The General Data Protection Regulation (GDPR) is the main law covering the way organizations handle personal data relating to individuals in the European Union. It is a regulation rather than a directive, which means it took legal effect across the 28 European Union member countries without having to be built into domestic legislation.

The law applies to both controllers and processors of personal data. Controllers are the people or organization who decide how and why data is processed. Processors must directly comply with the GDPR, but controllers are also legally responsible for making sure the processors they use comply with the GDPR.

The GDPR applies whenever you collect personal data about somebody who is in an EU country. It doesn't matter if you are based outside the EU or where you physically store or process the data.

Let's find out how it affects your Cookies Policy.


Do I need a Privacy Policy and a Cookies Policy under the GDPR?

The GDPR dictates some information that you must provide to anyone whose personal data you are collecting. The GDPR also says that any information you provide must:

"be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used."

A Privacy Policy is the only practical method of meeting these requirements.

The way the GDPR applies to cookies is not as obviously clear-cut. The wording of the legislation says that cookies are relevant where they could be:

"combined with unique identifiers and other information received by the servers [that] may be used to create profiles of the natural persons and identify them."

In other words, if a cookie (by itself or combined with other information) makes it possible to identify an individual, it counts as personal data that falls under the protection of the GDPR.

This means it is possible to detail what cookies you use, and how you use them, within the Privacy Policy itself. In this example from The Telegraph, a combined Privacy and Cookie Policy has a specific section on cookies but also refers to them elsewhere in the document where relevant:

Telegraph UK Privacy and Cookie Policy: What information do we gather clause

Should I Have A Separate Cookies Policy Even Though the GDPR Doesn't Require It?

For several reasons, having a separate Cookies Policy makes sense.

Better Visibility

Better Visibility

When somebody visits your site, there's a good chance that the issue of cookies will arise before they provide any personal data that could trigger the GDPR. This means the visitor may need to make an informed decision about accepting cookies before they've had any real need to read through a Privacy Policy.

Having a separate cookie policy will save them time hunting through a Privacy Policy for the relevant section. This will create a favorable impression and show you are being clear and open with users.

More Manageable Information

More Manageable Information

Cookies Policies sometimes need to be relatively detailed. Incorporating them into a Privacy Policy may create a particularly long document that is off-putting and even overwhelming to users. This could undermine the point of providing clear, actionable information.

If your Privacy Policy is already rather long and your section on cookies would be very long because you use a number of them, consider having a separate Cookies Policy to make things easier for your readers to understand.

Other Regulations

Even where the GDPR doesn't apply to cookies, you may still be covered by other legislation.

For example, in the United Kingdom, the directive covering cookies was adopted through the Privacy and Electronic Communications Regulations.

While the European rules are arguably the most stringent, other countries either have or may introduce regulations for cookies. The nature of the internet means your business or website may be affected by such regulations regardless of where you are physically based.

Having a separate Cookies Policy will greatly reduce the risk that you inadvertently breach any of these laws and regulations, particularly if you move from a domestic business to an international one.

What Should I Include in a Cookies Policy?

What Should I Include in a Cookies Policy?

Cookies Policies aren't as in-depth and long or detailed as a standard Privacy Policy. They can get longer if you use a lot of cookies for a lot of things, but typically speaking they only have a few parts. Let's take a look at some of the parts yours should have.

Introduction

An effective Cookies Policy will often begin by simply saying that your site uses cookies and explaining what cookies are. If you operate a website, this may seem incredibly obvious from your perspective, but it's easier to err on the side of caution. A clear explanation can set the user's mind at rest and reduce concern.

Sage gives an overview of cookies before going into the specifics of which cookies it uses:

Sage Privacy Notice and Cookie Policy: Cookies, analytics and traffic data clause intro

This section tends to be more standard across the board and defines what cookies are and generally what they do.

What Cookies You Use and Why

What Cookies You Use and Why

In theory you could have separate sections with one detailing the specific range of cookies you use and the other explaining why you are using them. In practice this can be unwieldy and leave the user having to cross-reference back and forth to make sense of things.

Instead it's usually better to detail each cookie individually and briefly explain what the cookie is for and what information it covers. It's also worth detailing whether it's you who creates and operates the cookie or if a third party does it.

Pearson uses drop-down links to cover its wide range of cookies in an accessible manner:

Pearson UK Cookie Policy: Types of cookies used and how clause

You can structure this section any way you want to, as long as it's informative and easy to read. The drop-down styling here is helpful and makes things seem more organized for readers, but it isn't necessary.

How to Opt Out

How to Opt Out

Give clear details of how a user can opt out of cookies. In particular, say what the user needs to do to opt out of one cookie or type of cookie while still accepting the others.

It's perfectly fine - and in fact a good idea - to make clear what the consequences of opting out of a cookie will be. You shouldn't exaggerate or mislead, but it's fine to point out that functionality could be restricted.

Amazon not only explains why blocking its cookies will make its site effectively unusable but also details why:

Amazon UK Cookies Policy: Reject cookies clause

Medela gives a clear overview of cookies, pointing to third party guides rather than attempting to cover all browser instructions (which could become outdated):

Medela Privacy Policy: Managing Your Cookie Settings clause

Conde Nast uses a more detailed approach, covering how to opt out of receiving cookies from specific sources, as well as how to block them within a web browser:

Conde Nast Cookie Notice: Opting Out of Cookies clause

The more informative you are with this clause, the better. Make it easy for your users to opt out if they'd like to.

