Separate Cookies Policy from Privacy Policy

Your website might need a separate Cookies Policy and Privacy Policy depending on your target audience and the privacy laws affecting your business.

Some website owners combine a Cookies Policy with a Privacy Policy. In many instances, this is OK. However, you're better off separating them if your website attracts residents of the EU or might in the future.

What's the difference between a Cookies Policy and a Privacy Policy? Why does the EU want them separated? What are the implications for your business? Let's dive in for answers.

What Are Cookies?

A cookie is a small text file that a website or app sends to a user's device. This text file collects information about user actions on your site.

Cookies store helpful information to enhance users' experiences with your site, and possibly to improve your ability to reconnect with them later.

Information collected by cookies can include the user's preferred language, device settings, browsing activities and other useful information.

Websites like Google use cookies to make ads more relevant to their users. They also track analytics such as counting the number of visitors to a page, locations of visitors, search preferences and so on.

Use of Cookies

Cookies generally are used to perform one or all of the following:

  • Authentication: Cookies help websites determine if a user is logged in, and then deliver the right experience and features to that unique user.
  • Security: Cookies help impose security measures on a website. They also help detect unusual and suspicious activities.
  • Advertising: Cookies deliver a better advertising experience for both users and advertisers. Cookies help connect advertisers to users who are most interested in their products based on the user's browsing history.
  • Performance: Cookies help your website learn how services work for different people and how to route traffic between servers.
  • Analytics and Research: Websites and apps use cookies to learn which of their services are most used. This helps determine what to improve, what to remove and what to leave the same.

Some cookies can gather data across several websites in order to create user behavior profiles. These profiles are then used to send targeted content and advertisements to users.

While this is a useful development, it also raises the issue of invasion of privacy. Privacy laws seek to address these concerns and this is why a Cookies Policy is necessary.

What is a Privacy Policy?

A Privacy Policy is a legal document that explains the different ways you collect and manage a user's personal data. It is one of the most important legal documents for your website.

Not only are you legally required to post a Privacy Policy to your website, you also are required to follow it. Failure to uphold your website's Privacy Policy and comply with applicable privacy laws can lead to fines and penalties.

A Privacy Policy is an excellent tool to build a relationship with your website users. It helps your users know what to expect and to understand how you protect their privacy.

Let's consider the building blocks of a Privacy Policy.

What personal information will you collect from users?

Personal information is data that has the potential to identify an individual. This can include data such as an email address, first or last names, date of birth, mailing address, family information, personal interests and so on.

Budweiser includes the following clause in its Privacy Policy to let users know what information they can expect to have collected:

Budweiser Privacy Policy: Information We Collect clause excerpt

Why do you need to collect the personal information?

You need to explain why you collect personal information.

Examples might include:

  • Are you collecting personal data to email information about future offers and new services?
  • Is your goal to help improve your products and services?
  • Will the data help you provide a better or more personalized experience?

Airbnb's Privacy Policy states it may use the information it collects to improve its platform and the user experience:

Airbnb Privacy Policy: How We Use Information clause - improve and develop platform section

Note that this is just one section of this clause, so check out the full Privacy Policy to see how the rest of this clause is presented.

Will you be sharing the collected personal information with any third parties?

If you share personal data with third parties such as Google Analytics, advertising platforms or others, you must disclose this.

Here's how Instagram discloses this information in its Data Policy:

Instagram Data Policy: Sharing with Third-party Partners clause excerpt

Many third-party services also require this disclosure in some cases, so check their requirements.

What is a Cookies Policy?

A Cookies Policy is a policy explaining detailed and specific information about the cookies your website uses. The policy should explain the use of cookies and how a user can limit or prevent the placement of cookies on a device.

Your Cookies Policy can be a standalone page on your website or it can be integrated with your Privacy Policy.

EU Law on Cookies Policies

In May 2011, the European Union adopted the Cookies Directive as part of its drive to improve online privacy for EU citizens. The directive affects all websites based in the EU or targeting users in the EU.

The European Commission provides this definition of cookies in its EU Internet Handbook section about cookies.

EU Commission's definition of cookies

The Cookies Directive requires websites to alert users to the presence of cookies and explain the kinds of cookies being used. Users must be able to refuse or accept cookie placement on their devices.

Websites often use pop-up boxes or obvious banners to alert users to the use of cookies.

Lloyd's of London uses a homepage banner to notify its users that cookies are used:

Lloyd's of London cookies notice banner

At the bottom of the page, we also see links to the Privacy & Cookies Policy.

Lloyd's of London website footer showing Privacy and Cookies link

Having a separate Cookies Policy is not as strong a mandate outside the EU. However, US-based websites targeting EU customers must follow the Cookies Directive.

At minimum, your website should have a Privacy Policy with a dedicated section dealing with cookies.

Amazon's approach helps illustrate the differences between US and European Cookies Policies. Let's look at their US and UK websites.

The UK version has both a Privacy Notice page and a Cookies Notice page.

