
How to create an effective cookie policy for your website

Information and choice about data privacy are among the fastest growing consumer demands. Consumers want transparency into and control of how their data is handled when visiting your website, and they are increasingly ready to do business elsewhere if their data privacy is disrespected.

Updated November 2, 2023.

Cookies are one of the most prevalent ways companies collect user data, and countries around the world have enacted laws that mandate how organizations collect user data through cookies, and how they communicate about it with users.

A website cookie policy is at the heart of compliance with most major data privacy laws. Some laws require opt-in consent by users before any personal data is collected, and others require opt-out options. Many regulations require your website to maintain an updated account of cookies and trackers in use, what the data they collect is used for, and with whom it may be shared. The information needs to be available to end users visiting your website. This is where a website cookie policy comes in.

A cookie policy is a document that provides a comprehensive list of the cookies and trackers used on a website, along with detailed information about each. The purpose of a website cookie policy is to help users understand how you store and process the personal data you collect via cookies.

Your website’s cookie policy must be kept up to date and should answer the following questions:

  • What types of cookies, and which specific cookies, are set?
  • What purpose(s) are the cookies used for?
  • What personal data do the cookies collect and process?
  • How long will the cookies stay on users’ browsers?
  • Who is the data shared with, or who has access to the data collected, including any third parties?
  • How can users set or change their cookie preferences?

Having a cookie policy for websites is a legal requirement under many global data privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

The difference between a privacy policy and a cookie policy is that a privacy policy includes, among other information, all the various ways your business may collect, process and store data from users, both online and offline. A cookie policy is specifically about the tracking technologies embedded on your website, which process personal data from end users.

That’s why websites often include a cookie policy in their privacy policy, as a section detailing one of the ways in which the business is processing data.

However, another major difference between the privacy policy and the cookie policy is the fact that your cookie policy may need to be updated more often, because cookies on your website are dynamic and often change upon repeated visits. It is also common to adopt new technologies or change the ones in use on sites.

Most major data privacy laws, including the GDPR, require you to have a cookie policy on your website if you use cookies to collect user data. Most websites do use cookies. Regulations can require that websites display a cookie banner, linking to the cookie policy, to visitors on their first visit to the website or app, or whenever updated consent must be obtained.

Your cookie policy can be a separate document, but this isn’t mandatory and it can be part of your privacy policy. If it’s included in the privacy policy, then the cookie banner must link to the specific section that outlines your cookie usage.

Why is a cookies policy important?

A cookies policy for websites is important because it shares detailed information with users about:

  • how your website collects, processes and shares their personal data
  • how users can change or withdraw cookie consent
  • what users’ rights or options are and how they can exercise them

A cookies privacy policy helps boost your compliance with global data protection laws and builds user trust, which is a growing priority for users worldwide. 79% of consumers say they’re more likely to trust a company with their information if the company clearly explains how it’ll be used.

A comprehensive cookie privacy policy, which shares detailed information about the different types of cookies used on your website, aids transparency, helping users understand their rights and options while enhancing your website’s credibility and legal standing.

What are the different types of cookies, and how does my website use them?

There are three different ways to classify cookies:

  • Session vs. Persistent
  • Essential vs. Non-essential
  • First-party vs. Third-party

Session cookies vs persistent cookies

Session cookies are temporary cookies that stay in a user’s browser during that particular session, e.g. a specific visit to a website. These cookies expire when the user leaves the website.

Persistent cookies don’t expire when a user leaves a website, but they do have an expiration date that can vary from days to months. Users can manually delete persistent cookies from their browser settings.

Essential cookies vs. Non-essential cookies

Essential cookies are necessary for a website to function. Cookies that remember your shopping cart items before you check out or keep you logged into your account for a particular session are examples of essential cookies. You don’t need prior consent to place essential cookies on a user’s device, but you must include them in your cookie privacy policy to comply with data privacy regulations.

Non-essential cookies are used for ancillary purposes such as marketing, statistics and setting user preferences.

  • Marketing cookies are used to track user behavior online in order to display more relevant or targeted ads. These cookies are generally classified as third-party cookies because they share information with advertisers and organizations not directly associated with the website that set the cookie on the user’s device. Third-party marketing cookies are also known as tracking cookies.
  • Statistics cookies, also known as analytics cookies or performance cookies, are used to track how users interact with a website, e.g. which pages they visit, how long they spend on the website, and which links they click on. Their purpose is to help the website owner improve the website’s performance over time. Cookies used to measure performance using Google Analytics are an example of statistics cookies.
  • Preference cookies are used to store user preferences on a website between browser sessions, such as their browser language, location or bookmarked items. Websites use preference cookies to customize the content and services for users, such as showing an online store in their local currency or items they might like based on saved items.

First-party cookies vs. third-party cookies

First-party cookies are stored on a user’s device by the website they are browsing. Session cookies are an example of first-party cookies.

Third-party cookies are stored on a user’s device by an organization other than the website owner. Marketing cookies are often third-party cookies.

A comprehensive cookie privacy policy requires the following:

  • Notice of cookie usage: A statement that your website uses cookies and an explanation of what a cookie is for users who may not be familiar with the term or function.
  • List of cookies: A regularly updated and detailed list of all the cookies your website uses, by name, with the following information outlined for each one:
    • Purpose of the cookie, such as storing a user’s currency preference, live chat preference or advertising pixel
    • Cookie type, i.e. essential, marketing, performance, or preference
    • Cookie provider or organization that is collecting data via this cookie
    • Cookie duration or when it expires
  • Consent options: An explanation of which cookies users can accept or decline, and how users can withdraw cookie consent they have previously given

1) Identify all cookies and trackers

The first step to writing a cookie policy is to make a list of all the cookies and trackers your website uses. This can run into tens or even hundreds of cookies. Also, a cookie policy must be updated each time your website adopts new cookies or tracking technologies. To simplify this process and ensure you’re not missing any cookies, you can use a consent management platform like Cookiebot CMP, which automatically scans and updates for new cookies at prescribed intervals.

2) Include the required cookie information

For each cookie, you need to include why you use it, the cookie type, cookie provider, and expiration date.

3) Share consent withdrawal options

Users have a right to change or withdraw consent at any time, and the cookies privacy policy should clearly state the process for them to do so.

4) Share company contact information

The cookie policy should share the website owner’s name, or that of the responsible party, and contact information, such as a mailing and/or email address.

5) Use simple language

Like the cookie text on your banner, your cookie policy must be easy for users to understand. This means it should be written so that anyone can understand it, even without legal or technical knowledge.
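Steps 1 and 2 can be partly automated from the HTTP traffic a scan observes. The following is an added example, not Cookiebot’s code or scanner: it parses captured Set-Cookie headers (the hosts, headers, `SITE_DOMAIN` and scan time are constructed assumptions), applies the session/persistent and first-/third-party distinctions from the sections above, and derives the duration column; the purpose category still has to be assigned by hand.

```python
# Added example (not Cookiebot's code or scanner): turn Set-Cookie headers seen while
# loading a site into the per-cookie rows a cookie policy lists. All data is constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.com"  # assumed registrable domain of the site being documented
OBSERVED_AT = datetime(2023, 11, 2, tzinfo=timezone.utc)  # constructed scan time

# Constructed capture: (host that sent the response, Set-Cookie header value)
OBSERVED = [
    ("shop.example.com", "sessionid=k3j2h; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "currency=EUR; Max-Age=2592000; Path=/"),
    ("shop.example.com", "_ga=GA1.2.1; Domain=.example.com; Expires=Sat, 01 Nov 2025 00:00:00 GMT"),
    ("ads.adnetwork.example", "IDE=AHWqT; Domain=.adnetwork.example; Max-Age=63072000; Secure"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {attribute: value}), attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs

def is_first_party(host, attrs):
    """First-party if the cookie domain (Domain attribute, else the setting host) is the site or a subdomain."""
    domain = attrs.get("domain", host).lstrip(".").lower()
    return domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)

def lifetime_days(attrs):
    """None for a session cookie; otherwise lifetime in days. Max-Age wins over Expires (RFC 6265)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - OBSERVED_AT).total_seconds() / 86400
    return None  # no expiry attribute: cleared when the browser session ends

def inventory(observed):
    """One policy row per observed cookie; the purpose column still needs a human to classify it."""
    rows = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs)
        rows.append({
            "name": name,
            "provider": attrs.get("domain", host).lstrip("."),
            "party": "first" if is_first_party(host, attrs) else "third",
            "type": "session" if days is None else "persistent",
            "duration": "session" if days is None else f"{days:.0f} days",
        })
    return rows

print(*inventory(OBSERVED), sep="\n")  # prints the four constructed rows
```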

Let’s take a look at Cookiebot’s cookie policy to see a published example of a cookie policy. It contains an overview of cookies and why we use them, shares a link for users to change their cookie consent directly from that page and lists the websites to which user consent applies. As the cookie policy is a separate document from the privacy policy, it also links to Cookiebot’s privacy policy, which contains the company’s contact information and other relevant data processing information.

The cookie policy page is also where users can learn their current consent state or cookie settings (“Deny” or “Allow”), consent ID and date and time the consent was recorded.

Finally, the cookie policy page lists the details of all cookies used on the website, per legal requirements.

This is one way to display a cookie policy page that fulfills all the requirements and shares detailed information with users. Here are a few other examples of cookie policy pages:

  • Canva’s cookies policy page goes into a lot of detail about technologies, including cookies, web beacons, pixels and software development kits, as well as their advertising partners. The company’s detailed cookie list is found on a separate page called ‘Manage Cookies’ and is linked from the cookies privacy policy page.
  • The Guardian’s cookie policy page contains all the required information plus a little extra. It explains the role advertising has played at the Guardian from its founding in 1821 until today.
  • Meta’s cookies policy page has several popup links, so it also includes a link to a printable version of the cookies policy and a link to previous versions.

Cookiebot CMP is a leading solution in the data privacy and consent management market, providing transparency and control to end users when it comes to cookies on your website.

After signing up to Cookiebot CMP, your website will be scanned automatically at regular or prescribed intervals. All cookies will be detected and controlled according to the specific data privacy requirements in your end-users’ locations. You could be required to obtain opt-in consent in Europe, offer an opt-out in California, or meet different requirements under global data privacy laws like Brazil’s LGPD, South Africa’s POPIA and many others.

Cookiebot CMP also generates an automatic cookie policy for your website that is fully comprehensive, providing end users with transparency and control. Simply install it in your privacy policy or as a standalone subpage that is easy for users to find, enabling data privacy compliance and building trust with customers at the same time.

Cookiebot CMP is a plug-and-play consent management platform built around unrivaled scanning technology that finds more cookies than competitors, and is used by websites and organizations of all types and sizes. It enables full data privacy and cookie compliance for your website with major global data privacy laws.

Sign up now and have Cookiebot CMP up and running on your website in minutes.


Here’s a quick guide on how to set up your website’s cookie policy to be complete and compliant.

This is not legal guidance, but rather a quick overview of the most common requirements for your website, which you can automate by signing up to Cookiebot CMP, bringing industry-leading scanning technology to your domain with just a few lines of JavaScript.

1) What your website’s cookie policy should contain

Your website’s cookie policy must contain the following information:

  • the different types and categories of cookies in use
  • the duration of each cookie and tracker (how long they remain active on end-user browsers)
  • the categories of personal data/information that each cookie collects and processes
  • the purpose of each cookie (whether it’s for necessary functionality, statistics, marketing, etc.)
  • the third parties with which each cookie shares personal data
  • the countries/regions that each cookie sends personal data to
  • information about how end users can accept or reject cookies, and how they can check and change their consent status

Cookies and trackers are fundamental to the make-up of most modern websites. They help your domain with its most basic functions, enable statistics and analytics about its performance and make advertisements and social media outreach possible.

Cookies come in four categories:

  • Necessary cookies
  • Preference cookies
  • Statistics cookies
  • Marketing cookies

Necessary cookies are usually benign and exempt from data privacy requirements, while marketing cookies often process personal data from your end users and share it with third parties, which could be anywhere in the world. This requires consent under the EU’s GDPR and opt-out options under California’s CCPA.

However, all cookies must be documented clearly in your website’s cookie policy, regardless of type and category.

2) How to update your website’s cookie policy

Your cookie policy must always be up to date. Since cookies and trackers are dynamic, meaning that they often change upon repeated visits by users, you need to scan your website regularly to detect any new cookies and trackers that might have changed since the last time you published the cookie policy on your website.

Making sure that your cookie policy is always up to date by listing the exact tracking technologies in operation on your domain is a legal requirement that can be difficult to achieve.

72% of cookies on websites are loaded “behind the scenes” by other third-party cookies. 

18% of cookies on websites are “trojan horses”, i.e. cookies that hide within other cookies—as deep as within eight other cookies—loading each other without your immediate knowledge.

50% of trojan horses will change on repeated user visits to your website.

(Source: Beyond the Front Page, a 2020 research paper on website cookies.)

Using Cookiebot CMP as your website’s compliance solution and cookie policy tool means that you can find 68% more cookies than with competitors’ cookie scanners.

Once your website’s cookie policy is complete and up to date, users must be able to easily find it. You can choose to feature it on its own subpage or integrate it as part of the broader privacy policy of your website.

3) Regional cookie policy requirements for your website

Though most cookie policy requirements are the same across many major data privacy laws, some obligations remain specific to countries and regions in the world.

For the EU’s GDPR, this includes informing end users about where and how they can make consent choices for all the non-necessary cookies in use on your domain.

If you have users from inside the EU, you are legally required to first obtain their explicit consent before you activate any cookies that process personal data, except the cookies that are strictly necessary for the basic function of your website.

This is usually done through a cookie banner that presents end users with a clear overview of all cookies in use on your website and provides them with an easy choice of saying yes or no, either to all cookies in use, or at a more granular level.

California’s CCPA/CPRA data privacy requirements include informing your end users about where on your website they can opt out of having their personal information—collected via cookies and trackers—shared with or sold to third parties. If you have users from California, you might be legally required to have a link on your website displaying: “Do Not Share Or Sell My Personal Information” through which visitors can opt out of having their personal information sold to third parties.

FAQs

What is the purpose of cookies?

The purpose of cookies is to create a better user experience on websites and assist website owners in analyzing user activity to make improvements. Cookies remember user preferences like language and previously viewed items, making it easier for visitors to pick up where they left off. For website owners, they offer insights into how people use the site, which can be used to make targeted improvements and updates.
