If you’re based in Europe or you are officially targeting European users, then the cookie provisions may be relevant to you.
The reason for the cookie related obligations is the EU cookie law (also called e-Privacy Directive), which was last updated on 26 May 2011. Since then European states have interpreted and implemented the rules in various ways and stages. Your compliance measures will therefore depend on the country that is relevant to your project.
What’s expected from you if you fall under a cookie provision?
Make sure you explain what the cookies are used for. In particular these four tips seem to be a good framework to start from:
- Which are the cookies used on your site?
- Who is installing them?
- What are they being used for?
- How do you reject their installation/how do you uninstall them?
Iubenda’s privacy policy generator will assist you with the creation of a cookie policy. By activating the cookie policy within iubenda you will get a complete section covering the use of cookies on your site or application, within your existing privacy policy.
This post explains how you can create a cookie policy easily with the help of iubenda’s privacy policy generator.
How it works
Create a privacy policy with iubenda or choose the pre-existing privacy policy you want to improve. Then choose “Activate cookie policy” from within the customization settings in the right sidebar. This will open a modal window with forms that will help you with filling out and finalizing your cookie policy.
Iubenda prepopulates the cookies we know of (originating at your third party services). Therefore, all you have to do is to double-check your own cookies, add them to the appropriate forms and double-check the cookies we’ve identified for you.
What iubenda helps you with/Your next steps
The generator helps you out with a relevant structure by identifying the various relevant categories:
- Strictly necessary cookies
- Other cookies
- Automatically included cookies (included by the generator)
While you will have to manually include all of the cookies set by your application, we will help out by providing the cookies set by your third party services. We will also automatically group them with the appropriate categories, therefore we’ll also make sure that people understand what these cookies are good for.
Since the handling of cookie disclosures and their enforcement couldn’t be more of a mess across the continent, we’ve decided to start with this minimal implementation. Each country has their own rules for how you should handle the cookies and their disclosure. What this initial version provides you with, is the framework for disclosure within your privacy policy.
What you will have to take care of is the actual cookie notice and technical implementation according to your legislation. Some cookies need user consent and therefore need some sort of a banner to make sure that a user is able to consent to the use of those cookies.
Take this as a general statement:
Not all cookies require consent to be used. Those eligible for this exception are cookies essential to delivering the service requested by the user (the strictly necessary cookies mentioned above):
- session cookies,
- authentication cookies (for the duration of the session) and
- user security cookies (the above mentioned strictly necessary cookies).
Cookies that need consent are usually to be found in advertisement and analytics related fields.
We encourage you to read up on the situation in your country. To facilitate this, we’ve linked you to the relevant coverage below.
Overview for Europe’s legislations
Below you’ll find some notes regarding our main markets and some links to the relevant sites and documentation. European regulators, as part of the Article 29 Working Party, have published an opinion on cookies, which makes for insightful reading.
Here’s an additional interesting pdf that compares the state of the cookie law implementation across the EEA which is helpful on many levels [pdf removed by target page].
A defining element across the legislations is how that user consent needs to be sought. Is “implied consent” enough (the user sees the notice and keeps browsing because he consents to the setting of the cookies), or do you have to get prior consent that comes down to an “opt-in” solution?
UK
Status: the ICO investigates based on complaints.
Strict ‘opt-in’ consent required (or expected): no
The ICO regarding implementation of the notice:
It is likely to be more difficult to obtain consent for this type [not strictly necessary cookies] where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies. There are various ways in which information about cookies can be — see Providing information about cookies.
Ireland
- Data protection authority: Office of the Data Protection Commissioner
- Cookies link
- Mockup page to visualize the cookie guidance
Status: active
Strict ‘opt-in’ consent required (or expected): no
The authority regarding implementation of the notice:
It is particularly important that the requirements are met where so-called ‘third party’ or ‘tracking’ cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website’s use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies. Practically, for Irish website operators we suggest the following for minimum compliance with these requirements:
Paraphrased these requirements are:
- Consent may be obtained explicitly through the use of an opt-in checkbox which the user can tick if they agree to accept cookies: “I accept cookies from this site [Checkbox]”;
- Consent may also be obtained by implication: “By continuing to use this site you consent to the use of cookies in accordance with our cookie policy”.
