Cookie Clauses For Your Privacy Policy

If your website or app uses cookies, your Privacy Policy must address cookies. This applies no matter where your business is located, or where you transact business.

However, if your business is located in the EU or is directed towards people located in the EU and uses cookies, you'll need to meet additional requirements beyond a cookie clause in your Privacy Policy. In fact, you may need a separate Cookies Policy.

This article will outline why you need to disclose your use of cookies in a Privacy Policy and show examples of such clauses to help you create your own. We'll also consider when you may need a Cookies Policy in addition to a cookie clause in your Privacy Policy.

What are Cookies?

Cookies are small data files stored on a user's computer or mobile device. Cookies may retain log-in information, save preferences, and even direct users to the spot where they last browsed.

Almost every website or app uses cookies to track data and create personal experiences for users. They're also a key component of analytics functionality.

Cookies may be enabled or disabled within browsers or indicating preferences in the settings section on mobile devices. Since cookies have privacy implications, their use needs to be addressed in the Privacy Policy of any website or app that uses them.

Before these files can be placed on a user's device, at a bare minimum, notice must be provided to the user. With certain types of cookies, some sort of permission or consent, whether active or passive, must be obtained.

These requirements are part of the California Online Privacy Protection Act (CalOPPA) as well as the EU Cookies Directive, both of which affect any website or mobile app that can be used by any resident of California, or any citizen of any EU country, respectively.

Do You Need to Address Cookies in a Privacy Policy?

Yes, you do. While cookies do not collect data as extensively as online forms or a sign-up process would, they do often collect some type of personal information, and users may still find them to be intrusive. That is why it is important to address them in your Privacy Policy.

When cookies are in use, it's normal to see Privacy Policies that contain an entire section or subheading addressing cookies.

There are two main reasons why you would want cookie clauses in your Privacy Policy:

• To be transparent

  Even if you wouldn't be required to inform users, it's still a good idea to let them know you use cookies.

  Discussing cookies in your Privacy Policy allows you to explain which cookies you use, why you use them, and the benefits they offer users. This transparency will help users stay informed, while making your site look much more trustworthy and professional.

• To comply with privacy laws

  Privacy laws require that you disclose what personal information you collect. Because some cookies do collect personal information, they are considered to be covered by privacy laws even when not explicitly mentioned in the law's text. To ensure you don't violate any privacy laws that you may have to comply with, you should always disclose your use of cookies in your Privacy Policy.

Do You Need a Separate Cookies Policy or are Cookies Clauses Enough?

You most likely do not need a separate Cookies Policy, but having one can help with legal compliance.

Because some types of cookies collect protected personal information, they fall under the scope of privacy laws and their use must be disclosed. One method of disclosing them is through a Cookies Policy.

Cookies Policies are especially helpful for businesses that use a lot of cookies on their websites, as they allow for the disclosure of a lot of informatiin in a more organized, easy-to-understand way.

Content for Cookies Clauses: Examples

Your cookie clause should explain what cookies are, let users know that you use them for specific purposes, and what they can do in regard to disabling or rejecting cookies being used.

Cookies information in your Privacy Policy should clearly labeled under its own section or subheading. This keeps the information transparent and easy to find which is important since some users may feel uncomfortable with cookies technology.

If you provide a Table of Contents in your Privacy Policy, include a link to your cookies chapter or section. This makes it easier to find.

Amazon offers this to its visitors:

As noted, your cookies clause should address why you use cookies, what they do, and how to disable them. That helps you meet the goals listed above regarding transparency, consent, and liability.

Explanations regarding your cookies usually start at the beginning. Other tracking software may also be mentioned in this section, so feel free to include mention of web beacons and other technology.

Apple explains that its websites and online services use cookies for providing services, customizing advertisements, and providing interactive applications. This is all mentioned in the beginning of its section on cookies:

Lenovo, an international computer and software company, takes the same approach. In the U.S. version of its Privacy Policy, it also explains that it collects information and stores it in log files:

Sometimes there may be more detailed covering of cookies. This is especially true with businesses that have an international presence or simply use many types of cookies and user tracking technology.

Lenovo offers this further explanation of cookie usage right after its introductory paragraph in the cookies section. It also mentions that cookies may be turned off in the user's web browser:

Apple explains to users how to turn off cookies in both its Safari browser and its mobile devices:

If an app or website uses unique tracking features, cookie provisions can address those as well. Apple has an ad tracking process that customizes advertisements to consumer preferences. Its cookies provision addresses turning that off:

Assess your cookie usage before you finalize a cookies provisions in your company's Privacy Policy.

If you use cookies that are controlled by processes other than browser or mobile device settings, include links or instructions that address them.

The Cookies Policy

If you are based in the EU or have EU customers, you should have a Cookies Policy in addition to the cookie provisions in your company's Privacy Policy. It can also be helpful to have for businesses that use a large number of cookies, as it will keep your Privacy Policy from becoming too long or complicated.

A Cookies Policy is basically an entire policy dedicated to disclosing your use of cookies, why you use them, and how your users can control this. It can be linked to your website footer or anywhere else your other legal agreements (Privacy Policy, Terms of Use, etc.) are included.

The EU Cookies Directive places additional requirements on your use of cookies on an app or website.

EU Cookies Directive

The EU Cookies Directive is part of an ePrivacy Directive amended in May 2011.

In the U.S., acceptance of cookies is implied through the acceptance of the Privacy Policy. There are no notice requirements. In contrast, the EU places extensive notice requirements on companies.

The EU Cookies Directive requires that:

• You must notify users that cookies are being used on your website, including which cookies, why they are used, and how,
• Users must indicate consent to the cookies, usually by clicking an "I Agree" button or checkbox, or
• If you provide a visible notice on your site that cookies are being used and if the user continues to browse, they accept the cookies.

Most EU companies provide a cookie consent notice or active consent platform when it comes to cookies and create a separate Cookies Policy agreement.

Here's how BuzzFeed has a cookie consent notice that lets users make choices, while also linking to its full Privacy and Cookie Policy:

And here's how Tinder displays a cookie consent notice that requests consent while allowing users to personalize cookie choices if they wish, or decline cookies outright:

The Independent includes information within its Cookie Policy about managing cookies on a number of different popular web browsers, which helps give users control:

Like Disclaimers and Return Policies, the Cookie Policy is a separate document on its own but it reflects similar provisions in the Privacy Policy.

This allows users who are interested in cookies to navigate directly to where they receive the most information on how and why you use them.

Summary

No matter where you do business, you need cookies provisions in your Privacy Policy. These clauses should explain that you use cookies, what cookies are, and what types of cookies you use for what purposes. If you offer users any rights regarding settings and preference changes, you should note this as well.

If you do business in the EU, simply having a cookies clause in your Privacy Policy will not be enough to meet the EU Cookies Directive. It doesn't give the appropriate notice, so you will need at minimum a cookie consent notice in place.

You will need to provide clear links to your Privacy Policy, and to your Cookies Policy if you have one. This is so that users can access the agreements at any time if they wish to view how you handle cookies. And don't forget about cookie consent if applicable.