Privacy Policy Cookies Clause: Separate vs Combined

Cookies are small text files websites store on a visitor’s device to track their preferences, browsing behavior, and other valuable data. Through these important analytics, you, the website owner, can enhance the user experience.

The problem is that the use of cookies also raises privacy concerns. This is where the privacy policy cookies clause comes in. How are your privacy policy and cookies linked, you ask?

Since cookies collect personal data, your privacy policy’s cookie clause should explain this to ensure visitors understand their privacy rights.

Below, we’ll walk you through how to incorporate a cookies clause within your privacy policy. This step is key not just for staying on the right side of the law, but also for reassuring visitors that you value and protect their privacy.

KEY TAKEAWAYS:
  • A well-written privacy policy cookie clause not only informs visitors about your site’s cookie practices but also helps your business comply with data privacy laws.
  • Obtain explicit consent from your visitors before setting non-essential cookies. This demonstrates your commitment to user privacy.
  • A policy template or generator can streamline the process of creating a cookie clause. These tools provide a good starting point and help you avoid common mistakes.

PRO TIP: Save time and take the guesswork out of the legal jargon with this personalized cookie policy generator trusted by over 200,000 businesses.

What is a Privacy Policy Cookies Clause?

A cookie clause in a privacy policy is a section that informs website users about the use of cookies and similar tracking technologies on the site. It explains what cookies are, how they are used, the types of cookies the website employs, and how users can manage or opt out of these cookies.

Check out this example from MistHub to see what a cookies clause looks like:

MistHub's cookie clause in their privacy policy on a white background.

Firstly, they mention the use of cookies on their website and why they are used. They also reassure visitors that these cookies do not collect personal information.

Then, to give visitors control over their information, they also remind them how they can opt out of cookies:

MistHub's cookie opt out information in their privacy policy on a white background.

A well-crafted cookies clause not only informs visitors about your cookie practices but also helps ease their concerns by explaining how they can control their data.

Why Do You Need a Cookies Clause in Your Privacy Policy?

You need a cookie clause in your privacy policy to comply with data privacy law. By explaining how cookies work and asking for cookie consent, you also demonstrate your commitment to transparency.

Basically, you need these clauses for the following reasons:

  • For Compliance With International Laws: Including a cookie clause as part of your privacy policy is required under various regulations. Many privacy laws require that you disclose how you use cookies, including the EU Cookies Directive (also known as the Privacy and Electronic Communications Directive) and the General Data Protection Regulation (GDPR).
  • For Meeting State-Specific Laws: In the U.S., laws like the California Online Privacy Protection Act and the California Privacy Rights Act state that businesses must publish a privacy policy that includes details on cookie usage.
  • For Better User Experience: When users understand how cookies are used, they can make better decisions about their online activities. In turn, you’re able to help them improve their overall experience on your site.

PRO TIP: Certain industries, such as healthcare and finance, may have additional data privacy regulations. If your website falls under these categories, be extra mindful of your cookie practices.

While not always strictly required, a separate policy for cookies may be needed for websites that use a lot of cookies or collect sensitive user data.

In my opinion, you need a dedicated cookies policy if your website uses certain types of cookies to track user behavior for analytics or marketing. A combined cookie and privacy policy can often suffice, but a dedicated policy can offer additional clarity.

This need for transparency is more important than ever. A survey from January 2023 found that 86% of users in the U.S. want to do more to protect their online privacy.

A bar graph of the result of Statista's 2023 survey about internet users who would like to do more to protect their digital privacy.

By having a clear cookie policy, you can help address these concerns and give users the information they need to make smart choices about their data. When visitors trust your site, they’re more likely to engage with your business.

Here’s a step-by-step guide to enforcing a cookie clause effectively:

Use a banner to inform visitors that cookies are used on the site. Provide options for accepting, rejecting, or managing cookies. The banner should be visible when users first visit your website and comply with regional regulations like GDPR and CCPA.

Ensure that users actively consent to the use of non-essential cookies (analytics, marketing, etc.). Only set these cookies after the user has given consent. This step helps in complying with privacy laws that mandate explicit permission for non-essential tracking technologies.

Provide a way for users to easily update or withdraw their consent at any time. This can be done by including a “Cookie Settings” option in your website’s footer, ensuring users have control over their data preferences.

Use a cookie management tool to automatically block non-essential cookies until consent is given. These tools can simplify cookie management and compliance with regulations, ensuring that no cookies are set until proper consent is collected.

Keep records of user consent for cookies. Tools that log user preferences ensure compliance and provide documentation in case of audits. This is especially important for GDPR, which requires proof of consent.

Periodically review and update your cookie policy to ensure it reflects current practices and legal requirements. Notify users of changes, especially if new types of cookies are introduced. Staying up-to-date helps maintain compliance.

Enforce the “Do Not Track” Signals

Respect browser settings that signal “Do Not Track” preferences. By honoring these signals, you comply with user expectations and maintain transparency about how tracking technologies are handled on your website.
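
The enforcement steps above (block non-essential cookies until the visitor opts in, allow withdrawal, keep a consent record, honor Do Not Track) can be implemented as one gate that every cookie write passes through. This is an added example, not code from the original article; the function names, the in-memory jar standing in for `document.cookie`, and the choice to let Do Not Track override consent for performance and advertising cookies are assumptions.

```javascript
// Added example: consent-gated cookie jar. All names here are hypothetical.
const CATEGORIES = ["essential", "performance", "functionality", "advertising"];
const TRACKING = new Set(["performance", "advertising"]); // assumed DNT scope

// In a browser, pass { doNotTrack: navigator.doNotTrack === "1" }.
function createConsentManager({ doNotTrack = false, now = () => Date.now() } = {}) {
  const jar = new Map();     // stand-in for document.cookie
  const consentLog = [];     // audit trail: one record per consent change
  const blocked = [];        // cookie writes refused for lack of consent
  let granted = new Set(["essential"]); // nothing else is allowed by default

  // Called by the banner and by the footer "Cookie Settings" link alike,
  // so granting, changing and withdrawing consent share one code path.
  function setConsent(choices = {}) {
    const next = new Set(["essential"]);
    for (const category of CATEGORIES) {
      if (choices[category] !== true) continue;           // explicit opt-in only
      if (doNotTrack && TRACKING.has(category)) continue; // honor the DNT signal
      next.add(category);
    }
    // Withdrawal: delete cookies whose category is no longer granted.
    for (const [name, cookie] of jar) {
      if (!next.has(cookie.category)) jar.delete(name);
    }
    granted = next;
    consentLog.push({ at: new Date(now()).toISOString(), granted: [...granted], doNotTrack });
    return [...granted];
  }

  // Every cookie write goes through this gate and must declare a category.
  function setCookie(name, value, category, maxAgeDays) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unclassified cookie: ${name}`);
    }
    if (!granted.has(category)) {
      blocked.push(name);
      return false;
    }
    // No maxAgeDays means a session cookie; otherwise a persistent one.
    const maxAge = maxAgeDays === undefined ? null : maxAgeDays * 86400;
    jar.set(name, { value, category, maxAge });
    return true;
  }

  // The string a browser page would assign to document.cookie.
  function serialize(name) {
    const c = jar.get(name);
    if (!c) return null;
    const age = c.maxAge === null ? "" : `; Max-Age=${c.maxAge}`;
    return `${name}=${encodeURIComponent(c.value)}${age}; Path=/; Secure; SameSite=Lax`;
  }

  return { setConsent, setCookie, serialize, consentLog, blocked, has: (n) => jar.has(n) };
}
```

Third-party scripts that set their own cookies bypass a gate like this, so they should only be loaded after `setConsent` has granted their category.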

9 Key Components of a Cookies Clause

A well-structured cookies clause should include the following key elements to ensure clarity, compliance, and effectiveness:

1. Definition of Cookies

Your privacy policy should clearly state what cookies are before diving into how they are used. This ensures that users have a solid understanding of cookies from the start.

Here’s how Outdoor Voices handled this in its privacy policy:

Outdoor Voices' definition of cookies in their privacy policy on a white background.

Here, you can also mention other tracking technologies you use, like web beacons. Similar to cookies, they collect information about user activity on your site.

2. Types of Cookies Used and Their Purposes

Aside from a clear definition of cookies, you should also include information about the cookies your website uses. I recommend categorizing the different types of cookies you use to help users understand their purposes.

For example, you can say that:

  • Essential cookies are necessary for your site to function properly, enabling basic features like page navigation and secure access to areas of the website.
  • Performance cookies help you analyze how visitors interact with your site, allowing you to improve user experience.
  • Functionality cookies remember user preferences, such as language or region, enhancing personalization.
  • Advertising cookies track user behavior to deliver more relevant ads based on their interests.

By clearly outlining these categories, you inform users about how cookies contribute to their browsing experience.

3. Information You Collect Through Cookies

Your privacy policy should clearly state what information you use the cookies to collect, such as:

  • User preferences (e.g., language settings, product preferences)
  • Browsing history (e.g., pages visited, time spent on site)
  • Device information (e.g., IP address, browser type)
  • User interactions (e.g., clicks, scrolls)
  • Demographic information (e.g., estimated age, location)
  • Personal information (if applicable, such as email address or user ID)

Fashion accessories brand William Painter does this transparently by including a table of the personal data it collects and the parties it shares that data with:

William Painter's information collected through cookies on a white background.

4. User Consent

The clause on cookies in your privacy policy must explain that you require user permission to track data. Remind visitors that before any cookies are placed, they need to actively consent to cookies being set on their devices.

Users must be aware of what they are agreeing to. To do this, you can implement a pop-up or banner that provides users with clear options to accept, reject, or customize their cookie preferences.

PRO TIP: Obtain explicit consent before placing cookies. It is not just a best practice but a legal requirement in many jurisdictions.

Many laws, including the GDPR in Europe, require explicit consent before placing cookies on a user’s device. This means users should clearly agree to the use of cookies, usually through a button or checkbox, like in this example from PopSockets:

PopSockets' cookie consent banner on a white background.

On the other hand, implied consent is based on user behavior, such as continuing to browse the site, and does not meet the legal standards set by many data protection laws.

5. Information on How Users Can Accept or Reject Cookies

Outline the steps users can take to accept or decline cookies when prompted by the cookie banner or pop-up on their initial visit. Include information on how they can accept some cookies and reject others.

On my website, I make sure to remind visitors that they have the choice to either accept all cookies or select specific ones based on their privacy and comfort level. This way, users can enjoy a personalized experience while feeling secure about their data.

PRO TIP: Avoid overwhelming users with excessive information when designing your cookie banner. A simple and informative message increases the likelihood of obtaining user consent.

6. Cookie Opt-Out and Management

Users must be able to adjust their cookie preferences as their needs change. You can add a cookies opt-out and management clause that provides detailed instructions on how they can change their cookie settings after their initial acceptance of cookies.

Tell visitors they can access the cookie settings through the footer or the privacy settings page. Here, they should be able to see their current settings and make adjustments.

It’s also good practice to inform them how they can access their browser settings to disable cookies altogether if they choose to do so. I like how Peak Design gave an extra tip on how users can take control of their data online:

Peak Design's instructions for changing cookie settings on a white background.

7. Data Retention Period

Specify how long the cookies on your website will retain user data before it is deleted or anonymized. Especially if your site utilizes a large number of cookies, providing clear timelines for each type can enhance transparency and trust.

Tell them that some cookies might store data for a limited time, like session cookies that expire once they close their browser.

On the other hand, persistent cookies can remain on their devices for a longer duration. Often, this type of cookie remains until they are manually deleted or until the expiration date set by your site.

According to data protection laws, websites should only store personal data for as long as necessary to fulfill their intended purpose.

For example, you can set analytics cookies to expire after 24 months if the data is only needed for annual reporting. Failure to adhere to these guidelines can lead to significant penalties.

8. Third-Party Cookies

In your third-party cookies section, disclose whether your website or app uses cookies provided by third parties.

These cookies are set by domains outside the one the user is visiting, typically by companies providing external services like advertising networks, analytics firms, and social media platforms.

Here’s how Wells Fargo informed its site visitors about the use of third-party cookies:

Wells Fargo's third-party cookies information on a white background.

In addition to informing users about the presence of these cookies and their purposes, tell them how they can opt out or modify their settings if they prefer not to have their activity tracked by third parties. This shows you respect their choices on your site.

9. Contact Information for Questions

Include contact information for users with questions or who need further clarification about cookie policies.

What I do on my websites is that I provide them with several channels for communication, such as a dedicated email address, a phone number, and even a mailing address if applicable.

Additionally, you could offer a contact form specifically for privacy concerns and queries. This ensures users have direct and straightforward ways to reach out to you.

Creating a cookie clause for your privacy policy is essential to ensure transparency about how cookies are used on your website and to comply with legal requirements like the GDPR and CCPA. Follow these steps to craft a comprehensive cookie clause:

Step 1: Define Cookies

Start by explaining what cookies are, especially for non-technical users. Describe them in simple terms:

Example: “Cookies are small text files stored on your device when you visit a website. They help improve your experience by remembering your preferences, login information, or analyzing how you use our website.”

Step 2: Explain the Types of Cookies Used

List and define the types of cookies your website uses. Common categories include:

  • Strictly Necessary Cookies: Essential for the website to function properly.
  • Performance Cookies: Collect anonymous information on how visitors use the website.
  • Functionality Cookies: Remember the choices you make, such as language preferences.
  • Targeting/Advertising Cookies: Track your activity to show personalized ads.

Provide examples and purposes for each type:

Example: “We use performance cookies to analyze how visitors use our site, enabling us to improve functionality.”

Step 3: Disclose Third-Party Cookies

If third parties (like Google Analytics or advertisers) use cookies on your site, explain this:

Example: “We allow third-party services like Google Analytics to set cookies on your device to track user behavior and improve our services.”

Step 4: Explain the Duration of Cookies

State how long cookies will remain on the user’s device (session or persistent cookies):

Example: “Some cookies expire once you close your browser, while others may stay on your device for a set period or until you delete them.”

Step 5: Explain How You Obtain Consent

Inform users about how you obtain their consent to use cookies:

Example: “By continuing to use our website, you consent to the use of cookies as described in this policy.”

Step 6: Give Users Control Over Cookies

Explain how users can manage or block cookies. Include instructions for browser settings or link to external cookie management tools:

Example: “You can control or block cookies through your browser settings. Please refer to the help documentation for your browser to learn more.”

Step 7: Link to Your Cookie Policy

If you have a separate cookie policy, provide a direct link to it within the privacy policy.

Step 8: Update Clause as Necessary

Indicate that you may update the cookie clause in the future and inform users how they’ll be notified of changes.

To help you understand what an effective cookies clause looks like in practice, check out the examples below.

These excellent privacy policy cookie clause examples show how different online businesses articulate cookie usage, manage consent, and communicate user options clearly.

Manscaped

Manscaped uses a brief clause in its privacy policy that is easy to understand. They clearly explain what cookies are and what they do, which helps even those who aren’t tech-savvy get the basics without feeling overwhelmed.

Manscaped's privacy policy cookies clause on a white background.

This simplicity is one of its strengths, as it avoids complicated jargon and makes the information accessible to everyone. They also include a link to their full Cookie Policy for users who want to learn more, which is great for keeping the main policy uncluttered.

While streamlined, it could be improved by briefly mentioning how users can manage their cookie preferences directly in the main clause. This would provide immediate clarity on user options without requiring them to click through to another page.

Vici

Another good example of a privacy policy cookies clause is this section from Vici. The policy lists the types of cookies it uses, helping users know exactly what kind of data is being tracked and for what purposes.

Vici's privacy policy cookies clause on a white background.

That said, users would have appreciated it more if Vici included a direct link to its Cookie Settings within the clause itself. The absence of this link means users would have to navigate through multiple pages to adjust their preferences.

It would have also been better if they named the third parties who may have access to their users’ browsing data.

Alo Yoga

Alo Yoga maintains a general privacy policy and complements it with a dedicated policy specifically for cookie usage.

Alo Yoga's privacy policy cookies clause on a white background.

Like Manscaped, this dual-policy approach allows for detailed explanations without overwhelming the general privacy policy with technical details about cookies.

Moreover, this means that users looking for general privacy information are not bombarded with cookie-related details, making the information more digestible and accessible.

Meanwhile, those interested in the specifics of cookie management can find all the necessary details in the dedicated section.

Victory Hangers

Victory Hangers offers a unique approach to its privacy policy cookies clause by using a question-and-answer format. This makes the information more engaging and easier to understand for users who may be unfamiliar with how a company uses cookies.

Victory Hangers' privacy policy cookies clause.

By framing the details as answers to common questions, Victory Hangers demystifies the subject, making it more accessible and less daunting for users to navigate.

Questions like “What are cookies?” “Why do we use them?” and “How can you manage your cookie settings?” guide users through the information systematically. This format also allows for clearer communication about how cookies impact the user’s experience.

Crown and Caliber

I like Crown and Caliber’s privacy policy because, apart from detailing the cookies that are used on the site, it also provides practical help for users looking to manage their cookie preferences.

Crown and Caliber's privacy policy cookies clause on a white background.

The linked content can guide users on how to adjust the cookie and browser settings of popular browsers like Google Chrome, Apple Safari, and Mozilla Firefox.

Crown and Caliber’s privacy policy goes even a step further by including a link to allaboutcookies.org. This website is an extensive resource for anyone looking for detailed information about cookies and data privacy.

Frequently Asked Questions

Do I need a cookie policy if I have a privacy policy?

Yes, if your website uses cookies, it’s best to have a dedicated cookie policy. This ensures clarity and compliance with privacy laws.

What types of cookies should I disclose in my privacy policy?

Disclose all types used: essential, performance, functionality, and advertising cookies. Detail their purpose and data handling.

Do I need to update my privacy policy if I add or change cookies?

Yes, update your privacy policy whenever you add or change cookies. This keeps it accurate and compliant.

How often should I review and update my cookies clause?

Review and update your cookies clause annually or whenever you change cookie use. This ensures ongoing compliance.

How can I ensure my cookies clause complies with GDPR?

To comply with GDPR, ensure your cookies clause offers clear consent options and details on cookie types.

Andreea Mare
CIPP/E, CIPM, FIP, ECPC-B, LLM
Andreea is a data protection and privacy specialist with many years of education and expertise in this area of law. She helps clients by ensuring compliance is reached on all levels while taking into account the legal requirements and their business needs.