Cookies are one of the building blocks of your website. You would lose a huge portion of your site functionality without them. At the same time, they require the sharing of information between your website and your visitors' computers, and those relationships have more legal protection than ever.

Thanks to new privacy laws like the GDPR, you need to notify users when you use certain (but not all) types of cookies. If you use cookies to track behavior or you allow third-party cookies (like Google Analytics), then you collect personal data.

All website owners who use cookies should be aware of three main ways to notify their users about cookies. The first notification comes up upon the visitors' arrival to your site. Then, you should cover cookies in your Privacy Policy, and finally in a Cookies Policy if one is required (or you simply wish to have one for the sake of being extra thorough and transparent).

Why and how should you share your cookie use? We put together a complete guide to cookie notifications, including examples from sites that have done it well.


What Are Cookies?

A computer cookie, internet cookie, or just cookie for short is a small piece of data that a website sends to a visitor's browser and that the browser sends back on later requests to that site.

When you visit a website, the site sends a bundle of information (a cookie) to your computer. Your web browser (Google Chrome or Safari, for example) then stores it.

Cookies are tools that make browsing the web simpler. For example, when you shop online, the retailer sends cookies to your computer to keep track of the items you put in your cart. Without them, you would lose your cart every time you navigated away from checkout.

You can use cookies to track all kinds of data about a user's visit and activity on your site. They remember logins, provide helpful hints, and track sessions. Because a cookie is only stored data and not executable code, it won't by itself compromise your computer's security.

At the same time, malware and viruses can masquerade as cookies, and zombie cookies and supercookies are problematic for computer security.

First-Party vs. Third-Party Cookies

Cookies fall into one of two categories: first-party or third-party.

First-party cookies are set by the site you are visiting: the web server that sends them belongs to the same domain as the page. You expect these cookies when you visit a new site.

Third-party cookies are set by a domain other than the one you chose to visit. You encounter them when a web page loads resources (scripts, images, embedded content) from outside its own domain.

If a site owner allows third-party tracking, it lets those parties track the site's users without telling users who is watching them or which behaviors are being watched.
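Knowing which of the cookies on your pages are third-party is the first step to disclosing them. The following is an added example (not code from the original article) of a small audit helper that takes the Set-Cookie headers observed while loading a page and labels each cookie as first-party or third-party by comparing the cookie's domain with the page's site. The hostnames, cookie names and headers below are constructed sample data, and the "site" computation is a deliberate simplification (last two DNS labels) that a real implementation would replace with a Public Suffix List lookup, since a suffix such as co.uk is not itself a site.

```javascript
// Added example: classify observed cookies as first- or third-party.
// Simplification (not production-grade): "site" = last two DNS labels.
// A real audit tool must use the Public Suffix List instead.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length <= 2) return labels.join('.');
  return labels.slice(-2).join('.');
}

// Domain a cookie is scoped to: the Set-Cookie Domain attribute if present,
// otherwise the responding host (a "host-only" cookie).
function cookieDomain(setCookieHeader, responseHost) {
  const parts = setCookieHeader.split(';').map((p) => p.trim());
  for (const attr of parts.slice(1)) {
    const [name, value = ''] = attr.split('=');
    if (name.toLowerCase() === 'domain') {
      return value.toLowerCase().replace(/^\./, '');
    }
  }
  return responseHost.toLowerCase();
}

// A cookie is first-party when its domain and the page share a site.
function classify(pageHostname, setCookieHeader, responseHost) {
  const domain = cookieDomain(setCookieHeader, responseHost);
  const name = setCookieHeader.split(';')[0].split('=')[0].trim();
  const party = siteOf(domain) === siteOf(pageHostname) ? 'first-party' : 'third-party';
  return { name, domain, party };
}

// Constructed sample: a page on shop.example.com receives two cookies from
// its own server and one from an analytics host embedded in the page.
const PAGE = 'shop.example.com';
const OBSERVED = [
  { host: 'shop.example.com', header: 'cart=abc123; Path=/; Secure; HttpOnly' },
  { host: 'shop.example.com', header: 'lang=en; Domain=.example.com; Path=/' },
  { host: 'metrics.tracker-example.net', header: '_uid=9f3a; Domain=.tracker-example.net; Path=/; SameSite=None; Secure' },
];

function inventory(page, observed) {
  return observed.map((o) => classify(page, o.header, o.host));
}

// Names of the cookies that a cookie notice must attribute to a third party.
function thirdPartyNames(page, observed) {
  return inventory(page, observed)
    .filter((c) => c.party === 'third-party')
    .map((c) => c.name);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(inventory(PAGE, OBSERVED));
}
```

In a browser you would collect the observed headers from your server logs or a proxy rather than from JavaScript, because `document.cookie` never shows HttpOnly cookies or cookies set on other domains; the classification logic is the same either way.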

Cookies, Personal Data, and the GDPR

Almost all websites use cookies in some way. Sites would be frustrating and almost impossible to navigate without them. When cookies are used correctly, the average visitor to your site has no idea that they're receiving them.

Because cookies store information, you must notify users that you use cookies.

If you operate in Europe or accept European site visitors, then your need to notify users began in 2002 with the ePrivacy Directive, otherwise known as the Cookie Law. The Cookie Law was the first to require that websites seek informed consent BEFORE allowing any cookie-related scripts to run on the site.

However, the General Data Protection Regulation (GDPR) is the most recent privacy law to cover the use of cookies, and it directly changed the way websites must seek consent. So, it's the one we'll focus on here.

The GDPR only mentions cookies once across 88 pages, but the essence of the law still touches cookie use. The regulation concerns itself with protecting the privacy of users by protecting their personal data, so when cookies identify individuals and their behaviors, the GDPR considers those cookies to be personal data.

Because cookies are personal data under the GDPR, they receive the same protection as names, email addresses, bank details and other forms of protected personal data.

One of the ways the GDPR changed the personal data collection landscape is through its recognition of six legal bases for processing personal data. The six bases are a contract, legal obligations, public interest, legitimate interest, the vital interests of the subject, and consent.

Consent and legitimate interest are the two legal bases under which you can use cookies. If you rely on consent, you need to seek it from every user the first time they land on your site.

Consent also changed under the GDPR. The regulation requires consent mechanisms to be more robust and fair than they often were before. Article 7 of the GDPR outlines the conditions for consent.

What are the new rules?

First, when you use cookies with consent, you need to be able to demonstrate that you have the data subject's affirmative consent. That means consent needs to happen in a verifiable way. Implied consent will not be sufficient.

When you ask for consent, it also needs to be:

  • Written in plain language
  • Easy to read for your target customer
  • Written in an accessible font and font size
  • Displayed prominently

In other words, you need to ask for consent to use cookies in a way that makes it 100 percent clear that you're asking for consent to process data.

Second, you need to provide a way for users to withdraw their consent whenever they want. You should provide this information right up front. No one should have to dig through your Privacy Policy to learn that they can withdraw consent.

The GDPR says, "It shall be as easy to withdraw as to give consent."

Third, you need to make it clear that consenting to cookie use isn't a condition of accessing the service. You can't punish a user for declining cookies. If they would rather not have your site remember their log-in details and instead enter them manually whenever they arrive, then it's their choice.

Do You Need Consent for All Cookies?

The EU doesn't require you to ask for consent for all cookies - far from it. The EU advisory body on data protection (the Article 29 Working Party) notes that there are cookies that are "clearly exempt from consent."

These cookies include:

  • Authentication cookies (session cookies that identify users when they log in)
  • Load-balancing cookies (session cookies)
  • Multimedia content player cookies (session cookies that store technical data for playing content)
  • Third-party social plug-in content sharing cookies (session cookies for social network members)
  • User-centric cookies (session cookies that detect authentication abuses)
  • User-input cookies (session-id cookies that track forms, shopping carts, etc.)
  • User interface customization cookies (session cookies that store language preferences)

Why do these cookies not require consent? Because the cookies listed here are needed to carry out the communication itself or are strictly required to provide the service the visitor asked for. They don't collect or store personally identifying information.

Notifying Users of Third Party Cookies

Sites like yours use third party cookies all the time. Many of these cookies relate to marketing and advertising; others perform essential functions like preventing fraud.

When you use third party cookies, you not only need to declare your use but you must also comply with the third party's Terms and Conditions agreements.

Google Analytics is a good example of a third party that requires all users to disclose the use of its data collection. According to its Terms of Service, all users must:

  • Have and uphold a Privacy Policy
  • Provide a cookie notice
  • Disclose their use of Google Analytics (and explain how it works)

Google Analytics Terms of Service Privacy clause

Google also encourages you to link to its sites when you do so, so that everyone has the information they need to make informed choices.

Should You Get Rid of Cookies?

There is no reason to remove cookie scripts from your site. No legislation even hints at this, and what is more, the idea isn't practical.

The only way to successfully get rid of cookies is to run a static HTML website. Any site more complicated than this will mean getting rid of important functionality, and some of those functions will cut right to the core of your site.

Telling visitors about cookies is far less painful than removing cookies entirely.

Here's how easy it is to notify users about your cookie use.

How to Notify Users About Cookies

Specific kinds of cookies carry personal data that can pose a risk to user privacy. New laws say that all data subjects have the right to know when you use them.

You also need to go further than just saying, "We use cookies here." The combination of the ePrivacy Directive (the Cookie Law) and the GDPR means that you also need to:

  • Provide information on the use of cookie data
  • Show users how to accept and withdraw consent for cookies
  • Explain that denying or withdrawing consent doesn't impact their rights

There are three ways that you can notify users about cookies: in a Privacy Policy, Cookies Policy, and a cookie consent notice.

Cookies in Your Privacy Policy

Because cookies count as personal data, you need to include information about them in your Privacy Policy. If you have a separate Cookies Policy you won't need to go into too much detail in your Privacy Policy. Instead, you can just give a quick notice that you use cookies and link the reader to your full Cookies Policy.

You should, however, note the following items in your Privacy Policy:

  • That you use cookies
  • Why you use cookies
  • How the user can turn off/disable cookies

Let's look at a few good examples.

The BBC added a distinct section to its Privacy Policy to specifically cover its cookie use.

BBC Privacy Policy: Cookies and Similar Tracking Technologies clause: What and Why sections

It answers the following questions:

  • What are cookies?
  • How does the BBC use cookies?
  • How long do cookies last?
  • How can users control cookies?

You can see how the BBC uses lists and separate sections within this clause to address a lot of information while making it streamlined and easy to follow. A link is provided for where users can go to change cookie settings at any time, and they're reminded that they may also be able to adjust cookie settings on their personal devices:

BBC Privacy Policy: Cookies and Similar Tracking Technologies clause: How long do cookies last and how to control cookies sections

As you can see, the cookie section of the Privacy Policy is lengthy, particularly considering the BBC has a Cookies Policy in place, too.

You don't have to be quite so thorough in your own Privacy Policy.

Here's another example.

American Airlines limits its cookie section within its Privacy Policy, but it does include all the essential components, including links that show users how to manage cookies.

American Airlines Privacy Policy: Excerpt of Cookies clause

It does, however, go into detail about the types of cookies used.

American Airlines Privacy Policy: Cookies clause - Types of cookies used

American Airlines uses four types: essential, preference, performance, and content/advertising cookies.

What about notifying users about third party cookie collection? The airline chose to do that in a separate section where it covers all third party information, which is a fine approach.

If you prefer to keep it simple, you can shorten your cookie section to a few descriptive sentences. This route works well for businesses that don't do much aggressive marketing or analytics and don't use a long list of third party vendors.

The Humane Society of the United States (HSUS) organizes its Privacy Policy in just this way.

The cookies section falls under the label "Other information:"

HSUS Privacy Policy: Other Information clause - Cookies excerpt

It notes the use of cookies and web beacons and makes sure to mention its use of Google AdWords and Analytics to meet Google's Terms of Service.

HSUS Privacy Policy: Other Information clause excerpt - Google AdWords and Cookies section

As you can see, as long as you address the required content, you can structure your cookie clause within your Privacy Policy as you see fit. If you use a lot of cookies, your clause will naturally be longer and more robust than if you only use one or a few of the basic ones.

Creating a Cookie Policy

A Cookie Policy should provide a comprehensive view of the way you use cookies and similar technologies.

You should treat your Cookie Policy like a mini-Privacy Policy dedicated solely to cookies and other similar features (web beacons, mobile identifiers, etc.).

That means listing:

  • What cookies are
  • What similar technologies you use
  • Why you use the technologies
  • Whether you use third party cookies
  • How to manage cookie preferences

Here are a few helpful examples.

Airbnb's standalone Cookie Policy provides an excellent example of how to write a clear, concise statement about cookies.

It begins with a short summary of the policy: it notes that Airbnb uses cookies, defines what a cookie is, and describes the other technologies used and how they help Airbnb perform its essential functions:

Airbnb Cookie Policy Intro clause

Airbnb also provides a helpful example of the legitimate purposes for which it uses cookies in its "Why Airbnb Uses These Technologies" clause:

Airbnb Cookie Policy: Why Airbnb Uses These Technologies clause

Finally, Airbnb details the potential for third party cookies on its site. It explicitly notes that it does allow third party cookies from partners and describes the usefulness of doing so:

Airbnb Cookie Policy: Third Parties clause

You'll notice that Airbnb specifically names Google Analytics and explains how to opt out of Google Analytics tracking. The site does so not just for the sake of transparency but also because, as noted above, Google Analytics, like other third parties, requires this disclosure in its own Terms and Conditions.

Twitter also has a standalone Cookies Policy that takes a question and answer format. Its intro section lets users know that cookies are used in a variety of ways and that more detailed information is available in the rest of the Policy:

Twitter Cookies Policy: Intro clause

The question and answer format is easy to follow and the answers themselves are written in a way that's very reader-friendly. Here's an excerpt of the section dealing with how Twitter uses cookies:

Twitter Cookies Policy: Excerpt of Why Do Our Services Use These Technologies clause - Authentication and Security section

As you can see, a Cookie Policy won't likely be a very long policy, but separating it from your Privacy Policy helps users find information specific to cookies much more easily and keeps each Policy from becoming too long and overwhelming for readers.

Creating a Cookie Consent Notice

Before you place cookies on the devices of users in the EU, they need to opt in. The easiest and most common way to do this is with a cookie consent notice that displays as soon as a user arrives at your site.

Most sites use a banner alerting the user to cookies as soon as they arrive on the page for the first time. While many sites simply display the cookie notice in a banner, you should have a consent mechanism along with it.

Keep in mind, you also need to record and update consent to comply with the GDPR.
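The consent conditions described earlier (an affirmative, demonstrable act; withdrawal as easy as giving consent; no service conditioned on accepting) and the requirement just above to record and update consent translate into a small piece of client-side state that every tag loader must consult before it sets a non-exempt cookie. The following is an added example, not code from the original article or from any of the sites it discusses. It models three cookie categories (a constructed simplification of the article's exempt list), records the user's choice with a timestamp and policy version so that consent can be demonstrated and re-asked when the policy changes, and lets the user withdraw in one call. Storage is injected through an object with the Web Storage API's method names so the code runs outside a browser; in a page you would pass `window.localStorage`. The storage key, category names and policy version string are assumptions chosen for the example.

```javascript
// Added example: a minimal GDPR-style consent gate for cookie categories.
// Assumed category model: "necessary" covers the exempt session cookies
// (authentication, load balancing, user input); the others need consent.
const CATEGORIES = {
  necessary: { exempt: true },
  analytics: { exempt: false },   // e.g. third-party analytics tags
  advertising: { exempt: false }, // e.g. ad-network cookies
};
const KEY = 'cookie-consent';        // assumed storage key
const POLICY_VERSION = '2024-01';    // constructed; bump when the policy changes

class ConsentManager {
  // storage: any object with getItem/setItem/removeItem (localStorage-like).
  // now: clock injected so the record's timestamp is testable.
  constructor(storage, now = () => new Date().toISOString()) {
    this.storage = storage;
    this.now = now;
  }

  // Returns the stored consent record, or null when there is none or it was
  // given under an older policy version (consent must then be asked again).
  record() {
    const raw = this.storage.getItem(KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.policyVersion === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null; // corrupted record is treated as no consent
    }
  }

  // Affirmative act only: the banner calls this with the categories the user
  // explicitly ticked. Nothing non-exempt is granted by default or implication.
  give(grantedCategories) {
    const granted = {};
    for (const c of Object.keys(CATEGORIES)) {
      granted[c] = CATEGORIES[c].exempt || grantedCategories.includes(c);
    }
    const rec = { policyVersion: POLICY_VERSION, timestamp: this.now(), granted };
    this.storage.setItem(KEY, JSON.stringify(rec));
    return rec; // the demonstrable record of consent
  }

  // Withdrawal is a single call: as easy as giving consent.
  withdraw() {
    this.storage.removeItem(KEY);
  }

  // The gate a tag loader checks before setting a cookie of this category.
  allowed(category) {
    const def = CATEGORIES[category];
    if (!def) return false;      // unknown category: deny by default
    if (def.exempt) return true; // strictly necessary: no consent needed
    const rec = this.record();
    return rec !== null && rec.granted[category] === true;
  }

  // True when the banner should be shown. The site keeps working meanwhile;
  // only the non-exempt categories are withheld, so access is never conditional.
  needsBanner() {
    return this.record() === null;
  }
}

// In-memory stand-in for localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through one visit: arrival, accept analytics only, then withdraw.
function demo() {
  const cm = new ConsentManager(memoryStorage(), () => '2024-05-01T10:00:00Z');
  const steps = [];
  steps.push({ stage: 'arrival', banner: cm.needsBanner(),
    necessary: cm.allowed('necessary'), analytics: cm.allowed('analytics') });
  cm.give(['analytics']);
  steps.push({ stage: 'after-consent', banner: cm.needsBanner(),
    analytics: cm.allowed('analytics'), advertising: cm.allowed('advertising') });
  cm.withdraw();
  steps.push({ stage: 'after-withdraw', banner: cm.needsBanner(),
    analytics: cm.allowed('analytics'), necessary: cm.allowed('necessary') });
  return steps;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The design choice that matters is that `allowed()` is the only path to loading a non-exempt tag, so a script that is wired in before the gate cannot drop cookies ahead of the user's decision. Keeping the policy version in the record is what lets you update consent when your cookie use changes rather than silently relying on an old answer.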

The BBC provides a helpful example of a cookie consent notice. Not only does it title the banner "Let us know you agree to cookies," but it also provides both a confirmation and rejection option within the banner. The rejection takes the user to the settings section, which further empowers them to decide what data they want to provide.

BBC Cookie Consent Notice

MoPub uses a cookie consent notice that clearly provides simple options to Accept or Decline cookies. This is a simple and practically perfect way to get clear consent to place cookies:

MoPub Cookies Consent notice with buttons to accept and decline

Here's another simple but adequate example from Alpha:

Cookies Consent Notice from Alpha: Yes agree and No buttons

A user can either agree/consent, or click to find out more. When clicking to find out more, users will be taken to a cookies information page for the company that details what cookies are used, why, and how this can be adjusted.


Your site uses cookies, and the GDPR wants you to let everyone know. You don't need to report on all your cookies; the law draws a clear line between cookies that need consent and those that don't. However, if your cookies could be considered personal data under the new privacy laws, then you need to report their use, and you can do so with all three methods listed above.

Before you can send some types of cookies to a visitor's computer, you need their consent. Your first cookie notification should occur as soon as they land on your site and include an option for affirmative, legal consent.

You'll also need to cover your cookie use in your Privacy Policy and possibly in a separate Cookies Policy.

All the law requires you to do is treat cookies like any other type of protected personal data. If you do that, you'll be more transparent with your customers and avoid violating privacy and cookie laws.