Complete Guide to Cookie Policy for Websites

Cookie Policy for Websites

Last updated on July 27, 2021|Published on May 24, 2021

Your business requires a cookie policy if you use cookies or other similar tracking technologies on your website to collect and store any information about users.

Cookies are small text files placed on a user’s device when they visit a website. Many of them exist only to make the site function properly (keeping a user logged in, remembering a shopping cart). Others are used to collect data about users for personalized or targeted advertising, tracking of user behaviour across pages and sites, and similar purposes.

Recital 30 of the European Union’s General Data Protection Regulation (GDPR) states:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.

This supplements Recital 26 which states that any data that can be used to identify an individual either directly or indirectly (on its own or in conjunction with other information) is personal data. Therefore, principles of data protection stated in the GDPR are applicable to any such data concerning an identified or identifiable individual.

Under the California Consumer Privacy Act (CCPA), personal information refers to any information that

“identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA gives a non-exhaustive list of data types that fall within this definition. It includes the “unique personal identifier”, which is defined as:

“…a persistent identifier that can be used to recognize a consumer, a family, or a device…including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology…or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.”

In short, because cookie identifiers can be used, alone or combined with other data, to identify users, they are treated as personal data under both laws.

What is a cookie policy? 

A cookie policy is a detailed declaration about the cookies used on a website, how these cookies are used, what data they track, for what purpose, and how users can control the usage of cookies by a website. The cookie policy should also document any other types of tracking technologies that are used by a website, such as web beacons and pixel tags.

In the past, cookie usage was either not mentioned at all or only vaguely referred to in the privacy policy. A cookie policy addresses this by putting the information about the cookies a website uses directly in front of its users. Your website’s cookie policy can be a standalone document or part of your privacy policy.

Do I need a cookie policy on my website?

Most likely, yes. The details depend on your intended audience, i.e. where your website’s users are based. The EU and the US have different rules regarding cookies.

European Union

The GDPR and the ePrivacy Directive require that users are informed about how their data is collected and processed. Article 12 of the GDPR requires that the information listed in Articles 13 and 14 is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and Article 5(3) of the ePrivacy Directive requires that users receive clear and comprehensive information before anything is stored on or read from their device. As cookie identifiers fall within the scope of personal data, a cookie policy is required for websites in the EU and for websites that serve users in the EU.

Do you need a separate cookie policy and privacy policy? If your website uses cookies, you should have a dedicated cookie policy, and your privacy policy should also disclose the use of cookies and link to it. A separate cookie policy is the better choice if you have a mix of users from different geographies, including EU residents.

United States

In the US there is no federal law that requires a cookie policy as such. The Federal Trade Commission (FTC) enforces Section 5 of the FTC Act against unfair or deceptive practices, which includes misrepresenting in a privacy policy how a website collects, uses, shares and protects personal information, and California’s CalOPPA requires commercial websites that collect personal information from California residents to post a privacy policy. Cookies fall within the scope of these privacy disclosures and should be described in the privacy policy.

While the CCPA does not require cookie consent, it does require businesses to disclose their use of cookies in a privacy policy.

The US therefore does not require a separate cookie policy page. Businesses in the US generally include a cookie usage section within their privacy policy.

What should a cookie policy contain?

A cookie policy should include the following sections:

  • An explanation that you use cookies and what cookies are
  • Description of the types of cookies used by your site
  • Explanation of any other tracking technologies used
  • An explanation of why these cookies are used
  • Details on how users can opt-out or set their cookie preferences

It should also use plain, easy-to-understand language. Keep in mind that the purpose of providing a cookie policy is to be transparent about the use of cookies.

Let’s take a look at examples of some good practices to follow.

  • McKinsey avoids legalese and opens with a section that explains what cookies are and how the site uses them.
  • Accenture details the categories of cookies it uses, and how and why each category is used.
  • Mailchimp uses a tabular format to describe the different categories of cookies being used, and for what purpose.
  • ViacomCBS details the different types of tracking technologies it uses, including cookies.
  • Vox Media details the choices users have regarding cookies and how they can manage or opt out of the use of cookies.

Where should I display the cookie policy?

You should display a link to your cookie policy that is accessible from every page of your website. Usually, websites post their legal documents such as terms of use, privacy policy, and cookie policy in the website’s footer. 

You may also choose to link it on your cookie banner so users can be easily directed to the cookie policy page.

In a mobile app, you should display your cookie policy in the menu, under the ‘About’ or ‘Legal’ section.

How do I create a cookie policy?

Identify the cookies your website uses

Identify all the cookies your website uses and what each cookie does, distinguishing first-party cookies (set by your own domain) from third-party cookies (set by other domains, such as analytics or advertising providers), and session cookies from persistent ones.

You must also review the cookie policies of all third parties, such as advertisers and web analytics services, that set cookies on your website.

Plan the content of your cookie policy

As we’ve already seen, a comprehensive cookie policy should include certain mandatory details. It should also be made available in plain and intelligible language. You can use a dynamic cookie policy generator to create a compliant cookie policy for your website.

Check out this free cookie policy generator that will help you create a custom cookie policy in just a few minutes.

Free Cookie Policy Generator
Step 1. Add the types of cookies you use and your cookie declaration.

In the manage preferences section, you can describe how users can opt-out or manage cookies set by your website. You can customize the content of each of these sections to add more details.

Step 2. Add details on how users can set their cookie preferences on your website.

You can add a ‘Revisit consent widget’ to your website which lets users modify or withdraw their consent at any time. This helps your website comply with the right to withdraw consent, a key requirement under the GDPR.

Step 3. Preview your cookie policy, copy the text or HTML and add it to your site.

You are all set with a compliant cookie policy for your website in just 3 steps!

You can also use the built-in generator in the CookieYes dashboard for a tailored, auto-generated cookie policy that needs minimal to no input. Sit back and let the cookie scanner audit your website for cookies automatically and generate the policy for you.

All you need to do is sign up on CookieYes!

Get compliant with the GDPR and CCPA

A cookie policy is not the only requirement under privacy laws like the GDPR and CCPA. Cookie consent is an important requirement under the GDPR and the ePrivacy Directive. Websites that collect and process data of EU residents have to display a cookie consent banner and obtain valid consent from users before setting any cookies other than strictly necessary ones.

While opt-in consent is not mandated under the CCPA, the law requires websites to provide CCPA notices so that users can opt out of the sale of their personal information.

It is therefore important that your cookie policy reflects how your website actually complies with the applicable data privacy laws. To achieve this, CookieYes is your go-to cookie compliance solution.

You can easily add a fully customizable cookie consent banner, CCPA notices and make it available in 26 languages. 

CookieYes will scan your website for cookies and add them to your site’s cookie list. It can automatically block 20+ third-party cookies until you get user consent.

You can also access a record of users’ consents and their cookie preferences in a consent log. This can help you demonstrate your compliance during audits. The free privacy policy generator allows you to create a Privacy Policy exclusively for your business, all in a few clicks.

Sign up for free today!

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.