How to Create a GDPR-Compliant Cookie Policy for Your Website

by | Websites

Last updated: Nov 2, 2021 | Published: Dec 15, 2020

How to Create a GDPR-Compliant Cookie Policy for Your Website

Website cookies are the small digital files that are stored on a user’s device (PC or smartphone). These text files contain small pieces of data that are used to store the name of your website and identify a user’s device when they make a return visit.

As the Cookie Law applies to all online businesses, the majority of websites use several cookies. Although some users may find them annoying, if you keep your notifications simple, informative and transparent, you can help alleviate any concerns they might have.  

There is a wide range of information you can store in a cookie. For example:

  • The pages people visited
  • The length of time they spent on each page or the website as a whole
  • The account holders who have logged in
  • The links that visitors clicked 
  • The settings or the preferences they selected
  • The items they chose/bought

The primary purpose of recording a visitor’s behaviour is to customise their user experience. 

What is a cookie policy and why do websites need one?

A cookie policy informs users about the number and types of cookies active on your website. It also explains:

  • The specific data that you are tracking
  • The purpose of the collected information
  • Where you intend to send people’s data

Your cookie policy should allow visitors to change their settings or opt out altogether. It is vital that you regularly update your cookie page to ensure it is accurate.

As mentioned earlier, the purpose of cookies is to improve the user experience. Unfortunately, many users have grown wary of cookies as they are concerned about their online privacy and security. In fact, these people are right in the sense that cookies do pose a potential risk. For instance, you can use these files to monitor, store and share a visitor’s every move on your website. For this reason, website owners need to obtain explicit consent from their visitors before storing or sharing their browsing information.     

GDPR and Cookies

The General Data Protection Regulation (GDPR) is an EU law intended to protect a person’s private information online. GDPR rules guide businesses on how they should handle the sensitive information provided by their customers and users. Violations may result in fines and other penalties.

As cookies contain visitors’ personal information, you must tell people what you collect. You also need their express consent before you obtain and process their data. Furthermore, implied consent through disclaimers is not allowed under the GDPR.

This is why you need to include a cookie consent banner and policy page on your website. You should also provide visitors with a clear option allowing them to accept or reject the cookies.

How to write a GDPR-compliant cookie policy for your website

  • Learn about the cookies applicable to your website

You should begin by identifying the type of cookies that a website like yours will use. This will enable you to create a specific and valid policy for your site. Besides your own cookies, don’t forget to check the ones set by third parties; you should read their cookie policies to discover what they are using on your site. You can use Cookiebot’s free tool to do this: https://www.cookiebot.com/en/

  • Design the cookies

One option is to design your cookies as a pop-up box. Alternatively, you could create a notification and place it at the bottom of the screen. Either method will ensure that your visitors will immediately see the cookie warning. Make sure the cookie content is as brief as possible; if people want additional information, you can provide them with a link to your cookie policy page.

Our recommended solution is to use Cookiebot to manage this. It is free for sites up to 100 pages, and has tiered pricing thereafter. We can help you integrate this – find out more here.

  • Plan the content you want to incorporate in your policy

You can set the cookie policy as part of your main privacy settings or create it as an independent page. If you want to comply with the GDPR rules, you need to make sure that the language is direct and easily understandable. In addition, the policy should contain the following essential details:

  • Types of cookie used
  • The data you are tracking
  • The length of time your file will reside on a visitor’s browser
  • Why you use cookies
  • Where you send the data and who you share it with
  • Guidance on how to reject the cookies or change the cookie settings

Writing a cookie policy from scratch takes time. Fortunately, there are many free templates available online – just complete all the relevant details and you will have a policy tailored to your business. 

What happens if your visitors reject the cookie policy?

There will always be users who will decline your cookie policy. If this happens, you are not allowed to track their activities on your website. 

Remember, you cannot force people to give their permission and valid consent needs to be willingly given and specifically expressed. Moreover, users must be duly informed. Consent also requires a direct positive action from the visitor; for example, by clicking on a link. Permission will not be deemed to have been given if the cookie policy is difficult to understand or hard to find.

Conclusion

If you own a website, it is essential that you create a cookie policy that first-time visitors can easily read and understand. In addition, as it is not uncommon for people to initially land on a different page to your homepage, you need to make sure that you display the notification on every page. Make sure you place the link to your policy in a highly visible area of your website. Finally, don’t forget to include a simple guide on how people can reject your cookies.    

Similar articles