How to Write a Cookies Policy

Cookies have infiltrated every corner of the internet. They're on all of our devices, gathering information about where we shop, what we read, and pretty much everything else we do online.

If you operate a website or app, the chances are that you'll be using cookies. You need to let your users know what cookies are, why you use them, and how they can control the cookies you place on their devices. You can do this by writing a Cookies Policy.

This article will tell you everything you need to know about how to write a Cookies Policy, including how to explain your use of cookies, what information to provide, and how to ensure your Cookies Policy complies with major privacy laws.


Cookies Policy: Frequently Asked Questions

Before we walk you through all the information you need to include in your Cookies Policy, let's answer a few FAQs about when a Cookies Policy is required.

Do I Need a Cookies Policy?

Yes, you need a Cookies Policy, or at least a "cookies" section in your main Privacy Policy, if you operate a website or app that uses cookies.

Providing information about your use of cookies is a legal requirement in many places, including the EU and UK, under the General Data Protection Regulation (GDPR), and across the U.S., for example, under the California Consumer Privacy Act (CCPA).

Also, if you use third-party advertising or analytics cookies, your agreements with service providers may require that you provide certain information about your use of cookies. You can do this via a Cookies Policy.

Do I Need a Separate Cookies Policy and Privacy Policy?

No, you don't necessarily need a separate Cookies Policy, as long as you already have a Privacy Policy. Many companies choose to operate a separate Cookies Policy because they use a lot of cookies.

If you use cookies, you should provide all the information we've listed below to your users. But you can do so as a section in your main Privacy Policy, if you prefer.

Do I Need a Cookies Policy for My Mobile App?

If your app runs personalized ads using programs such as Google AdMob, or analytics software such as Google Analytics for Firebase or Crashlytics, you'll need to make your users aware of the privacy implications.

Again, you can do this via a Cookies Policy or as a section in a longer Privacy Policy.

What If I Don't Collect Personal Information Via Cookies?

You'll need a Cookies Policy or Privacy Policy regardless of which types of cookies you use.

Firstly, you might be surprised to learn what constitutes "personal information." Under privacy laws in the U.S., Canada, and the EU (plus many other places) personal information can include data such as a person's IP address, device information, and location.

Secondly, even if the cookies you use don't collect personal information, you still need to let users know about this. And bear in mind that if you have users in the EU, the law on cookies doesn't actually concern personal information at all.

Sections of Your Cookies Policy

Here's how we recommend you structure your Cookies Policy. We've included four sections that will help explain cookies to your users and meet most countries' legal requirements.

1. What are Cookies?

Your Cookies Policy should begin with an overview of what cookies are. Try to use non-technical language. To comply with EU law, you need to specify that cookies are stored on the user's device.

Here's how The Guardian does this:

The Guardian Cookie Policy: Definition of a cookie clause

The Guardian's short and simple explanation is a good introduction to the company's Cookies Policy. This short explanation is fine because the company provides further information about the purposes and types of cookies it uses later in the policy.

Here's a longer explanation from Automattic:

Automattic Cookie Policy: Definition of a cookie clause

Automattic's longer explanation is well-written but more technical, and it incorporates information about the purposes and types of cookies the company uses. We recommend that you split this information up into multiple sections to make it easier to understand.

If you use other tracking technologies in addition to cookies, such as beacons and pixels, you should make it clear that your Cookies Policy also applies to these technologies.

2. Why You Use Cookies

Once you've explained what cookies are, you should briefly explain why you use them. This should be another short section that helps your users understand cookies. It will be supplemented by further information in later sections of your Cookies Policy.

Here's an example from Google:

Google Privacy and Terms: Use of cookies section

Google's brief overview explains that it uses cookies for:

  • Remembering user settings
  • Personalizing ads
  • Measuring engagement
  • User interface purposes
  • Security purposes

This brief overview covers hundreds of different cookies and cookie functions. Google will need to go into more detail, but this introductory paragraph helps get the basic information across to its users.

3. Types of Cookies You Use

You need to explain the types of cookies you use. We recommend you divide this section into two subsections:

  • Start with an overview of the types of cookies you use, categorized by their purpose
  • Then, provide a list of the specific cookies you use, together with more information about:

    • Their function
    • How long they are stored on users' devices
    • The third parties who can access them

Overview of Cookies

The overview of cookies you use is another short, simple section of your Cookies Policy that helps your users understand cookies.

Most Cookies Policies divide their cookies into three or four types. It's important to distinguish between the types of cookies you use, as different rules apply to different cookie types.

For example:

  • Necessary cookies: People often use the phrase "necessary cookies" to describe cookies that do not require consent under EU law. They include:

    • Cookies to keep a user logged in as they browse a website
    • Cookies that set user interface preferences
    • Load-balancing cookies to enable the website to load properly
    • Cookies to remember the contents of a shopping basket
  • Analytics cookies: These cookies track user behavior and engagement on a website or app for the benefit of the website operator. Analytics cookies do require consent under EU law (whether first- or third-party). You might also need to allow California users to reject third-party analytics cookies.
  • Advertising cookies: These cookies track user behavior across your website or app (and often across other websites and apps) to deliver personalized ads. They can also collect personal information such as a user's IP address, browser version, advertising ID, etc. Advertising cookies also require consent under EU law. You might also need to allow California users to reject advertising cookies.

Here's an example from Age UK of how to explain the different types of cookies:

Age UK Cookie Policy: What types of cookies are there clause

Note that Age UK splits "necessary cookies" into two categories: "strictly necessary cookies" and "functionality cookies." The charity also uses the term "performance cookies" instead of "analytics cookies."

This is fine, as long as you explain the function of each type of cookie.

List of Cookies

Your Cookies Policy should include a table listing all the cookies you use on your website or app. This is where your Cookies Policy becomes substantially more detailed.

Many websites and apps use hundreds of different cookies, so listing them all might be a daunting task. However, it's crucial that you know what cookies you're using, and you must explain each of them to your users.

If you're not sure which cookies you use, you should conduct a "cookies audit." Here are some steps you can take to conduct a cookies audit:

  • Cookie types:

    • Identify each cookie operating on your website using browser tools and/or code review
    • Confirm the purpose of each cookie and whether you need to continue using it
    • Check whether each cookie requires consent
  • Cookie storage:

    • Confirm whether each cookie is a "session" or "persistent" cookie
    • Determine how long each persistent cookie is stored
    • Consider whether this is an appropriate length of time given the cookie's function
  • Cookie data:

    • Check whether each cookie can be linked to other information about users (e.g. username) or otherwise involves the processing of personal information (e.g. IP addresses)
    • Check what other types of data each cookie processes
    • Determine whether each cookie is first- or third-party
    • For each third-party cookie, determine who is setting it

Once you have a clear picture of your use of cookies, you'll be able to tell users:

  • The name of the cookie
  • Its purpose
  • Its duration
  • What data it processes
  • In the case of each third-party cookie: who sets it, plus a link to the company's Privacy Policy
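The audit steps above and the list of what you must then tell users can be driven from the Set-Cookie headers your site's responses actually carry. The script below is an added example, not code from the article or from any of the companies it cites: it parses captured Set-Cookie header values, classifies each cookie as session or persistent, computes the storage duration (Max-Age takes precedence over Expires), and decides first- versus third-party by comparing the cookie's effective Domain with the audited site's domain. The site host, audit timestamp and sample responses are constructed, and the "last two labels" domain rule is a deliberate simplification (a real audit should use the Public Suffix List).

```python
"""Cookie-audit helper (added example, not from the article).

Builds the inventory the article asks for from captured Set-Cookie headers:
cookie name, which host set it, first- vs third-party, session vs persistent,
storage duration, and remaining attributes. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed: the site under audit and a fixed audit time, so durations
# derived from absolute Expires dates are reproducible.
SITE_HOST = "www.example.com"
AUDIT_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (URL of the response, Set-Cookie header values it carried).
# In a real audit these come from browser developer tools or a proxy capture.
SAMPLE_RESPONSES = [
    ("https://www.example.com/login", [
        "sessionid=abc123; Path=/; Secure; HttpOnly",
        "basket=3items; Max-Age=604800; Path=/",
        "ui_theme=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    ]),
    ("https://www.example.com/", [
        "_ad=xyz; Domain=.ads-network.example; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
    ]),
    ("https://stats.example-vendor.net/collect", [
        "_va=9f8e7d; Domain=.example-vendor.net; Max-Age=63072000; Path=/; Secure",
    ]),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str                      # host whose response set the cookie
    domain: str                      # effective Domain the cookie is scoped to
    party: str                       # "first-party" or "third-party"
    kind: str                        # "session" or "persistent"
    duration_days: Optional[float]   # None for session cookies
    attributes: List[str]            # remaining flags, e.g. secure, httponly


def registrable_domain(host: str) -> str:
    """Simplified: last two labels. Use the Public Suffix List in a real
    audit so hosts such as 'example.co.uk' are handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str, response_host: str):
    """Parse one Set-Cookie header value (simplified RFC 6265 handling):
    name=value first, then ';'-separated attributes or bare flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # A cookie without a Domain attribute is scoped to the host that set it.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    return name, domain, attrs


def duration_days(attrs: dict) -> Optional[float]:
    """Max-Age wins over Expires (RFC 6265); neither means a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - AUDIT_TIME).total_seconds() / 86400
    return None


def audit(responses, site_host: str = SITE_HOST) -> List[CookieRecord]:
    """Turn captured responses into one CookieRecord per Set-Cookie header."""
    site = registrable_domain(site_host)
    records = []
    for url, headers in responses:
        host = urlsplit(url).hostname
        for header in headers:
            name, domain, attrs = parse_set_cookie(header, host)
            days = duration_days(attrs)
            records.append(CookieRecord(
                name=name, set_by=host, domain=domain,
                party="first-party" if registrable_domain(domain) == site else "third-party",
                kind="session" if days is None else "persistent",
                duration_days=days,
                attributes=sorted(k for k in attrs
                                  if k not in ("domain", "path", "expires", "max-age")),
            ))
    return records


def render_table(records: List[CookieRecord]) -> str:
    """Plain-text table: the skeleton of the cookie list for the policy."""
    lines = ["name | set by | party | kind | duration | attributes"]
    for r in records:
        dur = "session" if r.duration_days is None else f"{r.duration_days:.0f} days"
        lines.append(f"{r.name} | {r.set_by} | {r.party} | {r.kind} | {dur} | "
                     f"{','.join(r.attributes) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(audit(SAMPLE_RESPONSES)))
```

The table still needs the two columns only a human can fill in: each cookie's purpose and what data it processes. Note also that `_ad` is set by a first-party response but scoped to a third-party Domain, which is why the classification is driven by the Domain attribute rather than by which host sent the header.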

There are several approaches to providing this information. Many companies provide a list of first-party cookies followed by a list of third-party cookies.

Here's an example from BBVA:

BBVA Cookies Policy: Own Cookies and Third Party Cookies lists

Note that although BBVA provides information about whether a cookie is "persistent" or "session," it doesn't specify the duration for which persistent cookies are stored.

Here's an example from the European Commission's Cookies Policy which provides more precise information about each cookie's duration:

European Commission Cookies Policy: Chart with cookie type and duration highlighted

4. How to Manage Cookies

You must tell users how they can manage your use of cookies. The extent to which you need to allow them to do so will vary, depending on the laws that apply to your website or app.

This part of your Cookies Policy should contain the following information:

Here's how Tesco links users to its cookie consent tool via its Cookies Policy:

Tesco Privacy and Cookies Policy: Managing your cookie preferences clause

Here's how Twitter explains some of the ways users can opt out of personalized ads:

Twitter Help - General Guidelines and Policies - Privacy Options: Interest-based ads section

Here's an example from Safe Passage of how to address "Do Not Track" signals in your Cookies Policy:

Safe Passage Cookies Policy: DNT Signals clause

Note that California law doesn't actually require you to honor Do Not Track signals. It only requires you to inform users about how your website treats Do Not Track signals.

How to Display Your Cookies Policy

You must display your Cookies Policy prominently. Here are some tips for how to do this:

  • Provide a link to your Cookies Policy in a persistent header, footer, or sidebar on your website.

    • If a webpage contains large amounts of text, it might be best to display a link via a header as it is unlikely that users will want to scroll to the bottom of the page.
  • Make sure you present your Cookies Policy to users whenever cookies are active.
  • Display a link to your Cookies Policy as part of your cookie banner or consent solution.
  • Make sure your Cookies Policy (or at least your main Privacy Policy) is accessible via the "settings" or "about" menu of your app.
  • When formatting your Cookies Policy link, make sure it stands out. Use a font that contrasts with the background and is at least as big as the surrounding text.

Here's how The Guardian displays a link to its Cookies Policy in a footer on its website:

The Guardian website footer with Cookie Policy link highlighted

Here's an example from the Information Commissioner's Office of how to link to your Cookies Policy as part of your cookie consent solution:

ICO Cookie Consent Notice with Cookies Policy page link highlighted

Skyscanner displays a link to its Cookie Policy within its mobile app cookie consent notice:

Skyscanner mobile app Cookie Consent Notice

Here's how Twitter displays its Cookie Policy in its mobile app About menu:

Twitter About Section showing Cookies Use in the Legal Menu of Mobile App

Summary

For website operators and app developers, a Cookies Policy (or, at least, a "cookies" section in your main Privacy Policy) is a legal requirement in most legal jurisdictions.

Your Cookies Policy should explain:

  • What cookies are
  • Why you use cookies
  • What types of cookies you use, including:

    • An overview of different cookie types
    • A list of all the cookies you use, including their name, purpose, and duration. In the case of third-party cookies, you should also explain who sets these cookies.
  • How users can manage your use of cookies

You should display a link to your Cookies Policy prominently wherever cookies are active on your website, and as part of your cookie consent solution.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.