GDPR Cookies Policy

GDPR Cookies Policy

The EU General Data Protection Regulation (GDPR) came into full force in May of 2018. Businesses have been scrambling to comply - rewriting their Privacy Policies, deleting all traces of unnecessary personal data, and emailing their existing customers to refresh marketing consent.

Perhaps the most noticeable sign of privacy practices changing, though, has been the treatment of cookies.

The GDPR contains over 50,000 words, and only one of them is "cookie." Despite this, the GDPR has significant implications for your website's Cookies Policy.

The law isn't spelled out in simple terms, and many websites remain non-compliant. It's very easy to get this wrong. But when you understand the law, it's not that hard to get it right, and we're here to help with that.


Does EU Privacy Law Apply to You?

You may be reading this from outside the EU and wondering why you should care about complying with a foreign law. Well, whether you're physically present in the EU or not, the GDPR applies if you're:

  • Offering goods and services to people in the EU, or
  • "Profiling" people in the EU (monitoring their behavior).

"Profiling" means collecting information about people's activities and characteristics in order to predict their behavior.

This is a lot less sinister than it might sound - many website admins want to know what sorts of people are visiting their website so they can target their ads towards a particular group of consumers.

These are exactly the sorts of things that cookies can help you to do.

It doesn't matter if you're a multi-million dollar transnational corporation or a local charity that runs analytics or ads on its website - if you want people to visit your website from inside the EU, you need to obey EU privacy law.

Do You Need a Privacy Policy, a Cookies Policy, or Both?

A Privacy Policy is mandatory under EU law if you're processing the personal data of anyone in the EU. This includes using cookies.

Under Article 12 of the GDPR, you're required to provide information about all the personal data you process "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

Whilst this does mean you need to provide information about cookies, you don't necessarily need a separate Cookies Policy for this. You could just include the information about cookies as a section in your main Privacy Policy.

Many companies do choose to present cookies information in a separate Cookies Policy, and this is a good solution. Just make sure you include reference to this separate policy wherever you need to - most importantly, within your main Privacy Policy.

Here's how Invesco does this by combining its Privacy Notice and Cookies Policy into one legal agreement:

Invesco Online Privacy Notice and Cookies Policy with Cookies Policy reference highlighted

Creating Your Cookies Policy

Your Cookies Policy will need to comply both with the GDPR and another EU law, the ePrivacy Directive. These two laws work in tandem to create some quite demanding conditions around cookies.

Your Cookies Policy should be tailored to your website. Some websites use only very basic session cookies that perform essential functions. Some websites have sophisticated marketing cookies that allow them to target their users with ads.

However you use cookies, you need to let your users know exactly how you do it.

Here are some sections you should include in your Cookies Policy.

What are Cookies?

All privacy information must be given in "clear and plain language." You can't assume that your users will know what a "cookie" is. This is especially important if your website is geared towards children.

The first thing you should do is explain what cookies are, and what they do.

Here's how The Independent does this:

The Independent's Cookie Policy: Clause with definition of cookies

Here's a less clear example from The Arts Council:

The Arts Council Cookie Policy: Clause with definition of cookies

This isn't necessarily a bad way of explaining what cookies are, but imagine you're someone who's never heard the word "cookie" used outside of a culinary context before.

The Independent's explanation would be a lot easier to understand.

It's impossible to avoid using technical language entirely, but do your best to put it all in a simple context.

How You Use Cookies

Using simple language, break down the types of cookies that you use, and the purposes for which you use them. This should include any essential session cookies for which you won't be seeking consent.

Here's an example from Macmillan:

Macmillan's How we use cookies: How do we use cookies on the website clause

Be very specific here and list out all the ways you will be using cookies.

Third Party Cookies

Article 13 of the GDPR requires that you disclose "the recipients or categories of recipients of [your users'] personal data." This means you must let your users know if their data will be shared with any third parties.

It's very common for websites to allow third parties to place cookies on visitors' devices that collect information. If you use a tool like Google AdSense, Google's Terms and Conditions require that you inform your users that Google places targeted ads on your website:

Google AdSense Online Terms of Service US version with Privacy clause highlighted

There could be many other instances in which your users might come into contact with third-party cookies, as explained by Three:

Three Cookies Policy: Third party cookies clause

You'll notice that Three informs its users how to control consent for individual third-party cookies, as is required by Google.

