Cookies Opt-Out and Management Clauses

Cookies Opt-Out and Management Clauses

A cookies opt-out and management clause lets people disable the cookies they don't want businesses to install on their browser or device. It's an essential clause in any Privacy Policy or Cookie Policy, and so you should know how to draft one.

Below, we explore what these management clauses are, what they should contain, and how you can draft your own clause.



What are Cookies?

Cookies are small pieces of data stored on a browser or hard drive. They're used to allow websites to remember individuals and perform certain actions.

There are two main types of cookies: Essential and non-essential.

  • Essential cookies are integral to a website's functionality. For example, an essential cookie lets someone add an item to their shopping cart and continue browsing a website.
  • Non-essential cookies aren't required but they're extremely helpful for marketing purposes and for improving the user experience (UX). For example, non-essential cookies let businesses target ads at relevant customers.

If you use cookies (which you probably do) then you should have a Cookie Policy or Privacy Policy on your website explaining which cookies you use, why they're required and, most importantly, how people can disable them.

What is a Cookies Opt-Out and Management Clause?

A cookies opt-out and management clause is what it sounds like. It's a clause telling people how they can disable non-essential cookies or change their cookie preferences. The main types of non-essential cookies are:

  • Advertising cookies: These cookies are used to personalize ads so customers see products which are most relevant to them.
  • Analytical cookies: Analytical cookies monitor users' behavior to help companies better understand their audience.

Since non-essential cookies aren't required for your website to work properly, visitors should be able to reject or disable them.

Why is a Cookies Opt-Out and Management Clause Required?

Why is a Cookies Opt-Out and Management Clause Required?

There are a few reasons why you should include a cookies opt-out and management clause in your Cookie or Privacy Policy.

  • An opt-out clause helps people exercise privacy rights afforded to them by various privacy laws, such as the GDPR.
  • You can use a cookies opt-out and management clause to build consumer trust. If people know you take their privacy seriously, they're more likely to choose your goods or services.
  • Individuals may be more willing to share data with you or accept non-essential cookies if they believe you'll handle their data responsibly. The more data you have, the easier it is to build an effective marketing strategy.

No. It depends on what type of cookies you're using and which laws apply. Here's a brief summary.

  • You don't need consent before using essential cookies i.e. cookies which are required for the website to work.
  • You don't need consent to use cookies if a privacy law like the CCPA applies. However, you must give users the chance to opt out of non-essential cookies.
  • You do need consent to use non-essential cookies e.g. marketing cookies if you're targeting EU-based visitors.

If you're unsure whether you need consent for non-essential cookies, get legal advice or play it safe and assume that you do.

What Should a Cookies Opt-Out and Management Clause Include?

What Should a Cookies Opt-Out and Management Clause Include?

Every opt-out clause should contain, at minimum, the following information:

  • An acknowledgment of the user's right to opt out of cookies, and
  • How the user can turn off cookies and other tracking technologies

You should also include a brief description of what cookies are. It's good practice to include this description in your opt-out clause. However, if you don't, just make sure it's clearly set out in your Cookie Policy and/or Privacy Policy.

With all that in mind, let's take a closer look at each one of these requirements in turn.

Definition of Cookies

No matter whether it's a general or professional audience you're targeting, be sure to use simple and accessible language here so it's easy for people to understand how cookies work.

Here's an example from Etsy. Etsy begins its Cookie Policy by explaining, in straightforward terms, what cookies are. It also breaks down the three main types of cookies used, which is helpful for ensuring people have the information they need to make informed consent choices:

Etsy Cookies and Similar Technologies Policy: Types of Cookie Technologies clause - Intro section

This is a great example because Etsy uses bullet points and italic formatting to make the descriptions easier to read and therefore understand.

Opting Out of Cookies and Tracking Technologies

After setting out a cookie description, you need to ensure users know they can reject certain types of cookies.

Here's an example from Twitter. Twitter makes it clear that users can control cookies and decide how it and and its partners can use cookie-related data:

Twitter Help Center: How are cookies used - Privacy Options section excerpt

It's great practice to include a short sentence or two like this highlighting your commitment to privacy and a user's right to opt out.

How to Turn Off Cookies

The two main ways for users to disable cookies are disabling them through their browser or mobile device. Let's break down each option.

Web Browsers

Every browser functions a little differently, so the process for turning cookies off varies depending on whether someone uses Firefox, Chrome, and so on. However, you should provide at least a general overview of how users can reject cookies depending on which browser they use.

For example, Etsy tells people in section 5 of its Cookies Policy to look for the cookie preferences option in either the "options" or "preferences" browser menu:

Etsy Cookies and Similar Technologies Policy: Opt-in and Opt-out for Browsers clause

Users can click the various links to view more detailed instructions tailored to the browser they have.

