"Use of Cookies" clause in a Privacy Policy

While cookie consent banners get a lot of attention, many websites also have a dedicated clause about cookies in their Privacy Policy.

That's because you don't just need to think about permission to issue cookies: you also need to take into account the privacy implications of the data you collect through cookies.

Here's what you need to know.

Cookies and Privacy Laws

These are some of the laws that may mean you need to cover cookies in your Privacy Policy:

  • Europe's GDPR (which applies if you, the data subject, or the data processing itself is in the EU) treats cookies as an "online identifier." It says they count as personal data if they can be combined with other information to identify an individual.
  • California's CCPA treats the data collected through cookies as personal data.
  • Canada's PIPEDA also includes cookie data in the scope of personal data.

Cookie Consent Confusion

Whether you are a website creator or website user, you're likely familiar with cookie consent banners and other pop-up messages that inform or ask users about issuing cookies. Because these are so prominent and usually seen by every visitor to a site, you might wonder why your Privacy Policy also needs to address cookies.

The reason is that privacy laws around the world address cookies in two different ways. The better known are the laws that require user consent to issue a cookie in the first place, such as Europe's Privacy and Electronic Communications Directive, also known as the ePrivacy Directive.

However, the content of cookies (specifically the information they gather) also has legal implications. In many cases, a cookie can be linked to an identifiable individual. That means many aspects of the information will count as personal data under privacy laws. In turn, you may need to:

  • Get consent to collect or use the information from the cookie
  • Show another lawful reason to collect or use the information from the cookie
  • Tell the person you are using the information, even if you don't need consent

Do I Need A Cookie Clause?

Most privacy laws require you to publish some information about your use of personal data, including that collected through cookies. This can be because:

  • You are relying on consent to make your data collection lawful. This consent must be an informed choice with the user understanding how you will use the data.
  • The law requires consent for some forms of data use (such as selling or sharing) but not others. Giving clear details of how you use the data will help people make an informed decision.
  • The law doesn't require consent but does say you must inform people about your data use.

How best to present the information about your use of data from cookies will depend on what other information you need to present. Options include:

  • Cover it as part of your overall data use information. For example, where your Privacy Policy details the types of information you collect, mention the cookie data.
  • List it as a separate clause in your Privacy Policy. This works well if you also want to include some basic information about the fact that you issue cookies and the ways users can block or delete cookies.
  • List it in a dedicated Cookie Policy. This can work well if you use a lot of cookies and need to detail the cookies themselves as well as the data you gather through the cookies. At the very least, your Privacy Policy will need to link to this Cookie Policy and make clear that it includes details of your data use. Be very wary of making it too complicated and burdensome for a user to get the full picture of how you use their data.

Dedicated Cookie Policies

Instead of having a cookie clause in your Privacy Policy, you could have a dedicated Cookie Policy page. This is most appropriate if you have a large number of cookies that require detailed explanations, to the point that it would disrupt the flow of your Privacy Policy.

If you do have a dedicated Cookie Policy, you should make sure users know it exists and where to find it. It usually makes sense to have it in the same navigation section (or even on the same web page) as your Privacy Policy.

You should also make sure your Privacy Policy links directly to the cookie policy when you are detailing the personal information you collect and use.

The Guardian uses a brief clause in its Privacy Policy to highlight its use of cookies and then link to a dedicated cookie policy:

The Guardian Privacy Policy: Cookies and similar technologies clause

Summary

Let's recap what you need to know about cookie clauses in your Privacy Policy:

  • Getting consent to issue cookies (such as with a cookie consent banner) is not the only legal point to consider. You also need to think about the data you collect through cookies.
  • This data often counts as personal information under privacy laws, particularly if it can be combined with other information to identify somebody. Depending on the privacy law, you need to get consent to collect and use this information, or at least inform users that you do so.
  • You can cover the way you use this information as part of your Privacy Policy. In many cases, a separate cookie clause works well.
  • The cookie clause should address:
    • Whether you use cookies
    • What data you collect through cookies
    • How and why you use this data
    • How to opt out or block cookies, including users changing their minds and withdrawing consent later on
  • You could have a separate Cookie Policy. This works best if you need to detail a lot of cookies. Make sure your Privacy Policy either still covers the information you collect through cookies, or clearly links to the Cookie Policy.