How to write a kick-ass cookie policy

Openli webinar



Date: The 2nd of December

Time: 01:00 - 02:00 PM

A deep-dive into cookie policy.

In this webinar we’ll go through how to draft a good cookie policy, including what you need to include, and how to write it.

Webinar speakers


Stine Mangor Tornmark

CEO, Openli

Lawyer specialised in privacy and marketing law, with six years experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.


Stine: Hi. So thank you for coming and thank you for taking the time to maybe enjoy your lunch together with me, or maybe just a cup of coffee. So today we're going to talk a little bit about writing a really good cookie policy. Before we jump into it, I'm going to share my screen so you can see a presentation which will hopefully make the subject a little more understandable, but maybe also a little more tangible. I would just love any type of questions that you might have. It makes it way more fun for me. I'm right now sitting in a phone booth because all our meeting rooms are completely booked and busy, so this is me speaking from a room all by myself, so feel free to actually just ask. I can see two of you have already done it, so that's amazing. I'm going to share my screen now, and I hope that everything is going smoothly. Just ask questions and I might take them at the end, but let's go.

Stine: So I'm going to present. So as I just said, today's subject is all about writing a cookie policy. One might think that this isn't the most sexy subject in the world, but it's actually pretty important, and it actually isn't that difficult if you know what to put in it. So let's jump into it. So a little bit about me. My background is as an attorney. I have worked for one of Denmark's biggest law firms for six years, where I had clients like Google and Netflix and HBO. Then I went to a Danish startup where I helped build out their legal team and their data privacy compliance and all of that for six years. It became a big company at the end. And I founded Openli together with a few other colleagues, and we today are in the same space of helping companies become compliant online. So I do have quite an extensive knowledge in this space. Some might call it a little bit nerdy. It is, but I actually think it's really important, and that's why I'm sharing that knowledge.

Stine: So today we're going to talk a little bit about what a cookie policy should contain. We're also going to be covering some of these latest developments that we're seeing across Europe. And the reason why I'm actually including that in this little webinar is because it actually impacts all of us. So just about the webinar, ask questions along the way. I might answer them at the end. The more the merrier. And I'll send you an email afterwards so that you can get access to more information about this subject. Cool.

Stine: So the legislation that we're talking about today is eCompliance. Sorry, ePrivacy. It is in the compliance space. It is the ePrivacy Directive. You might've heard that there will come a regulation at one point; it hasn't been passed yet. If and when that regulation comes into play, it will govern all of Europe. Right now we have the directive. And that directive means that every company in Europe has to have the same minimum set of rules that is dictated by the directive. But they can actually implement stricter interpretations, stricter rules or different approaches, but they can't go below the directive. This means that there are differences across Europe when it comes to ePrivacy. And the ePrivacy Directive is actually where we find the cookie rules. The cookie rules that very much talk a bit about what is a cookie, when do you need to actually have a cookie banner on your website, do you need to get consent for it? But when we're talking about consent, it is actually the GDPR that is kicking in, because GDPR contains the rules about capturing consent, and the rules and requirements for that consent.

Stine: On top of that, we're also seeing IP addresses as being personally identifiable information, what you also might know as PII or personal data. That is also regulated by the GDPR. So therefore GDPR is also important. And then, as I talked a little bit about, given the fact that directives can be interpreted differently from country to country, we're also talking about local guidelines and local rules that we need to actually always keep on top of. Some of these local authorities are the UK data protection authorities, it's the Danish. It is CNIL. CNIL is the French. And all other countries around Europe have their own authority with their own interpretations and their own guidelines. They're somewhat the same, but there are differences.

Stine: So you need a cookie policy because under GDPR, you have some information requirements. Under article 13, you have an obligation to inform people about what information you're capturing, how you're handling that information, what you're using it for, and also the purposes for collecting and processing people's data. And in the ePrivacy, you're obligated to tell people how and why you're using cookies. So that's where the cookie policy comes in. That is where you're giving people that information. And that's why it's important. So a cookie policy, what we'll go through now is what it needs to include. Well, it needs to include information about what a cookie is.

