  • A "Consent to Cookies" option, which provides users with the ability to explicitly consent to the use of cookies on their computers.

An excellent example of an explicit cookie consent notice displayed prominently on its company website comes from Adidas UK, which throws up a huge pop-up when someone arrives at their homepage.

Adidas UK cookie wall

Summary

Remember that if your company has a website and it's live on the internet, it's a surety that you're using cookies of one type or another. They're everywhere collecting information about your users and everything they're doing.

It's your responsibility to let your website's users know that you're using cookies, what kind of cookies you're using, why you're using them, where you send the data those cookies collect, and more. You can accomplish all of that through the use of a prominently displayed Cookies Policy.

Before processing any data collected by cookies, you must also ensure that you gain explicit consent from individual users. You can accomplish this by using a cookie consent notice, which should appear the moment visitors hit your site.

Adhere to the following guidelines, and you should keep both your Cookies Policy and cookie consent notice in full compliance with the primary pieces of legislation governing data privacy and protection in the world today.

Your Cookies Policy should provide the following information to be compliant with the GDPR and the CCPA:

  • What type of cookies are used
  • How long cookies last in the user's browser
  • What kind of data is tracked and the categories of personal information that are collected
  • Why the cookies are used (e.g., marketing, statistics, functionality, performance)
  • The parties with whom you share the data
  • Where you send the data
  • How website visitors can change the settings for cookie use
  • How website visitors can reject the use of cookies altogether

GDPR guidelines within the European Union regarding the need for businesses to obtain explicit, informed consent from their website's users before cookies are activated, are essentially written in stone.

While other laws in most nations aren't as clear-cut, the fact of the matter is that if you follow the GDPR's rules, you'll be compliant with most other laws by default.

With that said, how you acquire cookie consent must be:

  • Informed and transparent (e.g., through the use of a cookies consent notice, which includes specific information on data types and the reasons you use cookies)
  • Delivered to the user in an up-front and unambiguous manner before any processing of data takes place (known also as prior consent)
  • Documented and stored securely as evidence that you've acquired consent
  • Reversible: Your website's users must have the ability to take back their consent at any time
  • Renewable: You must re-acquire the consent of your website's users every year. (However, a best practice is to obtain consent more frequently in six-month intervals.)
William B.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.