Cookie Policy, Yum!

This is the fourth blog in our series about Legal Documents you need for your website.  Our first blog, Web Legal 101, gives an overview of Privacy Policies, Terms and Conditions, and Cookie Policies. Our second and third blogs take a detailed look at Privacy Policies and Terms and Conditions.

Cookie Management

I remember back in the day when my only Cookie Policy was “no cookies before dinner.” That was a simpler time.

Every computer user probably knows roughly what a cookie is, but we need to take a close look at all the ways they can be used, how different laws address this, and why you have probably seen an uptick of Cookie Banners lately. (I have a Cookie Banner that I wear as a sash on fancy occasions that says Chocolate Chip Forever!)

A cookie is a small data file that is installed on your browser by a web server when you visit a website. This little data file is labeled with an ID unique to you and your computer, like a name badge. The cookie is placed on your browser, so if you leave the website and return a week later, you still have that name badge attached to your browser, and the website remembers who you are and the preferences you saved on the site.

Just like with their namesake, the good part of cookies is really good. They personalize your web experience and make it easier to pass information to a website that you have visited before. They allow you to keep items in your shopping cart while you continue to look around the site, let you log into a website without remembering your password, and they have thoughtfully remembered the city that you live in, so that they can show you the local weather forecast.

Unfortunately, just like with their namesake, there can be a downside to cookies. Some cookies can allow your browsing to be tracked. While this may be helpful by keeping you logged on to the website you visit every day, it is also a way to compile a long-term record of an individual’s browsing history, and that screams potential privacy invasion.

Our goal in this blog is to make all of this as simple, straightforward, and easily understandable as possible, explain what all the different types of cookies are and how they are used, and tell you everything you need to know to determine if your website is obligated to publish a Cookie Policy and Banner.


But first, the obvious:

We are not lawyers.  We are not a law firm.  Nothing that we say or write should ever be used or seen as a substitute for professional legal advice. At most, you should take any of our discussion of legal issues in the same way that you would take good advice from your gardener neighbor about pruning your shrubs. (Our lawyer made us say that. Not the shrubs bit, though.  We added that in ourselves.)


What Is A Cookie Policy?

Websites use cookies for everything from remembering log-in info, to analytics statistics, to social media buttons, and re-marketing services. Because these cookies are actually small data files that are installed on your computer’s browser, they can allow your browsing to be tracked, which opens concerns about privacy violations. So, depending on your website’s audience and location, you may be legally required to post a Cookie Policy and Cookie Banner.

Since you are reading the fourth of our blogs on the legal documents you need for your website, you probably have a solid idea about what a Cookie Policy is: a listing of all the cookies and trackers that your website utilizes, what type of cookies you use, what purpose they serve, and if your website allows any third parties to utilize cookies. This helps a visitor understand how you are using their information when they visit your site.


What Is A Cookie Banner?

You have probably noticed a lot more Cookie Banners (cookie consent banner, cookie notice, cookie splash page, cookie consent manager platform) in your wanderings around the internet lately. These jack-in-the-box dialogue boxes often pop up on a user’s first visit to a website. Their purpose is to alert the user that the website uses cookies, ask for permission to store those cookies on the user’s computer, and inform the user of all the alternatives and rights that they have regarding those cookies. In reality, we all know that the Cookie Banner surprises the user, disrupts a visitor’s interaction with the website, and causes them to exclaim “What?”, “I don’t know,” “Whatever!” or “Sure, just go away!” before continuing on to your website with a bad taste in their mouth.


How Do I Even Know If My Website Has Cookies?

Almost every website uses cookies or trackers of some sort, not for any nefarious reasons, but simply to be able to offer its visitors the features that they are used to. Shopping carts, remembering log-ins, linking your website to your company’s Facebook page, heck, if your website was built on a content management system (like Squarespace!), then you are using cookies. Even as the owner of the website, though, you may not know what cookies your website uses or where any data gathered from cookies is kept.

If you are curious to know exactly what cookies your site uses, there are two ways for regular, non-programmer people to figure it out. 

The simplest and most direct way is to jump online and use a free website cookie checker. This software will look through the code of your website and identify all of the cookies. Then, it will produce a report that identifies each cookie, shows what group it is in, gives you the life span of the cookie (yup, that’s a thing), tells you its purpose, and says whether it is a first-party or a third-party cookie. If you do need to create a Cookie Policy for your site, these reports will give you information that you will need to include. Some popular, trusted, and reliable free online cookie checkers for you to begin with:

Cookie Serve

Cookie Pro

Cookie Metrix

Cookie Checker


The second way to check for cookies used on your website is to do it manually. If you google “manual cookie check” and include the name of the browser you are using, there are plenty of sites that will walk you through the process. If you go this route, there are a few things that you have to do on your computer to make sure that you get a clean, uncorrupted report:

  • Clear your cache and cookies

  • Browse your site in private mode to prevent loading cookies from other websites

  • Turn off the blocking of cookies from your browser

Here are a few websites that offer walkthroughs on manually checking your cookies:

Cookie Law Info

Cookie Yes

Site Checker


What Websites Need Cookie Policies?

This may be the easiest decision that you will have to make regarding the legal documents on your website. It is always a good idea to make as much policy and operational information as possible available to a website visitor. Openness, honesty, and straight-forward transparency help build trust and loyalty in your company. But as far as what you are legally obligated to post on your website, with Cookie Policies and Cookie Banners, you fall into one of two categories. You either don’t need to post a separate Cookie Policy and Banner at all (any cookie information should be included in your Privacy Policy), or you are legally required to post a Cookie Policy and Banner, and let me tell you, if they are required, then they are strictly regulated and enforced.

Here is the litmus test. If your website either:

  • Collects information from kids in the US under 13

OR

  • Collects information from anyone outside the US, 

then there are some pretty tight legal restrictions and regulations concerning cookies on your website. You might want to lawyer up now. 

If your website doesn’t collect information from kids in the US under 13 or from anyone outside the US, then you are completely off the hook with regards to creating separate Cookie Policies and Banners. Please feel free to do a happy dance, and then go back and double-check that your Privacy Policy covers everything required. 


Types of Cookies

Cookies (also called Internet Cookies, HTTP Cookies, Web Cookies, or Browser Cookies) are text files with small pieces of data that are stored on your computer’s browser and used to identify your computer in the future. In general, only the domain (server, website) that placed a cookie can read it later. Only Amazon can read Amazon cookies, only Target can read Target cookies.

Just like their more delicious counterparts with chocolate chip, oatmeal raisin, and sugar, computer cookies come in all different types and flavors. You will need to know a little bit about the specifics (or at least remember to come back here and look them up!), because there are legal distinctions between the different types. 

There are three basic categories that you can use to classify a cookie:  Purpose of the Cookie, Who Set Them, and How Long They Last. Because bakery analogies always help, think about what these categories would be like with baked cookies - we have A. Flavor, B. Homemade or Store Bought, and C. how Gooey or Crispy the cookie is. Just as every baked cookie will fit into each category (Chocolate, Homemade, Gooey Cookies), every computer cookie will, too (Necessary, First Party, Session).


Category 1: Purpose of the Cookie

Because cookies can function in so many different ways and be created to do so many different things, a lot of legislation concerning online privacy hinges on the purpose or function of the cookie. To match the legal standards, we are going to divide up the purpose of cookies into two main types here: Necessary and Non-essential.

Necessary Cookies (Strictly Necessary Cookies, Essential Cookies) are cookies that are crucial to the functioning of the website, such as security, network management, and accessibility. Without these cookies, the website simply would not work the way that a user expects it to. The EU has exempted two types of cookies from its Cookie Law, and we are using those exemptions as our definition here.

  • Communication Exemption: Cookies and other trackers whose sole purpose is to allow the communication on the website to be transmitted over a network. An example of this would be load-balancing session cookies, which help ensure that a web page loads quickly by distributing the workload across numerous computers.

  • Strictly Necessary Exemption: Cookies and other trackers are deemed strictly necessary if they are essential for the website to perform the basic functions that the user asked for. If these cookies were disabled, then the service or function that the user requested would not be available. These are frequently first-party session cookies that expire when the user leaves the website. An example of this would be an Authentication Cookie that allows users to log in and access secure areas of a website without re-entering their login credentials on every page. Another example would be if your ecommerce site used a session cookie that allowed a customer to keep an item in their cart while they continued to shop around your store, or used a cookie to retain the information that a visitor entered when filling out a form on your website.


Non-essential Cookies (Non-necessary Cookies) are cookies that are not vital for the functioning of the website, such as cookies used to analyze a visitor’s behavior on a website (Analytical Cookies) or cookies used to display ads (Advertising Cookies).

  • Functionality Cookies, oddly, aren’t vital for your website to function, but they are first-party cookies that do enable the site to remember user site preferences and important information, such as username or location. This allows the website to provide personalized features like local news stories and weather if location is shared.

  • Performance Cookies are first-party cookies used specifically for gathering data on how visitors use a website, which pages of a website are visited most often, or if users get error messages on web pages. These cookies don’t collect identifiable information on visitors, which means all the data collected is anonymous and only used to improve the performance of a website.


Category 2: Who Set the Cookie

With the knowledge of what the cookie’s purpose is, we now need to find out who gets the information that the cookie contains. Essentially we are asking who the cookie reports back to, or who set it.

First-Party Cookies are those set, managed, and read directly by the owner of the site. They are created and used on a single domain (URL, website), and not shared with other websites or advertising partners. First-party cookies are supported by all browsers and can be blocked or deleted by the user. 

Third-Party Cookies (Tracking Cookies) are managed by third parties (like advertisers, marketers, or researchers) to enable services provided by them, meaning that they are created and placed by websites other than the one you are visiting. Typically, a third party pays a company to include their cookie on the company’s website. The trackers will allow the third party to gather information about your visit and activities on the site. Third-party Cookies can be used to incorporate social media plugins, provide large collections of information about users across multiple websites, or to display ads to the user based on their previous browsing.

While first-party cookies only work on a single domain, third-party cookies track users across multiple domains, and are accessible on any website that loads the third-party server’s code. Third-party cookies are supported by all browsers and can be blocked or deleted by the user. The important development in this area is that privacy concerns are now leading many web browsers to block third-party cookies by default. This practice is beginning to present a challenge for advertisers. 


Category 3:  How Long the Cookie Lasts

Yup.  Computer cookies can have expiration dates, too.

Session Cookies are temporary cookies that are deleted when you close your browser. They are first-party cookies that can be used to keep items in your cart as you shop around on a website. Once you end your browsing session, these cookies are deleted.

Persistent Cookies (Permanent Cookies) store data on your computer for an extended duration, and can be used to remember a username and password for easier login, or other settings or preferences to help create a faster and more convenient website experience. They come with an expiration date issued by the web server.
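Two of the three categories above, who set the cookie (Category 2) and how long it lasts (Category 3), can be read straight off the `Set-Cookie` headers a site sends; the purpose (Category 1) is a policy decision the header does not carry. The following is an added example written for this post, not code from the original, that classifies a constructed set of headers; the hostnames and cookie values are made up, and the "same site" test is simplified to the last two labels of the host (a real check uses the Public Suffix List).

```javascript
// Added example, not from the original post: sort Set-Cookie headers into
// "who set it" (first- vs third-party) and "how long it lasts" (session vs
// persistent). Purpose is not inferred because the header does not state it.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Category 3: Max-Age or Expires makes a cookie persistent; neither makes it a
// session cookie that dies with the browser. Max-Age wins over Expires, and a
// Max-Age of zero or less (or an Expires in the past) is a deletion, not storage.
function lifetime(cookie, now) {
  const a = cookie.attrs;
  if (a['max-age'] !== undefined && /^-?\d+$/.test(a['max-age'])) {
    const seconds = Number(a['max-age']);
    if (seconds <= 0) return { kind: 'expired', expiresAt: new Date(now) };
    return { kind: 'persistent', expiresAt: new Date(now + seconds * 1000) };
  }
  if (a.expires !== undefined) {
    const d = new Date(a.expires);
    if (!Number.isNaN(d.getTime())) {
      return { kind: d.getTime() <= now ? 'expired' : 'persistent', expiresAt: d };
    }
  }
  return { kind: 'session', expiresAt: null };
}

// Category 2, simplified: two hosts belong to the same site when their last two
// labels match. Assumption for this example; real code uses the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// responseHost: the server that sent the header; pageHost: the site the user typed in.
function classify(header, responseHost, pageHost, now) {
  const cookie = parseSetCookie(header);
  const life = lifetime(cookie, now);
  return {
    name: cookie.name,
    party: siteOf(responseHost) === siteOf(pageHost) ? 'first-party' : 'third-party',
    lifetime: life.kind,
    expiresAt: life.expiresAt ? life.expiresAt.toISOString() : null,
    secure: cookie.attrs.secure === true,
    httpOnly: cookie.attrs.httponly === true,
  };
}

// Constructed sample: headers "captured" while loading the fictional shop.example.com.
const SAMPLE_RESPONSES = [
  { host: 'shop.example.com',
    header: 'cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'shop.example.com',
    header: 'lang=en; Max-Age=31536000; Path=/' },
  { host: 'ads.tracker-example.net',
    header: 'uid=x7; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.tracker-example.net; SameSite=None; Secure' },
  { host: 'ads.tracker-example.net',
    header: 'uid=; Max-Age=0; Path=/' },
];

// Build the inventory a Cookie Policy would be based on; the clock is fixed so
// the output is reproducible.
function inventory(pageHost = 'shop.example.com', now = Date.UTC(2022, 0, 1)) {
  return SAMPLE_RESPONSES.map((r) => classify(r.header, r.host, pageHost, now));
}

for (const row of inventory()) {
  console.log(`${row.name}: ${row.party}, ${row.lifetime}` +
    (row.expiresAt ? ` until ${row.expiresAt}` : ''));
}
```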


Bonus Category:  Freaky Cookies

Hopefully you won’t ever have to deal with these mutant cookies.

Zombie Cookies (Ever Cookies or Flash Cookies) are a special, nasty kind of third-party cookie that is permanently installed on users’ computers, not in the typical browser cookie storage, but hiding elsewhere. Zombie cookies stick around even when a user opts not to accept cookies. Plus, just like their namesakes, they reappear after they’ve been deleted and are extremely difficult to permanently remove.

Super Cookies are arch-villain-level tracking cookies that work outside the system, making them impossible to get rid of. Super Cookies aren’t stored on your browser, but on the network. Since they work outside your computer, they don’t trigger any alarms with your browser cookie controls or ad blockers, allowing them to work undetected. That also means that they can travel across browsers on your computer, accessing information such as your browsing habits, login credentials, and audio and video streaming, even after you’ve deleted your cookies. Most Super Cookies can only operate over unencrypted HTTP connections, and since most websites now use HTTPS by default, they are becoming rarer. But, just like any tech, Super Cookies are also evolving, and are beginning to find their way into secure sites, too.


Trackers

A tracking cookie can be used to record your browsing behavior and interaction with a website. But, other trackers are commonly included in the discussion of cookies.

Trackers are small pieces of code that third parties (like advertisers, marketers, or researchers) pay websites to include in their web pages. The trackers will allow the third party to gather information about your visit and activities on the site, including the pages you view, items you click on, purchases you make, your physical and IP address, as well as other data about your visits. Over time, third parties can use that information to create profiles of millions of people, based on the websites they visit, how often, at what hours, etc. 

More powerful trackers can actually watch your mouse movement. They can tell if you stay on the website home page for 10 seconds, and then switch to another page that you spend 10 minutes on, giving glimpses into your browsing habits. Some trackers watch you over multiple sites to analyze your interests and habits. For instance, I read an article about bird migration yesterday, and today I am getting a lot of ads for bird feeders.  Sounds familiar, right? That is trackers at work.

Trackers can be referred to as a number of things, including: embedded scripts, pixel tags, spy dots, web beacons, automatic URLs, or auto hyperlinks. And, they can be as simple as a single, tiny, white pixel on a white background. It’s tech like this that gives off creepy, stalking vibes!


US Cookie Policy

Privacy law in the United States is pretty weak compared to many other countries. Essentially, the US does not require separate consent policies for cookies, unless your website targets US kids under 13. If your company falls under the regulations of CCPA, then you will need to check your Privacy Policy to make sure it includes an opt-out.


US Privacy Policy and Cookie Requirements

CalOPPA

The strongest privacy laws that apply to a business operating in the US are found in California’s Online Privacy Protection Act (CalOPPA). Although a Privacy Policy may be required, California does not require a Cookie Policy or Banner.

CCPA 

The California Consumer Privacy Law (CCPA) requires companies to provide users with a way of opting-out of having cookies stored on their devices.  

However, the only websites that are regulated under the CCPA are companies that collect data in the US and either:

  • Have annual gross revenues exceeding $25 million

OR

  • Buy, sell, receive, or share personal information from at least 50,000 devices, consumers or households annually

OR

  • Make at least 50% of its annual revenues from the sale of consumers’ personal information

The CCPA allows data collection (and cookie use) that is pretty much unrestrained, as long as consumers have a way to opt-out. Since this opt-out info will be included in your Privacy Policy, no Cookie Banner or Policy is needed.


COPPA for US kids under 13

The only federal law in the US that governs online privacy is the Children’s Online Privacy Protection Act (COPPA). This law regulates the activity of websites, apps, online services, plugins, and even toys with online features that collect personal information from children in the United States under 13 years old.

COPPA is designed to limit the amount of information a business can collect from kids, and it does this with a very broad definition of personal information. As well as information that is entered directly by the user, COPPA regulates persistent or anonymous identifiers. These are details that can be used to identify a person over time, such as IP addresses, device serial numbers, and customer information collected using cookies or other trackers.

Before your website collects any information from children (including using cookies), COPPA requires that you present a direct notice to parents requesting their consent, and then you must receive and retain verifiable parental consent. 

How feasible is this? Well, since its enactment, Mattel, Hasbro, Fisher-Price, Hershey’s, Sony, Google, TikTok, YouTube, and Nickelodeon have gotten into trouble over COPPA, with millions of dollars of fines levied. 

If your business intends to market to children, you should be extremely cautious about using cookies at all. Our strongest advice would be to retain an attorney who specializes in this field. Since Fisher-Price and Google got into trouble over this law, this may not be a DIY activity.


International Cookie Regulation

Outside the US, online privacy protection is taken pretty seriously, and the European Union has created the toughest privacy and security laws in the world. Much as we looked to California for the strictest standards when creating our Privacy Policies, the gold standard of Cookie Consent worldwide is the EU, so that will be our focus here. Keep in mind, though, that any country your website reaches may have variations or additional regulations, so be sure to review the data privacy laws for any country that you deal with.

The European Union has placed some of the world’s strictest requirements on businesses who collect personal information about Internet users within its borders. How seriously? Websites that collect data from EU citizens and fail to comply with the GDPR can be fined up to 20 million EUR or 4% of the company’s yearly revenue.  Ouch.

The EU’s requirement for cookie consent comes from two important laws: the Cookie Law and the GDPR.

ePrivacy Directive (Cookie Law) works alongside the GDPR to regulate the requirements for the use of cookies, electronic communications, and related data/privacy protection.


ePrivacy Directive (The Cookie Law) 2009/136/EC[113]

Enacted way back in the technological Jurassic period of 2002 and amended twice since then (with another revision waiting in the wings), the Cookie Law comes into play if your website uses cookies and you have European Union-based users. It requires websites to inform users about cookies and other tech that collects personal information or tracks users’ behavior, requires users’ informed consent before storing cookies or accessing information on users’ devices, and mandates that websites obtain and save records of users’ cookie consent.

Quick geo-political review here:  since the EU is a union of 27 Member States, rather than being one simple country, there can be differences in the details of what each Member State requires to satisfy this directive. So, exactly what steps you must enact to comply with these directives depends largely on which Member States of the European Union you are interacting with. (See Coming Soon To A Country Near You:  ePrivacy Regulation for more on that!) 


GDPR

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it applies to websites located across the globe, if they target or collect data related to EU citizens. 

The GDPR specifies how personal data should be lawfully processed, including how it’s collected, used, protected, or interacted with in general. Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic, and biometric data, web data such as IP addresses, personal email addresses, political opinions, and sexual orientation data.

The GDPR also sets strict rules on how businesses request and obtain consent. Implied consent and opt-out models of consent are not allowed. Consent must be earned via a user’s specific, clear, affirmative action, and you must keep and maintain valid records of consent if you process user data based on that consent. Without these records, the consent you collect is considered invalid.


Coming Soon To A Country Near You: ePrivacy Regulation (GDPR[114])

The ePrivacy Directive is going to be repealed soon, replaced by the ePrivacy Regulation, which passed in 2018, and should go into effect late 2022 or 2023. This regulation was written to extend coverage and scope of personal data protection in general, regardless of how the information is being processed. 

It is a much broader law, widening the range of technology that is covered, from cookies to any tracking method, and including any kind of electronic communication channel, such as Skype or WhatsApp.

It also extends the definition of personal information, and further restricts acceptable reasons for processing such data.  

But the biggest change that this piece of legislation will bring comes from its name rather than its contents.


Legal Difference Between Directives and Regulations

EU Directives (like the ePrivacy Directive currently in place) set up goals and guidelines for what they want to achieve, and then allow Member States to independently figure out how to accomplish that goal.  

Since the current Cookie Law, the ePrivacy Directive, is a directive, the specifics of how its requirements should be met are heavily dependent on individual Member State law.

An example of this would be user cookie consent. The ePrivacy Directive states that consent to cookies must be provided. But how long does that consent last? Since it isn’t specified in the Cookie Law, each Member State must rule on this themselves. Denmark suggests that consent doesn’t expire. Ireland says that consent expires after 6 months, Spain says 24 months, and Belgium’s law specifies that “cookies should not be stored longer than necessary to perform their stated purpose,” whatever that adds up to. 


EU Regulations (like the new ePrivacy Regulation, which has not yet been put into effect) are legally binding across every Member State in the European Union, and enforced according to unified rules.  This means that everyone in the EU will be following and enforcing the exact same legislation with the new Cookie Law.

So, it is going to get simpler!


Cookie Law and GDPR General Compliance

Blocking the use of cookies before gaining user consent, recording and saving records of cookie consent, posting an accurate Cookie Banner, and publishing a comprehensive Cookie Policy are all requirements under the Cookie Law and GDPR. 


Cookie Banner

An accurate Cookie Banner (Cookie Notice) must be conspicuously and noticeably displayed upon the user’s first visit to the website. It must either provide an obvious link to a more detailed Cookie Policy or must detail the usage and purpose of the cookies itself. And, it must clearly explain all options relating to the use of cookies to the consumer and state what consumers’ actions would signify consent.

The required contents in a Cookie Banner vary depending on country, but may include: 

  • User’s right to grant or refuse consent to cookies

  • How the user can exercise that right

  • Instructions for disabling cookies

  • Company contact information

  • How users can set their cookie preferences

  • How you deploy cookies

  • How you handle third-party data sharing

  • Explicit Accept and Reject buttons


Cookie Policy

An effective Cookie Policy informs your users that your site uses cookies and gives a straightforward explanation of how cookies work, what type of cookies your site uses, and what purpose you use them for. This policy should exist on a dedicated page of your website, and link to your privacy policy. 

The Cookie Law doesn’t require that you list and name every individual cookie used. You only need to clearly state the type of cookies installed (first party or third party, session or persistent), their purpose, and how you use them.

If you list any third-party cookies, you must also provide information about any such third party and provide a direct link to their privacy or Cookie Policy. 


User Consent / Preventively Blocking Cookies Before Consent

The Cookie Law is very specific in establishing that websites cannot run or install any cookies (except exempt cookies) on a user’s machine until after the user has provided informed consent.

This consent to cookies must be freely given, specific, informed, and explicit, which means that it must be provided by the user through a clear, active, opt-in action. 


Why Is Valid Active Consent Different Depending On Where You Live?

We previously discussed the different rulings that EU Member States have come to in deciding how long a user’s cookie consent lasts.  Even though the ePrivacy Directive mandates that users must give active consent to cookies, the length of time that the consent can last is not specified. So, every Member State is obliged to create their own legislation on this detail.

Unfortunately, until the ePrivacy Regulation is enacted, there are many details like this that are going to be different depending on Member State law. 

The Cookie Law mandates user opt-in by an explicit affirmative action.  This means that if you offer a checkbox for the user to mark and thereby give cookie consent, the consent checkbox can’t be pre-checked. The user has to willfully perform the action declaring consent and opt-in, rather than opting-out.

However, what is a valid method of a consenting action will differ depending on Member State law. These actions of acceptance may include clicking on a page link, or clicking an option on the Cookie Banner. However, the European Data Protection Board (EDPB) updated their guidelines on consent in May of 2020, prohibiting cookie walls and invalidating scrolling and continued browsing as an acceptable method of consent.


Cookie Walls (or Tracking Walls) require users to consent to all cookies before viewing any information on a website.  This is sometimes referred to as the “Take it or Leave it” approach. The EDPB ruled that general access to your website cannot be restricted to only those users who have accepted all cookies. Prohibiting general access based on the users’ cookie preferences is viewed as coercive. Only certain content can be restricted based on cookie preferences. Cookie walls are considered invalid since the user has no genuine choice.

The Cookie Law also states that even after consent has been given, users must be given the possibility to refuse or withdraw their consent.  According to some Member States, this involves providing information or a means for your users to withdraw consent. In some cases under Member State law, browser settings are considered to be an acceptable means of withdrawing consent.

For a great rundown of some of the biggest differences in EU Member States’ rulings on collecting cookie consent, visit Iubenda’s GDPR Cookie Consent Cheatsheet.


Record of Consent

The Cookie Law requires you to be able to prove that a user consented to cookies on your website. This by itself doesn’t require that records of users’ cookie consent be kept. However, in most cases, cookies process personal data, and so the GDPR legislation that governs record-keeping requirements applies. Valid records of cookie consent need to be maintained and saved for each user for up to 12 months from their last visit, and it is considered best practice to:

  • obtain and save cookie consent settings

  • collect granular, per purpose consent, and 

  • store proofs of users’ preferences via cookie preference logs
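The consent rules from the last few sections (no cookies except exempt ones before an explicit opt-in, nothing pre-checked, granular per-purpose choices, the right to withdraw, a consent validity period that differs by Member State, and a log that serves as proof) can be enforced in one small gate on the site's own code. The following is an added example written for this post, not code from the original; the purpose names, the six-month default validity period and the cookie values are assumptions, and cookie writing and the clock are injected so the walkthrough runs offline.

```javascript
// Added example, not from the original post: a consent gate that holds back
// non-exempt cookies until an explicit decision, records every decision as proof,
// and treats a lapsed decision as "ask again". Member State rules set how long a
// decision stays valid; here it is a constructor option with an assumed default.

const PURPOSES = ['functionality', 'performance', 'advertising']; // assumed purposes
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumed default (Ireland: 6 months)

class ConsentManager {
  // setCookie(name, value, attrs) really writes a cookie; now() is the clock in ms.
  // Both are injected so the gate can be exercised without a browser.
  constructor({ setCookie, now = () => Date.now(), validityMs = SIX_MONTHS_MS }) {
    this.setCookie = setCookie;
    this.now = now;
    this.validityMs = validityMs;
    this.log = [];      // proof of consent: one entry per user decision
    this.pending = [];  // cookies requested before consent, held back, not set
  }

  // Banner defaults: every non-essential purpose starts unchecked (no pre-ticked boxes).
  defaultChoices() {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // The most recent decision, or null when there is none or it has lapsed.
  latest() {
    const last = this.log[this.log.length - 1];
    if (!last || this.now() - last.at > this.validityMs) return null;
    return last;
  }

  needsBanner() {
    return this.latest() === null;
  }

  // Exempt purposes never need consent; everything else needs a live, explicit decision.
  allowed(purpose) {
    if (purpose === 'necessary') return true;
    const last = this.latest();
    return last !== null && last.choices[purpose] === true;
  }

  // Record a decision. Only an explicit action (a click on Accept / Reject / Save)
  // counts; scrolling or continued browsing is rejected as a consent signal.
  record(choices, action) {
    if (action !== 'click') throw new Error(`"${action}" is not a valid consent action`);
    for (const p of Object.keys(choices)) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    const entry = { at: this.now(), action, choices: { ...this.defaultChoices(), ...choices } };
    this.log.push(entry);
    // Release held-back cookies whose purpose is now allowed; keep the rest held.
    const stillBlocked = [];
    for (const c of this.pending) {
      if (this.allowed(c.purpose)) this.setCookie(c.name, c.value, c.attrs);
      else stillBlocked.push(c);
    }
    this.pending = stillBlocked;
    return entry;
  }

  // Withdrawal is a new decision with every box cleared. Cookies already written
  // must then be expired by the site (e.g. Max-Age=0); that step is not shown here.
  withdraw() {
    return this.record(this.defaultChoices(), 'click');
  }

  // Every cookie the site wants to set passes through here with its declared purpose.
  requestCookie(name, value, purpose, attrs = {}) {
    if (this.allowed(purpose)) {
      this.setCookie(name, value, attrs);
      return 'set';
    }
    this.pending.push({ name, value, purpose, attrs });
    return 'blocked';
  }
}

// Constructed walkthrough: a cart cookie, an analytics cookie and an ad cookie are
// requested on the first visit; the user ticks only "performance" and clicks Save;
// later the decision lapses and the banner is due again.
function walkthrough() {
  const jar = {};
  let clock = Date.UTC(2022, 0, 1);
  const cm = new ConsentManager({ setCookie: (n, v) => { jar[n] = v; }, now: () => clock });
  const firstVisit = {
    cart: cm.requestCookie('cart', 'abc123', 'necessary'),
    analytics: cm.requestCookie('_pv', 'GA1', 'performance'),
    ad: cm.requestCookie('ad_id', 'x7', 'advertising'),
  };
  cm.record({ performance: true }, 'click');
  const afterConsent = { ...jar };
  clock += SIX_MONTHS_MS + 1; // the validity period has passed
  return {
    firstVisit,
    afterConsent,
    stillPending: cm.pending.map((c) => c.name),
    bannerAgain: cm.needsBanner(),
    logLength: cm.log.length,
  };
}
```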


Cookie Exemption

The ePrivacy Directive shouts from the rooftops that unless you have a user’s active consent to receive cookies from your website, you are prohibited from running or installing any cookies...except exempt cookies.  Absolutely no cookies or trackers may be utilized until after the user has provided informed consent...except exempt cookies.

Admittedly, my personal cookie law is overflowing with exemptions from regulation (for instance, cookies eaten over the sink don’t count), but which cookies is the EU talking about here?

The Cookie Law allows two exemptions to the consent requirement:


Communication Exemption

Cookies and other trackers whose sole purpose is to allow the communication on the website to be transmitted over a network are exempted. An example of this would be load-balancing session cookies, which help ensure that a web page loads quickly by distributing the workload across numerous computers.


Strictly Necessary Exemption

Cookies and other trackers are deemed strictly necessary if they are essential for the website to perform the basic functions that the user asked for. If strictly necessary cookies were disabled, then the service or function that the user requested would not be available. These are frequently first-party session cookies that expire when the user leaves the website.

So, if your ecommerce site used a session cookie that allowed a customer to keep an item in their cart while they continued to shop around your store, that would be a strictly necessary cookie. It involves a service that your website provides for customers who requested it. Similarly, if your customer was filling out a form on your website, a first-party session cookie would most likely be used to retain the information they entered.

Strictly Necessary cookies remember which page of a website a user was on, so that the visitor can use the browser’s back button. Or, they allow users to log in and access secure areas of a website without re-entering their login credentials on every page. They can also allow a language preference to be set for a website and not force the user to select that preference again on every page they go to.

Even if you utilize cookies that are exempted under these circumstances, you are still required to include them in your Cookie Policy, explaining what they do and why they are necessary.
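As an added example that is not part of the original post, the following JavaScript sketches how the consent record described under Record of Consent and the exemption rules above fit together: granular per-purpose consent with a proof log, a withdrawal path, a 12-month freshness check from the user’s last visit, and a gate that only lets declared cookies through without consent when their purpose is exempt. The purpose names, cookie names and inventory are constructed assumptions, not any site’s real cookies.

```javascript
// Added example, not from the original post: a minimal consent model that records
// granular per-purpose consent with a proof log, supports withdrawal, treats the
// record as stale 12 months after the last visit, and gates non-exempt cookies.
// Purpose names, cookie names and the 12-month window are assumptions.

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// Only communication and strictly-necessary cookies are exempt from consent.
const EXEMPT_PURPOSES = new Set(["communication", "strictly-necessary"]);

// Constructed cookie inventory, as a Cookie Policy would declare it.
const COOKIE_INVENTORY = {
  cart_session: { purpose: "strictly-necessary", lifetime: "session" },
  lb_route:     { purpose: "communication",      lifetime: "session" },
  _analytics:   { purpose: "analytics",          lifetime: "13 months" },
  ad_profile:   { purpose: "marketing",          lifetime: "6 months" },
};

// Record consent. Every non-exempt purpose defaults to refused, so an
// unanswered purpose is never treated as consent.
function recordConsent(userId, choices, policyVersion, now = Date.now()) {
  const purposes = { analytics: false, marketing: false, ...choices };
  return {
    userId, policyVersion, purposes, lastVisit: now,
    // Proof log: one entry per decision so later changes stay auditable.
    log: [{ at: now, action: "granted", purposes: { ...purposes } }],
  };
}

// Withdrawal resets every purpose to refused and appends a proof entry
// instead of deleting the history.
function withdrawConsent(record, now = Date.now()) {
  const purposes = Object.fromEntries(Object.keys(record.purposes).map((p) => [p, false]));
  const log = [...record.log, { at: now, action: "withdrawn", purposes: { ...purposes } }];
  return { ...record, purposes, lastVisit: now, log };
}

// A stored record only counts as proof for 12 months from the last visit.
function consentIsCurrent(record, now = Date.now()) {
  return now - record.lastVisit < TWELVE_MONTHS_MS;
}

// Gate: may this cookie be set for this user right now?
function maySetCookie(name, record, now = Date.now()) {
  const meta = COOKIE_INVENTORY[name];
  if (!meta) return false;                              // undeclared cookie: refuse
  if (EXEMPT_PURPOSES.has(meta.purpose)) return true;   // exempt, no consent needed
  if (!record || !consentIsCurrent(record, now)) return false;
  return record.purposes[meta.purpose] === true;
}
```

Note that the gate refuses any cookie missing from the inventory, which is a cheap way to catch cookies that were added to the site but never added to the Cookie Policy.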

 

How to Create Your Cookie Policy

OK! So how do you ensure that all the legal mumbo-jumbo is correct on your website? If you have already created a Privacy Policy or a Terms and Conditions Agreement, then the answer is very similar, so buckle up for some déjà vu.

Here are your two options for creating a Cookie Policy, and your one big no-no.

 

First Option:

Remember those online compliance software service websites that can build your Privacy Policy and Terms and Conditions Agreements? Almost all of them can generate Cookie Policies, too. You answer some questions about your company, and they generate the policy for you. Some of the websites are free to use; some charge a flat fee or monthly subscription for advanced features that tailor the content more specifically to your business.


Pros: Inexpensive; completed copy ready for you to use within minutes.

Cons: If your business is complex, you may need more customization. Some usage and legal terms may be confusing.

This route is a pretty inexpensive way to go, but it does require you to do your homework. Some popular, trusted, and reliable website generators for you to begin your research:

Cookie Policy Generator

Terms Feed

Get Terms

Privacy Policies

 

Second Option:

Enlist a lawyer’s services. If you are not comfortable searching and comparing options offered by online websites and doing some reading up on the legal requirements yourself, then pass this work on. And, if you are dealing with a website that is legally required to provide a Cookie Policy (collecting data from kiddos in the US under 13, or anyone outside the US), then things get very complicated very quickly, and the penalties that can come from these pieces of legislation could be catastrophic to a small business. The laws are also complex, with an enormous amount of detail. If your website falls under one of these regulations, spare yourself a lot of mind-boggling hours staring at legal documents, and find a lawyer who specializes in this field to help you sort out what you need to do and advise you on how to best protect your business.

Pros: Complete customization, along with having an expert advising specific and precise language to include to best protect your business.

Cons: Expense. It may be days before you have working copy.


The Big No-No

I know that it is tempting. It is easy to think that one quick cut and paste could make all your problems go away. But keep your eyes on your own website!

Do not copy.  Do not go to another, similar website, copy the legalese and paste it on your website. Nope. Just don’t. Seriously. We’ve got to be grownups about this. First, there is no way that you will have exactly the same cookies as another site. And, if your Cookie Policy doesn’t adequately address everything it needs to, then you could be headed for some nasty fines.

A Cookie Policy lets your website visitors know how you use their data.  Although it is not a national requirement of all websites in the US, it is a solid business practice that fosters transparency and trust with your users. It will go a long way with visitors to your website if you keep your Cookie Policy up-to-date and answer a few questions:

  • What types of cookies does your website use?

  • What is the purpose for the cookies?

  • What categories of personal data are processed by the cookie?

  • What happens to the personal data collected?

  • With what third parties is the data shared?

  • How long do the cookies stay on users’ browsers?

  • How can users change their cookie preferences for the site?

  • How can users check on or change their consent for cookies later?

mini Monster also has detailed looks at other legal documents that you may need to create for your site.  Check out our blogs on Privacy Policies and Terms and Conditions.