Stine: You might think, "Why do I need that?" Well, that is because people need to be informed about what it is you're doing. So here, you'll be telling people a little bit about what a cookie is. And in this slide, you can see I've actually inserted some of the sentences that we have in our cookie policy so that you can get inspired by it. As you can see, what we're saying is the cookie is a small piece of information, a small piece of data, that you put on a website, actually in the browser, and that remembers the user's visit, or at least has an idea of where did the user come from, for how long did they browse the site, and all of this type of information. So that needs to be included.

Stine: You also need to tell people about them giving consent to your use of cookies. It isn't, and this is really important, enough just to have the statement in your cookie policy. You need to capture consent through a cookie banner. So when I'm talking a bit about consent here, it is information in your cookie policy, but then this isn't enough. You need to really capture consent with the banner popping up and people pressing, "Yes, I accept." Hopefully that's understandable. What you also need to do, and you can see it written in here, you have to tell people about their rights to actually be able to change their minds. And there needs to be a section about that, and I'll come back to that in just a short while.

Stine: So your cookie policy also needs to describe the different types of cookies you use and how you use them. The first part is more generic descriptions of the differences between session cookies and persistent cookies. So from a legal standpoint, session cookies aren't as intrusive as persistent cookies, because persistent cookies will remain after the user closes the browser, whereas session cookies are only there for the duration of their visit. But you need to tell people a little bit about the differences. So when, and I'll come back to that in a short while, they see the different types of cookies you use, they understand why you're talking about session cookies versus persistent cookies, and why you're also talking about expiration dates for the cookies, because that needs to be included as well.

Stine: The next overall information requirement that you need to include in your cookie policy is first party cookies and third party cookies, and tell people about the differences between the two. Here, I can also tell you that first party cookies are seen as less intrusive, less problematic compared to the third party cookies. Third party cookies are, from a legal standpoint, the ones that you're afraid of. And the reason for it is that here, the people that are placing cookies aren't you as the website owner. It is somebody else. It could be Facebook. It could be YouTube. And here they're setting the cookies and they're tracking the users and they're using the data for their own purposes. You also need to tell what a first party cookie is, which is the type of cookie that you place on your website and that only you can access and read. When we're talking about the third party cookies, you also need to make sure that you have links to those third parties, and the links need to be to the privacy policy so that people can actually read how these companies are processing the data that comes from the cookies.

Stine: The next type of cookie you need to tell people about is necessary cookies. Necessary cookies are the ones that you can place on your website and use without capturing consent from your users, because they're required for the full core functionality of your website. An example could be the shopping basket. That when people are actually buying something from you and it's placed in the shopping basket, it actually remains there. It could also be security type cookies or, in Openli's case, it is remembering whether or not people gave consent to your use of cookies. So here, as an example, you can see that the provider is Openli for those types of cookies we're talking about here, and it is an explanation about the specific type of cookie, and then there is the cookie name. And you can see here that it's a session cookie, and the other one is the session cookie. It's information you need to include in your cookie policy.

Stine: Then we have the analytical cookies. Those are the tracking cookies, the ones that are really important in order for you to make your website better. The ones that you need to get an understanding of where people are coming from, how they are using your website, and maybe also improve your decision-making in how to improve the website experience. But you need to remember that analytical cookies cannot be placed unless the user's given consent. You need to explain to the user the type of analytical cookies you use, more specifically the names of them. You need to tell them about who is providing the specific analytical cookie. And you need to tell the purpose for the use of the cookies that we're talking about.

Stine: And here I've just included a few examples. You can see you have Google Analytics and you have many different types of Google Analytics cookies. One expiring after one day. Some up to 500. Here it's really important, actually, to take a look at the expiration, because you can't keep cookies forever and you can't keep them for two years. That's way too long. So you need to only have them for as long as it is required. It's not nice to have. It's a need to have. And 500 days might be regarded as being a bit too long, so you have to take a look at the duration of your different types of cookies.