If your website interacts with social networks, this might also have implications for your Cookies Policy as something you should disclose.

Here's how Rock Hopper HR makes its users aware of this:

Rock Hopper HR Cookie Policy: Social media and third-party cookie clause

Analytics

Analytics is a way for you to track how users interact with your site. There are several different analytics services, and many different ways you can use analytics - all with different implications for your users' privacy.

Your use of analytics should be explained in your Cookies Policy or Privacy Policy.

Here's how HarperCollins does this:

HarperCollins Cookie Policy: Analytics Cookies clause

GOV.UK lists the names of the Google Analytics cookies it uses and informs its users how to withdraw consent for Google Analytics:

Gov UK Cookies Policy: Google Analytics clause

Remarketing

Remarketing (also known as "retargeting") is a very powerful advertising tool. It allows you to "follow" users who have left your website and display your ads on other sites they visit.

If you use remarketing, this requires a special mention in your Cookies Policy.

Here's what Google Ads has to say about this:

Google Ads Help: What to include in your privacy policy for remarketing

This is how Launchmetrics complies with Google's requirements:

Launchmetrics Cookie Policy: Google Adwords remarketing and cookies clause

Other Tracking Technologies

Many websites use other technologies to track and identify their users, such as web beacons and pixel tags. These are not cookies, but they have privacy implications and they interact with cookies. These technologies should also be discussed in your Cookies Policy.

Here's how Ever Accountable does this:

Ever Accountable Cookie Policy: Other Tracking Technologies clause

Let users know:

  • You use these technologies
  • Briefly what they are
  • How you use them (for what purpose)
  • How users can limit any of this

We've seen examples of Cookies Policies that name the cookies used by analytics services and third parties. It's also good practice to include a full list of all the different cookies you use on your website, including first-party cookies, together with an explanation of what each one does.

Here's an excerpt from Fitbit's list:

Excerpt from Fitbit's Cookies Used chart and list

How to Control Cookies

Many websites include a "privacy center" or a control panel where users can allow, refuse and withdraw consent for various types of cookies. Here's an example of one such interface from the BBC:

BBC's page for changing cookies settings with toggle choices

Note that "strictly necessary" cookies cannot be turned off. We'll discuss this in more detail below.

Whether or not you provide such an interface, you should also explain how users can control their consent for cookies in your Cookies Policy.

Here's a section of Pearson's Cookies Policy which offers advice on controlling cookies via the settings of various browsers:

Pearson Cookie Policy: How to manage cookies section with menus of instructions for how to check if cookies are enabled

Users can select which browser they're using in the menu and get step-by-step instructions for how to do a cookies check. Here's what you'll be shown if you select the Google Chrome instructions:

Pearson Cookie Policy: Instructions to check if cookies are enabled on Google Chrome

Simpler websites may only need to provide basic information about controlling cookies if only basic cookies are used. Here's how DHL Interactive does this:

DHL Interactive Cookies Policy: How to control cookies clause

DHL only uses one type of cookie that's necessary for the website to function and is deleted as soon as the web browser is closed, so it can get away with a simpler Cookies Policy. In fact, here's its policy in its brief entirety:

Screenshot of DHL Interactive's complete and simple cookie policy

Under Recital 25 of the ePrivacy Directive, "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." This means that you need to get consent before you can use most cookies.

When the EU says "consent," it really means it.

Some privacy laws, such as CAN-SPAM in the United States, allow businesses to assume that they have a person's consent unless they opt out. The GDPR doesn't allow "opt-out" consent. It operates a strictly "opt-in" model of consent.

Similarly, some privacy laws, such as Canada's Anti Spam Law, allow businesses to infer that they have a person's "implied" consent. For example, if they have an existing business relationship with that person. The GDPR doesn't recognize implied consent. It only recognizes "express" consent.

Under Article 7 of the GDPR, consent must be:

  • Freely given,
  • Given via a clear, affirmative act, and
  • Easy to withdraw at any time

Most websites request cookie consent via a pop-up banner or landing page. It's important that you build facilities into your website that allow your users to accept, refuse and withdraw consent for different types of cookies.


The idea of freely-given consent has big implications for your Cookies Policy. Recital 42 of the GDPR states that consent is not freely given if it can't be refused or withdrawn without detriment.

