How and why you use cookies is a key piece of information about your personal data handling. Many privacy laws explicitly or implicitly require you to give users this information.
It may also be a key component in gaining valid consent for data processing.
Here's what you need to know about this type of clause, including tips on writing your own and properly displaying it to the public.
- 1. Privacy Laws That May Require Cookie Clauses
- 2. Where to Place a Cookie Clause in a Privacy Policy
- 3. Why is it Important to Disclose How You Use Cookie Data in a Privacy Policy?
- 4. How to Draft Your "What Cookies Are Being Used For" Clause in a Privacy Policy
- 5. What to Include in a "What Cookies Are Being Used For" Clause in a Privacy Policy
- 5.1. The Fact You Use Cookies
- 5.2. Categories of Cookies You Use
- 5.3. Why and How You Use Cookies
- 5.4. The Information You Collect Through Cookies
- 5.5. How to Block or Opt Out of Cookies
- 6. Summary
Privacy Laws That May Require Cookie Clauses
Different privacy laws have different requirements regarding cookies. Generally, these requirements fall into two categories:
- You must inform the site visitor that you are using cookies
- You must inform the site visitor that you want to use cookies and then get consent before you do so
Privacy laws can also vary in how they address cookies:
- Some laws lay down specific rules for cookies
- Some laws implicitly treat cookies as personal information that comes under the general rules for data handling
The reason for the latter is that although a cookie is stored in the user's browser, it is a set of data created by the website and sent back to that website with every subsequent request. If the cookie was set by a different domain (a third-party cookie), it is that third party that receives it.
Some of the data in the cookie may constitute personal information. This could be identifying information such as names or addresses, or behavioral information such as the sites a user visits or the purchases they make. Even a random identifier in a cookie can be personal information if it lets you recognize the same user across visits or combine their activity with other records.
The bottom line is that a combination of laws could require you to communicate up to four different points to site users:
- Informing them that you use cookies
- Asking for consent to issue cookies
- Informing them that you collect and use personal information (including through cookies)
- Asking for consent to collect and use personal information (including through cookies)
Remember that following the applicable laws about issuing a cookie will not always be enough to meet applicable laws about collecting or using the information contained in that cookie.
These are some of the data privacy laws that explicitly or implicitly cover cookies and could affect the content of your Privacy Policy or similar documents:
- GDPR: This European law treats cookies as personal data if they either identify an individual or can be combined with other data (such as customer records) to identify them.
- Privacy and Electronic Communications Directive: This European rule, sometimes called the ePrivacy Directive, specifically addresses cookies. It requires consent before you store or access information on a user's device, which covers setting and reading cookies, unless the cookie is strictly necessary to provide a service the user has explicitly requested. A tougher replacement, dubbed the "ePrivacy Regulation," has been proposed but, at the time of writing, has not been adopted.
- CalOPPA: This California law says businesses must link to a clear Privacy Policy explaining how they use personal data. This can include data collected through cookie use.
- CCPA: This California law says businesses must say what data they collect, including through cookies, and how they use it. Note that the CCPA was amended by the CPRA, which expanded it in a number of ways.
- CDPA: This Virginia law says consumers have the right to know what personal data a business holds on them. It also says the business must publish a Privacy Policy that details the purpose or purposes for which they collect and process data.
- PIPEDA: This Canadian law requires meaningful consent to collect and use personal data, including through cookies. An "openness" principle says you must publish a Privacy Policy detailing your use.
Where to Place a Cookie Clause in a Privacy Policy
Where you detail your use of data collected through cookies may depend on the relevant privacy laws. Some have specific requirements to display the information before you issue the cookie, particularly where you need to get consent for the cookie.
Beyond such requirements, the most useful approach is as follows:
- Detail all the reasons for which you generally collect or use data in your Privacy Policy
- Link to the Privacy Policy when you are either seeking consent or giving information before issuing a cookie
- If you want to collect data through cookies for a specific reason not covered in your Privacy Policy, make sure to clearly tell the user before you issue the cookie
Why is it Important to Disclose How You Use Cookie Data in a Privacy Policy?
Detailing your use of cookie data serves two distinct but connected purposes:
- It satisfies data protection laws that say you must give users sufficient detail about how you use their personal data
- It satisfies laws that say consent is only valid for specified purposes that the user knows about in advance. With most laws, you will need fresh consent to use the data for a different purpose later on. You cannot simply get a blanket consent to cover all data use.
How to Draft Your "What Cookies Are Being Used For" Clause in a Privacy Policy
Whether you are following specific guidelines or the broad principles of a data protection rule, you normally need to find a balance when listing the ways in which you use data. Most laws describe these categories of uses as "purposes."
- If you go into too much detail you may have an exceptionally long list of purposes to the point it stops being practically useful information
- If you use purposes too broadly, the user won't have enough detail to make an informed decision about whether to provide information, to allow cookies or to use your site
Instead, list your data use in logical categories. For example, using somebody's address to deliver a one-off online order and using a subscriber's address to post a monthly magazine could both fall under a category such as "fulfilling orders."
However, using somebody's address to send promotional material such as a brochure would not fit into this category and instead would come under a category such as "direct marketing."
One rule of thumb here is that your categorization needs to feel reasonable. Another is to make sure that if somebody has read your list of purposes, any specific way you then use their data shouldn't come as a surprise.
What to Include in a "What Cookies Are Being Used For" Clause in a Privacy Policy
Whether you have a cookie clause in your Privacy Policy or you have a dedicated Cookie Policy, the points to cover are largely the same.
In short, you need to address:
- The fact you use cookies
- The information you collect through cookies
- Why and how you use the cookies and the data they collect
- How users can block or opt out of cookies
The Fact You Use Cookies
You can usually cover this very briefly. This line in your Privacy Policy will often just be a reminder, as many businesses will already have been legally required to inform users about cookies when they first visited the website.
Fortum does this in a clear and concise manner:
Categories of Cookies You Use
Websites will often break cookies down into categories as part of their compliance with laws about consent to issue cookies. The idea here is to let users easily give consent for some types of cookies while refusing others.
Depending on the categories you use, this could help satisfy the need to give clear information about the data you collect and process through cookies. This is only the case if you are explaining why you use the data rather than the technical side of how you use the cookies.
For example, a distinction between session cookies (which the browser discards when the browsing session ends, typically when the browser is closed) and persistent cookies (which carry an expiry date and remain on the user's device until then) isn't enough to satisfy laws that require information about the purpose for using data.
Similarly, a distinction between first-party and third-party cookies isn't in itself enough to explain what the first or third party does with the data.
Another common set of categories could be more useful, namely breaking down cookies as:
- Strictly necessary, meaning the site won't work at all without them
- Functional, meaning they help site features work
- Performance, meaning you use them to track how well the site is doing
- Advertising, meaning you or third parties collect data to personalize advertising
The key here is whether your explanation of the cookies is enough to give people a reasonable understanding of what data you'll collect and how you'll use it.
None of this is to say that these various categories are not useful in cookie consent menus where you are getting permission to issue cookies. However, they may not be enough to adequately explain what information you collect through cookies and why you use it. That's why you may need to provide additional detail in your Privacy Policy.
The Information Commissioner's Office strikes a useful balance. Its cookie banner gives an overview of the ways it uses cookies and the data collected through the cookies:
It then links to a more detailed explanation of the purpose for each individual cookie:
ICO Cookies Use page: Chart with Purpose column highlighted
Why and How You Use Cookies
Many privacy laws say you must explain why and how you use personal information, including data gathered through cookies. This reason is known as a purpose.
With some laws, such as the GDPR, consent to process data only covers processing for the purposes you state at the time of collection. This includes the purposes you state in your Privacy Policy, as long as you link to it before collecting the data. You cannot use the data for another purpose without either getting fresh consent or establishing another lawful basis for that new purpose.
As we'll cover below, you may give users the option to accept some cookies and reject others. If so, it's helpful to use the same categories to break down the purposes of processing.
Automattic gives clear explanations of the different ways it uses cookies and the data it collects. It opted for a dedicated Cookie Policy rather than try to fit this into a Privacy Policy clause:
In the following example, Nature gives a clear list of the purposes for using cookies and the information it collects:
Scientific American details both the technical function categories of the different cookies it uses and the purposes for using the information collected through cookies:
TSL Timing uses a brief clause that covers several points including the purposes of the cookies and the interaction with third parties:
WindowWorx uses a creative approach of not only listing the ways it uses cookies, but also some potential ways that it does not:
The Information You Collect Through Cookies
Normally this can be an overview rather than a specific list. If you want or need to do a cookie-by-cookie breakdown, this normally works better in a dedicated Cookie Policy.
The goal is that if somebody has read the cookie clause in your Privacy Policy, they should reasonably expect any use you make of the information you gather through cookies.
To make things clearer, you could explain which parts of the information you can specifically link to the individual and any procedures you use for making the information anonymous or de-identified.
Tixio lists enough examples to give a good picture of the information it collects:
How to Block or Opt Out of Cookies
Your cookie clause should explain how a user can block or opt out of cookies that they have previously accepted. The only exception is those cookies that are strictly necessary for the website to work.
Depending on the complexity of your site and cookies, your cookie clause could include the controls for changing cookie settings. Alternatively, you could link to the page that contains the controls.
If you let users accept or reject cookies on a category-by-category basis, your cookie clause is a good place to explain in more detail what each category contains.
In theory, you could give users the ability to accept or reject individual cookies. This won't necessarily be helpful as it can be too overwhelming and time-consuming to make it easy for users to exercise their choice. In particular, you should never set cookies to be accepted by default and then require users to opt out of each one individually.
Some websites cover how users can block all cookies through their browser settings, either by explaining the steps or linking to instructions from the browser developer. This can be useful but doesn't override the need to let users control the specific cookie settings on your site, and to tell them how to do so. That's because browser cookie settings are a crude method that can make websites less functional or even non-functional, undermining the right of users to make a meaningful choice about cookies.
Remember that a user blocking or opting out of cookies doesn't automatically affect the information you have already gathered through the cookies. The user may have the right to tell you to stop using this previously-gathered information or even to delete it, for example if it is no longer necessary or relevant. Normally you should have addressed how to exercise this right elsewhere in your Privacy Policy, but it can be worth including a reminder in your cookies clause.
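As an added example (not code from this article or from any of the sites it cites), here is a small server-side consent gate in JavaScript that implements the approach described above: non-essential cookies are off by default, each cookie is issued only if the user has consented to its category, and cookies in a category the user has since withdrawn are expired on the next response. The cookie names, their categories, the consent cookie's name and its comma-separated value format are all assumptions made for this example.

```javascript
// Added example, not from the article. Cookie names, categories and the
// consent-cookie format below are assumptions made for illustration.

const CATEGORIES = ["strictly_necessary", "functional", "performance", "advertising"];

// Hypothetical cookie inventory: every cookie the site may set, its category,
// and its lifetime (Max-Age in seconds; null means a session cookie).
const COOKIE_REGISTRY = {
  session_id: { category: "strictly_necessary", maxAge: null },
  csrf_token: { category: "strictly_necessary", maxAge: null },
  ui_lang:    { category: "functional",         maxAge: 180 * 24 * 3600 },
  perf_uid:   { category: "performance",        maxAge: 30 * 24 * 3600 },
  ad_uid:     { category: "advertising",        maxAge: 365 * 24 * 3600 },
};

// Assumed name of the cookie that records the user's choice, e.g.
// "functional,performance". Its lifetime is also an assumption.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_MAX_AGE = 180 * 24 * 3600;

// Look a cookie up in the registry without falling through to Object.prototype
// (a request cookie named "constructor" must not look registered).
function registryEntry(name) {
  return Object.prototype.hasOwnProperty.call(COOKIE_REGISTRY, name) ? COOKIE_REGISTRY[name] : undefined;
}

// Parse a Cookie request header into a name -> value map. The map has no
// prototype so a cookie named "__proto__" cannot pollute it.
function parseCookieHeader(header) {
  const out = Object.create(null);
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Categories the user has consented to. Strictly necessary cookies need no
// consent, so they are always allowed; everything else is off by default,
// so a missing or empty consent cookie means "necessary only".
function allowedCategories(requestCookies) {
  const allowed = new Set(["strictly_necessary"]);
  const raw = requestCookies[CONSENT_COOKIE] || "";
  for (const c of raw.split(",")) {
    const name = c.trim();
    if (CATEGORIES.includes(name)) allowed.add(name);
  }
  return allowed;
}

// Build the Set-Cookie headers for a response. `wanted` maps cookie name to
// the value the application would like to set. A cookie is issued only if its
// category is allowed; any cookie already in the request whose category is
// not allowed (consent withdrawn, or never given) is expired with Max-Age=0.
function buildSetCookieHeaders(requestCookies, wanted) {
  const allowed = allowedCategories(requestCookies);
  const headers = [];
  for (const [name, value] of Object.entries(wanted)) {
    const meta = registryEntry(name);
    if (!meta) throw new Error(`unregistered cookie: ${name}`);
    if (!allowed.has(meta.category)) continue;
    let h = `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
    if (meta.maxAge !== null) h += `; Max-Age=${meta.maxAge}`;
    headers.push(h);
  }
  for (const name of Object.keys(requestCookies)) {
    const meta = registryEntry(name);
    if (meta && !allowed.has(meta.category)) {
      headers.push(`${name}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax`);
    }
  }
  return headers;
}

// Record a consent decision. The consent cookie itself only stores the user's
// choice, so it is treated as strictly necessary. Unknown categories and
// "strictly_necessary" (which needs no consent) are dropped from the value.
function consentCookieHeader(categories) {
  const chosen = categories.filter((c) => CATEGORIES.includes(c) && c !== "strictly_necessary");
  return `${CONSENT_COOKIE}=${encodeURIComponent(chosen.join(","))}; Path=/; Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}
```

Expiring a cookie this way only stops future collection through it; as the paragraph above says, data already recorded server-side under that identifier still has to be handled through your normal deletion process, and the consent cookie is deliberately not marked HttpOnly here so a client-side banner can read the current choice.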
NTT Data gives straightforward instructions on how to change cookie settings and withdraw consent:
Summary
Let's recap what you need to know about cookie use clauses.
Many privacy or website laws cover cookies in one way or another. Often you will need to tell people what you use cookies for. This could be because:
- You must get consent to issue cookies and people need the information to make an informed choice to give consent.
- You must give users a way to consent to some types of cookies but not to others.
- You must inform users about your collection and use of personal data, including that collected through cookies.
- You must get consent to collect and use personal data, including through cookies. The person must know how you will use the data before they can give valid consent.
- Sometimes you can give all the required information at the point you issue cookies (and sometimes you must do so). In other cases, you may need to give the information in your Privacy Policy.
- Most privacy laws that cover your use of personal information include information you collect through cookies. The GDPR says the key is whether this information can be combined with other data to link it to an identifiable person.
- You should list the ways you use cookies using meaningful and logical categories that give enough detail without overwhelming the reader.