Cookies are a common tool used online to learn about and respond to user website activities. They are stored on your device's web browser by the websites you visit. Most websites, web applications and mobile applications use cookies to improve your user experience and deliver relevant ads to you.

If your website uses cookies, which is very likely, you must disclose this.

In this article, we'll explore Cookies Policies in more detail.

We'll also look at the important details you should include in your Cookies Policy, as well as some examples of websites with Cookies Policies.


What are Cookies?

What are Cookies?

In the context of computers, cookies are small files that contain information about browsing activity.

Whenever you visit a website, the website sends a cookie to the device you're using to access the website. Your device automatically stores the cookie in a file that's located within your web browser.

When you revisit a site, the website will respond in a more personalized way, remembering your preferences, providing faster page load times and so forth.

How are Cookies Used?

Cookies have many uses. Let's take a look at some.

Membership websites and social media platforms like Facebook and Twitter use cookies to remember login credentials (username and password) so you don't have to enter them manually every time you access the website.

Here's how Twitter explains cookies and how they're used to improve Twitter services:

Twitter Privacy Policy: Cookies clause

Cookies can also be used to display custom advertisements based on your previous search history and web browsing behavior. If you've been browsing the Internet searching for travel mugs, then you'll probably see ads for travel mugs on sites that implement custom banner advertisements.

Amazon's Privacy Notice includes a section for how cookies are used.

Amazon Privacy Notice: What About Cookies clause

Some websites use cookies to improve the site's performance and the user experience it delivers.

When you visit Netflix, for example, and view certain categories or programs, Netflix uses cookies to remember your preferences. When you revisit the site, Netflix will make viewing suggestions based on what you viewed previously.

Here's how Netflix explains the ways cookies personalize the user experience:

Netflix Privacy Policy: Performance and Functionality Cookies clause-updated

Some businesses run marketing campaigns that are designed so that first-time visitors on the website are shown certain information, while returning visitors are shown different information.

Cookies can determine whether you're a first-time visitor or a returning visitor so that the website can display the ads that are most relevant to you.

Generic clause about functionality cookies with information highlighted

What is a Cookies Policy?

What is a Cookies Policy?

A Cookies Policy is used to inform your site's visitors that you're using cookies on your website, web app, or mobile app. It should include information about the types of cookies you're using, how you're using them, and how users can control the way cookies are managed on their devices.

Most Privacy Policies include a section on Cookies that explains all of this information.

However, if your business is based in the European Union (EU), the EU Cookies Directive requires you to have a separate Cookies Policy. You also must acquire informed consent from website users before placing cookies on their devices.

In the following sections we'll take a closer look at the different clauses that websites include in their Cookies Policies. But before we do that, let's quickly go over why it's useful to post a Cookies Policy to your website, especially if your business is based in the EU.

Why is a Cookies Policy Useful?

Why is a Cookies Policy Useful?

In the United States, if you use cookies you're required by law to have a Privacy Policy posted on your website that discloses your use of cookies. You are not required to have a separate Cookies Policy if your website only attracts non-EU citizens.

However, if you are doing business that targets EU member states, then you are required to comply with the EU's laws regarding cookies.

According to the EU Cookies Directive, you must post a Cookies Notice on your website that is separate from your Privacy Policy.

Your use of cookies must also be compliant with the EU Cookies Law. In addition to this, anyone who visits your website should be:

  • Notified that you're using cookies
  • Given information about the type of cookies you're using
  • Informed of what options are available to them if they want to opt out of having your website's cookies stored on their devices

From the context of the EU's General Data Protection Regulation (GDPR), cookies that contain enough information to identify an individual are categorized under personal data. Cookies that are used for advertising, gathering analytics, and other functional services (such as chat tools) fall under the category of personal data.

It is important to understand the following:

  • You must acquire consent before placing cookies on a user's device. User consent must be given through affirmative action. This means that you must ask for consent through an opt-in checkbox or by allowing users to configure cookies preferences from the Settings section of your site. You cannot assume user consent.
  • It must be easy to opt out of your use of cookies. Your website must give users an easy way to opt out of cookies, even after consent has been given. If you ask for consent through options in the Settings section, make it possible to withdraw consent in the same section.

Some companies based in the United States aren't required by law to comply with the EU cookie law or post a separate Cookies Policy on their website. However, companies that do business with EU citizens are required by law to comply with the cookie law.

A good example of this distinction can be seen by comparing Amazon's US website with its UK website.

The footer of Amazon's US website links to the company's Conditions of Use, Privacy Notice, and Interest-Based Ads.

Amazon US website footer

On the other hand, Amazon's UK website links to Conditions of Use & Sale, Privacy Notice, and Cookies & Internet Advertising.

