Last updated on 19 May 2021 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Cookies have infiltrated every corner of the internet. They're on all of our devices, gathering information about where we shop, what we read, and pretty much everything else we do online.
If you operate a website or app, the chances are that you'll be using cookies. You need to let your users know what cookies are, why you use them, and how they can control the cookies you place on their devices. You can do this by writing a Cookies Policy.
Before we walk you through all the information you need to include in your Cookies Policy, let's answer a few FAQs about when a Cookies Policy is required.
If your app runs personalized ads using programs such as Google AdMob, or analytics software such as Google Analytics for Firebase or Crashlytics, you'll need to make your users aware of the privacy implications.
Firstly, you might be surprised to learn what constitutes "personal information." Under privacy laws in the U.S., Canada, and the EU (plus many other places) personal information can include data such as a person's IP address, device information, and location.
Secondly, even if the cookies you use don't collect personal information, you still need to let users know about this. And bear in mind that if you have users in the EU, the law on cookies doesn't actually concern personal information at all.
Here's how we recommend you structure your Cookies Policy. We've included four sections that will help explain cookies to your users and meet most countries' legal requirements.
Your Cookies Policy should begin with an overview of what cookies are. Try to use non-technical language. To comply with EU law, you need to specify that cookies are stored on the user's device.
Here's how The Guardian does this:
The Guardian's short and simple explanation is a good introduction to the company's Cookies Policy. This short explanation is fine because the company provides further information about the purposes and types of cookies it uses later in the policy.
Here's a longer explanation from Automattic:
Automattic's longer explanation is well-written but more technical, and it incorporates information about the purposes and types of cookies the company uses. We recommend that you split this information up into multiple sections to make it easier to understand.
If you use other tracking technologies in addition to cookies, such as beacons and pixels, you should make it clear that your Cookies Policy also applies to these technologies.
Once you've explained what cookies are, you should briefly explain why you use them. This should be another short section that helps your users understand cookies. It will be supplemented by further information in later sections of your Cookies Policy.
Here's an example from Google:
This brief overview covers hundreds of different cookies and cookie functions. Google will need to go into more detail, but this introductory paragraph helps get the basic information across to its users.
You need to explain the types of cookies you use. We recommend you divide this section into two subsections:
Then, provide a list of the specific cookies you use, together with more information about:
The overview of cookies you use is another short, simple section of your Cookies Policy that helps your users understand cookies.
Most Cookies Policies divide their cookies into three or four types. It's important to distinguish between the types of cookies you use, as different rules apply to different cookie types.
Necessary cookies: People often use the phrase "necessary cookies" to describe cookies that do not require consent under EU law. They include:
Want to know more about which cookies require consent?
Read our articles on cookie consent, including:
Here's an example from Age UK of how to explain the different types of cookies:
Note that Age UK splits "necessary cookies" into two categories: "strictly necessary cookies" and "functionality cookies." The charity also uses the term "performance cookies" instead of "analytics cookies."
This is fine, as long as you explain the function of each type of cookie.
Your Cookies Policy should include a table listing all the cookies you use on your website or app. This is where your Cookies Policy becomes substantially more detailed.
Many websites and apps use hundreds of different cookies, so listing them all might be a daunting task. However, it's crucial that you know what cookies you're using, and you must explain each of them to your users.
If you're not sure which cookies you use, you should conduct a "cookies audit." Here are some steps you can take to conduct a cookies audit:
There are several approaches to providing this information. Many companies provide a list of first-party cookies followed by a list of third-party cookies.
Here's an example from BBVA:
Note that although BBVA provides information about whether a cookie is "persistent" or "session," it doesn't specify the duration for which persistent cookies are stored.
Here's an example from the European Commission's Cookies Policy which provides more precise information about each cookie's duration:
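The cookies table depends on the cookies audit being accurate about three things the examples above touch on: which domain each cookie belongs to (first-party or third-party), whether it is a session or persistent cookie, and, for persistent cookies, how long it lasts. The script below is an added example, not code from TermsFeed or any of the companies mentioned; it assumes you have already captured the Set-Cookie headers your site and its embedded third parties send (for example from a crawler or a browser devtools export), and the captured headers, the site host www.example.com and the audit date are all constructed for illustration. It classifies each cookie and renders the inventory as a table you can carry into your Cookies Policy.

```python
"""Cookie audit helper: turn captured Set-Cookie headers into a cookie inventory.

Added example, not TermsFeed's code. Assumes the Set-Cookie headers were
captured beforehand; the sample data below is constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: the site being audited. Cookies set for any other registrable
# domain are treated as third-party cookies.
SITE_HOST = "www.example.com"

# Constructed: the date the audit is run (Expires durations are relative to it).
AUDIT_NOW = datetime(2021, 5, 19, tzinfo=timezone.utc)

# Constructed sample: (responding host, Set-Cookie header value) pairs.
CAPTURED = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("www.example.com", "consent=1; Max-Age=31536000; Path=/; SameSite=Lax"),
    ("www.example.com",
     "_ga=GA1.2.1; Expires=Fri, 19 May 2023 00:00:00 GMT; Domain=.example.com; Path=/"),
    ("ads.adnetwork.example",
     "id=xyz; Max-Age=7776000; Domain=.adnetwork.example; Path=/; Secure; SameSite=None"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value, attrs


def is_first_party(effective_domain):
    """First-party if SITE_HOST is the cookie's domain or a subdomain of it."""
    d = effective_domain.lstrip(".").lower()
    return SITE_HOST == d or SITE_HOST.endswith("." + d)


def lifetime_days(attrs, now):
    """None for a session cookie; otherwise days until expiry.

    Max-Age takes precedence over Expires when both are present (RFC 6265).
    """
    if "max-age" in attrs:
        return round(int(attrs["max-age"]) / 86400, 1)
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return round((expires - now).total_seconds() / 86400, 1)
    return None


def audit(captured, now):
    """Build one inventory record per captured Set-Cookie header."""
    records = []
    for host, header in captured:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain") or host  # no Domain attribute: host-only cookie
        days = lifetime_days(attrs, now)
        records.append({
            "name": name,
            "domain": domain,
            "party": "first" if is_first_party(domain) else "third",
            "type": "session" if days is None else "persistent",
            "duration_days": days,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite", "(unset)"),
        })
    return records


def render_table(records):
    """Render the inventory as a Markdown table for the Cookies Policy."""
    lines = ["| Cookie | Domain | Party | Type | Duration | Secure | HttpOnly | SameSite |",
             "|---|---|---|---|---|---|---|---|"]
    for r in records:
        duration = ("until browser closes" if r["duration_days"] is None
                    else f"{r['duration_days']} days")
        lines.append(f"| {r['name']} | {r['domain']} | {r['party']} | {r['type']} | {duration} "
                     f"| {'yes' if r['secure'] else 'no'} | {'yes' if r['httponly'] else 'no'} "
                     f"| {r['samesite']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(audit(CAPTURED, AUDIT_NOW)))
```

Run as-is and the sample produces one session cookie and three persistent cookies with durations of 365, 730 and 90 days, the last of them third-party. The table still needs a human-written purpose column, since the purpose of a cookie cannot be read from its header, but the domain, type and duration columns are exactly the facts the BBVA and European Commission examples above differ on.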
This part of your Cookies Policy should contain the following information:
Details of how to withdraw consent or opt out via your cookie consent solution
A link to a recognized consumer advice site, such as:
Here's how Tesco links users to its cookie consent tool via its Cookies Policy:
Here's how Twitter explains some of the ways users can opt out of personalized ads:
Here's an example from Safe Passage of how to address "Do Not Track" signals in your Cookies Policy:
Note that California law doesn't actually require you to honor Do Not Track signals. It only requires you to inform users about how your website treats Do Not Track signals.
You must display your Cookies Policy prominently. Here are some tips for how to do this:
Provide a link to your Cookies Policy in a persistent header, footer, or sidebar on your website.
Here's how The Guardian displays a link to its Cookies Policy in a footer on its website:
Here's an example from the Information Commissioner's Office of how to link to your Cookies Policy as part of your cookie consent solution:
Your Cookies Policy should explain:
What types of cookies you use, including:
You should display a link to your Cookies Policy prominently wherever cookies are active on your website, and as part of your cookie consent solution.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.