Ways to Notify Users About Cookies
If your company uses cookies or any other kind of data-collecting system, you must notify your users that such systems are in use.
There are a number of different ways to notify your users about your use of cookies. This article will describe them and show examples so you can create your own cookie notification.
What are Cookies?
Cookies are small pieces of data that a website stores in the visitor's browser and that the browser sends back with later requests to that site. They are a commonly used tool for recognizing returning users and storing information about them for later use, and they can be read both by the user (through the browser) and by the company that set them. Because they can carry personal data, cookies fall under multiple privacy laws that protect individuals from fraud and unfair practices.
Companies like Google use cookies to track search history, make it easier to return to sites, serve advertisements based on searches, and allow websites to store your information between visits.
There are multiple types of cookies related to security, shopping baskets, optimization, and customization. Some of these cookies actively collect user information or passively store the data for future use.
Users do have control over the use of cookies used by companies. Visitors can accept or reject the use of the cookies or adjust the settings of what information is collected and what cookies can be used.
Cookies fall under the policy restrictions set up by many laws across the world. California's CalOPPA law and the EU's Cookie Directive both dictate disclosures and policies for the use of cookies.
Why Must Users be Notified About Cookies
Notifying your users about cookies allows them to consent or reject the use of the cookies, which is a major requirement in privacy laws that affect online businesses. These laws also dictate how your company can notify users of cookies and include some specific notification requirements.
At their core, cookies are a way to collect and store the private information of customers. This can include:
- Names
- Email addresses
- Credit card information
- Search history
- IP addresses
- Geolocation data and timestamps
Privacy Laws Regarding Cookies
In the USA, the EU and other countries around the world it is required by law to notify users of the collection of personal data to protect consumers from their information being used inappropriately or illegally. This is typically done with a Privacy Policy, and with cookies, either a separate Cookie Policy, a cookie consent notice or at minimum a cookie clause within a Privacy Policy.
While the FTC in the U.S. does not specifically require a Cookies Policy, it does require a general Privacy Policy to be disclosed to users and a Cookie Clause should be included in the Privacy Policy.
The FTC Act protects consumers from companies' unfair or deceptive practices, which includes how they collect and use private information. Since cookies are a way for companies to collect and store information, they fall under the FTC's purview.
In the EU, one of the laws that applies to cookies is the GDPR. The law was enacted to create transparency between companies and users about how personal information is handled.
The GDPR requires that any EU-based company, and companies elsewhere that do business in the EU or have EU-based customers, must include a Cookies Consent Notice. If you fall under one of these, your company must include separate links to a cookie notice and your Privacy Policy to stay compliant.
Cookies Directive
The EU Cookie Directive requires a separate Cookies Policy be provided in addition to the general Privacy Policy. The Cookies Policy must clearly lay out:
- Types of cookies used
- How cookies are used
- Why cookies are used
The Cookies Directive is the EU's ePrivacy Directive of 2002 (amended in 2009 to add the cookie consent requirement), created to protect the "processing of data" and the flow of private information collected by online companies.
Additionally, the Cookie Directive requires that there needs to be "prior consent" by users for the use and storage of their information. Companies must notify users immediately that they use cookies or other types of data collection, on the first visit to the site.
Both the Cookie Directive and the GDPR have stated that consent to the use of cookies and the collection of information must be:
- Informed
- Specific
- Freely given
- Unambiguous
- Clear affirmative action
In addition to what the privacy laws themselves require, if third parties set or read cookies through your site, you must also disclose that to consumers.
Third Parties
If your company allows the use of third-party cookies, a clause must be included in your Privacy Policy notifying visitors that outside parties may have access to, and may use, their private information.
Third parties are usually site analytics companies, social media outlets, advertising networks, search engines, etc.
An example of a third party is Google Analytics, a Google service that reports on a website's visitors, including demographics, traffic sources and page loading performance.
Under the notification requirements of the privacy laws, companies must disclose this information in their Cookies Policy or Privacy Policy.
Amazon UK includes a separate paragraph in its Cookies Policy laying out approved third parties and what they may have access to, what the third parties do, and the relationship between them and Amazon. Also included is a link to further information on approved parties:
Make sure to be as transparent as possible and make it easy for users to learn more, adjust cookie settings or opt out at any time if they wish to do so.
How to Notify Users About Cookies
Whether your company is based in the U.S., the EU, or both, you must notify your users of the cookies you use.
Notification must be clear and accessible to the user. Hiding the link or making it difficult to find could lead to a finding that your company is attempting to deceive consumers.
Additionally, however you notify your users, it must be done in simple, plain language so as not to confuse them.
There are three primary ways you can alert your users to your use of cookies:
- In your Privacy Policy
- In a cookie consent notice
- In a separate Cookie Policy
Your Privacy Policy
Companies based in the U.S. or international companies that have users in the U.S. must have a Privacy Policy. Unlike EU companies, U.S.-based companies are not required to include a separate Cookies Policy.
Companies that fall under this rule only need to include a disclosure section about cookies in their Privacy Policy.
Links to the Privacy Policy can be included in:
- Website footers
- Pop-ups
- Sign-up forms
- Checkout screens
They must be clearly labeled so users do not miss them.
If you are disclosing your cookie practices within a general Privacy Policy, put them in a distinct clause of the policy so users can clearly identify it.
Here's an example of a cookie clause in a Privacy Policy from Zappos. Zappos describes what cookies are in general, as well as why Zappos uses them, specifically. Users are also told how they can refuse and remove cookies, as well as what effects this may create:
Target includes a thorough clause in its Privacy Policy that addresses cookies, tracking, interest-based ads as well as opting out and disabling cookies:
In a Cookie Consent Notice
A Cookie Consent Notice is a pop-up window or banner that alerts the visitor that cookies are being used on the site. The notice appears the first time a user visits a site. While not required by U.S. laws, a Cookies Consent Notice is required under the EU's GDPR.
The pop-ups usually include a brief notification that the site uses cookies and how the cookies are used. You should also include additional links in the banner for more information so users can research, such as a link to your Cookie Policy, or Privacy Policy with a cookie clause.
Additionally, banners may include "I Accept" buttons for users to expressly consent to the use of cookies, or checkboxes. Just remember not to pre-tick any checkboxes you use to get consent.
An alternative some companies use is stating in their banners that continued use of the site, or clicking on any of its links, constitutes consent to cookies. This method is not recommended: consent inferred from scrolling or browsing is implied, not express, and does not meet the "clear affirmative action" standard described above.
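The points above (nothing pre-ticked, consent only from an explicit click, the choice remembered so the banner is not shown again, and opt-out possible at any time) can be reduced to a small piece of consent-state logic. The following is an added example, not code from the original article or from any site it mentions; the category names and the first-party cookie name `cookie_consent` are assumptions chosen for illustration. It is framework-free and runs in Node or a browser; a real banner would wire its buttons to `recordConsent` and use `scriptsToLoad` to decide which third-party tags (analytics, advertising) it is allowed to load.

```javascript
// Added example (not from the original article). Category names and the
// cookie name "cookie_consent" are assumptions used for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// State shown when the banner first appears: no non-essential category is
// pre-ticked and no consent has been given, so only strictly necessary cookies
// may be set.
function defaultConsent() {
  return { given: false, necessary: true, analytics: false, marketing: false, timestamp: null };
}

// The banner is shown until the user has made an explicit choice.
function shouldShowBanner(state) {
  return state.given !== true;
}

// Record the user's choice. Only an explicit button click ("accept_all",
// "reject_all" or "save" with the ticked boxes) counts; anything else
// (scrolling, navigating, "continue browsing") is implied consent and is refused.
function recordConsent(action, choices = {}, now = Date.now()) {
  const state = defaultConsent();
  switch (action) {
    case "accept_all":
      for (const c of CATEGORIES) state[c] = true;
      break;
    case "reject_all":
      break; // non-essential categories stay false
    case "save":
      for (const c of CATEGORIES) {
        if (c !== "necessary") state[c] = choices[c] === true;
      }
      break;
    default:
      throw new Error("consent requires a clear affirmative action, got: " + action);
  }
  state.given = true;
  state.timestamp = now;
  return state;
}

// Opting out later is just an explicit "reject all".
function withdrawConsent(now = Date.now()) {
  return recordConsent("reject_all", {}, now);
}

// May a cookie of this category be set right now?
function mayUseCookie(state, category) {
  if (category === "necessary") return true;
  return state.given === true && state[category] === true;
}

// Persist the decision in a first-party cookie value so the banner is not
// shown again on the next visit.
function serializeConsent(state) {
  return encodeURIComponent(JSON.stringify(state));
}

// Read the decision back from a document.cookie-style string. Anything
// missing, malformed or tampered with fails closed to the default (no consent).
function parseConsent(cookieHeader) {
  const re = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)");
  const m = re.exec(cookieHeader || "");
  if (!m) return defaultConsent();
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    const state = defaultConsent();
    for (const c of CATEGORIES) {
      if (c !== "necessary") state[c] = parsed[c] === true;
    }
    state.given = parsed.given === true;
    state.timestamp = typeof parsed.timestamp === "number" ? parsed.timestamp : null;
    return state;
  } catch (e) {
    return defaultConsent();
  }
}

// Gate third-party loaders on the stored decision. `loaders` is a list of
// { name, category }; the names whose category is permitted are returned, so
// an analytics or advertising tag is never loaded before the user agrees.
function scriptsToLoad(state, loaders) {
  return loaders.filter((l) => mayUseCookie(state, l.category)).map((l) => l.name);
}
```

Note that the stored cookie records the user's decision, not just "consent given": a rejection is persisted too, so the banner does not keep reappearing for users who said no, and `withdrawConsent` lets the user change their mind at any time, as the summary below requires.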
British Airways is an example of a banner that appears in the header of the site and includes a consent button:
Have a Separate Cookies Policy if Required
Not every company is required to have a separate Cookies Policy. The Cookie Directive of the EU requires that any EU-based company must have a separate policy.
The Cookies Policy must have a link separate from the general Privacy Policy and needs to be clear and easy to click.
Amazon is one of the top global websites doing business everywhere in the world. While the Amazon U.S. version doesn't need a separate link, the Amazon UK version must follow the requirements of the Cookie Directive and include a separate link to a Cookie Policy in its footer:
Two examples of what a separate Cookies Policy looks like can be found on The Guardian and BBC UK.
The Guardian's Cookie Policy starts off with a table of contents so you can see what's included in the policy:
BBC UK has an independent page to explain the site's cookies and how users can accept or reject the use of them. Both of these sites use clear, simple language so as not to confuse the reader:
Summary
If your site uses cookies, you must notify your users. The users must have the opportunity to consent to the use and adjust the settings of the cookies, as well as opt out at any time.
Specific privacy laws lay out the reasons for notifications and how users should be notified about the use of cookies:
- Privacy laws:
  - U.S. companies with only U.S. customers are not required to include a separate Cookie Policy, but should address cookies in a Privacy Policy
  - Companies that must comply with the GDPR must have a Cookies Consent Notice
  - Companies that must comply with the Cookie Directive must include a separate Cookies Policy from the Privacy Policy
- Notifying users about cookies:
  - Privacy Policy: primarily U.S. companies include a clause in the Privacy Policy
  - Cookie Policy: required by the EU's Cookie Directive and must be wholly separate from a Privacy Policy
  - Cookie Consent Notices: notifications that pop up on first-time visits with a brief description and a consent button