Stine: Then you have the marketing cookies. That is also something you need to tell users about if you're using marketing cookies. Here, for example, you have the tricky provider that I've just included, that's LinkedIn, because LinkedIn is a kind of two-headed beast. It's not a beast, but it's just to give you an example and understanding, because LinkedIn can both give you analytical data, but they can also give you marketing data and marketing cookies. If the cookies are only used for analytical purposes, well, then you wouldn't include it here, but many people or companies are using Google, or sorry, LinkedIn for advertising/marketing. And in this case, you can see that we've included information a bit about clicking on ads and ending up purchasing products, et cetera. And here you can also see that the advertiser can determine whether or not you've clicked on an ad on LinkedIn and later visited their site. So this is for marketing purposes. And again, back to the information being here.

Stine: It was just an example, just FYI. So users also need to be given information about how they can control the cookie settings and opt out. So you need to tell them not only about the fact that they can go in and make some changes to their browsers and configure it so that they accept cookies by default, or also reject them, but you also need to have some kind of a mechanism that makes it as easy for the user to opt out from cookies as it was to give the consent in the first place. So that's the information you need to include as well.

Stine: Then we come to the more generic standard information that all your policies should include, and that is, are you going to update the cookie notice/policy? In 99% of all cases you will, at one point, need to update it because you use new cookies. And as soon as you use a new cookie, it needs to be included in your cookie policy. So you need to tell people that you will be updating the cookie policy and more information about how that mechanism is going to work. Then you need to tell them a little bit about who you are, your address and contact details, so that they can always get in touch with you. And you need to also tell people when the policy came into effect, and with a date stamp, so they can see, "Was this the policy that I read last time, or is this a new one?"

Stine: So now we've captured what your cookie policy needs to include. What is also really important is to talk a little bit about the type of language you should be using. Firstly, it is super important that people understand what it is you're writing about. So take a look at your cookie policy and see, "Do I actually write it in a way so that people can understand it? Do I write it in a way so that people get a sense of what is going on?" That needs to be the core of your thought process. And if it is, well good, then you're in a good place. But if it's too complicated, you should be revisiting the way you're describing it. The users need to know what it is that they're giving consent to.

Stine: And that is why you also need to not only explain it in a way that's easy to understand, but you also need to be specific. You need to be explicit about what it is that is going on, and you need to be explicit about what it is that you're doing. The language in your cookie policy should be the same as what you have on your website. So if your website is in Dutch, your cookie policy should be in Dutch. If your website is in English, well, your cookie policy should be in English too. And then it needs to be catered to your target audience. That's also something to keep in mind. So that was the cookie policy.

Stine: The next question is where do you need it? Well, you need it on your website. You need it in your cookie banner. So it needs to be in that cookie popup that you have on your website. But you should also include a link to it, for example, at the bottom of your page. So today you probably have your privacy policy. The majority of companies do. You have your terms and conditions. And next to it, you should also have your cookie policy. So now we've taken you through how to draft it, what should be in it, what language should you use, and where should you actually keep it? That is actually the core of what your cookie policy needs to be about, and also needs to include.

Stine: So why is this so important? Well, it is super important because it's easy for people to see if you have a cookie policy. Is it on your site? That is only a one second job. The other part is you're required to have it. And the third thing is that right now there is a lot of focus on cookies and enforcement of companies' use of cookies. I'll come back to the enforcement and the things that are going on in just a few minutes. But just to sum up, because that is what is very much at core, you need to get consent for your use of cookies if you're using marketing cookies, if you're using functional cookies, if you're using preference cookies, or analytical cookies.

Stine: You don't need consent if you're using necessary cookies, but you still need to inform people about how you're using them. You still need a cookie policy and you still need some kind of cookie popup, even though you're only using necessary cookies. But the pop-up doesn't have to be an acceptance. If you're talking about you only having necessary cookies, it would just be a little, "Hey, we're using only necessary cookies. Take a look at how we're doing it here." And then there would also be a link to your website, a link to your cookie policy and the necessary cookies you're using. But if you're using any of the other cookies, and I must say, I don't know a lot of websites that aren't, then you need to get consent.

