Your website needs a cookie policy because, under laws like the General Data Protection Regulation (GDPR) and the recently amended California Consumer Protection Act (CCPA), internet cookies qualify as personal data and are subject to specific legal requirements.
- To add a cookie policy to your website, you first need to create the policy, publish it on your site, and link to it from your footer, cookie banner, and privacy center.
- To make a cookie policy for your website, you can either write your own, use a Cookie Policy Generator, or customize our Cookie Policy Template to fit your business needs.
In this brief guide, we’ll help you learn why websites need cookie policies, explain relevant data privacy laws, and then discuss how to add a cookie policy in your preferred format to your website using a generator, a template, and a do-it-yourself approach.
Why Do Websites Use Cookie Policies
Websites use cookie policies to explain their cookie usage to visitors because it’s a legal requirement under laws like the GDPR and the CPRA and because being honest about what types of personal information you’re tracking is the right thing to do.
But before we dive into this any deeper, let’s quickly define what cookies actually are:
- Cookies are small text files of data that usually contain a unique identifier or cookie ID
Because cookie IDs can be used to identify an individual, cookies are considered personal information under some data privacy laws, including the GDPR and the CCPA/CPRA.
These laws set additional legal guidelines businesses must follow to collect, use, store, share, or sell personal information collected from your users, which we’ll discuss later in this article.
Data Transparency Is The Right Thing to Do
Even if you don’t fall under any data privacy laws, we believe being transparent with users about what personal data you’re tracking is the right thing to do, which means listing the different types of internet cookies you use in a cookie policy.
Consumers today care about their privacy more than ever. If we can’t convince you, just look at these eye-opening data privacy statistics:
- 63% of internet users believe most companies aren’t transparent about how their data gets used (Tableau)
- 92% of Americans are concerned about their privacy using the internet (TrustArc)
- 48% of users have stopped shopping with a company over privacy concerns (Tableau)
- 33% of users terminated their relationship with companies over data issues — i.e., social media companies, ISPs, retailers, credit card providers, etc. (Cisco)
When Does Your Website Need a Cookie Policy?
Your website needs a cookie policy if it uses cookies to track user data and if your business meets the thresholds of any data privacy laws.
In the table below, we’ve summarized the legal thresholds for several data privacy laws so you can determine if your business falls under their jurisdictions.
| Data Privacy Law | Legal Threshold |
| General Data Protection Regulation (GDPR) | Any business targeting data subjects in the European Union (EU) that:
|
| California Consumer Protection Act (CCPA) & California Privacy Rights Act (CPRA) |
For-profit organizations doing business in California that meet one or more of the following:
|
| Virginia Consumer Data Protection Act (CDPA) | Any organization conducting business in Virginia or targeting products and services to residents of Virginia and controls or processes the personal data of at least:
|
If you meet any of these thresholds, there are specific obligations you must follow under each law to use cookies to collect, store, and process user personal data, which we’ve summarized for you in the next section.
Which Laws Require a Cookie Policy?
All of the following data privacy laws require businesses to post cookie policies or affect cookie usage in some way:
- The General Data Protection Regulation (GDPR)
- The ePrivacy Directive (EU Cookie Law)
- The California Consumer Protection Act (CCPA)
- The California Privacy Rights Act (CPRA)
- The Virginia Consumer Data Protection Act (CDPA)
In the next sections, we compare the requirements for cookie usage set by each piece of legislation.
GDPR
Because cookies legally qualify as personal information, you must follow very specific requirements to use cookies under the GDPR.
The basic guidelines you must follow include:
- Knowing what cookies your website uses and which category they fall under
- Outline your cookie use in a privacy policy and a cookie policy
- Make users aware of both policies using clear language
- Get clear, explicit consent from users before placing any cookies on their browsers
- Allow users to change their cookie preferences or opt out of the tracking at any time
- Honor your users’ consent preferences
- Keep a recoverable log of the cookie consent preferences of your users
The GDPR states under Article 7 that where processing is based on consent, business needs to be able to demonstrate that the users have consented to processing of their personal data. Therefore, consent under the GDPR does not mean pre-ticked checkboxes for cookies.
Instead, use a cookie consent banner that features the clickwrap consent method to help get and track your users’ cookie consent preferences in a GDPR-compliant way.
The ePrivacy Directive
A piece of privacy legislation in the EU, the ePrivacy Directive — or EU Cookie Law — requires websites to get consent from users before retrieving or storing their personal information, including through the use of cookies.
This law gives consumers the right to say no to having their data collected, stored, and used.
If you have a website users from the EU and you track any of their personal data, you’re required to do all of the following under the EU Cookie Law:
- Refrain from putting cookies on users’ browsers until they give consent
- Ask for consent to all trackers and cookies on your site
- Provide users with detailed information about all trackers and cookies on your site
- Give users a way to opt out or withdraw consent as easily as they opt in
To comply with the ePrivacy Directive, you need to ask for explicit user consent before placing any cookies on their browsers’, respect your users’ consent preferences, and provide them with a comprehensive cookie policy.
CCPA/CPRA
The CPRA amends parts of the CCPA, so the two laws work together to provide a single set of obligations for businesses and privacy rights for California consumers.
These amendments specifically classify cookie IDs as personal information, which is defined in Section 1798.140 of the law as:
“…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
You are not required to get explicit consent from users before using cookies under the CCPA and CPRA. One exception is when targeting and processing information about children under 13.