Amazon UK website footer with links

When you click on the Cookies Notice link in Amazon UK's footer, you're taken to a separate page that has information on cookies:

Amazon UK: Help and Customer Service - excerpt of Cookies section

This is different from the US version which has only a Privacy Policy page, and no separate cookies information linked:

Amazon US homepage showing link to Privacy Policy

The cookies clause is part of the Privacy Policy in the US version:

Amazon Privacy Notice: What About Cookies clause

Creating a Cookies Policy

Your website will need a Cookies Policy, either as a standalone page or as part of your Privacy Policy page. It should contain the following 5 elements:

1. A notification that you have cookies on your website

It is necessary to inform your users that your website uses cookies. This should be the first thing mentioned in your Cookies Policy, and can also be accomplished by a notification banner or pop-up, which we'll discuss shortly.

2. An explanation of what cookies are

Explain to users in the simplest terms what a cookie is and how it works. Most users have no idea what a cookie is or how your website might be using cookies to collect personal data.

Give a brief description and consider including a link to an informative resource for further reading.

The law requires you to make a concerted effort to educate the public about cookies.

3. What kinds of cookies do you use?

There are many different types of cookies:

  • First Party Cookies: These are cookies collected by your website or app. These cookies are only used by your site or app when the user visits.
  • Third Party Cookies: These cookies are used to share information with third parties such as advertisers or social media platforms.
  • Session Cookies: These cookies remain active on your user's browser until the browser is closed.
  • Persistent Cookies: A user's browser stores these cookies for a specific amount of time before the cookies expire. These are used to perform functions such as keeping a user logged in or for web analytics purposes.
  • Secure or HTTP-only Cookies: These cookies help prevent malicious cross-site attacks.

4. The reasons you need to use cookies

Describe why your website needs to use cookies. Be transparent and comprehensive in disclosing how the cookies benefit you and your website's users.

You should also inform your users when your website uses cookies for services like social media sharing, personalized ads and analytics.

Additionally, it is wise to inform your users of whether disabling cookies will cause any form of malfunction or reduced user experience.

5. How users can opt out of cookies placed on their devices

Inform your users how they can disable or block cookies. Provide simple instructions, such as how they can go to the 'Settings' section of their browser to accept or reject some or all cookies requested by your website.

Priceline provides multiple options for this in a "Controlling Cookies" clause:

Priceline Privacy and Cookies Policy: Controlling Cookies clause

Examples From Cookies Policies

Below is an example of the intro to a Cookies Policy, from LinkedIn.

Screenshot of LinkedIn's Cookie Policy intro

Note that right at the beginning, LinkedIn informs the user that the site uses cookies, and then goes on to explain what a cookie is.

LinkedIn continues with an explanation of the types of cookies it uses and why:

LinkedIn Cookies Policy: What are Cookies Used For clause

Instagram provides another solid example. In its Cookies Policy, it explains how long cookies will stay on the devices of its users, and the difference between first and third party cookies.

Instagram Cookies Policy: About Cookies clauses

Facebook's Cookies Policy is a good example of making a Cookies Policy visually appealing and easy to read:

Facebook Policies - Cookies: Cookies and Other Storage Technologies clause

LinkedIn does a great job of explaining how users can block cookie placement on devices:

LinkedIn Cookies Policy: How to block or remove cookies clause

LinkedIn also provides links to helpful resources for further information about cookies and user controls:

LinkedIn Cookies Policy: Other Helpful Resources links list

Preparing your Cookies Policy

Now that you know what a Cookies Policy looks like and should contain, what do you need to do to write your own?

  1. Find out what cookies your website uses

    You cannot copy another website's Cookies Policy, as your use of cookies may be different. Be sure you know what cookies your website uses and what each cookie does. It is vital that the explanations you give in your policy are both accurate and truthful.

    You also must familiarize yourself with the Cookies Policies of all third parties that may be using cookies on your website. Advertisers, web analytics services and others will impact your Cookies Policy.

  2. Keep your policy short and simple

    Your Cookies Policy should provide all essential information your users will need to know, but it should be as short as possible. Stick to the facts and avoid fluff.

    Make your Policy easy to understand. Avoid using legalese or terms that will confuse your users.

  3. Be aware of applicable laws

    Different laws apply to different places. As explained above, there are different laws for businesses/websites working out of the US and those in the European Union.

    Get to know the laws applicable to your website before writing your policy.

    If your website is based in the US but will have customers and users in the EU, you must abide by the EU laws. Mobile apps also must comply.

Displaying Your Cookies Policy

After writing your Cookies Policy, determine where to display it on your site or app. Making your Cookies Policy easy to find is as important as making it easy to understand.

Make it visible.

Place a link to your Cookies Policy in a place where users will find it with ease. The policy should be accessible from every page on your website. The footer of your website is a common place to link to your Cookies Policy.

Here's how The Hershey Company provides a footer link to its Cookies Policy, as well as links to other important policies. This makes it very easy for someone to find the Cookies Policy and other related information.

Hershey's website footer links

Don't conceal your Cookies Policy in the middle of long legal documents or other long, fine-print documents.

It's also a good idea to place a prominent banner on your homepage to announce and explain your use of cookies. You must include the option to accept or reject the placement of cookies.

Barclay's Cookies Notice Banner

Alternatively, you can use pop-ups to disclose your Cookies Policy.

Your Cookies Policy is essential to building trust with your users and is necessary to comply with privacy laws.

  • Keep your Cookies Policy on a separate page from your Privacy Policy if your website will target users from the EU.
  • Make your Cookies Policy obvious and easy to find.
  • Make it easy to understand.
  • Do your best to educate, inform and assist your users in understanding your use of cookies and their rights to block or remove them.