Sample Cookies Policy Template

If your company uses cookies or other forms of files to collect and store user information, you should (and in some cases may need to) include a Cookies Policy on your site.

Cookies are small files that are sent from websites to users' computers and store the user's information to optimize a company's site, make visiting the site again easier, and send ads. Since cookies are a form of collecting personal data, both the U.S. and the EU have created laws that require some type of disclosure of the use of cookies.

If you do not include a notification to users of your policy, it could open your company up to liability in the future.

This article will explain what a Cookies Policy is, when it's required, and how you can create and display your own.

What is a Cookies Policy?

A Cookies Policy is a disclosure of the following information:

  • What cookies are used by the company
  • How those cookies are used to collect the private information of visitors
  • How the user can control the disclosure of information and use of the cookies for collection

A Cookies Policy allows the company to be fully open with its users and creates transparency about the collection of private information.

You may be more familiar with a Privacy Policy than you are with a Cookies Policy. A Privacy Policy is required by the United States Federal Trade Commission (FTC) and is a full disclosure of the practices of collecting, holding, and disclosing personal information.

Depending on where your company is based and who your audience is, your company can include a Cookies Policy or cookies clause in your general Privacy Policy, or you may need to separate these policies.

Do You Legally Need a Cookies Policy?

It all depends on where your audience is located. The U.S. and the European Union (EU) have different requirements about the inclusion of a Cookies Policy.

Figuring out exactly which laws apply to you is extremely important in deciding how you display your Cookies Policy.

United States

In the U.S., the FTC is the legal body that protects the private information of individuals online. Under FTC law, U.S. companies, and EU companies that have U.S. users, are required to have a Privacy Policy clearly stating:

  • What information is being collected and how it is stored
  • How the data is used
  • Who data is disclosed to
  • How you can adjust disclosure of your information

Cookies would fall under all of these disclosure statements and be included in the Privacy Policy.

However, the U.S. does not require a separate Cookies Policy. Generally, U.S. companies include a cookies section in their overall Privacy Policy, unlike EU laws which require a separate policy.

An example of this can be seen in Target's Privacy Policy. Target does not have any stores in the EU and does not ship to residents outside of the US, meaning it is not required to include a separate Cookies Policy.

Its cookies disclosure is a distinct clause in its general Privacy Policy rather than a wholly separate policy:

Target Privacy Policy: Automated Collection cookie clause

European Union

Companies that do business in the EU or have EU customers are required by law to include a Cookies Policy that is separate from their general Privacy Policy.

The EU Cookie Law, or the ePrivacy Directive, was put in place in 2011 to control how personal information is collected and processed. Additionally, the GDPR (General Data Protection Regulation) requires that users must consent to the use of the cookies before they're used.

Your Cookies Policy will need to disclose to users:

  • How the company uses cookies
  • What cookies are used
  • How your users can accept or reject the use of the cookies

However, EU companies are not alone in falling under this rule. U.S. companies that have EU customers must also include a separate Cookies Policy that is available to users.

What Should be Included in Your Cookies Policy?

While each company will need to create its own unique Cookies Policy based on business practices, there are some basics that must be included in every policy. Additionally, each of these basic requirements must be clear and in plain language.

You must include:

  • A definition of cookies
  • What cookies you use
  • What you use the cookies for
  • How users can opt out or adjust settings

Let's take a look at each of these sections with examples.

Definition of Cookies

Not everyone is well-versed in digital lingo. It is important to use plain language and to clearly state what cookies are so that any of your users can understand them and freely consent to or reject their use.

Long-winded legalese and roundabout explanations are no longer acceptable for legal policies.

Another way to help users learn what cookies are is to include bold links that take them to this separate clause.

The BBC uses an easy outline with links to take the users to exact clauses relating to cookies. It also gives a clear and simple statement as to what cookies are:

BBC Cookie and Browser Settings: What do I need to know about cookies

This type of format makes it really easy for a reader to navigate and find out specific information in an easy way.

What Cookies You Use

There are multiple types of cookies that a company can use to collect personal information, including session, persistent, and secure cookies, among others. Companies must clearly denote what types of cookies are used in a simple but informative way.

The use of tables, bold titles, or a defined outline will help clearly inform your users and comply with the privacy laws.

Apple is a good example of how to simply and easily describe the use of cookies. Apple is a global company and is required to follow the EU Cookie Law.

Included in its Cookies Policy, Apple clearly lays out the three types of cookies it uses to collect information and how the information collected is used by the company:

Apple Privacy: Use of Cookies - Categories

This format makes it really easy for readers to understand that multiple types of cookies are used and see exactly what each type does. This information is important so that users can adjust settings or opt in and out of different cookies with knowledge and awareness.

What You Use the Cookies For

One of the most important pieces of your Cookies Policy is including what your cookies are used for and how you use the information that is stored and collected from the cookies.

Transparency in policy statements is important both under the FTC and the EU laws. Clearly informing customers of how you handle their personal information will protect you later on if any future issues arise.