Reminder

When you're deciding what to include in a Cookie Policy and how to write it, don't forget the main purpose of the policy: to give users clear information that lets them make an informed decision whether or not to accept or opt out of the cookies.

How to Display a Cookie Policy

Common and effective ways to display a Cookie Policy fall into three main categories.

A clear link from every page on your site to the cookie policy is a simple option and works well next to links for other similar documents such as a Privacy Policy or Terms and Conditions page. Links could go in a header or sidebar, but a footer link is often the best way to make the links clearly visible without obstructing the main body of the page.

Goodwin Proctor uses its footer to cover legal notices including Cookie Policy, a sign-up link and its social media links:

Goodwin Proctor website footer with links

Another benefit to placing a link here is that people are accustomed to seeing footer links and intuitively know to look there for legal information or other important links.

You can include the Cookie Policy link alongside related links in a drop-down menu. This is more suited to a mobile-friendly page or mobile app where the width of the page is narrower than a computer screen, so a horizontal set of links or a sidebar menu could be unwieldy.

It's worth thinking about your audience. Tech-lovers may be more familiar with "conventions" such as three dots or lines being the icon for revealing a drop-down menu. More casual or less confident internet users might need clearer signposting.

Facebook's Lite Messenger app uses two layers of drop down menu to reduce clutter:

Facebook Lite Messenger app: Privacy and Terms links menu

Consider naming your menu something like in the image above, or something like Settings, Legal Agreements or something else that lets users know that they can find important things in the menu.

Pop-Up Notice

A pop-up notice is the best way to be very confident a user will have the opportunity to see your Cookie Policy. It can be very effective in raising the cookie issue just before the point where a particular cookie will be put on the user's machine.

Most Cookie Policies will be too long to fit adequately in a pop-up window, particularly on a mobile device, so it's fine to simply have a couple of lines saying your site uses cookies and offering a link to the full policy.

Here's how the BBC uses a pop-up notice to display useful cookies information as well as a link to a Settings interface and the full Cookies Policy:

BBC Cookie Consent Notice

It's better to display your Cookies Policy too much than to not display it enough. The best way to approach displaying it is by adding a static footer link that's always there, as well as using pop-ups and other one-off display methods at relevant times (like right before you place a cookie on a user's device).

GDPR and Consent

A pop-up screen is particularly useful if you are seeking active consent (such as asking users to click to say they are happy to have the cookie) rather than implied consent (telling the user to stop using the site if they don't want to accept cookies).

Remember that if you are using a cookie that collects or uses personal data of an individual in the EU, that cookie's use will fall under GDPR jurisdiction. The same applies if the cookie can combine with other data (such as an IP address) to identify an individual, in which case the GDPR classifies the cookie as personal data.

In such cases, you must use the cookie in a way that complies with GDPR. This means:

  • Making sure the user is fully informed about the cookie and related personal data
  • Collecting active consent from the user to place the cookie and process the related personal data
  • Allowing the user to withdraw their consent at any time
  • Allowing the user to ask you to delete the related personal data later on

The specific wording in the GDPR about active consent is that the consent must be "clear and affirmative." This means the user must carry out an action such as clicking an acceptance button to confirm they are happy to proceed. It also means that the user is confirming they've had the opportunity to see the relevant information to make that choice.

Choosing the information you show at the point of asking the user for consent to cookies is a balancing act. You don't want to miss out important details that mean the user's consent is not genuinely informed. On the other hand, you don't want to overwhelm the user with information to the point they just click through to make it go away.

For these reasons having your entire Cookie Policy pop up by default isn't usually the best option. Instead, consider including a brief summary that covers the main points, namely that you collect cookies, why you do so, and what you do with the resulting data. You can then include a link or drop-down option to show your Cookie Policy in full.

If relevant, this summary could include boxes for the user to accept some cookies while opting out of others. Again, the full details could go in a drop-down options menu.

FedEx combines all of these techniques in a clear but detailed pop-up:

FedEx Cookies Notice with Settings checkboxes and option to accept all

However, you don't need to be this elaborate when requesting consent for cookies. Here's a simpler way that the University of Brighton gets consent for cookies with a clearly-labeled "Accept Cookies" button:

University of Brighton Cookies Consent notice

Notice how links are also provided to the full Cookie Policy as well as the Cookie Settings interface.


Summary

Let's recap what you need to know and do when it comes to the GDPR and cookies.

  • The GDPR applies whenever you handle personal data about somebody in a European Union country.
  • Having a standalone Cookie Policy isn't required under the GDPR but having one helps increase transparency for your users, which is a huge point of the GDPR. It may also help you comply with other laws in Europe and elsewhere.
  • An effective Cookie Policy explains what cookies are, what cookies you use, why you use them, and how to opt out.
  • You can display your Cookie Policy on a separate page and link to it from a footer or settings menu. You can also link it to a pop-up where you request consent to place cookies.
  • Under the GDPR, you must get active consent from users before placing certain types of cookies. This means they'll need to see the relevant information at the point of giving consent. The best option is to display a brief summary with a link to the full Cookie Policy.
  • Use a clickwrap checkbox format to get the best form of consent.