How to Write a Website Cookie Policy

Having a well-written cookie policy could save you from trouble in the future.

Cookies help simplify users' experiences on individual websites by "remembering" who they are.

These are simple text files that store information like site-specific login data in the user's web browser and are incredibly common across the Internet.

If you've ever logged into a site without having to fill in your password, for instance, or clicked away from an e-commerce page only to return a few days later and find that pretty desktop lamp still waiting in your shopping cart, HTTP cookies are to thank for that.

Cookies, however, are often viewed by Internet users with suspicion. These users worry about data privacy; for many, the idea of sites "remembering" who they are by holding identifiers like a login e-mail or password seems ominous.

"What are they using it for?" they ask. "Could they be selling my data?"

Of course, cookies are stored locally in the user's browser and are not dangerous in the way most people imagine. But cookies can have vulnerabilities: an attacker who hijacks a user's cookies can gain access to their browsing history.

In order to address these potential vulnerabilities, and help people feel safe as they browse the Internet, certain regions around the world - most notably the countries of the European Union - have introduced the concept of cookie compliance.

What is cookie compliance?

Cookie compliance refers to laws that enforce website transparency when it comes to the usage of cookies.

A "cookie compliant" website will let users know that it's using cookies, and what types of cookies it's using.

The site will give them the option to use it without downloading cookies, or without downloading certain types of cookies.

Since the specifics of cookie compliance depend on the region, let's look at how it works in a few different geographical areas.

The European Union cookie laws

As mentioned above, the EU pioneered the idea of cookie compliance and has the most rigorous laws, in the form of the "ePrivacy Directive", better known simply as "the cookie law."

This 2002 directive is supported by the more recent General Data Protection Regulation, or GDPR.

Both stipulate that a website operator must receive users' consent in order to use cookies (except for "necessary" cookies; more on that later).

Say a user is fine with certain cookies but wants to deactivate others - under the terms of EU law, you must make it so that they can still access the website.

If they do consent to certain cookies but change their mind later, it should be easy for them to opt out of those cookies.

Finally, EU website operators - or those outside of the EU who are targeting EU customers - must document and store the received consent.

The United Kingdom cookie laws

Although the UK is no longer part of the EU, it did adjust its laws to be in accordance with the ePrivacy Directive back when it was a member.

Therefore, website operators in the UK basically have to adhere to the EU cookie regulations described above.

Australia cookie laws

In Australia, the main law that applies to cookies is the Privacy Act 1988. According to this statute, you should at least inform your users that you are using cookies that will collect their private information (although this is not spelled out explicitly).

Canada cookie laws

In Canada, "express consent" is required before cookies are installed. This doesn't exactly mean what it sounds like. Basically, all you have to do is let users know that you are using cookies; if they continue to use the site after being made aware, you have their "express consent".

Cookie laws in the United States

In the United States, there aren't any specific cookie compliance laws on a federal level. However, it's always a good idea to state in your privacy policy that you use cookies.

This is especially true since California does have a privacy law called the California Online Privacy Protection Act (CalOPPA). This requires that commercial websites have a privacy policy detailing how information is collected.

Since pretty much every US commercial website is going to have one or two users in California - it is the largest state, after all - they should all detail their cookie usage in the privacy policy.

Furthermore, there's an online privacy law in the US known as the Children's Online Privacy Protection Act (COPPA). This applies only to websites aimed at children under 13.

To use cookies, you'd have to get parental consent, which isn't really practical.

Therefore, if your US business site is aimed at young kids, you shouldn't use cookies at all.

How do you comply with cookie law?

To bring your website into compliance with the EU cookie law, you'll need to take a few steps.

First, you should perform what's called a "cookie audit" - you'll determine just what cookies you are using and what data they are tracking. There are a lot of different programs that provide cookie audits.

Next, install a cookie banner on your site. A cookie banner simply informs visitors that your site uses cookies.

You should also spell out, in clear, easy-to-understand terms, just what each of the cookies on your site does. Link to a page with this information from the banner or the cookie settings; for example, make a clickable link saying "More Information" or "Find Out More".

If you're providing an "opt-out" option, make sure it's simple for users to opt out of cookies at any time.

However, you don't have to inform users of or receive consent for cookies that are deemed necessary to the functioning of your site.

For example, a shopping cart cookie is definitely something users expect when they're on an e-commerce site, and so the normal rules of cookie compliance won't apply to these cookies.
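The steps above (audit, consent banner, per-category opt-out, consent record, and the exemption for necessary cookies) as a small consent gate; this is an added example, not code from the original article, and the cookie names, categories, purposes and policy version in it are constructed.

```javascript
// Added example, not code from the original article. The registry is what a
// cookie audit produces (names, categories, purposes are constructed samples).
// "necessary" cookies are exempt; any other cookie is only set once consent
// for its category is recorded, and the record carries a timestamp and policy
// version so it can be stored as evidence. The jar is a Map so this runs
// outside a browser; in a page it would wrap document.cookie or Set-Cookie
// (where Secure, HttpOnly and SameSite attributes should also be set).

const NECESSARY = "necessary";
const POLICY_VERSION = "2024-01"; // constructed; change when the policy text changes

const COOKIE_REGISTRY = {
  session_id: { category: NECESSARY, purpose: "keeps you logged in" },
  cart: { category: NECESSARY, purpose: "remembers your shopping cart" },
  _ga: { category: "analytics", purpose: "counts page visits" },
  ad_id: { category: "marketing", purpose: "selects the ads you see" },
};

// Build the consent record from the categories the visitor ticked in the banner.
// Unknown categories are ignored; "necessary" is always implied.
function recordConsent(acceptedCategories, now = Date.now()) {
  const known = new Set(Object.values(COOKIE_REGISTRY).map((c) => c.category));
  const accepted = new Set([NECESSARY]);
  for (const cat of acceptedCategories) {
    if (known.has(cat) && cat !== NECESSARY) accepted.add(cat);
  }
  return { accepted: [...accepted].sort(), timestamp: now, policyVersion: POLICY_VERSION };
}

function isAllowed(consent, name) {
  const meta = COOKIE_REGISTRY[name];
  if (!meta) return false; // not in the audit: refuse rather than guess
  return meta.category === NECESSARY || consent.accepted.includes(meta.category);
}

// Set a cookie only if the recorded consent covers its category.
function setCookie(jar, consent, name, value) {
  if (!isAllowed(consent, name)) return false;
  jar.set(name, value);
  return true;
}

// Opting out later: drop every non-necessary cookie and record the withdrawal.
function withdrawConsent(jar, now = Date.now()) {
  for (const [name, meta] of Object.entries(COOKIE_REGISTRY)) {
    if (meta.category !== NECESSARY) jar.delete(name);
  }
  return recordConsent([], now);
}
```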

Cookie policy must-haves

  1. Users must know you're using cookies
  2. Users must know precisely what cookies you're using and what they do
  3. Users must have the option to use your website even if they don't want to use all of your cookies
  4. You must store users' received consent to having cookies installed

It's really that simple!

The bottom line

Overall, it's not too difficult to make your website cookie-compliant, although you will need to know a thing or two about coding.

If you're in a country that enforces cookie compliance, and you don't follow the steps above, you'll usually get a notice to make the necessary changes within a set timeframe. In extreme cases, you might even have to pay a fine.

Even if you're not in a country that specifically requires user consent for cookies, taking some inspiration from their regulations can help ensure visitors to your website see it as transparent and trustworthy.

Trust is always important in increasing visitor frequency and shareability, helping to boost your site's visibility in multiple ways.
