Cookies Clauses in a Privacy Policy

If your business website or mobile app uses cookies, you should have either a Cookie Policy in place or cookies clauses included within your Privacy Policy agreement, depending on the nature of your business and whether your clientele is UK or US-based.

If you're including cookies clauses in your Privacy Policy, there are a few clauses you're going to want to include. We'll cover these and include examples. The same information should appear in your Cookie Policy if you have one.

How Do Cookies Work?

The first time a visitor lands on your website, a cookie is downloaded onto their device.

On the user's next visit to your site, the device recognises that it has a cookie from the site. The user's device then sends the information that the cookie contains back to the originating site.

Your website recognises that the user is a return visitor, and then presents them with information that it considers to be relevant and helpful. For example, cookies can be used to remember useful information such as password and username information, saving the visitor the hassle of having to re-enter all their login information on every site visit.

Cookies can also be used to present custom adverts or announcements to site visitors based on their interests and searches they have made within your site, or to enhance the overall site experience by storing certain custom settings, such as video streaming.

What is a Cookie Policy?

A Cookie Policy is the policy that your business uses to inform your site visitors that your website or mobile app uses cookies to capture information about them.

It is also important to explain that a user could disable cookies on their PC or device's browser if they wanted to.

The law on cookies disclosure varies depending on where your company is based and the nationality of your target audience.

Cookies Disclosure Requirements in the EU

It should be noted that the EU Cookies Directive insists on disclosures of cookies use for any business located in the EU or any foreign business that interacts with EU citizens.

All EU businesses whose websites use cookies must have a Cookie Policy in place. Anyone visiting your site must be warned that you use cookies. You must also tell them what kind of cookies you use, for example, to remember passwords or the visitor's location.

Importantly, you must also give your site visitors the opportunity to decline having cookies placed on their PC or mobile device.

One useful mechanism for alerting site visitors to the use of cookies on your site is to use pop-up boxes or banners. However, your site must also include a stand-alone Cookie Policy where your site's use of cookies is set out in detail.

The ITV website displays the banner shown below as a header on every page. The visitor is repeatedly given the option to accept the site's use of cookies by clicking the "continue" button, but before doing so, they are offered a link to the company's Cookie Policy where detailed information is contained about the site's use of cookies.

ITV Websites: Example of header Cookies notification with Continue button

Cookies Disclosure Requirements in the US

Businesses that are based in the US and interact with EU clients are required to comply with EU cookies laws.

However, US-based companies that solely target other US businesses and clients are not required to comply with this law.

The Federal Trade Commission (FTC) is responsible for enforcing data security and privacy regulations for US businesses. However, it is important to note that a site's use of cookies can be covered under a section in their general Privacy Policy, rather than in a dedicated Cookie Policy.

Therefore, if you do not want to have a separate Cookie Policy, you can choose to cover cookies in your site's Privacy Policy instead, perhaps dedicating a whole section exclusively to cookies.

In contrast, EU-based companies often mention cookies in both a Privacy Policy and a stand-alone Cookie Policy.

As you will see below, the EU-based ITV website offers visitors a link to their Privacy Policy section and another to its stand-alone Cookie Policy at the bottom of its website's home page. Although both policies contain the same information regarding the site's use of cookies, they are kept totally separate.

ITV Websites: Highlighted separated Privacy and Cookie Policy links in the footer

US-based news channel CNN offers visitors to the international version of their site an opportunity to agree or decline its use of cookies via a pop-up that appears on the site's home page. The pop-up also contains links to its Privacy Policy and to the section on cookies within it.

CNN: Pop-up notification and agree button for use of cookies - Revise Privacy Policy and Terms of Service

Cookies Clauses for your Privacy Policy

Whether you are using a stand-alone Cookie Policy or you are including clauses relating to cookies within your Privacy Policy, you must include the same basic information. As a bare minimum, you must provide your site users with the following data:

  • That you use cookies on your website
  • What cookies are and how they work
  • What types of cookies are used by you and/or third parties on your site
  • Why and how you and/or third parties use the cookies
  • How a site visitor can opt out of accepting cookies or revoke consent

Informing Users That Cookies are Used

Most websites immediately alert visitors to their use of cookies by presenting them with a pop-up or banner. This mechanism will often include internal links to the site's policies on the use of cookies. There will generally be a highlighted button, allowing users to accept or decline cookies before they continue to browse the site.

