If your EU-based or EU-directed website or mobile app uses Google Analytics, you're required to have a Cookies Policy in place.
In short, this is because the EU Cookies Directive requires a Cookies Policy, and the Google Analytics Terms of Service agreement requires users of the service to follow applicable laws.
What is Google Analytics
Google Analytics is the most widely used web analytics service on the internet.
This free service from Google lets you see detailed statistics about how users interact with your website/app, including traffic, average time on site, geographic location of visitors and other useful metrics.
It also incorporates marketing tools such as AdWords and remarketing advertising capabilities.
To provide these services, Google Analytics uses cookies. These cookies help Google identify unique users, identify unique sessions, gather information and store information. If your website/app uses remarketing, third-party cookies (or DoubleClick cookies) can be used as well.
Google Terms of Service
If you sign up to use Google Analytics, you need to agree to the Google Analytics Terms of Service.
The Terms of Service requires you to have a Privacy Policy.
It also requires you to "comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors."
One of these "applicable laws" is the EU Cookies Directive.
The EU Cookies Directive
This directive applies to any website/app that's:
- Owned by a business in the EU, or
- Directed towards EU citizens
If cookies are used by any such website/app, it requires that:
- Users are informed that cookies are used and how they're used,
- Consent is obtained before cookies can be used, and
- An opt out method is made available
Because Google Analytics uses cookies, this would trigger the requirements of the EU Cookies Directive.
Google Analytics' Terms of Service requires you to comply with applicable laws, which in this case means you must comply with the EU Cookies Directive.
If your business falls under the EU Cookies Directive and uses Google Analytics, you're going to need a Cookies Policy.
Your Cookies Policy
You have two options here.
You can either create a separate Cookies Policy or include a Cookies Policy clause in your existing Privacy Policy.
Either method will work, as long as you let users know:
- Your website/app uses cookies,
- How/why you use them,
- Any third parties that you allow to use them, and
- That users can opt out of this
It's also common for a Cookies Policy to include a clause that explains to users what a cookie is in simple, understandable terms.
A Separate Cookies Policy
Having a separate Cookies Policy comes with some perks.
It lets you add a link to your footer or link lists so your users can easily notice it. This is good for compliance purposes as well as user satisfaction.
You can also add your link to a link list, as seen here.
Having separate policies also lets you add very thorough information without overloading your Privacy Policy and overwhelming your users with one long, intimidating legal agreement.
For example, YuMe's Cookies Policy agreement is very thorough, including a mix of charts and text:
The chart breaks down types of cookies used, by what party, and how a user can opt out of this.
The text has additional general information about the site’s use of cookies.
Note that this is only about 1/5th of YuMe's Cookies Policy.
YuMe's Privacy Policy then includes just one short summary clause about cookies and links to this robust Cookies Policy.
LinkedIn has a Cookies Policy agreement that's separate from its Privacy Policy.
In its Cookies Policy, LinkedIn links to its Privacy Policy and the section within it that covers cookies.
When you visit the LinkedIn Privacy Policy agreement, you'll see a section on cookies that includes a summary of all of the relevant information, as well as a link to the full Cookies Policy.
Vimeo has a separate Cookies Policy agreement that lets users know right away that it's part of their Privacy Policy.
The Cookies Policy has detailed cookies-specific information, including a breakdown of the different types of cookies used and what each one does.
Vimeo's Privacy Policy agreement also includes thorough cookies information, as well as multiple links to the Cookies Policy throughout it.
Having separate policies where you reference each one in the other and include links to each one helps users stay informed and access your policies easily.
Privacy Policy with a Cookies Policy Clause
You may choose to simply go with a cookies section in your current Privacy Policy and skip the separate Cookies Policy.
Here's how Drift adds a short clause about cookies to its Privacy Policy.
Medallia has added a more robust and extensive cookies section to its Privacy Policy. It includes one clause for its survey and reporting cookies.
There's a second clause that covers website cookies and opting out.
Oracle includes a Cookies clause in its Privacy Policy.
Some businesses may choose to combine both policies into a Privacy & Cookie Policy, as Ascarii did.
Remember, under the EU Cookies Directive, if cookies are used, your website/app must:
- Inform users that cookies are used and how they're used,
- Obtain consent before cookies can be used, and
- Provide an opt out method
Of these three requirements, the first and the third can be met through your Cookies Policy or cookies clause in your Privacy Policy.
The second - obtaining consent - can be met through clickwrap, browsewrap and notification banners or pop-ups.
Obtaining Consent for Using Cookies
To get consent, you can include a pop-up or banner message when a user first visits your website.
In this message:
- Let users know that you use cookies,
- Link to your Cookies Policy/Privacy Policy with cookies clause, and
- Inform users what will constitute agreement/consent for cookies
This example from WeTransfer lets users know cookies are used, links to the Cookies Policy and makes users click an "I Agree" button to show consent.
The BBC uses a banner that lets users know that cookies are used, links to cookie settings, has a "Find Out More" link, and has users click "Continue" to show consent.
Some websites/apps use a more passive browsewrap method of obtaining consent, such as this example that lets users know that by continuing to use the website, they're showing they're ok with cookies being used.
A notification box like this will typically remain visible to users until they've clicked a few times to show they plan to continue using the website.
Staying Compliant Summary
If you use Google Analytics and fall under the scope of the EU Cookies Directive, you need to do the following to stay legally compliant:
- Have a Privacy Policy
- Have a Cookies Policy/Cookies clause within your Privacy Policy
- Have a banner/pop-up notification regarding your cookies usage
- Get consent for using cookies
- Provide an opt out method