The GDPR Cookies Policy
If your website receives visitors from European Union (EU) countries, then the General Data Protection Regulation (GDPR) affects how you use cookies to collect their information, and what you can do with this information.
Most importantly, you must publish a Cookies Policy for your website. We'll explain why, and show you how to create and display it and how to obtain valid consent in accordance with GDPR requirements.
The GDPR is an EU privacy law that came into effect on 25th May, 2018. It is one of the strongest data protection laws in the world.
The law tells businesses:
- What data they may collect about visitors to their site
- How to store this information
- How to use the information
- What Privacy Policies must exist
- What consent they need to obtain from site visitors to collect their data
In simple terms, the GDPR has reformed how businesses handle and process data. It replaces earlier data protection rules which weren't designed to cope with today's digitalized world, and the amount of data we share online.
You might be wondering why we need the GDPR. The reality is that companies need some customer data to run their business. Consumers, however, want more control over their own information. The GDPR supports this right to privacy while reflecting business realities.
Under the GDPR, consumers now control:
- Who collects information about them
- What information is gathered
- How this information is used
- Whether any third parties get access to this information
A person has the right to revoke consent at any time. If someone decides they don't want you handling or storing their data any longer, you must comply. This is in line with general EU principles of transparency, fairness, individual control, and decision-making based on full knowledge of the facts.
So, who does the GDPR apply to?
Who the GDPR Applies to
The simple answer is that the GDPR protects people in the EU from losing control of their personal information, regardless of their citizenship. Your business can be anywhere in the world, but the GDPR applies (Article 3) if your business:
- Offers goods or services to people in the EU
- Monitors the behaviour of people in the EU, which is exactly what analytics and advertising cookies do
An example will help. Say you're based in Sydney, Australia, and you run a holiday resort. If someone in Italy, France or Germany visits your website, the personal data you capture about them (including through cookies) falls under the GDPR, even though you are not in the EU.
You're bound by the GDPR whether you are a controller (you decide why and how the data is processed) or a processor (you handle it on someone else's behalf). The obligations differ between the two roles, but neither is exempt.
The GDPR doesn't apply if you're gathering data for purely personal or household reasons. Organisations with fewer than 250 employees are exempt from some record-keeping requirements, but the core obligations (a lawful basis, transparency, valid consent and honouring data-subject rights) apply regardless of size.
The GDPR and Personal Data
The GDPR doesn't simply apply to any data. It covers what's known as personal data. Personal data is, put simply, any data which identifies someone or can be used to identify someone. It can be something as obvious as a name, or something less obvious like an IP address, a device identifier or the pseudonymous ID stored in a cookie.
You shouldn't collect more personal data than you need to operate your business and understand consumer needs (the GDPR calls this data minimisation). For example, you don't need someone's Social Security Number if you run a fashion website.
Essentially, if you control or process personal data, it's covered by the GDPR.
Why are cookies relevant, then? It's a simple answer:
- Cookies can sometimes identify an individual, which makes them count as personal data
- Cookies collect and store information, so they're part of the data handling process
Cookies and the GDPR
Since cookies are so important to data collection, it's worth defining what they are.
When you visit a website, the server can ask your browser to store a cookie (it does this with a Set-Cookie response header). The cookie is a very small piece of data that the browser then sends back with every later request to that site, which lets the site recognise you and your actions across pages and across visits. This is what makes it possible to identify browsing trends and patterns.
Cookies, then:
- Help businesses show customers relevant ads
- Let websites remember someone's unique preferences, which improves the visitor experience
- Identify a user or device across visits, and, in the case of third-party cookies, across different websites
Cookies are a powerful marketing and commercial tool, and businesses rely on them. The GDPR, together with the ePrivacy Directive (which specifically governs storing information on a user's device), requires businesses to be honest about the cookies they set, what data they track, and to obtain consent before setting any cookie that isn't strictly necessary for the service the user asked for.
You can do this with a good Cookie Policy. You also have an option to include information about cookies in your Privacy Policy and not have a separate Cookies Policy. But there are a few perks for separating these policies that we'll discuss a little later in the article.
Privacy Policy Cookies Clauses
A Privacy Policy tells users how you manage and collect their personal data.
Although some businesses have separate Cookie Policies and Privacy Policies, others include cookie clauses in their Privacy Policy. The best way to illustrate how this works in practice is through a few examples.
This first example is a clause on "Cookies and Other Tracking Technologies" from WebMD. The clause tells visitors what they need to know about cookies and what the website does with them.
Although this business also has a separate Cookie Policy, this is a useful example of a Privacy Policy with the right cookie content. Note this is just an excerpt of the entire clause:
In this second example, Huawei does not have a separate Cookie Policy. Everything about cookies, including how to consent and withdraw this consent, is included in the Privacy Policy. Here is an extract from the relevant section in the Privacy Policy:
Both policies are perfectly valid under the GDPR because there's no need for a separate Cookie Policy, so long as the clause explains:
- That cookies are used
- What data is collected by them
- What happens to the data, and if it's shared with anyone
- How users can change cookie settings or revoke consent
Many businesses do have two separate policies, however. What's the benefit of this?
The Benefits of a Separate Cookie Policy
When you keep your Cookie Policy and your Privacy Policy separate, you make it easier for users to find the information they are looking for.
- A separate Cookie Policy lets users click straight through to the cookie information without scrolling through the Privacy Policy document
- Cookies are very important to data processing, and dedicating a separate policy to cookies shows users that you take privacy seriously
- Shorter policies are easier for users to glance through and understand
It's vital that a Cookie Policy is easy for users with no legal knowledge to comprehend. With that in mind, how do you create a GDPR-compliant Cookie Policy for your own website?
Creating A Cookie Policy
To create a legally effective Cookie Policy, the document must include certain things. It must include:
- How you use the cookies, for example to keep a user signed in without re-entering their password each time they visit the site
- The types of cookies used on the site, whether they're for advertising, analytics, or customer convenience
- If information is transferred to or used by third parties
- How users can reject cookies, and how to turn them off
Consent, which is freely given in full knowledge of how cookies are used, underpins the GDPR cookie regulations.
In the excerpt below from Gymshark's Cookie Policy, the company clearly explains what cookies are and why they're being used. Each section of the Cookie Policy covers, in more detail, what cookies are used and what happens to the information collected:
Gymshark explains that cookies will be used for remembering the customer, and why this is important. In this case, the customer is remembered so they can access their wishlist the next time they visit the site:
It's also clear how to delete cookies and turn the feature off:
Keep the Cookie Policy simple and easy to comprehend while still including thorough and complete information.
Displaying a Cookie Policy
You must obtain consent before any non-essential cookies are set, and you should make it easy for users to access the Cookie Policy on whatever device they're using.
A banner or notification works well as a cookie consent solution. The banner below pops up the first time you visit WebMD's website, so the user has a clear opportunity to review the Cookie Policy before continuing. Be careful with designs that block the whole site until the visitor accepts: EU regulators have said that consent is not freely given if access is conditional on accepting non-essential cookies, so offer a reject option that is as easy to use as the accept option.
As you can also see, there's a clear link to the Privacy Policy included, so users can give their informed consent:
When the user browses the site, there should always be a chance for them to access the Cookie Policy or the Privacy Policy. Here's an example of how Entrepreneur provides links to each separate policy in its website footer:
Obtaining Consent to Place Cookies
When you're obtaining consent to cookie placement, you should ensure that:
- You're honest about the cookies you're placing on devices
- It's clear why you need the information you're collecting
- The consent is unambiguous, meaning users take a clear affirmative action and know exactly what they are consenting to before non-essential cookies are set
- You use a banner or a pop-up so the user sees the notice before browsing, but you don't set non-essential cookies until they have actually made a choice
- You include a link to the Cookie Policy and Privacy Policy in your website footer
- It's easy to adjust, revoke, or deny consent
The following example is an effective consent tool. It makes it clear that the University of Brighton uses cookies, there's a reason why they use cookies, and it's possible to review the Cookie Policy and change the Cookie Settings before consenting:
The best approach is to use a checkbox or an explicit button for each category of cookies. Just don't pre-tick the checkbox, and don't treat scrolling or continuing to browse as consent: silence is not a choice.
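The consent mechanics described in this section (no cookies until an explicit choice, refusal as the default, easy withdrawal) come down to a few lines of server-side logic. The following is an added example written for this article; it is not code from WebMD, the University of Brighton or any other site mentioned here. The cookie names in the catalogue, the `cookie_consent` cookie and the six-month re-consent window are assumptions for illustration.

```javascript
// Added example: a minimal first-party consent record and cookie gate.
// Not the code of any site named in the article; names and values are assumptions.

// Constructed catalogue of the cookies a site sets, grouped by purpose.
// "necessary" never needs consent; every other category is opt-in.
const COOKIE_CATALOGUE = {
  necessary: ["session_id", "csrf_token"],
  analytics: ["_ga", "_gid"],
  marketing: ["ad_profile"],
};

const CONSENT_COOKIE = "cookie_consent";        // assumed cookie name
const CONSENT_VERSION = 1;                      // bump when the Cookie Policy changes materially
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;     // re-ask after roughly six months

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Read the stored consent record. An absent, malformed or stale record (one
// written under an older policy version) all mean "no consent": the default
// is refusal, not a pre-ticked box.
function readConsent(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (rec.v !== CONSENT_VERSION || !rec.choices || typeof rec.choices !== "object") return null;
  return rec;
}

// Build the Set-Cookie header that records an explicit choice. Only the
// optional categories are stored, and anything other than an explicit true
// is recorded as a refusal. Secure and SameSite keep the record itself honest.
function consentSetCookie(choices, now = Date.now()) {
  const rec = { v: CONSENT_VERSION, at: now, choices: {} };
  for (const cat of Object.keys(COOKIE_CATALOGUE)) {
    if (cat === "necessary") continue;
    rec.choices[cat] = choices[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}

// Withdrawal: expire the record so the banner is shown again on the next visit.
function withdrawSetCookie() {
  return `${CONSENT_COOKIE}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
}

// Decide which cookies this response may set: strictly necessary ones always,
// each optional category only if the stored record says true for it.
function allowedCookies(consentRecord) {
  const allowed = [...COOKIE_CATALOGUE.necessary];
  if (!consentRecord) return allowed;
  for (const [cat, names] of Object.entries(COOKIE_CATALOGUE)) {
    if (cat !== "necessary" && consentRecord.choices[cat] === true) allowed.push(...names);
  }
  return allowed;
}

// Usage with constructed requests: a first visit, then a return visit after
// the user opted in to analytics only.
const firstVisit = readConsent("session_id=abc123");            // null: show the banner
const header = consentSetCookie({ analytics: true, marketing: false });
const cookieValue = header.split(";")[0];                       // what the browser sends back
const returning = readConsent(`session_id=abc123; ${cookieValue}`);
console.log(allowedCookies(firstVisit));   // [ 'session_id', 'csrf_token' ]
console.log(allowedCookies(returning));    // [ 'session_id', 'csrf_token', '_ga', '_gid' ]
```

The point of the version field is that consent given under an old Cookie Policy should not silently carry over when the policy changes; the point of `allowedCookies` is that the decision to set an analytics or advertising cookie is made from the stored record, never from the absence of a refusal.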
Conclusion
The GDPR balances the needs of the business world against the rights of individuals. Part of this balance includes disclosing some information about your use of cookies to your EU users.
Make sure your GDPR Cookies Policy:
- Is clearly written
- Discloses what cookies you set, what you use them for, and whether you share their data with any third parties
- Is linked from a cookie consent banner or pop-up that lets users accept, reject or adjust non-essential cookies before they are set
If you don't have a separate Cookies Policy, make sure you include a cookie clause in your Privacy Policy where you cover the same information.