Under the EU Cookie Directive, companies are required to tell their users that cookies are used on the site and that they have a Cookie Policy in place.

Santander UK presents site visitors with a clear banner at the top of the site's landing page. There is an option to read how the company uses cookies via a link to its policy.

Santander UK: Cookie notification header banner example

Other companies favor using a pop-up box to alert site users to the use of cookies on their sites.

Pop-ups immediately alert the user to the site's use of cookies, provide a link to the site's Cookies or Privacy Policies, and offer a clickable link or other term that clearly tells the user that their continued use of the site indicates their acceptance of cookies.

Blackmilk cookies pop-up box

As long as you let users know you're using cookies before you place any, you can use a banner or pop-up at your preference.

You should also note in your Privacy Policy that you use cookies, like this clause from ITV's Privacy Policy. Note that it links to the full Cookie Policy.

ITV Privacy Notice: Do we use cookies clause

Define What Cookies Are and How They Work

The first cookies clause in your Privacy Policy should explain what cookies are. At this stage, it's important to keep the language simple and easy to understand. This ensures that no confusion can arise, which could potentially be used in a claim for alleged non-compliance against your company.

Blackmilk Clothing starts its cookie clause by giving a short definition of what cookies are and generally what they do.

Blackmilk Clothing Privacy Policy cookies clause definition section

What Types of Cookies You Use and How

Let users know what cookies your site is using and what you use them to do.

The Times has clauses that outline the different types of cookies that are used and explain what they are used for.

Times UK Cookie Policy - Functional, preference, tracking and advertising cookies clauses

Users can see here that, for example, advertising cookies are used to help the site deliver advertisements based on web browsing activities.

British Airways goes one step further, providing their site users with a detailed table, giving definitive information alphabetically on every cookie their site uses.

The extract below shows only the first few lines of the table.

British Airways: More information about how Cookies are used in detailed table form example

This might not make sense to most users, but it's good to include as much information as possible to be transparent.

How to Opt Out and Manage Cookies

Note that you must provide your site users with information on how to disable cookies, whether this information pertains specifically to your website or is more general.

As you can see below, ITV's Cookie Policy includes clear information on how users can disable or turn certain cookies off. There's also a helpful link to the relevant section in the Policy.

This is again important from a legal standpoint, as users cannot then retrospectively complain that they were unable to prevent ITV from placing unwanted cookies on their devices.

ITV Cookie Policy: How to turn off or delete cookies - manage cookies clause

As well as being a legal requirement, enabling users to easily access instructions on how to disable cookies also demonstrates transparency and honesty toward site users, giving your company an image of integrity and trustworthiness.

The Times presents very clear information on how users can manage or disable certain cookies.

The Times UK Privacy Notice Controlling cookies clauses

The Times provides links to sources of information about each specific type of cookie, which site visitors may find useful.

In Summary

When implementing cookies, remember the following key points:

  1. If your business deals primarily with EU-based companies and clients, you must have a stand-alone Cookie Policy in place.
  2. If you deal primarily with US-based companies and clients, you can include information on your use of cookies in your Privacy Policy alone.

    However, if you want to, you can have both a Privacy Policy and a separate Cookie Policy. This may be useful if you decide to expand your operation in the future to encompass an EU audience.

  3. Your Cookie Policy and/or Privacy Policy must be clear and easy to understand. It must also contain sufficient detail that your users know what cookies are, why your site uses cookies, and how visitors can opt out or manage which cookies they accept.
  4. Your Privacy Policy or Cookie Policy must include information regarding any cookies placed by third parties.
  5. If you fall under EU laws, you need to alert your site visitors to your Cookie Policy as soon as they land on your homepage or landing pages and get consent to use cookies. Banner bars or pop-up notifications are popular methods of doing this. Be sure to include links to your Cookie Policy within these notices, so that users can easily find information on how to opt out of cookies.
  6. Include a link to your Cookie Policy and/or Privacy Policy in the footer or header of your website.