Here's an example of a cookie consent landing page from Washington Post which seems to contradict this rule:

Washington Post subscribe page with different options and consent to cookies highlighted

Unless you pay to subscribe, Washington Post only allows you to access its website if you consent to having advertising cookies placed on your device.

You may have some sympathy with what Washington Post is trying to do here. Their business model depends partly on ad revenue, after all. However, it goes against the spirit of this part of the GDPR to "barter" with people's privacy consent in this way.

Here's an example of a consent request that's far more in line with the GDPR's spirit and would constitute being "freely given."

Dream in Code's cookie consent notice gives users the option to accept or not accept cookies. They're also informed that they can change their minds at any time and change or withdraw their consent choice:

Dream in Code: Notification about use of cookies with "I Accept" or "I do not Accept" options

This example is a good transition into the next consent requirements.

Your users must consent to cookies via a clear, affirmative act. When you ask if they consent to cookies, they should be able to click "I accept" or "OK," or something to that effect.

This cookie banner from Shopify represents a very common approach to requesting "consent" which seems to contradict this:

Shopify UK's cookies notice banner

The user has no way to meaningfully refuse consent, other than to navigate away from the website. This is not considered good practice under the GDPR. If you have a cookie banner like this, you ideally should change it to comply with the GDPR's consent requirements, like the previous example from Dream in Code.

Easily Withdrawn

The Article 7 of the GDPR says: "it shall be as easy to withdraw as to give consent." How does this work in practice?

It's difficult to obey the "letter of the law" on this one. You can do all the right things with your cookie banner, but it's probably going to have to be a little harder for your users to withdraw their consent than it was to for them to give it.

Here's one option from the BBC. A "Cookies" link is on persistent display in the website's footer:

BBC website footer with link to cookies policy highlighted

Clicking the link takes you to this page, which allows you to opt in and out of different types of cookies:

BBC's Cookie and Browser settings control page

This principle arguably applies in another way that is much easier to implement: refusing consent shouldn't be any more difficult than accepting consent.

Take a look at this cookie banner from Pandora, for example:

Pandora UK cookie notice banner

Visiting the "Information and Settings" page to adjust cookie settings and refuse consent is hardly back-breaking labor. But it is just a little bit more effort and inconveniencing to a website visitor than clicking "I'm fine with this."

Here's a good example of equally-weighted options from HellermannTyton:

HellermannTyton UK cookie notice banner

This banner provides a genuinely equal free choice to accept or to refuse cookies.

Not all cookies require you to obtain consent in order to use them. The law is not black-and-white here, and the best you can do is adhere to authoritative guidance.

The UK's data protection authority, the Information Commissioner's Office, suggests that consent is "unlikely" to be required for cookies that are essential for you to provide a service or fulfill the request of a user.

Examples include cookies that:

  • Store a user's purchases in a shopping cart as they move around that same ecommerce site
  • Provide security on internet banking or other secure websites
  • Allow you to ensure the smooth running of your website (e.g. "load-balancing cookies")

It may be in your legitimate interests (or may even be a legal requirement) to use such cookies. Your users cannot meaningfully refuse consent for them without impeding the effective functioning of your website. Therefore, you only need to inform your users that you employ these cookies - you don't need to ask for their consent to do so.

An example of this would be the DHL Interactive cookie situation in an earlier example where only one necessary and temporary cookie is used. DHL Interactive would not need to obtain consent to use that one cookie for that necessary purpose.

Your GDPR-Compliant Cookies Policy - Summary

Transparency and fairness is at the heart of the GDPR. Although it may seem arduous to comply with the EU's rules around cookies, it's the law - and you owe your users the respect of treating their privacy seriously.

Make sure you have a Cookies Policy that:

  • Explains what cookies are and what they do;
  • Explains how you use cookies, for example to improve your website or advertise to your users;
  • Gives details of any third-party cookies that your users might encounter on your site;
  • Explains your use of analytics and remarketing, and the privacy implications of these tools;
  • Gives details of any other tracking technologies you use such as web beacons;
  • Provides a full list of the cookes you use on your website;
  • Tells users how they can control their consent over the various first and third-party cookies on your website.

If you don't create a separate Cookies Policy, make sure all the above is included in a Cookies section within your Privacy Policy.

Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.