Cookie Clauses For Your Privacy Policy

Your Privacy Policy must address cookies no matter where you transact business.

In the US, this is considered good customer service and offers you protection from liability. People may be wary of data files collecting their information and it's better to keep them informed when it's taking place.

In the E.U., the cookie clauses in your Privacy Policy agreement maintain compliance with privacy requirements such as the EU Cookies Directive.

However, any entity that transacts business in the E.U. and uses cookies on its website must meet additional requirements beyond what you write in your Privacy Policy.

What are Cookies

Almost every website or app uses cookies to track data and create personal experiences for users.

A cookie is a small data file stored on a user's computer or mobile device. It holds just enough data on a user to customize websites to that user's taste. Cookies may retain log-in information, save preferences, and even direct users to the spot where they last browsed.

Cookies may be enabled or disabled within browsers or indicating preferences in the settings section on mobile devices. Since cookies contain privacy implications, their use is addressed in the Privacy Policy agreement.

Cookies and the Privacy Policy

Privacy Policies normally contain an entire section or subheading addressing cookies.

While cookies do not collect data as extensively as online forms or a sign-up process would, users may still find them to be intrusive. That is why it is important to address them in your Privacy Policy.

Why Draft Cookies Clauses

There are three reasons you want cookie clauses under their own subheading in your Privacy Policy:

• Transparency.

  Even if you wouldn't be required to inform users (under US law, for example), it's still a good idea to let them know you use cookies.

  Discussing cookies in your Privacy Policy allows you to explain which cookies you use, why you use them, and the benefits they offer users.

• Implied consent.

  The Privacy Policy is accepted at sign-up. A less favored method of accepting the policies is as the user browses your website. You can learn the differences between browsewrap and clickwrap here.

  When users accept your Privacy Policy, there is also implied consent to the use cookies. This helps you in cases where users claim your cookies collected data without their permission.

• Limit possible liability.

  Most privacy claims are barred through the acceptance of the policy.

  However, it's possible that clicking links from third parties will also activate cookies and you need to waive liability for those actions.

  Also, your sections on cookies should explain how to disable cookies and even the consequences of that action (e.g., a less personal web experience).

  This protects your from liability not only from the use of cookies or a third party's use, but also if electing to disable cookies reduces a user's web experience.

The content within these sections on cookies needs to address these three reasons outlined above.

Here is how to accomplish that.

Content for Cookies Clauses

Cookies information in your Privacy Policy should clearly labeled under its own section or subheading. This keeps the information transparent and easy to find which is important since some users may feel uncomfortable with cookies technology.

If you provide a Table of Contents in your Privacy Policy, include a link to your cookies chapter or section. This makes it easier to find.

Amazon offers this to its visitors:

In the chapter on cookies, address why you use cookies, what they do, and how to disable them. That helps you meet the goals listed above regarding transparency, consent, and liability.

Explanations regarding your cookies usually start at the beginning. Other tracking software may also be mentioned in this section, so feel free to include mention of web beacons and other technology.

Apple explains that its websites and online services use cookies for providing services, customizing advertisements, and providing interactive applications. This is all mentioned in the beginning of its section on cookies:

Lenovo, an international computer and software company, takes the same approach. In the U.S. version of its Privacy Policy, it also explains that it collects information and stores it in log files:

Sometimes, there may be more detailed discussion on cookies. This is especially true with entities that have an international presence or simply use many types of cookies and user tracking technology.

Lenovo offers this further explanation of cookie usage right after its introductory paragraph in the cookies section. It also mentions that cookies may be turned off in the user's web browser:

A further explanation by Lenovo mentions that web beacon and other tracking technology works in conjunction with cookies. If you take the same approach with your website, you may wish to add similar information to your cookie provisions:

The introductory provisions from Lenovo above offer some instruction on disabling cookies. Apple explains to users how to turn off cookies in both its Safari browser and its mobile devices:

If an app or website uses unique tracking features, cookie provisions can address those as well. Apple has an Ad Tracking process that customizes advertisements to consumer preferences. Its cookies provision addresses turning that off:

Lenovo uses Flash cookies to support its cloud storage systems. These are often managed by third parties. It offers instructions for disabling these while also providing a link with further information:

Assess your cookie usage before you finalize a cookies provisions in your company's Privacy Policy.

If you use cookies that are controlled by processes other than browser or mobile device settings, include links or instructions that address them.

The Cookies Policy

The examples above are from Privacy Policies applicable to U.S. customers.

If you are based in the E.U. or have E.U. customers, you need a Cookies Policy in addition to the cookie provisions in your company's Privacy Policy.

The E.U. Cookies Directive places additional requirements on your use of cookies on an app or website.

E.U. Cookies Directive

The E.U. Cookies Directive is part of an e-Privacy Directive amended in May 2011.

In the U.S., acceptance of cookies is implied through the acceptance of the Privacy Policy. There are no notice requirements. The E.U. places extensive notice requirements on companies.

The EU Cookies Directive requires that:

• You must notify users that cookies are being used on your website, including which cookies, why they are used, and how,
• Users must indicate consent to the cookies, usually by clicking an "I Agree" button or checkbox, or
• If you provide a visible notice on your site that cookies are being used and if the user continues to browse, they accept the cookies.

Most E.U. companies provide a banner or active consent platform when it comes to cookies and create a separate Cookies Policy agreement.

When you visit Lenovo's Netherlands site, you first see this dialog. To continue, a user must hit the green "Accept and enter the website" button:

Even if you decide to rely on implied consent, your notice banner must be visible. It should remain until a user clicks on a certain number of pages within your site. Here is an example of how that can work:

Lenovo has different Privacy Policies for the U.S. and Netherlands. When you visit the U.S. version of the Privacy Policy of Lenovo, cookies are not specifically mentioned even though there are provisions about them in the Privacy Policy:

The Netherlands version of the Privacy Policy offers a link to the cookie provision in the Privacy Policy as well as a link to its Cookies Policy:

Another place where you will find differences is the footer section of a website.

Amazon does not offer a link to a Cookies Policy on its U.S. page:

But you will find a link to the Cookies Policy on its U.K. page:

If you are doing business in the E.U., or are based there, you not only have to offer a Cookie Policy but you also must make it visible.

Provide a link to the Cookie Policy in your banner or request active consent, but also add links on a privacy page, in your Privacy Policy, and the web footer.

Examples of Cookies Policies

Like Disclaimers and Return Policies, the Cookie Policy is a separate document on its own but it reflects similar provisions in the Privacy Policy.

This allows users who are interested in cookies to navigate directly to where they receive the most information on how and why you use them.

Lenovo's Netherlands site includes a Privacy Policy that's similar to the one for the U.S. site (translated by Google):

When you visit the Cookies Policy for the Netherlands website, Lenovo adds details to that go beyond the Privacy Policy provisions. However, they act as clarification and do not contradict one another:

This intends to give consumers more information as required not only by the E.U. Cookies Directive but also Netherlands law.

Amazon U.K. takes the same approach with its Cookies Policy.

Its U.K. Privacy Policy contains a linked header on cookies. Its Cookies Policy also acts as an enhancement of those privacy terms:

No matter where you do business, you need cookies provisions in your Privacy Policy.

In the U.S. it's a courtesy more than a legal requirement, but transparency helps with customer relations.

If you do business in the E.U., your Privacy Policy provisions about cookies will not be enough to meet the EU Cookies Directive.

You will need to assess your website and app for proper notices and provide clear links to the cookie provisions in the Privacy Policy and to your Cookies Policy.