Your website needs a cookie policy because internet cookies qualify as personal data and are subject to specific legal requirements under nearly every data privacy law.
Below, I explain more about why websites need cookie policies and discuss how to add one in your preferred format using a generator, a template, and a do-it-yourself approach.
How to Properly Add a Cookie Policy to Your Website
You can add a cookie policy to your website by using a cookie policy generator, customizing a free template, or taking a do-it-yourself approach.
- To add a cookie policy to your website, you first need to create the policy, publish it on your site, and link to it from your footer, cookie banner, and privacy center.
- To make a cookie policy for your website, you can either write your own, use a Cookie Policy Generator, or customize our Cookie Policy Template to fit your business needs.
Let’s go over all three methods in a little more detail:
Use Termly’s Cookie Policy Generator
The easiest way to make a cookie policy for your website is by using our Cookie Policy Generator.
First, your website is scanned using our cookie scanner.
The scanner will automatically categorize your cookies into six types, which you can then review and edit as needed:
- Essential
- Performance and function
- Analytics and customization
- Advertising
- Social networking
- Unclassified
Then your cookie policy is automatically generated, saving you time and simplifying the process.
You’ll then be walked through the process of customizing a consent banner, as shown in the screenshot below.
We provide some consent banner themes in our builder for you, but you can also add your own so it seamlessly matches the aesthetics of your brand, as shown below.
Our tools even block third-party cookies and scripts until your users consent to them, which keeps you in compliance with the laws we covered above and more.
It also keeps a log of the consent preferences set by your users for at least 180 days, which is recommended to stay compliant with the GDPR. You can set a date range and export the user consent log at any time directly in the Termly dashboard, shown for you below.
Once created, select the Add To Website button in the top right corner of the screen:
You’ll be presented with three options for adding the policy to your website, as shown in the screenshot below.
Choose your preferred method, then click the green Copy To Clipboard button, and add the code or URL directly to the relevant places you want to host the agreement in the backend of your website.
For example, we link ours in a few spots, but it always appears in the footer of our website, which you can see in the screenshot below.
Use Our Free Cookie Policy Template
Another easy way to add a cookie policy to your website is to use our free downloadable cookie policy template.
It only takes a few minutes to fill out, especially if you use our free cookie scanner to scan, categorize, and review the cookies your website uses.
After that, all you need to do is customize the purple sections of the policy to reflect the cookies, information, and specific details relevant to your business, as shown in the screenshot below.
The screenshot below shows you one of the multiple sections in the template where you can list the type of cookies your website uses based on the category they fit under.
Then you can publish the policy on your website or convert it to the code format you prefer and link it whenever you want your users to access it, like the footer of your website and in a cookie notification.
You’re still responsible for tracking the consent preferences of your users and, if you fall under the GDPR, maintaining a consent log for at least 180 days.
Do Everything Manually
You could choose to write your own cookie policy, but you should expect this method to take up a lot of time, energy, and resources, as you’d be required to:
- Conduct a cookie audit on your website
- Make a cookie policy from scratch
- Build your own consent banner
- Maintain an accurate consent log
A do-it-yourself approach is only recommended for people with the proper technical skills and significant legal and data privacy knowledge. Leaving something out could get you in legal trouble.
Why Do Websites Use Cookie Policies?
Websites use cookie policies to explain their cookie usage to visitors because it’s a legal requirement under laws like the GDPR and the CPRA and because being honest about what types of personal information you’re tracking is the right thing to do.
But before I dive into this any deeper, let’s quickly define what cookies actually are:
- Cookies are small text files of data that usually contain a unique identifier, or cookie ID.
Because cookie IDs can be used to identify an individual, cookies are considered personal information under some data privacy laws, including the GDPR and the CCPA/CPRA.
These laws set additional legal guidelines businesses must follow to collect, use, store, share, or sell personal information collected from your users.
Data Transparency Is the Right Thing to Do
Even if you don’t fall under any data privacy laws, I believe being transparent with users about what personal data you’re tracking is the right thing to do, which means listing the different types of internet cookies you use in a cookie policy.
Consumers today care about their privacy more than ever. Just look at these eye-opening data privacy statistics:
- 63% of internet users believe most companies aren’t transparent about how their data gets used (Tableau)
- 92% of Americans are concerned about their privacy using the internet (TrustArc)
- 48% of users have stopped shopping with a company over privacy concerns (Tableau)
- 33% of users terminated their relationship with companies over data issues — i.e., social media companies, ISPs, retailers, credit card providers, etc. (Cisco)
When Does Your Website Need a Cookie Policy?
Your website needs a cookie policy if it uses cookies to track user data and if your business meets the thresholds of any data privacy laws.
In the table below, I’ve summarized the legal thresholds for several data privacy laws so you can determine if your business falls under their jurisdictions.
| Data Privacy Law | Legal Threshold |
| --- | --- |
| General Data Protection Regulation (GDPR) | Any business targeting data subjects in the European Union (EU) that: |
| California Consumer Protection Act (CCPA) & California Privacy Rights Act (CPRA) | For-profit organizations doing business in California that meet one or more of the following: |
| Virginia Consumer Data Protection Act (VCDPA) | Any organization conducting business in Virginia or targeting products and services to residents of Virginia and controls or processes the personal data of at least: |
If you meet any of these thresholds, there are specific obligations you must follow under each law to use cookies to collect, store, and process user personal data, which I summarized for you in the next section.
Which Laws Require a Cookie Policy?
All of the following data privacy laws require businesses to post cookie policies or affect cookie usage in some way.
GDPR
Because cookies legally qualify as personal information, you must follow very specific requirements to use cookies under the GDPR.
The basic guidelines you must follow include:
- Know what cookies your website uses and which category each falls under
- Outline your cookie use in a privacy policy and a cookie policy
- Make users aware of both policies using clear language
- Get clear, explicit consent from users before placing any cookies on their browsers
- Allow users to change their cookie preferences or opt out of the tracking at any time
- Honor your users’ consent preferences
- Keep a recoverable log of the cookie consent preferences of your users
Article 7 of the GDPR states that where processing is based on consent, the business must be able to demonstrate that users have consented to the processing of their personal data. Pre-ticked checkboxes therefore do not count as consent under the GDPR.
Instead, use a cookie consent banner that features the clickwrap consent method to help get and track your users’ cookie consent preferences in a GDPR-compliant way.
The ePrivacy Directive
A piece of privacy legislation in the EU, the ePrivacy Directive — or EU Cookie Law — requires websites to get consent from users before retrieving or storing their personal information, including through the use of cookies.
This law gives consumers the right to say no to having their data collected, stored, and used.
If your website has users from the EU and you track any of their personal data, you’re required to do all of the following under the EU Cookie Law:
- Refrain from putting cookies on users’ browsers until they give consent
- Ask for consent to all trackers and cookies on your site
- Provide users with detailed information about all trackers and cookies on your site
- Give users a way to opt out or withdraw consent as easily as they opt in
To comply with the ePrivacy Directive, you need to ask for explicit user consent before placing any cookies on their browsers, respect your users’ consent preferences, and provide them with a comprehensive cookie policy.
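The GDPR guidelines above and the ePrivacy Directive requirements just listed come down to the same mechanics: start with nothing consented, load non-essential trackers only after an explicit click, let users withdraw as easily as they opted in, and keep a recoverable consent log. The JavaScript below is an added example of such a consent gate; it is not Termly’s code or the product this page describes. The category names follow the categories the page lists, while the script registry, its example.invalid URLs, the policy version string and every function name are this example’s own assumptions.

```javascript
// Added example (not Termly's or the page's code): a minimal consent gate.
// Default state consents to nothing but strictly necessary cookies, third-party
// scripts load only after an explicit opt-in, withdrawal is one call, and every
// decision is appended to a recoverable log. All names below are assumptions.

const CATEGORIES = ['essential', 'performance', 'analytics', 'advertising', 'social'];

// Constructed version tag so each log entry records which policy text was shown.
const POLICY_VERSION = 'cookie-policy-v1';

// Constructed registry: which third-party script belongs to which category.
const SCRIPT_REGISTRY = [
  { src: 'https://example.invalid/analytics.js', category: 'analytics' },
  { src: 'https://example.invalid/ads.js', category: 'advertising' },
  { src: 'https://example.invalid/share-widget.js', category: 'social' },
];

// A new visitor has consented to nothing: no pre-ticked boxes, because GDPR
// Art. 7 requires demonstrable consent. Only essential cookies are on by default.
function initialConsent() {
  const state = {};
  for (const cat of CATEGORIES) state[cat] = cat === 'essential';
  return state;
}

// Build a log entry for the current state (ISO timestamps sort lexically).
function logEntry(state, now) {
  return { at: now.toISOString(), choices: { ...state }, policyVersion: POLICY_VERSION };
}

// Apply the choices the user actually clicked in the banner. Unknown keys are
// ignored and "essential" can never be switched off. Returns the new state
// plus the log entry the caller should persist.
function recordConsent(state, choices, now = new Date()) {
  const next = { ...state };
  for (const cat of CATEGORIES) {
    if (cat !== 'essential' && typeof choices[cat] === 'boolean') next[cat] = choices[cat];
  }
  return { state: next, entry: logEntry(next, now) };
}

// Withdrawal must be as easy as opting in: one call clears every non-essential category.
function withdrawAll(now = new Date()) {
  const next = initialConsent();
  return { state: next, entry: logEntry(next, now) };
}

// The decision point every tag and cookie setter must go through.
function mayRun(state, category) {
  return state[category] === true;
}

// Scripts allowed to load under the current state.
function permittedScripts(state, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => mayRun(state, s.category)).map((s) => s.src);
}

// Browser side: inject only permitted scripts, once each. Returns the count
// injected; under Node (no document) it injects nothing and returns 0.
function injectPermitted(state, registry = SCRIPT_REGISTRY) {
  if (typeof document === 'undefined') return 0;
  let injected = 0;
  for (const src of permittedScripts(state, registry)) {
    if (document.querySelector(`script[src="${src}"]`)) continue;
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
    injected += 1;
  }
  return injected;
}

// Export the log entries inside a date range (inclusive), the way the
// dashboard export described above works.
function exportLog(log, from, to) {
  const lo = from.toISOString();
  const hi = to.toISOString();
  return log.filter((e) => e.at >= lo && e.at <= hi);
}

// Retention: drop only entries older than `days` (180 by default), so the log
// always covers at least the period the page recommends keeping.
function pruneLog(log, now = new Date(), days = 180) {
  const cutoff = now.getTime() - days * 24 * 60 * 60 * 1000;
  return log.filter((e) => new Date(e.at).getTime() >= cutoff);
}
```

In a real deployment the banner’s button handler calls `recordConsent`, persists the returned entry server-side (the log must survive the user clearing their cookies) and then calls `injectPermitted`; a “withdraw” link in the footer calls `withdrawAll` and reloads the page so nothing already running keeps a stale grant.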
CCPA/CPRA
The CPRA amends parts of the CCPA, so the two laws work together to provide a single set of obligations for businesses and privacy rights for California consumers.
These amendments specifically classify cookie IDs as personal information, which is defined in Section 1798.140 of the law as:
…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
You are not required to get explicit consent from users before using cookies under the CCPA and CPRA. One exception is when targeting and processing information about children under 13.
But you must notify users that you’re using the cookies and provide them with details like:
- What categories of cookies you use and why
- If the cookies collect sensitive personal information and what their purpose is
- How to opt out of the use of cookies
- What third parties you sell or share personal information collected from cookies with
- Additional details about opt-in rights for children under 13
The CPRA defines sensitive personal information as:
- ID numbers (social security, driver’s license, state IDs, passport numbers)
- Account log-in information in combination with any required security access codes, passwords, or other credentials to access the account
- Precise geolocations
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union memberships
- Contents of consumers’ mail, emails, and text messages
- Genetic data
- Biometric data
- Health data
- Sex life and sexual orientation
Cookie compliance under both the CCPA and the CPRA can be achieved with proper cookie banner settings and a link to a cookie policy that clearly outlines all of the details mentioned above.
But remember, the CPRA grants consumers the right to opt out of or limit the use of their sensitive personal information for targeted advertising, which typically involves the use of tracking cookies.
So you must also provide an easy way for users to act on this opt-out right and honor their consent preferences.
Virginia CDPA
Cookies qualify as personal data under the Virginia Consumer Data Protection Act (CDPA), which defines personal data in Section 59.1-571 as:
…any information that is linked or reasonably linkable to an identified or identifiable natural person.
The law also has a separate category of sensitive personal data subject to even more user rights. You need to obtain user consent before processing it, including what you collect through cookies.
The CDPA defines sensitive personal data as any of the following details:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Precise geolocation
- Personal data collected from a known child
Under this law, you’re also required to have a privacy notice and cookie policy that outlines all of the following information in a clear, reasonably accessible, and meaningful way:
- The purpose for collecting personal information
- What categories of personal data you process
- Whether any categories of personal information are shared with or sold to any third parties
- How users can submit requests
- How users can appeal decisions related to their requests
- A clear disclosure of any processing of personal data for targeted advertising
- Opt-out rights for the processing of data
Summary
A cookie policy is a necessary document that informs users about what cookies your website uses and outlines their rights over how that data gets tracked, processed, shared, sold, or used.
Having one is a major facet of compliance under most privacy laws, along with adequately obtaining and honoring user consent.
While you could do it all yourself, our Cookie Policy Generator or template can help you achieve cookie compliance on your website in accordance with applicable data privacy laws.