Ways to Notify Users About Cookies

If your company uses cookies or any other form of data collection, you must notify your users that it does.

Cookies are a commonly used tool for collecting information from users and storing it for later use. Because of that, they fall under several privacy laws that protect individuals' personal information from fraud and unfair practices.

Notifying users about cookies lets them consent to or reject their use, which is a central requirement of the privacy laws that affect online businesses. Those laws also dictate how your company may notify users and set out specific requirements for the notice.

First, let's take a look at what cookies actually are.

What are Cookies?

Cookies are small pieces of data that a website stores in the visitor's browser and that the browser sends back to that site on later requests. The user can view and delete them through the browser; the site that set them reads them each time the browser returns.

Companies like Google use cookies to remember your search activity and preferences, to make return visits easier, to target advertisements based on your searches, and to let websites keep information about you between visits.

Google Policies and Terms: How Google Uses Cookies intro

Cookies serve many purposes: security (for example, keeping you logged in), shopping baskets, performance optimization and customization. Some actively collect information about the user; others simply store data for later use.

Users retain some control over the cookies companies use. Visitors can accept or reject cookies, or adjust settings for which cookies may be set and what information they collect.

Cookies fall under the restrictions set by many laws across the world. California's CalOPPA law and the EU's Cookie Directive both dictate disclosures and policies for the use of cookies.

Why Must Users be Notified About Cookies

At their core, cookies are a way to collect and store customers' personal information. This can include:

  • Names
  • Email addresses
  • Credit card information
  • Search history
  • IP addresses
  • Geolocational data and timestamping

In the USA, the EU and many other countries, the law requires you to notify users that personal data is being collected, so that consumers are protected from their information being used inappropriately or illegally. This is typically done with a Privacy Policy; for cookies specifically, with a separate Cookie Policy, a cookie consent notice, or at minimum a cookie clause within the Privacy Policy.

Privacy Laws Regarding Cookies

While the FTC in the US does not specifically require a Cookies Policy, it expects companies that collect personal information to disclose their practices in a general Privacy Policy, and a cookie clause should be part of that policy.

The FTC Act empowers the FTC to act against companies' unfair or deceptive practices in collecting and using personal information. Since cookies are one way companies collect and store such information, they fall within the FTC's purview.

FTC About: Protecting Consumers

In the EU, one of the laws that applies to cookies is the GDPR, which was enacted to make the handling of personal data transparent between companies and users.

The GDPR applies to any EU-based company, and to companies elsewhere that do business in the EU or have EU-based customers; where cookies process personal data, these companies must obtain consent through a Cookies Consent Notice. If you fall under the GDPR, your site must provide separate links to the cookie notice and to your Privacy Policy to stay compliant.

Cookies Directive

The other EU law that applies to cookies, the Cookie Directive (formally the ePrivacy Directive), goes further than U.S. law: it requires a separate Cookies Policy in addition to the general Privacy Policy. The Cookies Policy must clearly lay out:

  • Types of cookies used
  • How cookies are used
  • Why cookies are used

The Cookie Directive is the EU directive adopted in 2002 (Directive 2002/58/EC) to protect the processing of personal data and the flow of private information collected by online companies.

Its 2009 amendment added a requirement of "prior consent": users must agree before cookies are stored on or read from their device, with an exemption only for cookies strictly necessary to provide a service the user has requested. Companies must therefore notify users that they use cookies or other data collection immediately, on the first visit to the site, before any non-essential cookies are set.

Both the Cookie Directive and the GDPR require that consent to the use of cookies and the collection of information be:

  • Informed
  • Specific
  • Freely given
  • Unambiguous
  • Clear affirmative action

In addition, when third parties set cookies or otherwise collect data through your site, you must disclose that to consumers as well.

Third Parties

If your company allows the use of third-party cookies, a clause must be included in your Privacy Policy notifying visitors that outside parties may access and use their personal information.

Third parties are typically analytics providers, social media platforms, search engines and similar services.

An example of a third party is Google Analytics, a Google service that reports on a site's visitors: traffic, demographics, page load times and how visitors found and moved through the site. It works by loading a Google script into your pages, and that script sets its own cookies in your visitors' browsers.

Under the notification requirements of the privacy laws, companies must disclose this information in their Cookies Policy or Privacy Policy.

Amazon UK includes a separate paragraph in its Cookies Policy listing approved third parties, what they may access, what they do, and their relationship with Amazon. It also links to further information on the approved parties:

Amazon UK Cookies Notice: Third party cookies clause

Make sure to be as transparent as possible and make it easy for users to learn more, adjust cookie settings or opt out at any time if they wish to do so.

How to Notify Users About Cookies

Whether your company is based in the U.S., the EU, or both, you must notify your users of the cookies you use.

Notification must be clear and accessible to the user. Hiding the link or making it difficult to find could lead to a finding that your company is attempting to deceive consumers.

Additionally, no matter how you notify your users, it must be done in simple, plain language to not confuse consumers.

There are three primary ways you can alert your users to your use of cookies:

  • In your Privacy Policy
  • In a cookie consent notice
  • In a separate Cookie Policy

Your Privacy Policy

Companies based in the U.S. or international companies that have users in the U.S. must have a Privacy Policy. Unlike EU companies, U.S.-based companies are not required to include a separate Cookies Policy.

Companies that fall under this rule only need to include a disclosure section about cookies in their Privacy Policy.

Links to the Privacy Policy can be included in:

  • Website footers
  • Pop-ups
  • Sign-up forms
  • Checkout screens

But the links must be clearly labeled so users do not miss them.

If you disclose your cookie practices within a general Privacy Policy, put them in a distinct clause so users can easily find them.

Here's an example of a cookie clause in a Privacy Policy from Zappos. Zappos describes what cookies are in general, as well as why Zappos uses them, specifically. Users are also told how they can refuse and remove cookies, as well as what effects this may create:

Zappos Privacy Notice: Cookies clause

Target includes a thorough clause in its Privacy Policy that addresses cookies, tracking, interest-based ads as well as opting out and disabling cookies:

Target Privacy Policy: Cookies, Tracking and Interest-Based Advertising clause

Cookie Consent Notice

A Cookie Consent Notice is a pop-up window or banner that alerts the visitor that cookies are being used on the site. The notice appears the first time a user visits the site. While not required by U.S. law, a Cookies Consent Notice is required under the EU's GDPR.

The banner usually carries a brief statement that the site uses cookies and what they are used for. It should also link to more information, such as your Cookie Policy or the cookie clause of your Privacy Policy, so users can read further before deciding.

Banners may also include an "I Accept" button, or checkboxes per cookie category, so users can expressly consent. Never pre-tick the checkboxes you use to obtain consent: a pre-ticked box is not a clear affirmative action.

Some companies instead state in the banner that continued use of the site, or clicking any link, constitutes consent to cookies. This method is not recommended: it does not meet the "clear affirmative action" standard, and it means non-essential cookies are set before the user has actually agreed.

British Airways is an example of a banner that appears in the header of the site and includes a consent button:

British Airways cookie consent notice
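The consent rules above (nothing optional before an explicit click, no pre-ticked boxes, "continued use" is not consent) translate directly into how a site should gate its scripts. The following is an added example, not code from the original page or from any of the sites mentioned: it records the visitor's choice in a first-party cookie and only injects third-party tags whose category was explicitly accepted. The cookie name `cookie_consent`, the two optional categories, and the tag URLs are assumptions made for the example.

```javascript
// Added example (not the page's code): consent-gated loading of non-essential
// cookies and scripts. "cookie_consent", the categories and the tag URLs below
// are assumptions made for this example.
const CONSENT_COOKIE = "cookie_consent";
const OPTIONAL_CATEGORIES = ["analytics", "advertising"];

// State before the visitor acts: only strictly necessary cookies are allowed,
// no optional category is pre-ticked, and nothing counts as "decided".
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, decided: false };
}

// Parse a "name=value; name2=value2" string (document.cookie or a Cookie header).
function parseCookies(str) {
  const out = {};
  for (const part of (str || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // malformed percent-encoding: ignore this cookie rather than throw
    }
  }
  return out;
}

// Read a previously recorded decision. Anything missing, malformed or of an
// unknown version means "not decided": show the banner again, load nothing optional.
function readConsent(cookieStr) {
  const raw = parseCookies(cookieStr)[CONSENT_COOKIE];
  if (!raw) return defaultConsent();
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch {
    return defaultConsent();
  }
  if (!rec || rec.v !== 1 || typeof rec.c !== "object" || rec.c === null) {
    return defaultConsent();
  }
  const consent = defaultConsent();
  for (const cat of OPTIONAL_CATEGORIES) {
    consent[cat] = rec.c[cat] === true; // only an explicit boolean true counts as consent
  }
  consent.decided = true;
  return consent;
}

// Record an explicit choice made in the banner: the checkbox state at the moment
// the visitor clicks Accept/Save, or all-false for Reject. Returns the string to
// assign to document.cookie (or send as Set-Cookie). Scrolling or navigating
// never calls this, because "continued use" is not a clear affirmative action.
function recordConsent(choices, opts = {}) {
  const maxAge = opts.maxAgeSeconds ?? 180 * 24 * 3600; // assumed 6-month retention
  const c = {};
  for (const cat of OPTIONAL_CATEGORIES) c[cat] = choices[cat] === true;
  const value = encodeURIComponent(JSON.stringify({ v: 1, c }));
  const attrs = [`Max-Age=${maxAge}`, "Path=/", "SameSite=Lax"];
  if (opts.secure !== false) attrs.push("Secure"); // the consent record is itself a necessary cookie
  return `${CONSENT_COOKIE}=${value}; ${attrs.join("; ")}`;
}

// Constructed tag manifest for the example (hypothetical URLs).
const TAGS = [
  { src: "/static/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Decide which tags may be injected. A tag outside an allowed category is never
// inserted into the page at all (not loaded and then "blocked"), because a
// third party sets its cookies as soon as its script runs.
function allowedScripts(consent, tags = TAGS) {
  return tags
    .filter((t) => t.category === "necessary" || consent[t.category] === true)
    .map((t) => t.src);
}

// Demo: first visit, then the visitor ticks "analytics" only and clicks Save.
if (typeof require !== "undefined" && require.main === module) {
  const first = readConsent("");
  console.log("first visit, show banner:", !first.decided, allowedScripts(first));
  const setCookie = recordConsent({ analytics: true, advertising: false });
  console.log("document.cookie =", setCookie);
  const later = readConsent(setCookie.split(";")[0]);
  console.log("return visit, show banner:", !later.decided, allowedScripts(later));
}
```

In a real page the banner's Accept/Save handler calls `recordConsent` and then `allowedScripts` to append `<script>` elements; on every subsequent page load `readConsent(document.cookie)` decides whether the banner is shown again. Storing the decision as an explicit per-category boolean, and treating anything else as a refusal, means a tampered or stale cookie fails closed rather than open.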

Have a Separate Cookies Policy if Required

Not every company is required to have a separate Cookies Policy. The EU's Cookie Directive requires one of any EU-based company.

The Cookies Policy must have a link separate from the general Privacy Policy and needs to be clear and easy to click.

Amazon is one of the top global websites doing business everywhere in the world. While the Amazon U.S. version doesn't need a separate link, the Amazon UK version must follow the requirements of the Cookie Directive and include a separate link to a Cookie Policy in its footer:

Amazon UK footer with Cookies Notice highlighted

Two examples of what a separate Cookies Policy looks like can be found at The Guardian and BBC UK.

The Guardian's Cookie Policy starts off with a table of contents so you can see what's included in the policy:

The Guardian Cookie Policy table of contents

BBC UK has an independent page to explain the site's cookies and how users can accept or reject the use of them. Both of these sites use clear, simple language so as not to confuse the reader:

BBC: Cookies and Browser Settings - Take Control page screenshot

Summary

If your site uses cookies, you must notify your users. Users must have the opportunity to consent to their use, to adjust cookie settings, and to opt out at any time.

Specific privacy laws lay out the reasons for notifications and how users should be notified about the use of cookies:

  • Privacy laws:

    • U.S. companies with only U.S. customers are not required to include a separate Cookie Policy, but should address cookies in a Privacy Policy
    • Companies that must comply with the GDPR must have a Cookies Consent Notice
    • Companies that must comply with the Cookie Directive must include a separate Cookies Policy from the Privacy Policy
  • Notifying users about cookies

    • Privacy Policy

      • Primarily U.S. companies include a clause in the Privacy Policy
    • Cookie Policy

      • Required by the EU's Cookie Directive and must be wholly separate from a Privacy Policy
    • Cookie Consent Notices

      • Notifications that pop up on first-time visits with brief description and consent button
Last updated on 23 June 2020