Cookies are an essential component of a website. They improve the users’ experience, and they collect data about a user's behavior on the site. This information can then provide better content, personalized ads, and more. All this may sound great, but it quickly becomes problematic under most data protection laws.
In some jurisdictions, you’ll need to provide users with a means of opting out of cookie usage. In others, they need to opt-in before you can load any non-essential cookies. And in most situations, you need proof of consent. Moreover, these laws require you to inform your users about what data you collect from them, how you use it, and what rights they have over their data. That’s why a cookie policy is a vital part of compliance. So let’s take a closer look at what cookie policies are, who needs to have one, and more.
In short, a cookie policy is a document containing a list of all the cookies used on a website, along with detailed information about each. It also helps users understand how their data is used, how long the cookies will remain on their device, and more.
A cookie policy isn’t the same as a privacy policy. Your privacy policy includes information about all the data you collect, process, store, or transfer. A cookie policy looks strictly at the cookies that track user data.
Many websites choose to include their cookie policy in their privacy policy. While that’s not wrong, it can be confusing and create problems down the line. For instance, cookie policies are explicitly required by the EU ePrivacy Directive and the GDPR, and while they can be integrated into your privacy policy, it’s safer to have an explicit, separate document you can point to.
A cookie policy is also not the same thing as a cookie banner, which you may have seen on websites as a popup that asks whether you agree to the use of cookies or not. However, these two go hand in hand. The cookie policy gives all the details about what cookies you use, why you use them, and how. The banner is how you collect consent and is often a feature of your consent management platform.
Studies estimate that by 2023, 75% of the world will be covered by a data protection regulation. And while browser support for third-party cookies may be going away, cookies as a whole will remain an important method for collecting users' data — and therefore will continue to be regulated by these data protection laws.
Many laws, starting with the General Data Protection Regulation (GDPR) also require transparency when it comes to data processing activities. Plus, users themselves prefer businesses that are transparent about these practices, and they value companies that put an emphasis on data privacy.
What better way to tell your users about the data you process through cookies than a cookie policy?
Does your website use cookies? Then yes, you need a policy.
The GDPR is, to date, the most restrictive data protection law. Recital 30 talks specifically about online identifiers like cookies, making it clear they’re seen as a means of data collection.
Other laws, such as the California Privacy Rights Act (CPRA) or Brazil’s Data Protection Law (LGPD), were inspired by the GDPR. While their requirements might differ slightly—the CPRA, for instance, allows you to load cookies automatically, but users must be able to opt out—the idea remains the same. A cookie policy is a must for compliance.
Cookies can be an incredibly useful source of actionable information for businesses. They’re not all bad. Some are essential—without them, your website can’t function properly. Strictly necessary cookies are exempt from the consent requirements of these laws and can load with or without the user’s consent.
The other categories of cookies—analytics, marketing (also known as advertising or targeting), and functionality (also known as personalization)—are more complicated and require informed consent. The cookie policy is there to provide users with information on what these cookies do.
A good place to start is by conducting a data protection impact assessment (DPIA), which is recommended under many laws, such as the GDPR. This risk assessment audit can help you identify, analyze, and minimize the privacy risks that come with collecting, processing, using, storing, and sharing user data. DPIAs are mandatory under certain conditions, which your use of cookies may or may not meet, but it’s still a good idea to conduct one to get a sense of the risks posed by collecting and processing consumer information and to identify ways to minimize those risks.
Here are some things your policy should touch on:
The policy should also be available in all the languages in which a service is provided. For instance, if you have a multilingual website, you will need to translate the cookie policy into all those languages.
Cookies aren’t exactly static. Providers may change the types of cookies they set, or the names of those cookies. Other teams with website access at your organization may implement a solution that uses cookies without letting your compliance or legal team know. Modern business websites change frequently, so it is easy to lose track of what sorts of cookies you’ve deployed.
To keep your policy up to date, you’ll need to perform regular scans of your site to catalog the cookies in use on it and what functions they perform. CMPs have the benefit of both managing cookie consent on your site and scanning and categorizing the cookies you use. After all, you can’t block or permit cookies based on user consent if you don’t know what cookies are on your site and what they’re doing.
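A minimal version of that scan-and-compare step, added here as an example and not Osano's own tooling: it parses captured Set-Cookie headers into the name, source and expiry records a policy lists, then reports which cookies the published policy has missed, which entries are stale, and which lifetimes no longer match. The hostnames, cookie names and policy table are constructed.

```python
# Added example (not Osano's code): inventory cookies from captured Set-Cookie
# headers and diff them against the published policy. All data is constructed.
from collections import namedtuple
# source = Domain attribute (or the host that set it); lifetime = "session", "N days" or "until <date>"
CookieRecord = namedtuple("CookieRecord", "name source lifetime")

def parse_set_cookie(header: str, host: str) -> CookieRecord:
    """Turn one Set-Cookie header value into a policy-style record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    source = attrs.get("domain", host).lstrip(".")
    if "max-age" in attrs:                 # Max-Age takes precedence over Expires
        lifetime = f"{int(attrs['max-age']) // 86400} days"
    elif "expires" in attrs:
        lifetime = "until " + attrs["expires"]
    else:
        lifetime = "session"               # no expiry: discarded when the browser closes
    return CookieRecord(name, source, lifetime)

def build_inventory(responses):
    """responses: list of (host, [Set-Cookie values]) pairs captured during a site scan."""
    found = {}
    for host, headers in responses:
        for header in headers:
            record = parse_set_cookie(header, host)
            found[record.name] = record
    return found

def policy_drift(found, declared):
    """Return (undeclared cookie names, stale policy entries, lifetime mismatches)."""
    undeclared = sorted(set(found) - set(declared))
    stale = sorted(set(declared) - set(found))
    changed = sorted(n for n in found if n in declared and found[n].lifetime != declared[n])
    return undeclared, stale, changed

# Constructed scan: first-party responses plus one third-party request made by the page.
SCAN = [
    ("www.example.com", ["session_id=abc123; Path=/; Secure; HttpOnly",
                         "consent_prefs=granted; Max-Age=31536000; Path=/",
                         "_ana_uid=u-42; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"]),
    ("ads.partner-example.net", ["ad_id=xyz; Domain=.partner-example.net; Max-Age=7776000"]),
]
# Constructed excerpt of the published policy: cookie name -> declared lifetime.
DECLARED_POLICY = {"session_id": "session", "consent_prefs": "180 days", "old_tracker": "30 days"}
SITE_INVENTORY = build_inventory(SCAN)
```

Running `policy_drift(SITE_INVENTORY, DECLARED_POLICY)` on this data flags the two undeclared cookies, the stale `old_tracker` entry, and the `consent_prefs` lifetime that drifted from the declared value.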
Now that we know all about what a cookie policy is and why you need it, let’s take a look at an example.
Osano’s cookie policy begins with information on how cookies are used. It continues with ways to disable cookies and then details the different types of cookies used on Osano’s website. Finally, it lists each cookie file, along with its source, purpose, and expiration date.
This is, more or less, what your cookie policy should contain. You may choose a slightly different structure. For instance, some prefer to list the cookie files before explaining what each type of cookie does. What matters is to make sure your policy contains all the necessary information and is easy to read even for less experienced users. But even with an existing cookie policy to base your own on, it can feel challenging to craft a compliant policy from scratch. That’s why Osano CMP comes with a cookie policy template and other legal documents that you can fill in and tailor to your own business.
Whether a regulation specifically mentions your cookie policy or not, all data privacy laws feature some language around the importance of disclosing the right information to your users.
You need to inform users of what cookies you use, their purposes, sources, and expiration date. You also need to gather their consent and keep a record of it. Because cookies aren’t static, your cookie policy will need to be updated regularly.
Remember that a cookie policy is not the same as a privacy policy. You may choose to merge them together, but you can’t skip either of them.
If you’re looking for help with your cookie policy or your CMP, Osano can help. We offer templates as well as a comprehensive consent management solution that will help you become compliant with all applicable data protection laws.