Legal and data protection research writer at TermsFeed.
The first, a Cookies Policy, is a public statement that provides information to your website visitors about the user data your cookies track, why that information is being tracked, and where it is sent.
The second, cookie consent, is when website users give you permission to obtain, use, and process their data through cookies.
A common method for doing so, which is compliant with the European Union's General Data Protection Regulation (GDPR), is through a cookie consent notice, including banners, pop-ups, or screens.
Below, we'll go over the specific differences between a Cookies Policy and Cookie Consent so that you can avoid confusion and implement what's necessary according to laws in various geographic regions.
What are Cookies?
Cookies are small files that websites use to identify and remember users, gather data, and track user behavior. In many instances, they contain a user's private, personal information.
Some cookies are required for basic website functionality, while others are used exclusively in marketing.
Examples of standard cookies include:
- Session Cookies - Temporary cookies that help websites recognize individual users and the data provided when those users navigate the website. These cookies only keep data about user activities for as long as the user is actually on the website. Once the user leaves and the browser is closed, these cookies are deleted. They are commonly used on E-commerce and other shopping websites.
- Third-Party Cookies - These types of cookies are installed most often by marketing companies to collect personal information about the user, such as habits, demographics, and overall behavior. They are commonly used to ensure that services and products are marketed toward the right audience.
- Permanent Cookies - Also known as persistent cookies, these cookies remain active even after the user has closed the browser completely. For instance, permanent cookies can retain data, such as login details and passwords, so users don't have to manually re-enter them when they return to the website.
What is a Cookies Policy?
As noted above, a Cookies Policy is a public statement that gives specific information to your website visitors about the user data your cookies track, why that information is being tracked, and where that information is sent.
It's important to note that many companies create a section within their Privacy Policies (legal documents that outline your methods of data collection, use, storage, how you protect the data, whether you sell or share it, and more) and place there the information that would normally go in a separate Cookies Policy.
Finally, a Cookies Policy contains information that should be updated on a regular basis. Its information is considered dynamic and could frequently change since the type of cookies you use might change as business needs shift.
Our Cookies Policy Generator can create a custom and professional Cookies Policy for your website.
At Step 1, add in information about your website.
Answer some questions about your business.
Enter an email address where you'd like to receive your Cookies Policy and click "Generate."
Done! You'll be able to instantly access and download your new Cookies Policy.
What is Cookie Consent?
For example, the following laws either demand explicit cookie consent or strongly imply the need for explicit consent. These laws are:
- The European Union's General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Japan's Act on the Protection of Personal Information (APPI)
- Argentina's Personal Data Protection Act (APDP)
- The Brazilian General Data Protection Law (LGPD)
- Nigeria's National Information Technology Development Agency Act 2007
As noted above, it's now common to obtain explicit cookie consent, which is in line with the GDPR (and thus, compliant with most of the laws listed above by default) through the use of cookie consent notices.
These notices can take the form of banners, pop-ups, or screens.
When implemented correctly, all of these types of cookie consent notices allow you to be in compliance with the law. The New York Times provides an excellent example in its popup bottom banner cookie notice as seen here:
The cookie consent notice reads:
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablets and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copying and pasting the installation code in the </head> section of your website. Instructions on how to add the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
What are the Rules for the Different Types of Cookie Notices?
In addition to being written in clear, plain language that is easy to understand, cookie consent notices of all types, whether banners, screens, or pop-ups, are not allowed to push website users into making one decision over another.
In other words, your cookie consent notice will be non-compliant if, say, you provide a statement about agreeing to your Cookies Policy and place a pre-ticked mark in a checkbox as if it were a foregone conclusion that the user will give consent.
In contrast, a compliant cookie consent notice must give users a real choice about what cookies they will and will not accept and the ability to refuse to give consent entirely. Moreover, even if the user gives permission once, that individual must be presented with the option to revoke consent at any time.
Regardless of the cookies you use, you'll need a Cookies Policy and a cookie consent notice to stay compliant with the major privacy and data protection legislation.
For example, the definitions of "Personal Data" under laws in the EU, Canada, and the United States, as well as the other nations listed above, include information that cookies typically collect, such as geolocation, device information, and IP addresses.
