A cookie policy is required by law in the EU. In this guide you can read more about the requirements and what you need to include in the cookie policy.
Disclaimer (14th December 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.
In this ultimate guide to writing a cookie policy, you can learn all about the cookie policy basics, requirements and how to implement a cookie policy on your website.
In this guide you can read more about:
A cookie policy is where you communicate to your website visitors how you use cookies, for what purpose, which types of cookies you use, and when the cookies expire.
You must inform your users about the cookies when they visit your website and make sure that you give them detailed information about your cookies. You can often find this information in or as a part of your privacy policy or as a separate cookie policy.
Your cookie policy is where you communicate to your website visitors the details about how you use cookies on your website. You need a cookie policy because you are legally required to give people this information.
In Europe there are two relevant laws to be aware of in relation to your cookie policy:
The ePrivacy Directive is a minimum set of rules that apply across Europe. This means that local guidelines and rulings may also apply, depending on which country your user is located in. These rules are generally enforced by data protection authorities, e.g. CNIL (in France), ICO (in the UK), and Datatilsynet (in Denmark). You can read more about the cookie laws and cookie authorities in Europe in this article.
The ePrivacy Directive is where you find the cookie rules and:
GDPR regulates the rules and requirements for obtaining a lawful consent. Because IP addresses are regarded as personal data, the GDPR is applicable.
You need a cookie policy to fulfil the information obligations in Art. 13. You have to inform people:
The ePrivacy Directive requires you to tell people how and why you are using cookies, which is why you need to include this in your cookie policy.
A cookie policy and a privacy policy are both documents that communicate to your website visitors, customers, and users different aspects of how you use their personal information. A cookie policy can be included as a section in the privacy policy, or can be a policy in itself. Please note that some countries require two separate documents, which is why you should consider having two, with links to each other.
A privacy policy contains information like why you need people's personal data, what you are using it for, and how long you're going to keep it for.
A cookie policy is a document that contains information about, e.g., how you use cookies, for what purpose, and which cookie types you are using.
Read also: A guide to writing your privacy policy
The cookie policy, whether it's incorporated into your privacy policy or a separate policy, needs to be accessible in your cookie banner or pop-up, and from your website. You can place it either at the top or bottom of your website.
Don’t hide the page on your website. You have to make sure that your users can find it - and find it easily - otherwise your cookie setup won’t be compliant.
Although the general focus here is on data as a whole, how a company treats a website visitor's cookies is a visible way of seeing how a company treats its data more generally.
Read more about website legal requirements
There are a number of elements you need to include in your cookie policy. See the checklist below for an overview of what you need to include in your cookie policy. Your cookie policy needs to include:
People need to be informed about this in the cookie policy. An example of how we write this in our cookie policy is: "A cookie is a small piece of data that a website stores on your device when you visit it and which is then read when you later revisit the site." This description also needs to include a description of which kind of information a cookie contains.
The description of what a cookie is, needs to be followed by why, how and what you use them for, e.g., “Cookies are used to enable certain features such as logging in to our website, to track site usage via analytics, and to store your user settings.”
You need to inform your website visitors and users about what it is that they are consenting to, e.g.: "By accepting our use of cookies, apart from necessary cookies, you consent to our use of cookies as described under 'Types of cookies and how we use them' below. You may at any time change or withdraw your cookie consent. See the section 'How you can change your cookie settings, incl. opting out' below."
You need to include a description of the different types of cookies you have on your website and how you use them, including but not limited to:
One of the requirements for compliant consent is that people can withdraw their consent as easily as they gave it. You need to state this in the cookie policy, describe how the consent can be changed, and make the option to change the settings easily accessible.
You need to include information about:
The way you write your cookie policy is important. You need to draft your cookie policy in a way that people can actually understand, and avoid complex and lengthy sentences. Think about your intended audience. Who are you writing for? Is the information in the policy accessible to them?
You must consider the following when writing a cookie policy:
Many authorities, including the ICO and the Danish authorities, recommend that policies be split into sections that can be "unfolded", making it easier for the user to read and understand the content of the policy. A wall of text should be avoided.
Your cookie policy needs to be added to your website on an easy-to-find page. The cookie policy should also be embedded in your cookie pop-up, so that your website users have easy access to it when they give consent.
How to install cookie consent with Openli?
Many cookie pop-ups include a cookie policy as part of the pop-up design, which is usually unfoldable. You can see in the example how Openli's cookie policy is included in the widget.
Get a vetted cookie policy template with Openli
Easily create your cookie policy using templates together with Openli's cookie solution. Your GDPR cookie policy is automatically embedded and displayed in your Openli cookie pop-up.
Solve your GDPR and ePrivacy cookie compliance challenges easily with our automated cookie pop-up and policy generator. The cookie policy stays compliant where you do business and is vetted by law firms in 18 countries.
Think about the design of your cookie policy. Many authorities, including the ICO and the Danish authorities, recommend that policies be split up into sections so that each section can be "unfolded", instead of being a 10-page wall of text. This makes it easier for the user to read and understand the content of the policy.
Many cookie widgets include an unfoldable cookie policy in the widget design. You can see in the example how Openli's cookie policy is included in the widget.