Cookies are small text files that websites place and store on the computers and mobile devices of their users. These files are generally used to improve the user experience, but may contain personal information about the user or their behavior on the website.
- Cookie Policies Explained
- Are You Legally Required to Have a Cookies Policy?
- Getting User Consent for Your Cookies Policy
- Examples of Cookie Policies
- FAQs About Cookie Policies
Cookie Policies Explained
Users must be told that tracking information is collected and given the ability to opt out of being tracked. If this is not offered, your users may choose not to continue on your site, and you may violate certain laws.
Are You Legally Required to Have a Cookies Policy?
Cookie policies are required in both the US and the EU.
This added precaution regarding transparency and consent is an excellent way to stay ahead of impending changes in state, federal, and international laws.
If you have existing or potential consumers in California, you might need to comply with the California Consumer Privacy Act (CCPA). This broad state privacy law requires that you present a cookies policy that explains the cookies you collect and store and how you or third parties may use them.
The CCPA applies to businesses that operate in California and meet any of the following:
- Have a gross annual revenue of over $25 million
- Buy, receive, or sell the personal information of 50,000 or more California residents
- Derive at least 50% of their annual revenue from selling personal information
In November 2020, an addendum to the CCPA was put in place. The California Privacy Rights Act (CPRA) is a state-wide data privacy law that amends and expands the CCPA, tightening business regulations and strengthening data privacy rights.
The CPRA applies to businesses that operate in California and meet any of the following:
- Have a gross annual revenue of over $25 million in the preceding calendar year
- Buy, sell, or share the personal information of 100,000 or more Californians
- Derive at least 50% of their annual revenue from selling or sharing personal information
The significant changes in the CPRA are the higher consumer threshold and the addition of sharing, rather than just selling, consumer personal information. Although the threshold number of consumers has increased, including “sharing” in the test for deriving 50% or more of annual revenue will likely increase the number of businesses that must comply with the CPRA.
The CPPA is authorized to enforce and penalize a business’s failure to:
- Reasonably limit the collection of personal information, including sensitive data, to what is necessary for the purpose for which it was collected.
- Limit the retention of personal information to the least amount of time necessary to fulfill the purpose for which it was collected.
With regard to consent, the CCPA doesn’t require prior consent. Therefore, you can collect, store, and use the cookie data right away without confirmation from the user.
Consent rules under the CPRA go further in safeguarding against the use of data from consumers under 16. Prior consent is required to sell or share a minor’s personal information.
Technically, cookies are mentioned only once under GDPR Recital 30. Despite that limited reference, the regulations regarding cookies affect any business that uses personal cookie identifiers to track browser activity. When cookies keep data that can identify an individual, it is considered personal data, and you must inform users of their rights regarding cookie collection.
If you use cookie identifiers, the GDPR requires that you:
- Identify any third-party services that may collect cookies.
- Clearly explain what cookies are and how they work.
- Explain why and how you use the cookies.
- Provide information on adjusting or opting out of cookies.
- Obtain informed consent before storing those cookies on the user’s device.
Having pre-ticked boxes or accepting a user’s silence is insufficient to obtain consent.
All users in the European Economic Area (EEA) must consent to non-essential cookies before a site can use them. Websites risk enormous fines if they are subject to the requirements of the EEA or GDPR and do not get a user’s consent or permission before they collect cookies that can personally identify them.
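As an added illustration of the consent rules above (not code from the original article), here is a small consent model in which essential cookies are exempt, every non-essential category starts unchecked, and only an explicit banner action grants anything beyond that. The category names and the cookie inventory are constructed sample values.

```javascript
// Cookie categories a policy might declare (constructed sample, not a real site's list).
// Essential cookies are exempt from consent; every other category is opt-in only.
const COOKIE_CATEGORIES = {
  essential: { requiresConsent: false },
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
  personalization: { requiresConsent: true },
};

// Inventory of the cookies the site sets, each tagged with its category (constructed).
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential" },
  { name: "csrf_token", category: "essential" },
  { name: "analytics_id", category: "analytics" },
  { name: "ad_id", category: "advertising" },
  { name: "theme", category: "personalization" },
];

// The banner starts with every non-essential box unchecked: pre-ticked defaults are not consent.
function initialBannerState() {
  const state = {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    if (meta.requiresConsent) state[name] = false;
  }
  return state;
}

// Turn a banner interaction into a consent record. Only an explicit action counts:
// "accept_all", or "save" with the categories the user actually ticked. "reject_all",
// closing the banner, or no action at all grants nothing beyond the essential category.
function recordConsent(action, tickedCategories = []) {
  const granted = new Set(["essential"]);
  if (action === "accept_all") {
    Object.keys(COOKIE_CATEGORIES).forEach((c) => granted.add(c));
  } else if (action === "save") {
    tickedCategories
      .filter((c) => Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, c))
      .forEach((c) => granted.add(c));
  }
  return { granted: [...granted], recordedAt: new Date().toISOString() };
}

// Names of the cookies that may be set under a given consent record (null = no record yet,
// e.g. a first visit before the user has interacted with the banner).
function allowedCookies(consent) {
  const granted = new Set(consent ? consent.granted : ["essential"]);
  return COOKIE_REGISTRY.filter((c) => granted.has(c.category)).map((c) => c.name);
}
```

The same gate would sit in front of every script that sets a non-essential cookie, so that nothing is written before a record exists.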
In the EU, consent for cookies is also required by the European Cookie Directive (known as the EU Cookie Law or the ePrivacy Directive). The Cookie Law requires websites to get consent from visitors to store or retrieve any information on a smartphone, computer, or tablet. The Cookie Law was designed to protect online privacy by making consumers aware of how their information is collected and used online and giving them a choice whether or not to consent.
A cookies policy should cover:
- An explanation of what cookies are
- The types of cookies in use by you or third parties
- How you collect information (e.g., forms, sign-ups, subscriptions)
- Why you or a third party is collecting the information
- How a user can opt out of having cookies placed on a device
- Detailed instructions on how users can set their cookie preferences or opt out from them
If users have navigated to your cookies policy, they likely want to know specific information about the cookies you use and what rights they have as consumers.
Inform Users What Cookies Are
You should further explain that cookies enable websites to retrieve this information when users revisit them to tailor the page content for each user based on data related to prior browsing experiences, habits, and preferences.
If your business shares or discloses personal information to third parties for cross-context behavioral advertising, the CPRA requires that you inform your users by posting a “Do Not Share My Personal Information” link and provide consumers the ability to opt out.
Under CPRA, consumers also have a new right to limit the use and disclosure of sensitive personal information, like race or sexual orientation. They can direct you to use the data only to perform a necessary service.
In terms of informing users, businesses have to provide a clear and conspicuous link on their website homepage titled “Limit the Use of My Sensitive Personal Information.”
Inform Users What Kind of Cookies You Use
You need to inform your users exactly which types of cookies are being used on your website. Some examples of the various types of internet cookies include:
- Session cookies
- Persistent cookies
- Tracking cookies
- Advertising cookies
- Analytics cookies
- Personalization cookies
- Security/authentication cookies
Inform Users How They Can Opt Out of Cookies or Adjust Cookie Settings
Your cookie template must inform a user how they can opt out and control the use of the data collected by a particular site. You can also inform users that it’s possible to opt out of some third-party cookies through the Network Advertising Initiative’s Opt-Out Tool.
Privacy laws strive to give users as much control as possible over their data and how it is being used. For example, the recent CPRA law allows California consumers to opt out of both the sale and the sharing of their data.
Consumers can take further steps by adjusting cookie settings to select which cookies are acceptable to the consumer. These steps include:
- Unsubscribing from the particular website that is collecting cookies
- Deleting the application requesting cookie collection
- Unchecking a marked box
- Directly withdrawing consent by contacting the website owner
- Choosing not to proceed with that particular online activity
Inside Current Legal Policies
Informational Menus or Sections
You may use informational menus or dedicated sections to guide an interested user to more information on your cookies policy. However, the location of the menu or section must still be prominent to allow users to navigate to the various parts they wish to learn more about.
Website footers that appear along the bottom of your site can provide links to areas of user interest. For example, your website footer can list items like company contact information or a link to your website’s cookies policy.
Banners and Pop-Ups
Banners and pop-ups have gained popularity as a method of maintaining privacy compliance. Depending on the law that applies, website owners must either obtain users’ prior consent before legally processing their personal data (GDPR) or provide opt-out mechanisms so users can decline cookie placement (CCPA).
Cookie notification messages, as well as pop-ups, can be seen on many websites today. Below is a typical cookie banner that alerts users to cookie usage and provides options to customize cookie settings:
Pop-ups are also a convenient method of informing users and ensuring that users are moving forward with both knowledge and consent.
For example, the global furniture company Ikea uses a pop-up on its UK website that directly offers users the choice to accept all cookies or customize their settings.
Getting User Consent for Your Cookies Policy
Consent for your cookies policy requires that a user affirmatively check a box, provide information to proceed onto the website, or click on cookie settings to acknowledge they have read, understood, and wish to proceed with the accompanying policy. You can check out some consent banner examples for inspiration on how to display your cookie notice.
Examples of Cookie Policies
An effective cookies policy is designed to alert users of the existence of cookies and the fact that your website collects data in this manner. In addition, the best cookie policies describe how a user can manage their preferences and require affirmative consent.
FAQs About Cookie Policies