If your business website or mobile app uses cookies, you should have either a Cookie Policy in place or cookies clauses included within your Privacy Policy agreement, depending on the nature of your business and whether your clientele is UK- or US-based.
If you're including cookies clauses in your Privacy Policy, there are a few clauses you're going to want to include. We'll cover these and include examples. This same information will be found in your Cookie Policy if you have one.
The first time a visitor lands on your website, a cookie is downloaded onto their device.
On the user's next visit to your site, the device recognises that it has a cookie from the site. The user's device then sends the information that the cookie contains back to the originating site.
Your website recognises that the user is a return visitor, and then presents them with information that it considers to be relevant and helpful. For example, cookies can be used to remember useful information such as password and username information, saving the visitor the hassle of having to re-enter all their login information on every site visit.
Cookies can also be used to present custom adverts or announcements to site visitors based on their interests and searches they have made within your site, or to enhance the overall site experience by storing certain custom settings, such as video streaming.
A Cookie Policy is the policy that your business uses to inform your site visitors that your website or mobile app uses cookies to capture information about them.
It is also important to explain that a user could disable cookies on their PC or device's browser if they wanted to.
The law on cookies disclosure varies depending on where your company is based and the nationality of your target audience.
It should be noted that the EU Cookies Directive insists on disclosures of cookies use for any business located in the EU or any foreign business that interacts with EU citizens.
All EU businesses whose websites use cookies must have a Cookie Policy in place. Anyone visiting your site must be warned that you use cookies. You must also tell them what kind of cookies you use, for example, to remember passwords or the visitor's location.
Importantly, you must also give your site visitors the opportunity to decline having cookies placed on their PC or mobile device.
One useful mechanism for alerting site visitors to the use of cookies on your site is to use pop-up boxes or banners. However, your site must also include a stand-alone Cookie Policy where your site's use of cookies is set out in detail.
The ITV website displays the banner shown below as a header on every page. The visitor is repeatedly given the option to accept the site's use of cookies by clicking the "continue" button, but before doing so, they are offered a link to the company's Cookie Policy where detailed information is contained about the site's use of cookies.
Businesses that are based in the US and interact with EU clients are required to comply with EU cookies laws.
However, US-based companies that solely target other US businesses and clients are not required to comply with this law.
The Federal Trade Commission (FTC) is responsible for enforcing data security and privacy regulations for US businesses. However, it is important to note that a site's use of cookies can be covered under a section in their general Privacy Policy, rather than in a dedicated Cookie Policy.
Therefore, if you do not want to have a separate Cookie Policy, you can choose to cover cookies in your site's Privacy Policy instead, perhaps dedicating a whole section exclusively to cookies.
In contrast, EU-based companies often mention cookies in both a Privacy Policy and a stand-alone Cookie Policy.
As you will see below, the EU-based ITV website offers visitors a link to its Privacy Policy section and another to its stand-alone Cookie Policy at the bottom of its home page. Although both policies contain the same information regarding the site's use of cookies, they are kept totally separate.
US-based news channel CNN offers visitors to the international version of their site an opportunity to agree or decline its use of cookies via a pop-up that appears on the site's home page. The pop-up also contains links to its Privacy Policy and to the section on cookies within it.
Whether you are using a stand-alone Cookie Policy or you are including clauses relating to cookies within your Privacy Policy, you must include the same basic information. As a bare minimum, you must provide your site users with the following data:
Most websites immediately alert visitors to their use of cookies by presenting them with a pop-up or banner. This mechanism will often include internal links to the site's policies on the use of cookies. There will generally be a highlighted button, allowing users to accept or decline cookies before they continue to browse the site.
Under the EU Cookie Directive, companies are required to tell their users that cookies are used on the site and that they have a Cookie Policy in place.
Santander UK presents site visitors with a clear banner at the top of the site's landing page. There is an option to read how the company uses cookies via a link to its policy.
Other companies favor using a pop-up box to alert site users to the use of cookies on their sites.
Pop-ups immediately alert the user to the site's use of cookies, provide a link to the site's Cookie or Privacy Policy, and offer a clickable link or other wording that clearly tells the user that their continued use of the site signifies their acceptance of cookies.
As long as you let users know you're using cookies before you place any, you can use a banner or pop-up at your preference.
You should also note in your Privacy Policy that you use cookies, like this clause from ITV's Privacy Policy. Note that it links to the full Cookie Policy.
The first cookies clause in your Privacy Policy should explain what cookies are. At this stage, it's important to keep the language simple and easy to understand. This ensures that no confusion can arise, which could potentially be used in a claim for alleged non-compliance against your company.
Blackmilk Clothing starts its cookie clause by giving a short definition of what cookies are and generally what they do.
Let users know what cookies your site is using and what you use them to do.
The Times has clauses that outline the different types of cookies that are used and explain what they are used for.
Users can see here that, for example, advertising cookies are used to help the site deliver advertisements based on web browsing activities.
British Airways goes one step further, providing their site users with a detailed table, giving definitive information alphabetically on every cookie their site uses.
The extract below shows only the first few lines of the table.
This might not make sense to most users, but it's good to include as much information as possible to be transparent.
Note that you must provide your site users with information on how to disable cookies, whether this information pertains specifically to your website or is more general.
As you can see below, ITV's Cookie Policy includes clear information on how users can disable or turn certain cookies off. There's also a helpful link to the relevant section in the Policy.
This is again important from a legal standpoint, as users cannot then retrospectively complain that they were unable to prevent ITV from placing unwanted cookies on their devices.
As well as being a legal requirement, enabling users to easily access instructions on how to disable cookies also represents transparency and honesty where site users are concerned, giving your company an image of integrity and trustworthiness.
The Times presents very clear information on how users can manage or disable certain cookies.
The Times provides links to sources of information about each specific type of cookie, which site visitors may find useful.
When implementing cookies, remember the following key points:
If you deal primarily with US-based companies and clients, you can include information on your use of cookies in your Privacy Policy alone.
However, if you want to, you can have both a Privacy Policy and a separate Cookie Policy. This may be useful if you decide to expand your operation in the future to encompass an EU audience.