If your business is based in the EU or is directed toward EU citizens, you are required by law to comply with the EU Cookies Directive. That means that you have to notify your site's visitors that you're using cookies, and you must obtain their consent for cookie usage.
There are a number of ways you can go about displaying a cookies consent notification on your website. You can use a simple banner notification such as a header notification or a fixed footer notification. You also could use a pop-up notice.
In this post, we'll take a look at examples of cookies notices. We will also look at the wording they use. But before we begin, let's quickly discuss what a Cookies Policy is and why it's required.
When you visit a website that uses cookies, these cookies will get placed on your device. Cookies can contain information about actions you take on the page. The information is specific to you and the website you visited.
When you visit the website again, the site automatically looks for the cookie on your device and reads its contents to tailor your browsing experience based on how you interacted with the website in the past.
The benefit of cookies is a more personalized and often faster browsing experience. However, some consumers may not want you to track their browsing behaviors.
Therefore, some privacy laws require you to disclose and explain your Cookies Policy to your site visitors.
The strictest laws require you to get informed consent from users before using cookies.
What is a Cookies Policy?
The purpose of a Cookies Policy is to let your end users know that you're using cookies on your website or app.
At minimum, your Cookies Policy should address the following:
- The types of cookies you're using
- How you're using the cookies
- How your end users can manage cookie settings on their device(s)
Simply put, your Cookies Policy is where your end users can find detailed information about your cookies usage and how they can manage cookie settings on their devices.
Why You Need a Cookies Policy
Unless your business is based in the EU or is specifically targeted at EU citizens, you're not required by law to post a Cookies Policy on your website. Simply having a clause that addresses your cookies usage in your Privacy Policy is enough.
However, if your business is based in the EU or targets EU-based citizens, you're required by the EU Cookies Directive to post a separate Cookies Policy on your website.
The GDPR also has requirements for businesses that collect or use the personal information of people in the EU, and most cookies collect personal information.
In the European Union (EU)
The EU Cookies Directive requires you to post a fully separate Cookies Policy on your website and requires that your cookies usage is compliant with the EU Cookies Law.
For example, Amazon's UK website has a separate Cookies Notice linked from the homepage footer.
The law requires you to notify your end users and visitors that you're using cookies, let them know why you're using cookies, and obtain informed consent from them before you can place cookies on their devices.
Let's take a closer look at each requirement.
You can notify your end users that you're using cookies on your website by displaying a banner-style notice across the top of your website.
This notice should be written in easy-to-understand language and not legalese. You should include information about which types of cookies you're using, why you're using them, and how they're being used.
In addition to this, the notice should link to your complete Cookies Policy.
You have to obtain the user's consent before you can place cookies on their devices and access information about them, their interaction with your website, or their devices.
Here's a nice example from Mikesdotnetting of a compliant Cookies Notice in banner form that collects informed consent from the user before placing cookies on a device:
In this example, users are informed about the site's use of cookies to "personalize content and adverts, to provide social media features and to analyze traffic." Additionally, users are given the choice to click an "I'm happy with this" button or, instead, a "Learn more" button.
Most importantly, the site will not place cookies on the user's device unless and until the "I'm happy with this" button is clicked.
Businesses based in the EU usually embed a similar button or a checkbox in their cookies notice. A checkbox requires the user to click to provide consent to the website's cookie usage. Doing this ensures active consent to your use of cookies and complies with the EU law.
The European Commission offers a Cookie Consent Kit to assist with complying with requirements to collect informed consent from users before placing cookies on a device and to allow users the option to refuse cookies.
In the United States
Businesses and companies based in the United States aren't required to post a separate Cookies Policy on their website or comply with the EU Cookies Directive unless they're doing business directed toward EU citizens.
Most businesses based in the US choose to include a Cookies clause in their Privacy Policy agreements to let their end users know they use cookies. Others, however, add information about their cookie usage to their Information We Collect section.
For instance, ALDO's US Privacy Policy includes a Cookies section. It describes briefly what cookies are and how they're used:
Examples of Websites with Cookie Notifications
Most EU businesses have taken appropriate measures to ensure compliance with the EU Cookies Directive. They have done this by posting a separate Cookies Policy on their website in addition to displaying a banner or pop-up notification to collect informed consent from website visitors.
Let's take a look at some examples of websites that use cookies and see how they approach the cookie notification. This way, you'll have a better idea about how you can display cookie notifications on your own website.
Banners are eye-catching, which makes them an excellent way of displaying cookie notifications. You can use the banner space to display a simple yet informative notice that you're using cookies on your website and link to your complete Cookies Policy from there.
What to Do
The New York Times' cookies banner includes a brief description of what cookies are used for, a link to the full Cookie Policy, and a statement that by clicking "I Accept", by clicking the X, or by using the site, the user consents to cookies.
What Not to Do
This example from The Co-operative Bank shows an outdated, passive approach to assuming cookies consent.
The banner explains in clear terms that the website uses cookies to give users the best possible experience, and that by using the site, users are providing their consent to having cookies placed on their device. The banner also briefly explains what cookies are and that the cookies used by The Co-operative Bank website do not collect personal information. Additionally, it provides a link to the Privacy Policy, which contains a section dedicated to Cookies.
Much of this is good. However, this example falls short of complying with the EU Cookies Directive because it does not require active and informed consent from the user.
Links to Your Cookies Policy
In addition to a Cookies notice, you should include a link in your website's footer that redirects to your Cookies Policy. Note that skipping a Cookies notice and only adding a footer link is not compliant because it doesn't acquire active consent from users to place cookies on their devices.
Here's how Vimeo includes a Cookies link in its website footer:
Summary
The design and wording of your cookies notice are important. It's recommended that the text you include in your cookies notice is easy to understand and written in plain language. For this reason, most websites simply state that they use cookies and provide a link to their complete Cookies Policy for further information.
Additionally, your cookies notice should be very easy for first-time visitors to see. Because visitors might land on a page that's not the homepage, it's a good idea to display the notification on all pages on your website.
Finally, you should provide an easy-to-find link to your Cookies Policy and simple instructions for opting out of your cookies use.
Compliance with the EU Cookies Directive means you'll need to display a cookies notice on your website or mobile app that:
- Informs your end users that you're using cookies
- Explains what cookies are and why you use them
- Obtains the user's active and informed consent to place cookies on a device