Germany
Status: uncertain
Strict ‘opt-in’ consent required (or expected): no
The situation is confusing to say the least. The directive seems not to have been implemented properly, while recent news seems to confirm the opposite (more information in German). If you want to be completely sure, go with an opt-in solution.
Italy
- Data protection authority: Garante per la protezione dei dati personali
- Cookies link/guide (Italian)
Status: enforcement not before May 8th, 2015.
Strict ‘opt-in’ consent required (or expected): no
Official guidance outlines the need for a privacy policy with cookie info, to be published through a special banner shown on the homepage of the website. That banner must contain two parts:
- Advise the users that the site installs cookies (first as well as third party cookies) allowing users to consent to this kind of data processing;
- Place a link in the same banner to further information, especially for third party cookies which will allow the user to provide consent in a selective way.
Italian site owners are not liable for third party cookies according to this guidance by the Garante.
France
- Data protection authority: CNIL
- Cookies link
- Cookies guidance (French: Comment mettre mon site web en conformité ?)
Status: active
Strict ‘opt-in’ consent required (or expected): yes/no
The CNIL recommends a two-step approach to obtaining consent:
- the website must have a banner on the home page that complies with the CNIL recommendations;
- the user must be informed in a simple and intelligible way (on a dedicated page) of how they may consent or refuse to all or some of the cookies. The information must be clear and set out full details about each type of cookie used on the site and the reasons why each cookie is used.
Cookies can only be served if the visitor gives explicit/opt-in consent. Limited exemptions apply to analytics cookies.
Belgium
- Data protection authority: CPVP
- Cookies guidance (French: Projet de recommandation d’initiative soumise à enquête publique concernant l’utilisation des cookies)
Status: active
Strict ‘opt-in’ consent required (or expected): no
Cookies may be served if the user has given consent (the information must be clear and comprehensive about why their personal data will be collected and processed). Implied consent is possible.
The consent-collection mechanism, analysed below, must provide a clear, comprehensible and visible notice concerning the use of cookies. This notice will refer to the complete information about the cookie usage policy.
The Commission considers that browsing to other areas of the site (“further browsing”) may be regarded as active behaviour by which the user signifies unambiguous consent, provided the user is clearly informed of this and this information remains present on the site until the user makes an explicit choice or closes the information area.
Spain
- Data protection authority: AGPD
- Cookies link (Spanish: Guía sobre el uso de cookies)
- Cookies guidance infographic (Spanish)
Status: active
Strict ‘opt-in’ consent required (or expected): no
Spain’s data protection authority has produced great guidance which states that the cookie notices should be sufficiently visible and link to a place with more information in which you can reject the cookie installation. It’s enough to show the notice upon the first visit. Implied consent may be enough.
“In cases where the user does not expressly state whether or not they accept the installation of cookies, but continues to use the website or application, it could be understood that the user has given consent, provided that they have been clearly informed in this regard and that a notice is offered at all times, through the forms indicated in this guide, permanently providing information on the use of cookies and the possibility of uninstalling them.
The information offered in this first layer may be displayed in a format that is visible to the user, such as a layer, a bar or through similar techniques or devices, bearing in mind that placement at the top of the page would better capture users’ attention.”
Portugal
Explicit guidance from the Portuguese data protection authority about consent is still missing. The opinions regarding the Portuguese DPA’s stance are unambiguous, however: implied consent is probably not going to be enough and continuous use of a website will only be regarded as consent if clear and evident information has been given.
What’s next
Activate the cookie policy like this and follow the instructions in the cookie modal.
And take a look at our guides for
- How to find out which cookies are installed by your site
- How to add a cookie policy to your privacy policy
Or just make your first privacy policy with iubenda’s generator.
Cookie policy pricing
The cookie policy is included in our standard Pro subscription pricing at $27/year, as well as in any other license.