If you want to know what a cookie policy should contain, we’ve set out below the key information that should be included.
You must provide clear and comprehensive information to individuals about your use of cookies, and get their consent before you set any non-essential cookies. Non-essential cookies are those that are not strictly necessary in order for your website to function properly. You can find out more about different types of cookies in this blog. Bear in mind that these rules around using cookies also apply to ‘similar technologies’ to cookies, such as web beacons, pixels and plugins.
It’s common to set out information about your use of cookies in the same mechanism you use to get consent (eg your cookie banner or pop-up window). This should then contain a link through to your full cookie policy where more detailed and comprehensive information can be found.
For more guidance about when to provide information about your use of cookies, see this blog.
Contents
Your cookie policy should include the following key information:
- what cookies you set on your website;
- what those cookies are used for;
- whether you share information obtained through your cookie use with third parties; and
- how individuals can withdraw their consent to your use of non-essential cookies, and whether there are any consequences of them doing so (eg if withdrawing consent to a particular cookie will affect the way your website works).
The information should be provided in plain language and you should steer clear of overly complex terminology. The ICO has advised that if you decide to include detailed lists of all of the cookies you use on your site, it may also help to provide a high-level summary about the different types of cookies used and how they operate.
Use our template to create a cookie policy that is written in a style and format that your users can easily digest.
Bear in mind that if your use of cookies also involves you processing your website users’ personal data (eg because a cookie ID can be used to identify them, either directly or when used in combination with other information), you must also comply with data protection law. This includes providing a privacy policy explaining how you use their data. See this blog on privacy policies for further guidance.
How to get consent
To get consent from your website users, you must require them to take a positive action. The user continuing to use your website will not amount to valid consent, nor generally will ‘cookie walls’ which essentially block access to your site until users agree to your use of cookies. The most common way of requesting consent is to have a banner or pop-up window on the site, alongside some form of button to acknowledge the policy.
Pre-ticked boxes or ‘on’ sliders are not compliant with the consent requirements.
Your banner notice or pop-up window must also (before you request consent) include information about your use of cookies, including their purpose and duration. This will typically link through to your cookie policy for more comprehensive information (see above).
Remember that you do not need to get the consent of users if the cookies you are using are strictly necessary in order for you to provide a service that they have requested. However, even in these cases, the ICO recommends that you still provide clear information to your website users about your use of all cookies.
When to get consent
You must get the consent to your use of cookies straight away and before you set any non-essential cookies. This means that the mechanism you use to get consent (eg your banner or pop-up window) must be in a clear and prominent place when your users first visit your website. It’s also important that it does not emphasise options to ‘agree’ or ‘allow’ non-essential cookies over options to ‘reject’ or ‘block’ them.
Renewing consent
Bear in mind that there may be circumstances in which you will need your website users to provide new consent to cookies (eg if you are setting new non-essential cookies, which their previous consent did not cover).
You must also ensure that your cookie policy is updated if your use of cookies changes.
Managing consent
You should ensure that users have an easy way to enable or disable non-essential cookies at any time. It’s best practice to have a cookie management tool on your website that allows users to manage their settings easily. Your cookie policy should also include information about how individuals can withdraw their consent (see above).
Who to get consent from
Consent to cookies is required from either the person paying for the device (called the ‘subscriber’) or the person who is using it, but not both. From a practical point of view, you may not always be able to tell who is providing the consent, so you must ensure that someone has provided valid consent. Generally speaking, if a user or subscriber has previously consented, but then the current user of the device objects, best practice is to rely on the most recent indication.
If your website is likely to be accessed by children, you must make sure that the consent mechanism you use and your cookie policy are appropriate for them. You will also need to comply with the ICO’s Age Appropriate Design Code, which sets out standards for online services likely to be accessed by children. For further guidance see our Q&A on Privacy and children.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.