GDPR Checklist - ePrivacy Regulation & Cookies

May 13, 2020

If your website is based in the EU or directed towards EU citizens and you use cookies, you must comply with the EU’s ePrivacy Directive, which means consent to use cookies must be obtained before they are placed. Many websites collect browsing history and send out signals to advertisers by installing dozens of cookies in the browsers of visitors to their site. The ePrivacy Regulation provides greater protection for internet users than previously offered under the directive. Any company with a website that wishes to collect data via the use of cookies needs to ensure strict adherence to the new law, which includes ensuring users are able to understand what personal data is being processed and for what purpose. Businesses that rely on their website as a main driver of revenue will have to balance growth of the business with ensuring the personal privacy of website users.

There is no legal requirement to create a separate cookies policy, although most businesses are choosing to do so, and it is particularly useful if your website uses a number of different cookies for more than one purpose. The most common way is to upload a Cookie Consent Notice to your website in the form of a panel, pop-up or banner that gives users notice that cookies are used and provides a link to your Privacy and/or Cookies Policy. Visitors will then have to actively agree to this in order for you to get consent. As with your other legal agreements, your cookie policy should be laid out in a simple and easy-to-understand way, usually beginning with an explanation of what cookies are and what they do. This is usually followed by information on:
what types of cookies you use and how you use them - being as specific as possible;
a description of the use of third-party cookies - if you allow third parties to place cookies through your website, you need to disclose this here and include the third parties by name when you can;
details of the use of other tracking technologies on your website - for example if you use analytics services let your users know about this;
if you use a remarketing service such as Google Ads, you need to disclose this also - check the Terms of Use agreements for the service you use to see what is required - for example, Google Ads requires a set of particular disclosures to be made;
the cookie policy should also disclose any other tracking technology - such as if you are using web beacons and pixel tags to track and identify users;
how users can control cookies and offer the user the opportunity to refuse to have a cookie or similar device stored on their device - as set out in Recital 25 of the privacy regulation;
how to control cookies - you need to let users know how they can adjust or disable the cookies you use and offer them the option to decline.