But you must notify users that you’re using the cookies and provide them with details like:
- What categories of cookies you use and why
- If the cookies collect sensitive personal information and what their purpose is
- How to opt out of the use of cookies
- What third parties you sell or share personal information collected from cookies with
- Additional details about opt-in rights for children under 13
The CPRA defines sensitive personal information as:
- ID numbers (social security, driver’s license, state IDs, passport numbers)
- Account log-in information in combination with any required security access codes, passwords, or other credentials to access the account
- Precise geolocations
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union memberships
- Contents of consumers’ mail, emails, and text messages
- Genetic data
- Biometric data
- Health data
- Sex life and sexual orientation
Both CCPA and CPRA-cookie compliance can be achieved by having a proper cookie banner settings and linking to a cookie policy that clearly outlines all of the details mentioned above.
But remember, the CPRA grants consumers the right to opt out of or limit the use of their sensitive personal information for targeted advertising, which typically involves the use of tracking cookies.
So you must also provide an easy way for users to act on this opt-out right and honor their consent preferences.
Virginia CDPA
Cookies qualify as personal data under the Virginia Consumer Data Protection Act (CDPA), which is defined in Section 59.1-571 as:
“…any information that is linked or reasonably linkable to an identified or identifiable natural person.”
The law also has a separate category of sensitive personal data subject to even more user rights. You need to obtain user consent before processing it, including what you collect through cookies.
The CDPA defines sensitive personal data as any of the following details:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Precise geolocation
- Personal data collected from a known child
Under this law, you’re also required to have a privacy notice and cookie policy that outlines all of the following information in a clear, reasonably accessible, and meaningful way:
- The purpose for collecting personal information
- What categories of personal data you process
- If any categories of personal information are shared with or sold to any third parties
- Explain how users can submit requests
- Provide a way for users to appeal decisions related to their requests
- Clearly disclose the processing of personal data for targeted advertising
- Provide opt-out rights for the processing of data
How To Properly Add a Cookie Policy to Your Website
You can add a cookie policy to your website by using a cookie policy generator, customizing a free template, or taking a do-it-yourself approach.
Let’s go over all three methods in a little more detail:
Use Termly’s Cookie Policy Generator
The easiest way to make a cookie policy for your website is by using our Cookie Policy Generator.
First, your website is scanned using our cookie scanner.
The scanner will automatically categorize your cookies into six types, which you can then review and edit as needed:
- Essential
- Performance and function
- Analytics and customization
- Advertising
- Social networking
- Unclassified
Then your cookie policy is automatically generated, saving you time and simplifying the process.
You’ll then be walked through the process of customizing a consent banner, as shown in the screenshot below.
We provide some consent banner themes in our builder for you, but you can also add your own so it seamlessly matches the aesthetics of your brand, as shown below.
Our tools even block third-party cookies and scripts until your users consent to them, which keeps you in compliance with the laws we covered above and more.
It also keeps a log of the consent preferences set by your users for at least 180 days, which is recommended to stay compliant with the GDPR. You can set a date range and export the user consent log at any time directly in the Termly dashboard, shown for you below.
Once created, select the Add To Website button in the top right corner of the screen:
You’ll be presented with three options for adding the policy to your website, as shown in the screenshot below.
Choose your preferred method, then click the green Copy To Clipboard button, and add the code or URL directly to the relevant places you want to host the agreement in the backend of your website.
For example, we link ours in a few spots, but it always appears in the footer of our website, which you can see in the screenshot below.
Use Our Free Cookie Policy Template
Another easy way to add a cookie policy to your website is to use our free downloadable cookie policy template.
It only takes a few minutes to fill out, especially if you use our free cookie scanner to scan, categorize, and review the cookies your website uses.
After that, all you need to do is customize the purple sections of the policy to reflect the cookies, information, and specific details relevant to your business, screenshotted for you below.
The screenshot below shows you one of the multiple sections in the template where you can list the type of cookies your website uses based on the category they fit under.
Then you can publish the policy on your website or convert it to the code format you prefer and link it whenever you want your users to access it, like the footer of your website and in a cookie notification.
Remember, you’re still responsible for tracking the consent preferences of your users and, if you fall under the GDPR, maintaining a consent log for at least 180 days.
Do Everything Manually
You could choose to write your own cookie policy, but you should expect this method to take up a lot of time, energy, and resources, as you’d be required to:
- Conduct a cookie audit on your website
- Make a cookie policy from scratch
- Build your own consent banner
- Maintain an accurate consent log
A do-it-yourself approach is only recommended for people with the proper technical skills and significant legal and data privacy knowledge. Leaving something out could get you in legal trouble.
Summary
A cookie policy is a necessary document under laws like the GDPR and CPRA that informs users about what cookies your website uses and outlines their rights over how that data gets tracked, processed, shared, sold, or used.
But linking to a well-written cookie policy is only one facet of compliance under most of these laws. For example, you must also obtain and honor user consent under the Virginia CDPA and the GDPR.
Plus, you must provide your users with ways to follow through on their rights, like:
- The right to opt into the use of cookies that collect personal data and are used for targeted advertising under the GDPR
- The right to opt out of the sale or sharing of certain categories of data under the CPRA
- The right to opt out of the processing of personal data under the Virginia CDPA
While you could do it all yourself, we recommend using our Cookie Policy Generator or template to achieve cookie compliance on your website, which will help ensure you’re using cookies in accordance with all relevant data privacy laws.
Mmm. Now is all this cookie talk making anyone else hungry?
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