Moreover, even if your cookies don't collect that kind of information, users still have the right under these laws to know what kind of cookies you do use and what they're used for.
Users also still have the right to provide or withhold consent for the cookies you use regardless of what they're used for.
Finally, under the GDPR, cookie use has nothing to do with whether you gather personal information. (In other words, whether you collect personal data or not is entirely beside the point.)
Because the GDPR is considered the gold standard in laws that govern data privacy and protection, we'll focus on how it impacts the formation and use of both Cookies Policies and cookie consent notices. Bear in mind that other legislation, such as the CCPA and the others listed above, is similar in its requirements.
The GDPR gives your website's visitors the right to receive particular information that is current and accurate.
According to the law, you must be able to provide website visitors, at any time, with any data about them that you've collected and that you intend to use, along with an explanation of why you've collected it, how you store it, how you protect it, and whether you share or sell it.
Additionally, you must give visitors the right to opt out of having their data collected as well as a way to ask for their data, correct their data, and delete their data.
These rules affect both cookie policies and cookie consent.
Should I Use a Separate Cookies Policy and Cookie Consent Notice?
The short answer is yes.
Your cookie consent notice must be separate from other legal documents.
Common places to put a Cookies Policy include:
- A persistent banner in the website header
- A persistent sidebar
- Being linked to from the cookie consent notice
Something to bear in mind is that no matter where you choose to link to your Cookies Policy or to place it, it must stand out from the rest of the website. For example, if you are linking to your Cookies Policy from the footer or from the cookie consent notice, be sure that its font contrasts with the text around it.
Also, make sure that your Cookies Policy is accessible from the "about" menu or "settings" on your apps.
Here's an example from The Guardian in the UK that shows them linking to their Cookies Policy from their footer.
In contrast to your Cookies Policy, which you can simply link to from your website's footer, a cookie consent notice is almost always displayed immediately upon reaching the website. In other words, it appears instantly once a visitor lands on a website's homepage.
Whether it's a banner, pop up, or full-page screen, it should contain the following components:
- A "Cookies Preference" option - The cookie consent notice must give users the opportunity to change which cookies they allow as well as the chance to refuse consent completely.
An excellent example of an explicit cookie consent notice displayed prominently on its company website comes from Adidas UK, which throws up a huge pop-up when someone arrives at their homepage.
Remember that if your company has a website and it's live on the internet, it's a surety that you're using cookies of one type or another. They're everywhere collecting information about your users and everything they're doing.
It's your responsibility to let your website's users know that you're using cookies, what kind of cookies you're using, why you're using them, where you send the data those cookies collect, and more. You can accomplish all of that through the use of a prominently displayed Cookies Policy.
Before processing any data collected by cookies, you must also ensure that you gain explicit consent from individual users. You can accomplish this by using a cookie consent notice, which should appear the moment visitors hit your site.
Adhere to the following guidelines, and you should keep both your Cookies Policy and cookie consent notice in full compliance with the primary pieces of legislation governing data privacy and protection in the world today.
Requirements for Cookie Policies
Your Cookies Policy should provide the following information to be compliant with the GDPR and the CCPA:
- What type of cookies are used
- How long cookies last in the user's browser
- What kind of data is tracked and the categories of personal information that are collected
- Why the cookies are used (e.g., marketing, statistics, functionality, performance)
- The parties with whom you share the data
- Where you send the data
- How website visitors can change the settings for cookie use
Requirements for Cookie Consent Notices
GDPR guidelines within the European Union regarding the need for businesses to obtain explicit, informed consent from their website's users before cookies are activated are essentially written in stone.
While other laws in most nations aren't as clear-cut, the fact of the matter is that if you follow the GDPR's rules, you'll be compliant with most other laws by default.
With that said, how you acquire cookie consent must be:
- Delivered to the user in an up-front and unambiguous manner before any processing of data takes place (known also as prior consent)
- Documented and stored securely as evidence that you've acquired consent
- Reversible: Your website's users must have the ability to take back their consent at any time
- Renewable: You must re-acquire the consent of your website's users every year. (However, a best practice is to obtain consent more frequently in six-month intervals.)