While cookie consent banners get a lot of attention, many websites also have a dedicated clause about cookies in their Privacy Policy.
That's because you don't just need to think about permission to issue cookies: you also need to take into account the privacy implications of the data you collect through cookies.
Here's what you need to know.
These are some of the laws that may mean you need to cover cookies in your Privacy Policy:
Whether you are a website creator or website user, you're likely familiar with cookie consent banners and other pop-up messages that inform or ask users about issuing cookies. Because these are so prominent and usually seen by every visitor to a site, you might wonder why your Privacy Policy also needs to address cookies.
The reason is that privacy laws around the world address cookies in two different ways. The better known are the laws that require user consent to issue a cookie in the first place, such as Europe's Privacy and Electronic Communications Directive, also known as the ePrivacy Directive.
However, the content of cookies (specifically the information they gather) also has legal implications. In many cases, a cookie can be linked to an identifiable individual. That means many aspects of the information will count as personal data under privacy laws. In turn you may need to:
Most privacy laws require you to publish some information about your use of personal data, including that collected through cookies. This can be because:
How best to present the information about your use of data from cookies will depend on what other information you need to present. Options include:
Cover it as part of your overall data use information. For example, where your Privacy Policy details the types of information you collect, mention the cookie data.
List it as a separate clause in your Privacy Policy. This works well if you also want to include some basic information about the fact you issue cookies and the ways users can block or delete cookies.
List it in a dedicated Cookie Policy. This can work well if you use a lot of cookies and need to detail the cookies themselves as well as the data you gather through the cookies. At the very least, your Privacy Policy will need to link to this Cookie Policy and make clear it includes details of your data use. Be very wary of making it too complicated and burdensome for a user to get the full picture of how you use their data.
Instead of having a cookie clause in your Privacy Policy, you could have a dedicated Cookie Policy page. This is most appropriate if you have a large number of cookies that require detailed explanations, to the point that it would disrupt the flow of your Privacy Policy.
If you do have a dedicated Cookie Policy, you should make sure users know it exists and where to find it. It usually makes sense to have it in the same navigation section (or even on the same web page) as your Privacy Policy.
You should also make sure your Privacy Policy links directly to the Cookie Policy when you are detailing the personal information you collect and use.
The Guardian uses a brief clause in its Privacy Policy to highlight its use of cookies and then link to a dedicated Cookie Policy:
Let's recap what you need to know about cookie clauses in your Privacy Policy:
You can cover the way you use this information as part of your Privacy Policy. In many cases, a separate cookie clause works well.
The cookie clause should address: