Last updated on 25 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
If your website or app uses cookies, your Privacy Policy must address cookies. This applies no matter where your business is located, or where you transact business.
However, if your business is located in the EU or is directed towards people located in the EU and uses cookies, you'll need to meet additional requirements beyond a cookie clause in your Privacy Policy. In fact, you may need a separate Cookies Policy.
This article will outline why you need to disclose your use of cookies in a Privacy Policy and show examples of such clauses to help you create your own. We'll also consider when you may need a Cookies Policy in addition to a cookie clause in your Privacy Policy.
A cookie is a small data file stored on a user's computer or mobile device. Cookies may retain log-in information, save preferences, and even direct users to the spot where they last browsed.
Almost every website or app uses cookies to track data and create personal experiences for users. They're also a key component of analytics functionality.
Cookies may be enabled or disabled within browsers or by indicating preferences in the settings section on mobile devices. Since cookies have privacy implications, their use needs to be addressed in the Privacy Policy of any website or app that uses them.
When cookies are in use, it's normal to see Privacy Policies that contain an entire section or subheading addressing cookies.
While cookies do not collect data as extensively as online forms or a sign-up process would, users may still find them to be intrusive. That is why it is important to address them in your Privacy Policy.
There are two main reasons why you would want cookie clauses in your Privacy Policy:
To be transparent
Even if you wouldn't be required to inform users, it's still a good idea to let them know you use cookies.
Discussing cookies in your Privacy Policy allows you to explain which cookies you use, why you use them, and the benefits they offer users. This transparency will help users stay informed, while making your site look much more trustworthy and professional.
To comply with privacy laws
Privacy laws require that you disclose what personal information you collect. Because some cookies do collect personal information, they are considered to be covered by privacy laws even when not explicitly mentioned in the law's text. To ensure you don't violate any privacy laws that you may have to comply with, you should always disclose your use of cookies in your Privacy Policy.
The content within these sections on cookies needs to address these three reasons outlined above.
Here is how to accomplish that.
Cookies information in your Privacy Policy should be clearly labeled under its own section or subheading. This keeps the information transparent and easy to find, which is important since some users may feel uncomfortable with cookie technology.
If you provide a Table of Contents in your Privacy Policy, include a link to your cookies chapter or section. This makes it easier to find.
Amazon offers this to its visitors:
In the chapter on cookies, address why you use cookies, what they do, and how to disable them. That helps you meet the goals listed above regarding transparency, consent, and liability.
Explanations regarding your cookies usually start at the beginning. Other tracking software may also be mentioned in this section, so feel free to include mention of web beacons and other technology.
Apple explains that its websites and online services use cookies for providing services, customizing advertisements, and providing interactive applications. This is all mentioned in the beginning of its section on cookies:
Lenovo, an international computer and software company, takes the same approach. In the U.S. version of its Privacy Policy, it also explains that it collects information and stores it in log files:
Sometimes, there may be more detailed discussion on cookies. This is especially true with entities that have an international presence or simply use many types of cookies and user tracking technology.
Lenovo offers this further explanation of cookie usage right after its introductory paragraph in the cookies section. It also mentions that cookies may be turned off in the user's web browser:
A further explanation by Lenovo mentions that web beacons and other tracking technologies work in conjunction with cookies. If you take the same approach with your website, you may wish to add similar information to your cookie provisions:
The introductory provisions from Lenovo above offer some instruction on disabling cookies. Apple explains to users how to turn off cookies in both its Safari browser and its mobile devices:
If an app or website uses unique tracking features, cookie provisions can address those as well. Apple has an Ad Tracking process that customizes advertisements to consumer preferences. Its cookies provision addresses turning that off:
Lenovo uses Flash cookies to support its cloud storage systems. These are often managed by third parties. It offers instructions for disabling these while also providing a link with further information:
Assess your cookie usage before you finalize the cookie provisions in your company's Privacy Policy.
If you use cookies that are controlled by processes other than browser or mobile device settings, include links or instructions that address them.
The examples above are from Privacy Policies applicable to U.S. customers.
If you are based in the E.U. or have E.U. customers, you need a Cookies Policy in addition to the cookie provisions in your company's Privacy Policy.
The E.U. Cookies Directive places additional requirements on your use of cookies on an app or website.
The E.U. Cookies Directive is part of an e-Privacy Directive amended in May 2011.
In the U.S., acceptance of cookies is implied through the acceptance of the Privacy Policy. There are no notice requirements. The E.U. places extensive notice requirements on companies.
The EU Cookies Directive requires that:
Most E.U. companies provide a banner or active consent platform when it comes to cookies and create a separate Cookies Policy agreement.
When you visit Lenovo's Netherlands site, you first see this dialog. To continue, a user must hit the green "Accept and enter the website" button:
Even if you decide to rely on implied consent, your notice banner must be visible. It should remain until a user clicks on a certain number of pages within your site. Here is an example of how that can work:
Lenovo has different Privacy Policies for the U.S. and Netherlands. When you visit the U.S. version of the Privacy Policy of Lenovo, cookies are not specifically mentioned even though there are provisions about them in the Privacy Policy:
The Netherlands version of the Privacy Policy offers a link to the cookie provision in the Privacy Policy as well as a link to its Cookies Policy:
Another place where you will find differences is the footer section of a website.
Amazon does not offer a link to a Cookies Policy on its U.S. page:
But you will find a link to the Cookies Policy on its U.K. page:
If you are doing business in the E.U., or are based there, you not only have to offer a Cookie Policy but you also must make it visible.
Provide a link to the Cookie Policy in your banner or request active consent, but also add links on a privacy page, in your Privacy Policy, and the web footer.
Like Disclaimers and Return Policies, the Cookie Policy is a separate document on its own but it reflects similar provisions in the Privacy Policy.
This allows users who are interested in cookies to navigate directly to where they receive the most information on how and why you use them.
Lenovo's Netherlands site includes a Privacy Policy that's similar to the one for the U.S. site (translated by Google):
When you visit the Cookies Policy for the Netherlands website, Lenovo adds details that go beyond the Privacy Policy provisions. However, they act as clarification and do not contradict one another:
This is intended to give consumers more information as required not only by the E.U. Cookies Directive but also Netherlands law.
Amazon U.K. takes the same approach with its Cookies Policy.
Its U.K. Privacy Policy contains a linked header on cookies. Its Cookies Policy also acts as an enhancement of those privacy terms:
No matter where you do business, you need cookies provisions in your Privacy Policy.
In the U.S. it's a courtesy more than a legal requirement, but transparency helps with customer relations.
If you do business in the E.U., your Privacy Policy provisions about cookies will not be enough to meet the EU Cookies Directive.
You will need to assess your website and app for proper notices and provide clear links to the cookie provisions in the Privacy Policy and to your Cookies Policy.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.