Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
Cookies have infiltrated every corner of the internet. They're on all of our devices, gathering information about where we shop, what we read, and pretty much everything else we do online.
If you operate a website or app, the chances are that you'll be using cookies. You need to let your users know what cookies are, why you use them, and how they can control the cookies you place on their devices. You can do this by writing a Cookies Policy.
Our Cookies Policy Generator can create a custom and professional Cookies Policy for your website.
At Step 1, add in information about your website.
Answer some questions about your business.
Enter an email address where you'd like to receive your Cookies Policy and click "Generate."
Done! You'll be able to instantly access and download your new Cookies Policy.
Cookies Policy: Frequently Asked Questions
Before we walk you through all the information you need to include in your Cookies Policy, let's answer a few FAQs about when a Cookies Policy is required.
Do I Need a Cookies Policy?
Do I Need a Cookies Policy for My Mobile App?
If your app runs personalized ads using programs such as Google AdMob, or analytics software such as Google Analytics for Firebase or Crashlytics, you'll need to make your users aware of the privacy implications.
What If I Don't Collect Personal Information Via Cookies?
Firstly, you might be surprised to learn what constitutes "personal information." Under privacy laws in the U.S., Canada, and the EU (plus many other places) personal information can include data such as a person's IP address, device information, and location.
Secondly, even if the cookies you use don't collect personal information, you still need to tell users about them. And bear in mind that if you have users in the EU, the cookie rules (Article 5(3) of the ePrivacy Directive, as implemented in each member state's national law) apply to any information stored on or read from a user's device, whether or not it is personal data.
Sections of Your Cookies Policy
Here's how we recommend you structure your Cookies Policy. We've included four sections that will help explain cookies to your users and meet most countries' legal requirements.
1. What are Cookies?
Your Cookies Policy should begin with an overview of what cookies are. Try to use non-technical language. To comply with EU law, you need to specify that cookies are stored on the user's device.
Here's how The Guardian does this:
The Guardian's short and simple explanation is a good introduction to the company's Cookies Policy. This short explanation is fine because the company provides further information about the purposes and types of cookies it uses later in the policy.
Here's a longer explanation from Automattic:
Automattic's longer explanation is well-written but more technical, and it incorporates information about the purposes and types of cookies the company uses. We recommend that you split this information up into multiple sections to make it easier to understand.
If you use other tracking technologies in addition to cookies, such as beacons and pixels, you should make it clear that your Cookies Policy also applies to these technologies.
2. Why You Use Cookies
Once you've explained what cookies are, you should briefly explain why you use them. This should be another short section that helps your users understand cookies. It will be supplemented by further information in later sections of your Cookies Policy.
Here's an example from Google:
- Remembering user settings
- Personalizing ads
- Measuring engagement
- User interface purposes
- Security purposes
This brief overview covers hundreds of different cookies and cookie functions. Google will need to go into more detail, but this introductory paragraph helps get the basic information across to its users.
3. Types of Cookies You Use
You need to explain the types of cookies you use. We recommend you divide this section into two subsections:
- Start with an overview of the types of cookies you use, categorized by their purpose
- Then, provide a list of the specific cookies you use, together with more information about:
  - Their function
  - How long they are stored on users' devices
  - The third parties who can access them
Overview of Cookies
The overview of cookies you use is another short, simple section of your Cookies Policy that helps your users understand cookies.
Most Cookies Policies divide their cookies into three or four types. It's important to distinguish between the types of cookies you use, as different rules apply to different cookie types.
- Necessary cookies: People often use the phrase "necessary cookies" to describe cookies that do not require consent under EU law. They include:
  - Cookies to keep a user logged in as they browse a website
  - Cookies that set user interface preferences
  - Load-balancing cookies to enable the website to load properly
  - Cookies to remember the contents of a shopping basket
- Analytics cookies: These cookies track user behavior and engagement on a website or app for the benefit of the website operator. Analytics cookies do require consent under EU law (whether first or third-party). You might also need to allow California users to reject third-party analytics cookies.
- Advertising cookies: These cookies track user behavior across your website or app (and often across other websites and apps) to deliver personalized ads. They can also collect personal information such as a user's IP address, browser version, advertising ID, etc. Advertising cookies also require consent under EU law. You might also need to allow California users to reject advertising cookies.
Want to know more about which cookies require consent?
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablet and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copying and pasting the installation code into the <head> section of your website. Instructions for adding the code on specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
Read our articles on cookie consent, including:
- Analytics Tools and GDPR Consent
- CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?
- Cookie Consent Outside of the EU
Here's an example from Age UK of how to explain the different types of cookies:
Note that Age UK splits "necessary cookies" into two categories: "strictly necessary cookies" and "functionality cookies." The charity also uses the term "performance cookies" instead of "analytics cookies."
This is fine, as long as you explain the function of each type of cookie.
List of Cookies
Your Cookies Policy should include a table listing all the cookies you use on your website or app. This is where your Cookies Policy becomes substantially more detailed.
Many websites and apps use hundreds of different cookies, so listing them all might be a daunting task. However, it's crucial that you know what cookies you're using, and you must explain each of them to your users.
If you're not sure which cookies you use, you should conduct a "cookies audit." Here are some steps you can take to conduct a cookies audit:
- Identify each cookie operating on your website using browser tools and/or code review
- Confirm the purpose of each cookie and whether you need to continue using it
- Check whether each cookie requires consent
- Confirm whether each cookie is a "session" or "persistent" cookie
- Determine how long each persistent cookie is stored
- Consider whether this is an appropriate length of time given the cookie's function
- Check whether each cookie can be linked to other information about users (e.g. username) or otherwise involves the processing of personal information (e.g. IP addresses)
- Check what other types of data each cookie processes
- Determine whether each cookie is first or third-party
- For each third-party cookie, determine who is setting it
Once the audit is complete, your list should give, for each cookie:
- The name of the cookie
- Its purpose
- Its duration
- What data it processes
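As an added example that is not part of the original article, the helper below turns Set-Cookie headers captured during the audit (from browser developer tools or an HTTP client) into the rows the cookie table needs: name, first- or third-party, who sets it, session or persistent, and duration. It also flags attribute problems (missing Secure, a session-like cookie without HttpOnly, SameSite=None without Secure) that a security review of the same headers would raise. The site name, the sample headers and the third-party hosts are constructed for illustration and are not real services.

```javascript
// Added example (not from the original article): audit helper for Set-Cookie headers.

const SITE_HOST = "www.example.com"; // assumed: the site being audited

// Constructed sample: each entry is a Set-Cookie header plus the host of the
// response that carried it (devtools or an HTTP client gives you both).
const SAMPLE_SET_COOKIES = [
  { setBy: "www.example.com", header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "www.example.com", header: "cart=item42; Max-Age=604800; Path=/; Secure; SameSite=Lax" },
  { setBy: "www.example.com", header: "theme=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/" },
  { setBy: "www.example.com", header: "legacy_auth=1; Max-Age=86400; Path=/" },
  { setBy: "stats.example-tracker.net", header: "_trk=xyz; Domain=.example-tracker.net; Max-Age=63072000; Path=/; Secure; SameSite=None" },
  { setBy: "ads.example-adnetwork.com", header: "adid=987; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=2592000; Domain=.example-adnetwork.com; SameSite=None" },
];

// Registrable-domain approximation: the last two labels. Fine for .com/.net;
// a real audit should consult the Public Suffix List so that foo.co.uk works.
function siteOf(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into its name and attributes. The value is not
// kept: the audit records what a cookie does, not its contents.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: eq >= 0 ? nameValue.slice(0, eq) : nameValue, maxAge: null,
    expires: null, domain: null, path: "/", secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Build one audit row. `now` is injectable so Expires-based durations are
// reproducible; it defaults to the current time.
function auditCookie({ setBy, header }, siteHost, now = new Date()) {
  const c = parseSetCookie(header);
  // RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
  let lifetime = null;
  if (c.maxAge !== null && Number.isFinite(c.maxAge)) lifetime = c.maxAge;
  else if (c.expires && Number.isFinite(c.expires.getTime())) lifetime = Math.round((c.expires - now) / 1000);
  const type = lifetime === null ? "session" : lifetime > 0 ? "persistent" : "expired";
  // A Domain attribute widens the cookie's scope; without it the setting host applies.
  const host = c.domain || setBy;
  const firstParty = siteOf(host) === siteOf(siteHost);
  const warnings = [];
  if (!c.secure) warnings.push("missing Secure");
  if (!c.httpOnly && /sess|auth|token/i.test(c.name)) warnings.push("session-like cookie without HttpOnly");
  if (c.sameSite === "none" && !c.secure) warnings.push("SameSite=None requires Secure");
  return {
    name: c.name,
    party: firstParty ? "first-party" : "third-party",
    setBy: host,
    type,
    durationDays: type === "persistent" ? Math.round(lifetime / 86400) : 0,
    warnings,
  };
}

function auditAll(entries, siteHost, now = new Date()) {
  return entries.map((e) => auditCookie(e, siteHost, now));
}

console.table(auditAll(SAMPLE_SET_COOKIES, SITE_HOST));
```

The `type` of "expired" catches deletion headers (Expires in the past with no Max-Age), which show up in captures when a site clears a cookie; those belong in the audit notes but not in the published table.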
There are several approaches to providing this information. Many companies provide a list of first-party cookies followed by a list of third-party cookies.
Here's an example from BBVA:
Note that although BBVA provides information about whether a cookie is "persistent" or "session," it doesn't specify the duration for which persistent cookies are stored.
Here's an example from the European Commission's Cookies Policy which provides more precise information about each cookie's duration:
4. How to Manage Cookies
This part of your Cookies Policy should contain the following information:
- Details of how to withdraw consent or opt out via your cookie consent solution
  - Under the GDPR, this might be a cookie banner
  - Under the CCPA, this should include your "Do Not Sell My Personal Information" page
- Information about how your website responds to "Do Not Track" signals (this is a legal requirement under the California Online Privacy Protection Act, CalOPPA)
- A link to a recognized consumer advice site
- Instructions on how users can clear or opt out of cookies via their browser or app
- Links to relevant service providers' opt-out tools (for example, the Google Analytics browser opt-out tool)
Here's how Tesco links users to its cookie consent tool via its Cookies Policy:
Here's how Twitter explains some of the ways users can opt out of personalized ads:
Here's an example from Safe Passage of how to address "Do Not Track" signals in your Cookies Policy:
Note that California law doesn't actually require you to honor Do Not Track signals. It only requires you to inform users about how your website treats Do Not Track signals.
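The mechanics behind the points above (storing the user's choices, loading non-necessary scripts only for consented categories, and applying one declared Do Not Track behaviour) are shown here as an added example. This is not code from the article or from any consent vendor; the cookie name, the retention period, the consent object shape and the script URLs are assumptions, and the `.invalid` hosts never resolve.

```javascript
// Added example (not from the original article): a minimal consent gate.

const CONSENT_COOKIE = "cookie_consent";   // assumed first-party cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // assumed retention: 180 days

// Placeholder tags grouped by the categories used in the policy.
const TAGS = [
  { id: "keepalive", category: "necessary",   src: "/static/keepalive.js" },
  { id: "analytics", category: "analytics",   src: "https://stats.vendor.invalid/tag.js" },
  { id: "ads",       category: "advertising", src: "https://ads.vendor.invalid/tag.js" },
];

// Serialize the user's choices as a cookie string. The consent record is itself
// a cookie, so it gets Secure and SameSite like everything else in the audit.
function consentCookieString(consent) {
  const record = { analytics: !!consent.analytics, advertising: !!consent.advertising, ts: consent.ts || 0 };
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Read the consent record back from document.cookie ("a=1; b=2"). Absent or
// malformed means null, which the gate treats as "no consent given yet".
function readConsent(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join("="))); } catch { return null; }
  }
  return null;
}

// Browsers expose the signal as navigator.doNotTrack with "1" (or "yes" in
// older builds) meaning the user asked not to be tracked.
function readDoNotTrack(nav) {
  const raw = nav ? nav.doNotTrack : null;
  return raw === "1" || raw === "yes";
}

// dntPolicy is "honor" (treat DNT as a refusal of every non-necessary category)
// or "disclose-only" (ignore the signal). CalOPPA allows either, as the article
// notes, as long as the Cookies Policy states which one applies.
function decide(tag, consent, dnt, dntPolicy) {
  if (tag.category === "necessary") return { id: tag.id, load: true, reason: "necessary" };
  if (dnt && dntPolicy === "honor") return { id: tag.id, load: false, reason: "do-not-track" };
  if (consent && consent[tag.category] === true) return { id: tag.id, load: true, reason: "consent" };
  return { id: tag.id, load: false, reason: "no-consent" };
}

// The loader is injected so the decision logic can run outside a browser.
function applyGate({ tags, cookieString, nav, dntPolicy, loader }) {
  const consent = readConsent(cookieString);
  const dnt = readDoNotTrack(nav);
  const decisions = tags.map((t) => decide(t, consent, dnt, dntPolicy));
  decisions.forEach((d, i) => { if (d.load) loader(tags[i]); });
  return decisions;
}

// Browser loader: the script element is created only after the gate allows it,
// so the third party's cookies are never set before consent.
function domLoader(tag) {
  const s = document.createElement("script");
  s.id = tag.id; s.src = tag.src; s.async = true;
  document.head.appendChild(s);
}

// Withdrawal overwrites the record with everything off. Scripts already loaded
// cannot be unloaded and third parties' cookies cannot be deleted from
// first-party script, which is why the policy must also link to their opt-outs.
function withdrawConsent() {
  return consentCookieString({ analytics: false, advertising: false, ts: Date.now() });
}
```

In a page, call `applyGate({ tags: TAGS, cookieString: document.cookie, nav: navigator, dntPolicy: "honor", loader: domLoader })` from the `<head>`, before any vendor tag, and write `consentCookieString(...)` to `document.cookie` when the banner is answered.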
How to Display Your Cookies Policy
You must display your Cookies Policy prominently. Here are some tips for how to do this:
- Provide a link to your Cookies Policy in a persistent header, footer, or sidebar on your website.
  - If a webpage contains large amounts of text, it might be best to display a link via a header as it is unlikely that users will want to scroll to the bottom of the page.
- Make sure you present your Cookies Policy to users whenever cookies are active.
- Display a link to your Cookies Policy as part of your cookie banner or consent solution.
- When formatting your Cookies Policy link, make sure it stands out. Use a font that contrasts with the background and is at least as big as the surrounding text.
Here's how The Guardian displays a link to its Cookies Policy in a footer on its website:
Here's an example from the Information Commissioner's Office of how to link to your Cookies Policy as part of your cookie consent solution:
Summary
Your Cookies Policy should explain:
- What cookies are
- What types of cookies you use, including:
  - An overview of different cookie types
  - A list of all the cookies you use, including their name, purpose, and duration. In the case of third-party cookies, you should also explain who sets these cookies.
You should display a link to your Cookies Policy prominently wherever cookies are active on your website, and as part of your cookie consent solution.