If you’re wondering when a cookie policy is needed on your ecommerce site, it’s important to bear in mind that you’ll need one whenever you’re using cookies on your website or app. This is because you’re required under privacy law to explain to individuals what cookies you use and how you use them, and it’s common practice to set this information out in a cookies policy.
The privacy rules also apply to ‘similar technologies’ to cookies, for example Flash cookies, web beacons, device fingerprinting, pixels and plugins.
Although you’re not legally required to provide information about your use of cookies if you’re only using essential (or strictly necessary) cookies, the Information Commissioner’s Office (ICO) advises that it’s best practice to do so in all circumstances. Essential cookies are those that are strictly necessary in order for people to use your website properly (see below).
You’re also required to get the consent of your users before you set any non-essential cookies, so it’s important that you understand the distinction. We’ve set out below some examples of different types of cookies your ecommerce website might use.
Different types of cookies
There are various types of cookies, including:
1. Essential cookies
These are cookies that are essential in order for your site to function properly. This could include cookies that enable pages on your website to load quickly, those that remember your users’ login details or cookies that remember what your customers have placed in their shopping baskets.
You do not need to get consent before you set these cookies.
2. Analytics cookies
These cookies collect information about how your users use your website, for instance what pages they visit most often and what searches they carry out.
These cookies do not meet the strictly necessary exemption, so you must get the consent of your website users before setting them.
3. Advertising cookies
Cookies may be used for online behavioural advertising, which is a form of targeted advertising where information about your customers’ web browsing activity is collected and analysed in order to market goods and services to them more effectively. Information collected might include the websites they visit, the ads they click on or the products that they buy. You can then use this information to show your users targeted advertisements about products they are most likely to be interested in. For further guidance, see our Q&A on Online behavioural advertising.
Some businesses may also use cookies and similar technologies on their sites to collect information about their users so that they can sell targeted advertising space to other businesses.
Advertising cookies do not meet the strictly necessary exemption, so you must get the consent of your website users before setting them.
What about third party cookies?
If your website allows third parties to set cookies on your users’ devices (eg from an advertising network), you must inform your users about this and obtain their consent first. This responsibility lies with both you and the third party, so you will need to liaise with them to ensure that your obligations are met.
When to provide your cookie policy
You need to provide your cookie policy to your website users the first time they use your site, and before you set any non-essential cookies. Remember that you also need to get consent to non-essential cookies, and you must provide your cookies information before users give their consent. As such, it’s common to set out information about how you use cookies in the same mechanism you use to get consent (eg your banner or pop-up window). This should then contain a link through to your cookie policy where more detailed and comprehensive information can be found. You should also provide a link in the header or footer of your website, wherever it will be appropriately prominent.
Your cookie policy should be set out in plain language, giving clear information about how cookies operate, what categories of cookies you use on your website and what those cookies are used for. You should steer clear of overly complex or technical terminology. For further guidance about what to include in your cookie policy, read this blog.
Remember that if your use of cookies involves your business processing personal data (eg because a cookie ID can be used to identify an individual, either directly or when used in combination with other information), you must make sure that you also provide a privacy policy explaining how you use that data. See this blog for further guidance about what a privacy policy is and when you need one.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.