Stine: And you cannot place cookies on any people... Use cookies, non-necessary cookies in those categories until a person has given consent. That means you need to block those types of cookies up until the point where the user clicks, "Yes, I'm okay with it." You also need to remember that you need consent if you're starting to use your cookies in new ways, if you're starting to use new cookies that you didn't use when the user first visited your website, or if you changed your cookie policy.

Stine: So now we actually have the framework in place. So if you're doing all of that, you're pretty much home safe. And the next part is more just nice to know than need to know, but if you don't, well then please pay attention, because a few days ago, the French data protection agency issued a fine against a very big supermarket in France. And one of the things that the supermarket was doing wrong was use of cookies. And they got a pretty big fine, as you can see here. Because what they did was placing cookies on people's devices before they actually got consent. So super important. I'll be happy to share the links to the press release from the French data protection agency, if you guys speak French.

Stine: And you might be thinking, "Well, I'm not in France, so really doesn't impact me." And you're right. But what you should keep in mind is that CNIL, which is the French data protection agency, is one of the most powerful agencies in Europe, and many of the other agencies around Europe are looking towards the French when we're talking a bit about setting the bar, setting the standard, but also setting the tone. So you should definitely, if you don't have your cookie consents in order, take a look at it.

Stine: Because what we're also seeing is that there are movements in all of Europe, not just in France. The French agency has also issued new guidelines about use of cookies, but so has the Spanish. The Spanish came into effect on October 31st, where they're kind of like what I've just showed you, going through the requirements that we've just gone through, and saying that is what you need to abide by and these are the requirements you need to fulfill. At the same time, not only in France, but also in the Netherlands, Belgium, and in the UK, we are getting information from the authorities where they're saying that they are now going to enforce noncompliant cookie setups. So it is a focus area around Europe and not only in France.

Stine: I hope that this was of value to you. We are always doing these small webinars that hopefully don't take as much time, so that you can actually join and get value out of it, and go and take a look at your own settings and hopefully feel safe and secure about what you're doing with the data online. We have more webinars coming up, so feel free to sign up on our page regarding webinars. But before we say goodbye today, I'm going to stop sharing my screen. Oh, sorry. Oh my God. So many things going on. I don't know. There it is.

Stine: Sorry. No, we just got the funnel of that overload. I can see that Dennis didn't get the intro, so I'm sorry for that, and as you've already been informed, we're going to be sending out a replay so that you can get the information as well. I can see that there is one question and I'm going to read it out loud just to make sure that you all get it. So how would you handle third party cookies from plugins that you need on your website, for example customer support chat, or conversion tracking; could some of these be justified as necessary? Well, the thing is, as soon as something is a third party cookie, it can't be necessary. And you might think, "Huh, what does she mean?" Well, the thing is, if it's a third party cookie, the data isn't going to you, so therefore it can't be necessary. It is not something that is 100% required for you to be able to run your website.

Stine: There will be some type of cookies that would be necessary, and in addition to security, login is also one of the things that could be necessary so that people can actually log into a product. It could also be classified as, for example, if you're using Calendly. So if you're using Calendly for people to actually book a meeting with a plumber, just as an example, that's required for you actually coming out and fixing their tubes. Well, then you could argue that that is a necessary cookie as well that is being placed by Calendly, but on your behalf, because it's a first party cookie. Does it make sense?

Stine: Any other questions? Just going to close the window for that one. If there aren't any more questions, I'm going to say goodbye now, but we will definitely send you guys an email and we are in the business of helping companies become better data citizens. So if you guys have any questions or if there's anything that you would like to know more about, just shoot us an email. The easiest way will be to just send an email to [email protected], and we will be more than happy to help you guys. So with that, I hope you are doing great and that you will have a wonderful afternoon. Take care. Bye.