It may also be a key component in gaining valid consent for data processing.
Here's what you need to know about this type of clause, including tips on writing your own and properly displaying it to the public.
Privacy Laws That May Require Cookie Clauses
Different privacy laws have different requirements regarding cookies. Generally, these requirements fall into two categories:
- You must inform the site visitor that you are using cookies
Privacy laws can also vary in how they address cookies:
- Some laws lay down specific rules for cookies
- Some laws implicitly treat cookies as personal information that comes under the general rules for data handling
The reason for the latter is that although a cookie is stored on the user's computer, it's effectively a set of data created by and accessible by the website. It may also be accessible by a third party.
Some of the data in the cookie may constitute personal information. This could be identifying information such as names or addresses, or behavioral information such as the sites a user visits or the purchases they make.
The bottom line is that a combination of laws could require you to communicate up to four different points to site users:
- Asking for consent to issue cookies
- Informing them that you collect and use personal information (including through cookies)
- Asking for consent to collect and use personal information (including through cookies)
Remember that following the applicable laws about issuing a cookie will not always be enough to meet applicable laws about collecting or using the information contained in that cookie.
- GDPR: This European law treats cookies as personal data if they either identify an individual or can be combined with other data (such as customer records) to identify them.
- Privacy and Electronic Communications Directive: This European rule, sometimes called the ePrivacy Directive, specifically addresses cookies. It makes them an opt-in system unless "strictly necessary." It's likely (but not certain) it will be replaced in the coming years by a tougher law dubbed the "ePrivacy Regulation."
- CCPA: This California law says businesses must say what data they collect, including through cookies, and how they use it. Note that the CCPA was amended by the CPRA, which expanded it in a number of ways.
Where you detail your use of data collected through cookies may depend on the relevant privacy laws. Some have specific requirements to display the information before you issue the cookie, particularly where you need to get consent for the cookie.
Beyond such requirements, the most useful approach is as follows:
Detailing your use of cookie data serves two distinct but connected purposes:
- It satisfies data protection laws that say you must give users sufficient detail about how you use their personal data
- It satisfies laws that say consent is only valid for specified purposes that the user knows about in advance. With most laws, you will need fresh consent to use the data for a different purpose later on. You cannot simply get a blanket consent to cover all data use.
Whether you are following specific guidelines or the broad principles of a data protection rule, you normally need to find a balance when listing the ways in which you use data. Most laws describe these categories of uses as "purposes."
- If you go into too much detail you may have an exceptionally long list of purposes to the point it stops being practically useful information
- If you use purposes too broadly, the user won't have enough detail to make an informed decision about whether to provide information, to allow cookies or to use your site
Instead, list your data use in logical categories. For example, using somebody's address to deliver a one-off online order and using a subscriber's address to post a monthly magazine could both fall under a single category such as "fulfilling orders."
However, using somebody's address to send promotional material such as a brochure would not fit into this category and instead would come under a category such as "direct marketing."
One rule of thumb here is that your categorization needs to feel reasonable. Another is to make sure that if somebody has read your list of purposes, any specific way you then use their data shouldn't come as a surprise.
In short, you need to address:
- The information you collect through cookies
- Why and how you use the cookies and the data they collect
- How users can block or opt out of cookies
Fortum does this in a clear and concise manner:
Categories of Cookies You Use
Websites will often break cookies down into categories as part of their compliance with laws about consent to issue cookies. The idea here is to let users easily give consent for some types of cookies while refusing others.
Depending on the categories you use, this could help satisfy the need to give clear information about the data you collect and process through cookies. This is only the case if you are explaining why you use the data rather than the technical side of how you use the cookies.
For example, a distinction between session cookies (which are deleted when the user leaves the site or closes their browser) and persistent cookies (which remain on the user's computer) isn't enough to satisfy laws that require information about the purpose for using data.
Similarly, a distinction between first-party and third-party cookies isn't in itself enough to explain what the first or third party does with the data.
Another common set of categories could be more useful, namely breaking down cookies as:
- Strictly necessary, meaning the site won't work at all without them
- Functional, meaning they help site features work
- Performance, meaning you use them to track how well the site is doing
- Advertising, meaning you or third parties collect data to personalize advertising
The key here is whether your explanation of the cookies is enough to give people a reasonable understanding of what data you'll collect and how you'll use it.
It then links to a more detailed explanation of the purpose for each individual cookie:
ICO Cookies Use page: Chart with Purpose column highlighted
Many privacy laws say you must explain why and how you use personal information, including data gathered through cookies. This reason is known as a purpose.
As we'll cover below, you may give users the option to accept some cookies and reject others. If so, it's helpful to use the same categories to break down the purposes of processing.
In the following example, Nature gives a clear list of the purposes for using cookies and the information it collects:
Scientific American details both the technical function categories of the different cookies it uses and the purposes for using the information collected through cookies:
TSL Timing uses a brief clause that covers several points including the purposes of the cookies and the interaction with third parties:
The Information You Collect Through Cookies
To make things clearer, you could explain which parts of the information you can specifically link to the individual and any procedures you use for making the information anonymous or de-identified.
Tixio lists enough examples to give a good picture of the information it collects:
How to Block or Opt Out of Cookies
Your cookie clause should explain how a user can block or opt out of cookies that they have previously accepted. The only exception is those cookies that are strictly necessary for the website to work.
Depending on the complexity of your site and cookies, your cookie clause could include the controls for changing cookie settings. Alternatively, you could link to the page that contains the controls.
If you let users accept or reject cookies on a category-by-category basis, your cookie clause is a good place to explain in more detail what each category contains.
In theory, you could give users the ability to accept or reject individual cookies. This isn't necessarily helpful: working through every cookie one by one can be so overwhelming and time-consuming that it makes it harder, not easier, for users to exercise their choice. In particular, you should never set cookies to be accepted by default and then require users to opt out of each one individually.
Some websites cover how users can block all cookies through their browser settings, either by explaining the steps or linking to instructions from the browser developer. This can be useful but doesn't override the need to let users control the specific cookie settings on your site, and to tell them how to do so. That's because browser cookie settings are a crude method that can make websites less functional or even non-functional, undermining the right of users to make a meaningful choice about cookies.
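The following is an added example, not code from the original article or from any of the sites it cites. It shows one way a site can back up the two points made above and in the categories section: cookies are grouped into the four categories the article lists (strictly necessary, functional, performance, advertising), only the strictly necessary category is on by default, a cookie is only set once its category has consent, and withdrawing consent for a category deletes the cookies already stored under it. The cookie names, the name-to-category registry and the store interface are assumptions made for this illustration; an in-memory store stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example (not the original article's code). A minimal category-gated
// cookie consent manager. Cookie names, registry and store interface are
// assumptions for illustration only.

const CATEGORIES = ["strictly_necessary", "functional", "performance", "advertising"];

// Constructed sample registry: every cookie the site sets, mapped to one category.
const COOKIE_REGISTRY = {
  session_id: "strictly_necessary",
  csrf_token: "strictly_necessary",
  ui_lang: "functional",
  perf_sample: "performance",
  ad_profile: "advertising",
};

// In-memory stand-in for document.cookie so the example runs outside a browser.
function createMemoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    has: (name) => jar.has(name),
    names: () => [...jar.keys()].sort(),
  };
}

// Browser-side store with the same interface (assumed usage, not exercised here).
function createDocumentStore(doc) {
  return {
    set: (name, value) => {
      doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    },
    remove: (name) => { doc.cookie = `${name}=; Path=/; Max-Age=0`; },
  };
}

function createConsentManager(store, registry = COOKIE_REGISTRY) {
  // Default state: only strictly necessary cookies are allowed. Nothing else is
  // accepted until the user opts in, so there is no "opt out of each one" burden.
  const consent = Object.fromEntries(
    CATEGORIES.map((c) => [c, c === "strictly_necessary"])
  );

  function isAllowed(name) {
    const category = registry[name];
    if (category === undefined) return false; // unregistered cookies are refused
    return consent[category] === true;
  }

  // Returns true if the cookie was set, false if its category has no consent.
  function setCookie(name, value) {
    if (!isAllowed(name)) return false;
    store.set(name, value);
    return true;
  }

  function grant(category) {
    if (!CATEGORIES.includes(category)) return false;
    consent[category] = true;
    return true;
  }

  // Withdrawing consent also removes cookies already stored under that category.
  // Strictly necessary cookies cannot be withdrawn, matching the article's exception.
  function withdraw(category) {
    if (!CATEGORIES.includes(category) || category === "strictly_necessary") return false;
    consent[category] = false;
    for (const [name, cat] of Object.entries(registry)) {
      if (cat === category) store.remove(name);
    }
    return true;
  }

  // Snapshot of the current choices, e.g. for rendering the cookie settings page.
  function getConsent() {
    return { ...consent };
  }

  return { isAllowed, setCookie, grant, withdraw, getConsent };
}

// Walk through a typical visit; returns the cookie names present at each step.
function runScenario() {
  const store = createMemoryStore();
  const cm = createConsentManager(store);
  cm.setCookie("session_id", "abc123");   // allowed: strictly necessary
  cm.setCookie("ad_profile", "seg-42");   // refused: no advertising consent yet
  const beforeConsent = store.names();
  cm.grant("advertising");
  cm.setCookie("ad_profile", "seg-42");   // now allowed
  const afterGrant = store.names();
  cm.withdraw("advertising");             // deletes ad_profile
  const afterWithdraw = store.names();
  return { beforeConsent, afterGrant, afterWithdraw };
}
```

The registry is the piece worth keeping in sync with the cookie clause itself: the per-cookie purpose table the article recommends and the category each cookie is gated under should come from the same list, otherwise the clause and the site's actual behaviour drift apart.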
NTT Data gives straightforward instructions on how to change cookie settings and withdraw consent:
Let's recap what you need to know about cookie use clauses.
- You must get consent to issue cookies and people need the information to make an informed choice to give consent.
- You must give users a way to consent to some types of cookies but not to others.
- You must inform users about your collection and use of personal data, including that collected through cookies.
- You must get consent to collect and use personal data, including through cookies. The person must know how you will use the data before they can give valid consent.
- Most privacy laws that cover your use of personal information include information you collect through cookies. The GDPR says the key is whether this information can be combined with other data to link it to an identifiable person.