The ultimate guide to writing a cookie policy

A cookie policy is required by law in the EU. In this guide you can read more about the requirements and what you need to include in the cookie policy.

Disclaimer (14th December 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.

In this ultimate guide to writing a cookie policy, you can learn all about the cookie policy basics, requirements and how to implement a cookie policy on your website.


What is a cookie policy?

A cookie policy is where you tell your website visitors how you use cookies, for what purpose, which types of cookies you use, and when the cookies expire.

You must inform your users about the cookies when they visit your website and make sure that you give them detailed information about your cookies. You can often find this information in or as a part of your privacy policy or as a separate cookie policy.


Why do you need a cookie policy?

Your cookie policy is where you communicate to your website visitors the details about how you use cookies on your website. You need a cookie policy because you are legally required to give people this information.

Your cookie policy, the GDPR and cookie laws

In Europe there are two relevant laws to be aware of in relation to your cookie policy:

  • The GDPR
  • The ePrivacy Directive

The ePrivacy Directive is a minimum set of rules that apply across Europe. This means that local guidelines and rulings may also apply depending on which country your user is located in. These rules are generally enforced by data authorities, e.g. CNIL (in France), ICO (in the UK), and Datatilsynet (in Denmark). You can read more about the cookie laws and cookie authorities in Europe in this article.

The ePrivacy Directive is where you find the cookie rules, including:

  • What is a cookie?
  • When do you need to have a cookie banner or pop-up on your website?

The GDPR regulates what the rules and requirements are for obtaining a lawful consent. Because IP addresses are regarded as personal data, the GDPR is applicable.

GDPR information requirements: Art. 13 - Right to information

You need a cookie policy to fulfil the information obligations in Art. 13. You have to inform people:

  • Which information you are capturing about them,
  • How you are handling that information,
  • What you are using it for, and
  • What the purpose of collecting and processing people's data is.

ePrivacy requirements

The ePrivacy Directive requires you to tell people how and why you are using cookies, which is why you need to include this in your cookie policy.

What is the difference between a cookie policy and a privacy policy?

A cookie policy and a privacy policy are both documents that communicate to your website visitors, customers, and users different aspects of how you use their personal information. A cookie policy can be included as a section in the privacy policy, or can be a policy in itself. Please note that some countries require that they are two separate documents, which is why you should consider having two, with links to each other.

A privacy policy contains information like why you need people's personal data, what you are using it for, and how long you are going to keep it for.

A cookie policy is a document that contains information about, e.g., how you use cookies, for what purpose, and which cookie types you are using.

Read also: A guide to writing your privacy policy

Where should the cookie policy page be located?

The cookie policy, whether it is incorporated into your privacy policy or a separate policy, needs to be accessible from your cookie banner or pop-up and from your website. You can place the link either at the top or bottom of your website.

Don't hide the page on your website. You have to make sure that your users can find it, and find it easily; otherwise your cookie setup won't be compliant.

Although the general focus here is on data as a whole, how a company treats a website visitor's cookies is a visible way of seeing how a company treats its data more generally.

Read more about website legal requirements

What you need to include in your cookie policy

There are a number of elements you need to include in your cookie policy. See the checklist below for an overview. Your cookie policy needs to include:

1. A definition of what a cookie is

People need to be informed about this in the cookie policy. An example of how we write this in our cookie policy is: “A cookie is a small piece of data that a website stores on your device when you visit it and which is then read when you later revisit the site.” This description also needs to say what kind of information a cookie contains.

2. A description of why, how and what you use cookies for

The description of what a cookie is needs to be followed by why, how and what you use them for, e.g., “Cookies are used to enable certain features such as logging in to our website, to track site usage via analytics, and to store your user settings.”

3. Consent information

You need to inform your website visitors and users about what it is that they are consenting to, e.g.: “By accepting our use of cookies, apart from necessary cookies, you consent to our use of cookies as described under "Types of cookies and how we use them" below. You may at any time change or withdraw your cookie consent - see the section “How you can change your cookie settings, incl. opting out” below.”

4. A description of the different types of cookies on your website and how you use them

You need to include a description of the different types of cookies you have on your website and how you use them, including but not limited to:

  • Session cookies vs. persistent cookies
  • First-party and third-party cookies
  • Necessary or essential cookies
  • Performance cookies
  • Functionality cookies
  • Analytical cookies
  • Marketing / advertising cookies
  • Third-party cookies on your website
  • Your agreement (or lack thereof) with third-party providers, declaring whether or not you have reviewed the third-party vendors' privacy and cookie policies and cookie use
  • How users can control their cookie settings, how they can opt out of being tracked, and whether this will impact their use of the website (necessary cookies only).

5. How users can control their cookie settings and opt out

One of the requirements for compliant consent is that people can withdraw their consent as easily as they gave it. You need to include this information in the cookie policy, make the option to change the settings easily accessible, and explain in the cookie policy how the consent can be changed.

6. Information about your company and updates

You need to include information about:

  • Who you are, and how you can be contacted,
  • How often you will update the cookie policy,
  • Your company registration number,
  • When the policy is effective from.

How to write your cookie policy

The way you write your cookie policy is important. You need to draft your cookie policy in a way that people can actually understand, and avoid complex and lengthy sentences. Think about your intended audience. Who are you writing for? Is the information in the policy accessible to them?

You must consider the following when writing a cookie policy:

  • The language in the cookie policy needs to be easy to understand
  • The user needs to know what they are giving consent to
  • The cookie policy must be written in the same language as the website
  • The policy must be tailored to the target audience

Many authorities, including the ICO and the Danish authorities, recommend that policies be split into sections that can be “unfolded”, making it easier for the user to read and understand the content of the policy. A wall of text should be avoided.

How to implement your cookie policy

Your cookie policy needs to be added to your website on an easy-to-find page. The cookie policy should also be embedded in your cookie pop-up, so that your website users have easy access to it when they give consent.


Cookie policy generator or template

Many cookie pop-ups include a cookie policy as part of the pop-up design, which is usually unfoldable. You can see in the example how the Openli cookie policy is included in the widget.

Get a vetted cookie policy template with Openli

Openli's cookie policy template

Easily create your cookie policy using templates together with Openli's cookie solution. Your GDPR cookie policy is automatically embedded and displayed in your Openli cookie pop-up.

Solve your GDPR and ePrivacy cookie compliance challenges easily with our automated cookie pop-up and policy generator. The cookie policy stays compliant where you do business and is vetted by law firms in 18 countries.
