Clear clauses in your user documents that describe aspects of your cookie usage and the rights users have regarding this can help you comply with these laws. They can also help you build trust with potential customers.
Here's what you need to know about cookies opt-out and management clauses and how to draft them.
The most prominent laws covering cookies come from Europe. As we'll cover, there's a good chance that you are covered by these laws even if you are outside of Europe.
If you aren't covered by these laws, you may not specifically need to address cookie use, though the data you collect or process through cookies could come under data privacy laws in your country.
The European Union has two separate laws that address cookies:
The Privacy and Electronic Communications Directive 2002 (commonly called the ePrivacy Directive) contains measures which individual EU countries have incorporated into their domestic laws. Whether and how they apply to you may vary from country to country.
The General Data Protection Regulation (GDPR) applies automatically in all European Union countries. Its scope means that it applies when you process data in any of three circumstances:
- You (the data processor) are in the European Union
- The person the data is about (the data subject) is in the European Union, or
- The physical data processing (eg in a data center) takes place in the European Union
The GDPR's scope is not so much about cookies but rather the information they contain.
The GDPR applies where this information could be combined with other data in a way that identifies an individual. If this is the case, you can only use the cookie for specific reasons, most commonly that you have consent.
The specific requirements for consent for cookies under both the ePrivacy Directive and the GDPR has developed over time through court and regulatory rulings.
Key points to remember are as follows:
- Consent must be active and meaningful, based on the user having clear information about the cookie.
- Active means the user gives a positive, unambiguous indication of consent (also known as clickwrap).
- Users must be able to withdraw consent and have you immediately stop any processing based on this consent.
- You cannot refuse to let the user access the site if they don't accept cookies other than strictly necessary ones. This approach, known as a cookie wall, means the user doesn't have a meaningful choice about accessing cookies.
- You cannot say that continuing to use the site constitutes consent. (This is browsewrap, and not valid under the GDPR.)
- You cannot take scrolling down a page as a sign of consent.
- You cannot use pre-ticked checkboxes or toggles set to "yes" when asking for consent.
What to Include in Cookies Opt-Out and Management Clauses
Types of Cookies Used
The most comprehensive approach to detailing cookie use is to list every cookie you use. This can be helpful though does risk being overwhelming if you use a lot of cookies. It will also make it harder to keep the information up to date and avoid inadvertently misleading users.
A more common approach is to summarize the types of cookies you use. You have several ways to do this, including:
- First party (issued by you) vs third party (issued by somebody else)
- Essential vs non-essential
- Session (removed when the users logs out or closes their browser) vs persistent
However, when you are thinking about users giving specific consent for cookies and data use, it's best to group the cookies by their function, such as:
- Necessary (for example, security cookies)
- Functionality (for example, to customize the site content for users)
- Analytical (for example, to track usage statistics)
- Marketing (for example, to customize the ads a user sees on the site)
Remember that at the absolute minimum, you must have an option to accept all cookies and reject all cookies, and the buttons to exercise these two options should be equally prominent. However, users should still be able to choose specific settings for different types of cookie without too much extra time or effort.
Buhler details four types of cookies and then lists which category each individual cookie falls into:
How You Use the Data Cookies Collect
To comply with the GDPR, you need to explain how you use any data in cookies that can be linked to an identifiable individual. If you are relying on consent to make data processing legal, you must list all purposes for which you will use the data. You cannot use the data for a different purpose later on without fresh consent.
For both the GDPR and many other data laws, you must also say whether you will share the data with any third parties and, if so, who will get it.
Under the GDPR, if you plan to transfer the data to a country outside of the European Union you must say how you will make sure it remains protected. This could be through the country having an "equivalency" agreement with the EU, or by you having a binding contract with the recipient.
Either way, users must have a reasonable opportunity to read the information relating to the cookies before they decide whether to give or withhold consent.
Scientific American gives a clear list of the ways it uses information from cookies:
How Users Can Opt Out and Change Cookie Settings
You must explain clearly how users can change settings after initially giving consent to cookies. Remember that in principle this should be as easy as giving consent, and in practice it should be as straightforward as possible.
You could build the cookie settings menu directly into the clause via a link or interactive tool. You can also explain how users can block cookies through their browser. You could give specific instructions, though this risks being confusing, particularly if you don't keep the details up to date. Instead, it may be simpler to link to the relevant pages on major browser developer websites.
Remember that this is purely information to help users. You cannot rely on users altering browser settings to indicate giving or withdrawing consent for cookies or data use. This is because browser settings don't usually offer enough granular controls over the different types of cookies on a particular website to allow users to exercise a meaningful choice.
The Business & Human Rights Resource Centre clearly explains how to adjust cookie settings on its website as well as noting the browser settings option:
Civica links to information about specific browser settings plus general advice:
NOw that you know what content to include in a cookies opt-out and management clause, let's look at where you should display this clause to the public to make it most effective and legally compliant.
Where Should Cookie Clauses Appear?
Exactly where you must put cookie clauses may depend on which laws apply and what information you are giving. The key principles are as follows.
You must ask for consent before placing cookies. This is why most sites use a pop-up window (a cookie consent notice) that appears as soon as somebody visits the site for the first time. As consent must be specific, sites often give users a choice to accept or reject different types of cookie.
You must give clear information about how you use the cookie and the data you collect. You could show this as part of the pop-up window, though it may be too detailed and become cumbersome.
The Information Commissioner's Office uses a pop-up menu which covers the key information and links to full details:
Let's recap what you need to know about cookie consent and management clauses:
- Many laws, particularly in Europe, require you to inform users or get consent when you issue cookies.
- These laws include the ePrivacy Directive and the GDPR and can apply to businesses outside of Europe.
- The ePrivacy Directive requires consent to issue non-essential cookies. The GDPR requires consent to use data collected through cookies if it can be linked to an identifiable person.
- In both cases, consent must be clear and active.
- You should list the types of cookies you use. It's best to categorize them by what they do, giving users a better opportunity to give or withhold specific consent for specific purposes of data processing.
- You should also explain how you use data from cookies, whether you share it (and who with), and how you protect it when you transfer it to other countries.
- You should explain how to change cookie settings and withdraw consent through the site. You can also explain how to block cookies through browser settings, though this isn't a replacement for site settings.