Amazon UK website footer

The website aimed at UK customers has different legal requirements than the version of the same company's website that's aimed at customers in the United States.

Elements of a Compliant Cookies Policy

Elements of a Compliant Cookies Policy

Whether you're adding a cookies section to your existing Privacy Policy or creating a separate Cookies Policy, it's important that the information is easy to access and covers all of the necessary bases. This allows you to be transparent with your customers.

To be compliant with privacy and cookies laws, your Cookies Policy or cookies clause should:

  • State that you use cookies on your website and explain briefly what cookies are.
  • Disclose what types of cookies you (or any third parties) are using.
  • Inform users why you use cookies.
  • Let users know how they can opt out of having cookies placed on their devices.

The "What Are Cookies" Clause

Most Cookies Policies begin by letting the reader know that the website uses cookies and briefly explains what cookies are.

For example, the Cookies page for the BBC's website has a table of contents that starts off by linking to a page titled What do I need to know about cookies?

BBC's Cookies Policy About Cookies page

Similarly, Barclay's website also starts out with a one-line statement that says it uses cookies and similar technologies on both the website and mobile application. The first paragraph of the Cookies Policy explains briefly what cookies are, using simple, easy-to-understand, language.

Barclay Cookies Policy describing what cookies are

The "How We Use Cookies" Clause

It's important for your Cookies Policy to address how your business uses cookies. The purpose of this is to let your visitors know exactly what's happening with their information so they can decide whether they want to allow your website to store cookies on their device or not.

Most websites collect several different types of cookies (for example site performance cookies, advertising cookies, analytics cookies, etc.) though not all of them specify all of the types of cookies they use. Specifying each individual cookie type is not required by law.

Tesco's Privacy and Cookies Policy lists the different ways cookies are used on the website, which includes improving the way the site/mobile app works, improving site performance, delivering relevant ads, and measuring the effectiveness of marketing efforts.

Tesco Privacy and Cookies Policy: How cookies are used clause

WM Morrison's Cookie Policy explains in detail the different types of cookies it uses - strictly necessary cookies, functionality cookies, performance cookies, targeting/advertising cookies, and third-party cookies - along with what they're used for and other information about them.

WM Morrison Cookie Policy: How do we use cookies clause

The "How to Disable Cookies" Clause

To comply with the GDPR, it's important that your Cookies Policy explain in clear terms how your website's users can disable cookies. This information could be specific to your website or just a general process for disabling cookies from being stored on a device.

For example, Standard Life's Cookie Policy has a section that explains how users can opt out of cookies. Resource links are included.

Standard Life Cookie Policy: Opting out clause

Vodafone's Cookie Policy has a Controlling Your Cookies section that helps users disable cookies through a linked Cookies Settings interface.

Vodafone Cookie Policy: Controlling your cookies clause

Examples of Cookies Notices

Examples of Cookies Notices

You should provide a cookies notice to users as soon as they arrive at your website. This notice should include:

  • Information about your use of cookies,
  • A link to your Privacy Policy and/or Cookies Policy,
  • Information about how cookies settings can be adjusted, and
  • A method for users to consent to or decline your use of cookies

By now, most EU businesses have taken measures to inform their visitors of their cookie usage and how to access the complete Cookie Policy. These measures typically include banner pop-ups.

Let's look at some examples.

Displaying a banner pop-up box on your website is an effective way of letting your visitors know that you're using cookies. It's important that the information in the pop-up is clear and easy to understand.

Here's an example of a thorough and legally compliant cookies notice banner from The New York Times:

NYTimes cookies banner notice with Accept button

Here's how Linden Lab provides a thorough cookies notice banner that asks for clear user consent.

Linden Lab cookies notice with active consent: Agree and Proceed

Notice how these websites link to their Cookies Policy or Privacy Policy from within the notice.

Remember

Having a separate Cookies Policy is required by law if your business is based in the European Union or is targeted to EU member nations. Otherwise, you will need to include a cookies clause within your Privacy Policy if you use cookies.

At minimum, your Cookies Policy or cookies clause should address:

  • What are cookies. This typically consists of a brief statement about what cookies are and that you use them on your website. The purpose is to inform and educate consumers about cookies.
  • How you use cookies. This should explain how and why you use cookies. This could be to improve the user experience, display relevant ads or remember user login credentials. You also might itemize the types of cookies you use.
  • How users can disable cookies. This should contain clear instructions on how users can opt out of your use of cookies or disable cookies on their own. You can link to helpful resources that explain the process.

Additionally, you should implement a checkbox, toggle or settings preferences method for collecting informed consent from users before placing cookies on their devices and present it in a cookies notification banner or pop-up.

Finally, you should allow users a simple way to opt out of your use of cookies even if they previously provided their consent to your Cookies Policy.