The GDPR Cookies Policy

by Jennifer L. Legal writer.

If your website receives visitors from European Union (EU) countries, then the General Data Protection Regulation (GDPR) affects how you use cookies to collect their information, and what you can do with this information.

Most importantly, you must tell visitors which cookies you use and why, which is normally done in a Cookies Policy for your website. We'll explain why and show you how to create, display and get consent to your Cookies Policy in accordance with GDPR requirements.

The GDPR is an EU privacy law that came into effect on 25th May, 2018. It is one of the strongest data protection laws in the world.

The law tells businesses:

  • What data they may collect about visitors to their site
  • How to store this information
  • How to use the information
  • What Privacy Policies must exist
  • What consent they need to obtain from site visitors to collect their data

In simple terms, the GDPR has reformed how businesses handle and process data. It replaces earlier data protection rules which weren't designed to cope with today's digitalized world, and the amount of data we share online.

You might be wondering why we need the GDPR. The reality is that companies need some customer data to run their business. Consumers, however, want more control over their own information. The GDPR supports this right to privacy while reflecting business realities.

Under the GDPR, consumers now control:

  • Who collects information about them
  • What information is gathered
  • How this information is used
  • Whether any third parties get access to this information

A person has the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. If someone decides they no longer want you handling or storing their data, you must stop the processing that relied on their consent. This is in line with general EU principles of transparency, fairness, individual control, and decision-making based on full knowledge of the facts.

So, who does the GDPR apply to?

Who the GDPR Applies to

The simple answer is that the GDPR protects people in the EU from losing control of their personal information. Note that it protects anyone located in the EU, not only EU citizens or residents. Your business can be anywhere in the world, but the GDPR applies if your business:

  • Offers goods or services to people in the EU
  • Monitors the behavior of people in the EU, for example by tracking visitors with cookies

An example will help. Say you're based in Sydney, Australia, and you run a holiday resort. If anyone from countries such as Italy, France, or Germany visits your website, you're technically responsible for data captured about them.

You're liable under the GDPR whether you're a controller (you decide why and how the data is processed) or a processor (you handle the data on someone else's behalf), although the exact obligations differ between the two roles.

The GDPR doesn't apply if you're gathering data for purely personal or household reasons. If you have fewer than 250 employees, some of the record-keeping requirements are relaxed, but you're still answerable to the GDPR.

The GDPR and Personal Data

The GDPR doesn't simply apply to any data. It covers what's known as personal data. Personal data is, put simply, any data which identifies someone or can be used to identify someone. It can be something as obvious as a name, or something less obvious like an IP address or a pseudonym.

You shouldn't collect more personal data than you need to operate your business and understand consumer needs. For example, you don't need someone's Social Security Number if you're a fashion website.

Essentially, if you control or process personal data, it's covered by the GDPR.

Why are cookies relevant, then? It's a simple answer:

  • Cookies can sometimes identify an individual, which makes them count as personal data
  • Cookies collect and store information, so they're part of the data handling process

Cookies and the GDPR

Since cookies are so important to data collection, it's worth defining what they are.

When you visit a website, the server asks your browser to store a cookie (via a Set-Cookie response header), and the browser sends it back with every later request to that site. The cookie is a very small piece of data which lets the website recognize you and remember your actions across pages and visits. This helps identify browsing trends and patterns.

Cookies, then:

  • Help businesses show customers relevant ads
  • Let websites remember someone's unique preferences, which improves the visitor experience
  • Identify a user

Cookies are a powerful marketing and commercial tool, and businesses rely on them. The GDPR makes it mandatory for businesses to be honest about the cookies they set and what data they track. Strictly speaking, the rule that you need consent before placing non-essential cookies comes from the EU ePrivacy Directive; the GDPR defines what valid consent looks like, and treats cookie data that can identify someone as personal data.

You can do this with a good Cookie Policy. You also have an option to include information about cookies in your Privacy Policy and not have a separate Cookies Policy. But there are a few perks for separating these policies that we'll discuss a little later in the article.

Privacy Policy Cookies Clauses

A Privacy Policy tells users how you manage and collect their personal data.

Although some businesses have separate Cookie Policies and Privacy Policies, others include cookie clauses in their Privacy Policy. The best way to illustrate how this works in practice is through a few examples.

This first example is a clause on "Cookies and Other Tracking Technologies" from WebMD. The clause tells visitors what they need to know about cookies and what the website does with them.

Although this business also has a separate Cookie Policy, this is a useful example of a Privacy Policy with the right cookie content. Note this is just an excerpt of the entire clause:

WebMD Privacy Policy: Cookies and Other Tracking Technologies clause excerpt

In this second example, Huawei does not have a separate Cookie Policy. Everything about cookies, including how to consent and withdraw this consent, is included in the Privacy Policy. Here is an extract from the relevant section in the Privacy Policy:

Huawei Privacy Policy: Cookies and Similar Technologies clause excerpt

Both policies are perfectly valid under the GDPR because there's no need for a separate Cookie Policy, so long as the clause explains:

  • That cookies are used
  • What data is collected by them
  • What happens to the data, and if it's shared with anyone
  • How users can change cookie settings or revoke consent

Many businesses do have two separate policies, however. What's the benefit of this?

The Benefits of a Separate Cookie Policy

When you keep your Cookie Policy and your Privacy Policy separate, you make it easier for users to find the information they are looking for.

  • A separate Cookie Policy lets users click straight through to the cookie information without scrolling through the Privacy Policy document
  • Cookies are very important to data processing, and dedicating a separate policy to cookies shows users that you take privacy seriously
  • Shorter policies are easier for users to glance through and understand

It's vital that a Cookie Policy is easy for users with no legal knowledge to comprehend. With that in mind, how do you create a GDPR-compliant Cookie Policy for your own website?

Creating A Cookie Policy

To create a legally effective Cookie Policy, the document must include certain things. It must include:

  • How you use the cookies, for example to keep a user signed in without re-entering their password each time they visit the site
  • The types of cookies used on the site, whether they're for advertising, analytics, or customer convenience
  • If information is transferred to or used by third parties
  • How users can reject cookies, and how to turn them off

Consent underpins the cookie rules. Under the GDPR it must be freely given, specific, informed and unambiguous: the user knows which cookies are used and why, and takes a clear affirmative action to accept them.

In the excerpt below from Gymshark's Cookie Policy, the company clearly explains what cookies are and why they're being used. Each section of the Cookie Policy covers, in more detail, what cookies are used and what happens to the information collected:

Gymshark Cookie Policy: Intro clause excerpt

Gymshark explains that cookies will be used for remembering the customer, and why this is important. In this case, the customer is remembered so they can access their wishlist the next time they visit the site:

Gymshark Cookie Policy: What type of cookies do we use clause

It's also clear how to delete cookies and turn the feature off:

Gymshark Cookie Policy: Turn off and delete cookies clause excerpt

Keep the Cookie Policy simple and easy to comprehend while still including thorough and complete information.

Displaying a Cookie Policy

You must obtain consent before non-essential cookies are placed, not after the fact, and you should make it easy for users to access the Cookie Policy on whatever device they're using.

A banner or notification works well as a cookie consent solution. The below banner pops up the first time you visit WebMD's website, and you can't browse any further without consenting to the cookies. This means the user has the clear opportunity to review the Cookie Policy. Be careful with this pattern, though: EU regulators regard a "cookie wall" that blocks access until the visitor agrees as undermining freely given consent, so the banner should also offer a way to refuse non-essential cookies and still use the site.

As you can also see, there's a clear link to the Privacy Policy included, so users can give their informed consent:

WebMD Cookie Consent banner with Agree button

When the user browses the site, there should always be a chance for them to access the Cookie Policy or the Privacy Policy. Here's an example of how Entrepreneur provides links to each separate policy in its website footer:

Entrepreneur website footer with links

Obtaining Consent to Place Cookies

When you're obtaining consent to cookie placement, you should ensure that:

  • You're honest about the cookies you're placing on devices
  • It's clear why you need the information you're collecting
  • The consent is unambiguous, meaning users know exactly what they are consenting to and take a clear, affirmative action; pre-ticked boxes, silence, or simply continuing to browse don't count
  • You use a banner, or a pop-up, because the user must engage with this notice before any non-essential cookies are set
  • You include a link to the Cookie Policy and Privacy Policy in your website footer
  • It's easy to adjust, revoke, or deny consent, and withdrawing consent actually stops the cookies in question
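The mechanics behind those points, as an added example that is not part of the original article or the code of any site it cites: a small consent manager that sets strictly necessary cookies unconditionally, refuses analytics and advertising cookies until the visitor has opted in, records the decision in a cookie of its own, and deletes a category's cookies when consent is withdrawn. The record name `cookie_consent`, the three category names and the cookie names used in the comments are assumptions made for the example. `MemoryJar` stands in for the browser's cookie store so the code runs outside a browser; `browserJar` shows the same interface over `document.cookie`.

```javascript
// Added example: consent-gated cookie management. Not from the article.
// Assumptions: category names below and the "cookie_consent" record name.

const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// In-memory stand-in for the browser cookie store, so the example runs in Node.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
}

// Same three-method interface backed by document.cookie, for use in a page.
function browserJar() {
  return {
    get(name) {
      const hit = document.cookie.split('; ').find(c => c.startsWith(name + '='));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
    },
    set(name, value) {
      document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    },
    remove(name) {
      document.cookie = `${name}=; Path=/; Max-Age=0; SameSite=Lax; Secure`;
    },
  };
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.registry = new Map();          // cookie name -> category
    this.consent = this._loadConsent(); // category -> true/false
  }

  // Every cookie must be declared with its category before it can be set.
  register(name, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.registry.set(name, category);
  }

  _loadConsent() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return {}; // no decision yet: only necessary cookies allowed
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed === 'object' ? parsed : {};
    } catch (e) {
      return {};
    }
  }

  // Persist the visitor's choices. The record itself is strictly necessary,
  // so it is written regardless of which categories were refused.
  saveConsent(choices) {
    this.consent = {};
    for (const cat of CATEGORIES) {
      if (cat !== 'necessary') this.consent[cat] = choices[cat] === true;
    }
    this.jar.set(CONSENT_COOKIE, JSON.stringify(this.consent));
    this._purgeRefused(); // a category just switched off loses its cookies now
  }

  hasDecided() { return this.jar.get(CONSENT_COOKIE) !== null; }

  hasConsent(category) {
    return category === 'necessary' || this.consent[category] === true;
  }

  // Writes the cookie only if its category has consent; returns whether it was set.
  setCookie(name, value) {
    const category = this.registry.get(name);
    if (category === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (!this.hasConsent(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Withdrawal is one call, as easy as giving consent, and takes effect immediately.
  revoke(category) {
    this.saveConsent({ ...this.consent, [category]: false });
  }

  _purgeRefused() {
    for (const [name, category] of this.registry) {
      if (!this.hasConsent(category)) this.jar.remove(name);
    }
  }
}

// Usage in a page: const cm = new ConsentManager(browserJar());
// show the banner while !cm.hasDecided(); wire its buttons to cm.saveConsent(...)
// and a "cookie settings" link to cm.revoke(...); route every analytics or
// advertising cookie through cm.setCookie so nothing is set before consent.
```

The design point is that the decision lives in one place: tracking code never touches the cookie store directly, so a cookie in a refused category cannot be set by accident, and revoking a category both blocks future writes and deletes what was already stored. The consent record is kept in a cookie of its own so the choice survives a new visit without any server-side state.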

The following example is an effective consent tool. It makes it clear that the University of Brighton uses cookies, there's a reason why they use cookies, and it's possible to review the Cookie Policy and change the Cookie Settings before consenting:

University of Brighton Cookies Consent notice with Cookie Policy and Cookie Settings

Conclusion

The GDPR balances the needs of the business world against the rights of individuals. Part of this balance includes disclosing some information about your use of cookies to your EU users.

Make sure your GDPR Cookies Policy:

  • Is clearly written
  • Discloses what cookies you set, what you use them for and if you share their data with any third parties
  • Is displayed in a cookie consent banner or pop-up

If you don't have a separate Cookies Policy, make sure you include a cookie clause in your Privacy Policy where you cover the same information.

Last updated on 29 August 2019