Why Do Websites Use Cookie Policies
Websites use cookie policies to explain their cookie usage to visitors because it’s a legal requirement under laws like the GDPR and the CPRA and because being honest about what types of personal information you’re tracking is the right thing to do.
But before we dive into this any deeper, let’s quickly define what cookies actually are:
- Cookies are small text files of data that usually contain a unique identifier or cookie ID
Because cookie IDs can be used to identify an individual, cookies are considered personal information under some data privacy laws, including the GDPR and the CCPA/CPRA.
These laws set additional legal guidelines businesses must follow to collect, use, store, share, or sell personal information collected from your users, which we’ll discuss later in this article.
Data Transparency Is The Right Thing to Do
Consumers today care about their privacy more than ever. If we can’t convince you, just look at these eye-opening data privacy statistics:
- 63% of internet users believe most companies aren’t transparent about how their data gets used (Tableau)
- 92% of Americans are concerned about their privacy using the internet (TrustArc)
- 48% of users have stopped shopping with a company over privacy concerns (Tableau)
- 33% of users terminated their relationship with a company over data issues, such as social media companies, ISPs, retailers, and credit card providers (Cisco)
In the table below, we’ve summarized the legal thresholds for several data privacy laws so you can determine if your business falls under their jurisdictions.
|Data Privacy Law|Legal Threshold|
|---|---|
|General Data Protection Regulation (GDPR)|Any business targeting data subjects in the European Union (EU) that:|
|California Consumer Protection Act (CCPA) & California Privacy Rights Act (CPRA)|For-profit organizations doing business in California that meet one or more of the following:|
|Virginia Consumer Data Protection Act (CDPA)|Any organization conducting business in Virginia or targeting products and services to residents of Virginia and controls or processes the personal data of at least:|
All of the following data privacy laws require businesses to post cookie policies or affect cookie usage in some way:
- The General Data Protection Regulation (GDPR)
- The ePrivacy Directive (EU Cookie Law)
- The California Consumer Protection Act (CCPA)
- The California Privacy Rights Act (CPRA)
- The Virginia Consumer Data Protection Act (CDPA)
In the next sections, we compare the requirements for cookie usage set by each piece of legislation.
The basic guidelines you must follow include:
- Know what cookies your website uses and which category each one falls under
- Make users aware of both policies using clear language
- Get clear, explicit consent from users before placing any cookies on their browsers
- Allow users to change their cookie preferences or opt out of tracking at any time
- Honor your users’ consent preferences
- Keep a recoverable log of your users’ cookie consent preferences
The GDPR states under Article 7 that where processing is based on consent, a business needs to be able to demonstrate that the user has consented to the processing of their personal data. Therefore, consent under the GDPR cannot be obtained through pre-ticked checkboxes for cookies.
Instead, use a cookie consent banner that features the clickwrap consent method to help get and track your users’ cookie consent preferences in a GDPR-compliant way.
The ePrivacy Directive
This law gives consumers the right to say no to having their data collected, stored, and used.
If your website has users from the EU and you track any of their personal data, you’re required to do all of the following under the EU Cookie Law:
- Refrain from putting cookies on users’ browsers until they give consent
- Ask for consent to all trackers and cookies on your site
- Provide users with detailed information about all trackers and cookies on your site
- Give users a way to opt out or withdraw consent as easily as they opt in
The CPRA amends parts of the CCPA, so the two laws work together to provide a single set of obligations for businesses and privacy rights for California consumers.
These amendments specifically classify cookie IDs as personal information, which is defined in Section 1798.140 of the law as:
“…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
You are not required to get explicit consent from users before using cookies under the CCPA and CPRA. One exception is when targeting and processing information about children under 13.
But you must notify users that you’re using the cookies and provide them with details like:
- What categories of cookies you use and why
- If the cookies collect sensitive personal information and what their purpose is
- What third parties you sell or share personal information collected from cookies with
- Additional details about opt-in rights for children under 13
The CPRA defines sensitive personal information as:
- ID numbers (social security, driver’s license, state IDs, passport numbers)
- Account log-in information in combination with any required security access codes, passwords, or other credentials to access the account
- Precise geolocations
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union memberships
- Contents of consumers’ mail, emails, and text messages
- Genetic data
- Biometric data
- Health data
- Sex life and sexual orientation
But remember, the CPRA grants consumers the right to opt out of or limit the use of their sensitive personal information for targeted advertising, which typically involves the use of tracking cookies.
So you must also provide an easy way for users to act on this opt-out right and honor their consent preferences.
Cookies qualify as personal data under the Virginia Consumer Data Protection Act (CDPA), which Section 59.1-571 defines as:
“…any information that is linked or reasonably linkable to an identified or identifiable natural person.”
The law also has a separate category of sensitive personal data subject to even more user rights. You need to obtain user consent before processing it, including what you collect through cookies.
The CDPA defines sensitive personal data as any of the following details:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Precise geolocation
- Personal data collected from a known child

- The purpose for collecting personal information
- What categories of personal data you process
- If any categories of personal information are shared with or sold to any third parties
- Explain how users can submit requests
- Provide a way for users to appeal decisions related to their requests
- Clearly disclose the processing of personal data for targeted advertising
- Provide opt-out rights for the processing of data
Let’s go over all three methods in a little more detail:
First, your website is scanned using our cookie scanner.
The scanner will automatically categorize your cookies into six types, which you can then review and edit as needed:
- Performance and function
- Analytics and customization
- Social networking
You’ll then be walked through the process of customizing a consent banner, as shown in the screenshot below.
We provide some consent banner themes in our builder for you, but you can also add your own so it seamlessly matches the aesthetics of your brand, as shown below.
Our tools even block third-party cookies and scripts until your users consent to them, which keeps you in compliance with the laws we covered above and more.
It also keeps a log of the consent preferences set by your users for at least 180 days, which is recommended to stay compliant with the GDPR. You can set a date range and export the user consent log at any time directly in the Termly dashboard, shown for you below.
Once created, select the Add To Website button in the top right corner of the screen:
You’ll be presented with three options for adding the policy to your website, as shown in the screenshot below.
Choose your preferred method, then click the green Copy To Clipboard button and add the code or URL to the places on your website where you want the policy to appear.
For example, we link ours in a few spots, but it always appears in the footer of our website, which you can see in the screenshot below.
It only takes a few minutes to fill out, especially if you use our free cookie scanner to scan, categorize, and review the cookies your website uses.
After that, all you need to do is customize the purple sections of the policy to reflect the cookies, information, and specific details relevant to your business, screenshotted for you below.
The screenshot below shows you one of the multiple sections in the template where you can list the type of cookies your website uses based on the category they fit under.
Then you can publish the policy on your website or convert it to the code format you prefer and link it whenever you want your users to access it, like the footer of your website and in a cookie notification.
Remember, you’re still responsible for tracking the consent preferences of your users and, if you fall under the GDPR, maintaining a consent log for at least 180 days.
Do Everything Manually
- Conduct a cookie audit on your website
- Build your own consent banner
- Maintain an accurate consent log
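The three manual steps above, together with the ePrivacy rules earlier (no cookies or trackers before consent, withdrawal as easy as opt-in) and the GDPR point about demonstrable consent, map onto a small amount of browser-side logic. The following is an added example written for this article; it is not Termly’s code or any consent-management product’s code. The category names, cookie names, script URLs and the `COOKIE_CATEGORY_MAP` (standing in for the output of your own cookie audit) are constructed placeholders.

```javascript
// Added example: a minimal do-it-yourself consent gate covering the three
// manual steps: audit output (cookie -> category map), consent-gated script
// loading, and a recoverable consent log. Not Termly's code.

// Cookie categories used by this example (constructed).
const CATEGORIES = ["essential", "performance", "analytics", "social"];

// Result of a hypothetical cookie audit: which category each known cookie belongs to.
const COOKIE_CATEGORY_MAP = {
  sid: "essential",
  perf_id: "performance",
  stats_uid: "analytics",
  share_widget: "social",
};

// Scripts the site would like to run, tagged with the category they require.
// URLs are placeholders, not real vendors.
const SCRIPT_MANIFEST = [
  { id: "session", category: "essential", src: "/js/session.js" },
  { id: "stats", category: "analytics", src: "https://stats.example/tag.js" },
  { id: "share", category: "social", src: "https://share.example/widgets.js" },
];

// Build a consent record from the banner's checkbox state. Everything except
// "essential" defaults to denied, so an untouched banner grants nothing
// (no pre-ticked boxes). Only a literal `true` counts as consent.
function makeConsentRecord(choices, policyVersion, now = Date.now()) {
  const granted = {};
  for (const category of CATEGORIES) {
    granted[category] = category === "essential" || choices[category] === true;
  }
  return { granted, policyVersion, timestamp: new Date(now).toISOString() };
}

// Withdrawal is as easy as opting in: one call resets to essentials only.
function withdrawConsent(record, now = Date.now()) {
  return makeConsentRecord({}, record.policyVersion, now);
}

// Only scripts whose category has been granted may be injected into the page.
function allowedScripts(record, manifest = SCRIPT_MANIFEST) {
  return manifest.filter((s) => record.granted[s.category] === true);
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Cookies to expire after a consent change: anything whose category is not
// granted, plus any cookie the audit never classified (unknown = unconsented).
function cookiesToExpire(cookieHeader, record, categoryMap = COOKIE_CATEGORY_MAP) {
  return cookieNames(cookieHeader).filter((name) => {
    const category = categoryMap[name];
    return category === undefined || record.granted[category] !== true;
  });
}

// Append-only consent log with a retention window (at least 180 days, as the
// article recommends). prune() only removes entries older than that window.
class ConsentLog {
  constructor(retentionDays = 180) {
    this.retentionMs = retentionDays * 24 * 60 * 60 * 1000;
    this.entries = [];
  }
  append(visitorId, record) {
    this.entries.push({ visitorId, ...record });
    return this.entries.length;
  }
  // Drop entries older than the retention window; returns how many remain.
  prune(now = Date.now()) {
    this.entries = this.entries.filter(
      (e) => now - Date.parse(e.timestamp) <= this.retentionMs
    );
    return this.entries.length;
  }
  // Plain array, ready to serialize for an export or a data-subject request.
  export() {
    return this.entries.map((e) => ({ ...e }));
  }
}

// Browser glue: inject only the allowed scripts. Returns the ids it injected,
// or [] when there is no document (e.g. when run under Node).
function loadAllowedScripts(record, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return [];
  const loaded = [];
  for (const s of allowedScripts(record)) {
    const el = doc.createElement("script");
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(s.id);
  }
  return loaded;
}
```

In a real banner you would call `makeConsentRecord` when the visitor clicks Accept, `loadAllowedScripts` with the result, append the record to a server-side `ConsentLog` keyed by a visitor identifier, and on withdrawal expire every name returned by `cookiesToExpire` (by rewriting `document.cookie` with a past expiry, or server-side for HttpOnly cookies). Treating unclassified cookies as unconsented is deliberate: it turns a gap in your audit into something you notice rather than something you silently keep.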
A do-it-yourself approach is only recommended for people with the proper technical skills and significant legal and data privacy knowledge. Leaving something out could get you in legal trouble.
Plus, you must provide your users with ways to follow through on their rights, like:
- The right to opt out of the sale or sharing of certain categories of data under the CPRA
- The right to opt out of the processing of personal data under the Virginia CDPA
Mmm. Now is all this cookie talk making anyone else hungry?