Ways to Notify Users About Cookies
Cookies are a commonly used tool for collecting information from users and storing that data for later use. Cookies fall under multiple privacy laws that protect the private information of individuals from fraud and unfair practices.
Notifying your users about cookies allows them to consent to or reject the use of cookies, which is a major requirement in privacy laws that affect online businesses. These laws also dictate how your company can notify users of cookies and include some specific notification requirements.
First, let's take a look at what cookies actually are.
What are Cookies?
Cookies are small files that retain information from computers and can be accessed by the user and the company.
There are multiple types of cookies related to security, shopping baskets, optimization, and customization. Some of these cookies actively collect user information or passively store the data for future use.
Why Must Users be Notified About Cookies
At their core, cookies are a way to collect and store the private information of customers. This can include:
- Email addresses
- Credit card information
- Search history
- IP addresses
- Geolocational data and timestamping
Privacy Laws Regarding Cookies
The FTC was enacted to protect online users from companies' unfair or illegal practices of collecting and using private information. Since cookies are a way for companies to collect and store information, they fall under the FTC purview.
In the EU, one of the laws that applies to cookies is the GDPR. The law was enacted to create transparency of information between companies and users.
- Types of cookies used
- How cookies are used
- Why cookies are used
The Cookies Directive is the EU directive created in 2002 to protect the "processing of data" and the flow of private information that is collected by online companies.
- Freely given
- Clear affirmative action
In addition to complying with privacy laws, when third parties have access to your site, you must disclose that to consumers as well.
Third parties are usually site analytics companies, social media outlets, search engines, etc.
An example of a third party is Google Analytics. Google Analytics is a part of Google that analyzes websites for viewer information, demographics, loading speed, and search history.
Amazon UK includes a separate paragraph in its Cookies Policy laying out approved third parties and what they may have access to, what the third parties do, and the relationship between them and Amazon. Also included is a link to further information on approved parties.
Make sure to be as transparent as possible and make it easy for users to learn more, adjust cookie settings or opt out at any time if they wish to do so.
How to Notify Users About Cookies
Whether your company is based in the U.S., the EU, or both, you must notify your users of the cookies you use.
Notification must be clear and accessible to the user. Attempting to hide the link or making it difficult to find could lead to your company being found to have attempted to deceive your consumers.
Additionally, no matter how you notify your users, it must be done in simple, plain language so as not to confuse consumers.
- In a cookie consent notice
- Website footers
- Sign-up forms
- Checkout screens
But they need to be clearly denoted so users do not miss the links.
In a Cookie Consent Notice
A Cookie Consent Notice is a pop-up window or banner that alerts the visitor that cookies are being used on the site. The notice appears the first time a user visits a site. While not required by U.S. laws, a Cookie Consent Notice is required under the EU's GDPR.
An alternative some companies use is stating in their banners that continued use of the site or clicking on any of the links constitutes express consent to cookies, but this method is not recommended.
British Airways is an example of a site with a banner that appears in the header and includes a consent button.
Have a Separate Cookies Policy if Required
Not every company is required to have a separate Cookies Policy. The Cookies Directive of the EU requires any EU-based company to have a separate policy.
Two examples of what a separate Cookies Policy looks like can be found in The Guardian and BBC UK.
BBC UK has an independent page to explain the site's cookies and how users can accept or reject the use of them. Both of these sites use clear, simple language so as not to confuse the reader.
- Companies that must comply with the GDPR must have a Cookie Consent Notice
Notifying users about cookies
Cookie Consent Notices
- Notifications that pop up on first-time visits with a brief description and a consent button