Additionally, if your company allows third parties, such as Google Analytics, to have access to your users' information, that must also be disclosed. Third parties use the data as a way to:

  • Advertise
  • Research search history
  • Analyze the dynamics of a website

LinkedIn includes a simple table that states, in plain language, why the cookies are used and how the cookies affect those uses:

LinkedIn Cookie Policy: What are Cookies Used For chart excerpt

Again, this breakdown and format make it easy for readers to understand the different categories of cookies being used, and what each is used for.

How Users can Opt Out or Adjust Settings

Another important clause to include in your Cookies Policy is how users can accept, reject, or adjust their cookies settings.

One of the most important changes in the GDPR is that implied consent is no longer accepted. Users must give express consent when it comes to accepting the use of cookies.

Additionally, companies need to provide accessible links to their settings and tips for how users can change them.

The travel booking website Priceline includes its own cookie section with tips for how you can accept or reject cookies and how you can opt out of specific types of cookies the company uses:

Priceline Privacy and Cookies Policy: Controlling Cookies clause

Note how multiple links are provided for different opt-out resources, getting further information and adjusting settings.

Where to Display Your Cookies Policy

While neither the FTC nor the EU states exactly where you should include links to your Cookies Policy, they both state that links must be clear and easily accessible.

Three common places you should display a link to your Cookies Policy are:

  • In a cookies notice when asking for consent
  • Your website's footer
  • Your mobile app's Legal/About menu

One of the best ways to display your Cookies Policy is in consent notices. Consent notices are usually included in sign-up forms or pop-up banners that appear when a user visits the site for the first time.

These notices normally include a brief description of cookies and how the company uses them. They also typically include links to the company's general Cookies Policy or Privacy Policy for further information.

Coca-Cola UK includes a pop-up banner at the bottom of its website that has a short summary of the use of cookies, third party partners, and links for further information. An "Accept Cookies" consent button is also included for visitors to expressly accept the use of cookies:

Coca-Cola UK Cookie Consent banner notice

Later in this article we'll help you create your own consent solution with our free and easy-to-use Cookie Consent generator.

The most common place to include a link to your Cookies Policy is in your website footer. Most people know to scroll to the bottom to find the link and expect a link to be included there.

The link to your Cookies Policy, or general Privacy Policy if you are a US-only company, should be clear and stand out to the user.

A prime example of clearly displaying a link to your Cookies Policy can be found in Amazon UK's footer. The white lettering stands out from the black background, drawing attention to the links:

Amazon UK website footer with links

The French retail and grocery company Carrefour includes a link to its Cookies Policy that is separate from its overall "Legal Information" link in the footer of the website:

Carrefour website footer with links

The App Legal or About Menu is an ideal place to include a link to your Privacy Policy or Cookies Policy if your website has a long landing page.

If a user has to continually scroll down the page to get to the footer, such as on a news outlet or a media source, including a dropdown menu with a link to your policy under your About section makes accessing your policy easy.

BuzzFeed has a very long landing page that keeps loading additional stories as you scroll down, without ever reaching the footer of the page. To counteract that, it has included a dropdown menu on the side that allows you to access links to statements and policies:

BuzzFeed About menu with legal links highlighted

Feel free to link your Cookies Policy anywhere else where you think your users might need or want to know about your cookie practices. The more informed your users are, the better.

How to Get Consent for Your Cookies Policy

Consent is one of the top requirements of both the FTC and the GDPR. The best approach is to use a checkbox to request consent. Pre-checked boxes or pre-filled forms are no longer acceptable.

Express consent needs to be given by the users.

Pop-ups or banners are one of the best ways to get consent from users. Pop-ups appear within seconds of users accessing a website for the first time and notify users of the use of cookies.

The banners typically include a short description of the cookies being used on the site with links for further information to the policies. There needs to be enough information on the banner to inform the user and provide additional avenues for them to reject or research more.

eBay UK includes a bold blue pop-up to alert the user about the disclaimer and provides an accept button and additional links for adjusting settings on the cookies.

eBay UK Cookie Consent banner notice

These pop-ups or banners need to include checkboxes or "I Accept" buttons that allow users to easily accept or reject the use of cookies. In addition to the buttons, a link to the Cookies Policy should be included.

Under Armour UK displays a pop-up notice to users as soon as they arrive on the landing page. The notice includes a button for accepting and proceeding to the website along with a link to where to find out more information:

Under Armour UK Cookie Consent notice

If you are creating your Cookies Policy or are unsure of how to go about it, answering these simple questions will help you create a law-abiding policy:

  • Do you legally need a Cookies Policy?
    • The United States doesn't require a separate policy, but cookie disclosures must be included in the Privacy Policy
    • The European Union requires a separate policy from the general Privacy Policy
  • What should be included in your Cookies Policy?
    • Definition of cookies
    • What cookies are used
    • What you use the cookies for
    • How users can opt out or adjust settings
  • Where to display your Policy?
    • In a cookie notice when asking for consent
    • Pop-up or banner
    • App Legal/About Menu
  • How to get agreement for Cookies Policy/Consent to place cookies
    • Through pop-ups on first time visits to site
    • Use of "I Accept" buttons