Some websites prefer to list the browser instructions within the clause itself. Both approaches are fine. Physiopedia, for example, lists how visitors can delete cookies if they use FireFox, Internet Explorer, or Safari:

Physiopedia Cookie Policy: How do I delete a cookie clause

Physiopedia clearly lists the main steps in short bullet points which makes for a readable, accessible clause for the average reader.

Mobile Devices

Do you use cookies on mobiles and smartphone apps? If so, it's worth setting out how users can disable or reject cookies on these devices.

Let's consider Bumble's approach. Bumble clearly sets out the steps for disabling cookies on both Android and iOS devices. Bumble also emphasizes that the user is in control although rejecting certain cookies may stop the site from functioning properly, which gives people the information they need to make an educated choice:

Bumble Cookie Policy: How can you refuse or withdraw consent to the use of Cookies clause

There's no need to cover every possible operating system in detail. Since iOS and Android are the most popular, covering these systems should be sufficient.

Here's another example from Snapchat. It's a shorter clause and it's less informative but it still covers the main point that users can head to the "settings" menu on their mobile and disable cookies from there:

Snap Cookie Policy: Mobile Device Identifiers clause

Let's look more in detail at how to draft a cookies opt-out and management clause that you can use in your Cookies Policy and/or Privacy Policy to keep your users informed while complying with relevant laws.

How to Write a Cookies Opt-Out and Management Clause

How to Write a Cookies Opt-Out and Management Clause

There's no set format for writing cookie management clauses. Some possibilities include:

  • A short paragraph or two explaining how people can change their cookie preferences
  • More comprehensive clauses explaining which cookies you use, what they're for, and how users can customize their cookie settings
  • A clause with an in-built cookie disablement feature
  • A very simple paragraph directing users to a separate cookie settings page

Here are some examples of these four most common approaches.

Simple Paragraphs

Sometimes one or two paragraphs are all you need to effectively communicate how people can opt out of cookies.

It's important that you don't use long-winded paragraphs or overly complex language. Otherwise, people may find it difficult to make sense of what you're saying.

On the other hand, you still need to provide enough information for people to understand the significance of the clause.

Let's consider this example from Freshworks. It's only a single paragraph and it tells people what cookies are and how people can change their cookie preferences via the website cookie banner:

Freshworks Cookie Policy: Your Privacy clause

Arguably, this clause could be more comprehensive. Iit doesn't touch on how users can adjust cookies on their browser or their mobile. However, it's still a good example of how you can communicate cookie management in just a few sentences.

Here's another example from Starbucks:

Starbucks Privacy Policy: Your Choices clause - Cookies Web Beacons and Similar Technologies section

Ideally, aim for just a few lines of text per paragraph. If you're worried about being too vague or you're not sure if you've covered all the right information, provide a link to your Cookie Policy or other page where individuals can read more about their cookie rights before setting their preferences.

You might choose to set out how people can opt out of different types of cookies and tracking technologies e.g. location and marketing cookies.

Some businesses choose this approach because it gives visitors more control over specific cookies and empowers them to make more informed choices. There's also a chance visitors will continue to accept some cookies rather than just turning them all off, so from a marketing perspective, this approach could work.

Here's an example from Microsoft:

Microsoft Privacy Statement: Cookies and Similar Technologies clause

This is a great approach because users can decide what matters to them and make empowered decisions before using your platform.

You might also list the different websites users can visit to turn off various cookies. Snapchat provides users with six platforms they can quickly access to change their cookie settings:

Snap Cookie Policy: Change Your Settings clause

If you choose this approach it may be helpful to also include a brief summary of which cookies each site uses so people have all the information they need to make an informed choice.

One of the most user-friendly ways to write your cookie opt-out and management clause is to include a way for users to change their cookie preferences within the clause itself.

Here's a good example from TeePublic. The clause itself is very short, but it explains what cookies are, how they work, how users can opt out, and why they might want to keep cookies switched on:

Teepublic Privacy Policy: Cookie Consent Preferences interface

This approach is a convenient way to help your visitors make informed cookie consent choices.

However you structure your cookie management clause, every clause should have one thing in common: It must be easy for visitors to understand your policies on cookies and what rights they have to customize their preferences.

Conclusion

You don't need consent to use essential cookies throughout your website. However, you often need consent if you're using non-essential marketing cookies. Therefore, you need a cookie management clause in your Privacy or Cookie Policy that informs people of their rights.

Your clause should explain:

  • Visitors can opt out of non-essential cookies and tracking technologies, and
  • How to opt out of these tracking cookies

It's also a good idea to set out what cookies are so people can make informed decisions as to whether they want to accept them on their device.

While there's no set format for writing your cookies opt-out and management clause, it should be simple, easy to understand, and formatted in an accessible way. If it works for your business, you can also integrate the process for opting out of non-essential cookies into your management clause.