The Ultimate Guide to Writing a Cookie Policy

Whether you own a website or simply frequently visit them, you have most likely come across a variety of different cookie pop-ups as well as their related policies.

As a website owner, you may not even know or realize that your website uses cookies as they may have been placed by third-party services or systems that you are using (social media plug-ins, Google Analytics, or Google Ads, to name a few).

But what are cookies and why does everyone seem concerned about their use? Read on to learn more about cookie policies and why your website needs one.

Expert tip: Take the hassle of writing your own cookie policy away with our cookie policy generator. It will save you hours of work and possible costly legal mistakes.

What are Cookies?

Cookies are small text files filled with bits of information that are stored locally on a computer’s web browser. They allow for a better browsing experience as they store information about the website visitor, which can help create a more pleasant and personalized user experience.

For detailed information about cookies, read our article on the subject here.

What Type of Information is Stored by Cookies?

While that varies depending on the type of cookie and the website, cookies generally store information that can be used to keep track of a user’s activity on a specific website. Their preferences (language, location, currency), the pages visited, the time spent on a page, the items added to a shopping cart, etc.

The cookies generally do not store complete names and addresses, they are simply a combination of letters and numbers generated by the web browser and tracking the actions of a user on a website.

However, when combined with other readily available information, could lead to an individual being identifiable - this explains the heated debate surrounding the use of cookies, especially by third parties.

What are Cookies Used For?

Web cookies have various uses but their main purpose is to offer users a better browsing experience. They store information about a user, such as the primary language in which they browsed a website or the items that they viewed, in order to make relevant product suggestions and deliver targeted ads, for example.

Some permanent cookies can store log-in information, such as usernames and passwords, which is handy for the user but can become a security and privacy issue should someone get unauthorized access to a computer. However, as long as users know that cookies are being used, have consented, and clear their cache and cookies on a regular basis, there are more pros than cons.

There are various types of cookies that keep track of different information. Some are temporary and expire when the user leaves the website, these are called session cookies, others are more permanent, such as tracking or persistent cookies, and some are used by third-parties for marketing purposes, effectively allowing them to retarget people based on their interests and behaviors on the web, which is where privacy concerns can come into play.

Cookie policy document

A cookie policy is a document that provides detailed information to your website users in regards to your use of these text files and which addresses any privacy concerns. It should detail which cookies you are using and for what purpose (performance, advertising, functional, etc.), as well as mention if you are allowing third parties to install cookies on your website and link to their respective policies and opt-out pages.

While sometimes part of the privacy policy, which addresses general privacy concerns in regards to all data collected and processed on a website (through account creation, email lists, etc.), the cookie policy is often a separate document or section as it tends to be more technical and may need to be updated more frequently.

Not to mention that having a separate, standalone cookie policy should be considered essential if you have website visitors from or are located in the European Union in order to demonstrate compliance with their strict privacy laws.

If you are using cookies you need to have a cookie policy, as your website visitors have the right to know that you are collecting information about their activity on your page.

More importantly, you need to let them know exactly what information you are collecting about them so that they are aware and comfortable navigating your website. This is essential in order to build trust between you and your users and to establish a legitimate presence online.

Users should be able to choose what they wish to share about them on the Internet, as they can with the information that they share in person.

GDPR & Cookies

This is both a privacy issue as well as a legal requirement in some cases, as many countries require that websites that use cookies have a cookie policy in place. It is most famously required by the European Union (EU) under both the General Data Protection Regulations (GDPR) and the ePrivacy Directive - some of the strictest privacy laws in the world.

As a reminder, the GDPR applies to any website that has visitors from the European Union and thus processes their data, in other words, pretty much every website on the Internet.

European flag

Indeed, the GDPR considers that cookies that can be used for the purpose of identifying users fall under the definitions of “personal data” as “online identifiers”. This means that consent is required from the user unless the website processing user data has a “legitimate interest” in doing so.

In addition, the ePrivacy Directive, also known as the “EU Cookie Law”, confirms that explicit consent is required from users, which is why most websites now use a pop-up cookie consent banner that requires users to tick a box agreeing to the use of cookies before they can browse the website.

There are of course some exceptions for cookies that are considered “strictly necessary” to either transmit a communication or to provide the service requested by the user.

The definition of what is strictly necessary is up for debate, but logically includes any cookie that allows a user to use and navigate your website without a glitch. In the case of an e-commerce business, for example, cookies that allow the website to remember what items were added to a shopping cart in order to allow the customer to checkout seamlessly would be considered strictly necessary and thus would not require consent from the shopper.

To create a GDPR-compliant cookie banner for your website in just a few minutes and obtain valid consent from your users, use our free cookie consent banner plugin. This banner should link to a page on your website with your detailed cookie policy. And remember to store and document your users’ consent in order to remain GDPR-compliant.

Note that a few countries have adopted stricter or additional requirements in regards to cookies - you should always check local legislation to make sure that you are complying with applicable laws.

Your cookie policy should start by quickly explaining what cookies are and stating what first-party cookies your website is using. It should also mention if it uses third-party cookies (for marketing purposes, for example) - that is the case for most websites these days, as accumulating data on users is key for analytics and remarketing.

You should let your users know what information your cookies are storing about them, what you are doing with this information, how long and where this data is stored, and if you share it with any third parties.

Last but not least, you should let your users know that they can decide which cookies they allow, refuse all cookies or revoke their consent at any time while still being able to use your website, even though their experience may not be optimal.

It is good practice to link to external websites where your users can learn more about what cookies are, how they can be managed as well as the privacy challenges commonly associated with them.

Note that you must keep your cookie policy up to date to make sure that it remains compliant with the GDPR and other privacy laws worldwide. To create a cookie policy with global coverage for your website in a manner of minutes, use our handy attorney-drafted cookie policy generator.

To make sure that your website users know that you are using cookies and can make a sound decision before navigating your website, you should prominently disclose and give access to your cookie policy.

The best way to do that is by using a cookie consent banner that includes a link to your detailed policy. It's usually displayed as a popup somewhat in the footer or header of your website, for example:

Cookie consent banner

This cookie banner should require the user to confirm that they agree with your use of cookies and give them the option to decline or only accept essential cookies or provide a link to instructions on how to do that.

This will ensure that you are complying with the GDPR as you will have collected active and affirmative consent to the use of cookies from your users and given them the opportunity to read through your complete cookie policy so that they know exactly which information is collected about them.

You should also give your users easy access to your cookie policy by including a hyperlink in your menu or website footer, for example:

Cookie policy link in the footer

Click here for an article that contains examples of cookie banners and policies from some of the biggest online players as well as a template that you can customize and use on your website.

Final Words

While there are some legitimate privacy concerns surrounding the use of cookies, particularly by third parties and for analytical and remarketing purposes, they are essential as they allow websites to function optimally.

It is, however, important to have a strong and detailed cookie policy in place in order to be transparent with website users as well as to comply with ever-evolving global privacy laws, particularly the GDPR and the EU Cookie Law, which set the standards worldwide.

In this digital age, people are becoming more and more conscious about online privacy and it has become a frequent topic of discussion - as a website owner, you have responsibilities to uphold.