Writing a Sample Cookie Policy
This article goes through the main headings and sections of a sample cookie policy template. However, it is not a complete Cookie Policy Template and should be used to write your own cookie notice. Read through the ICO guidance pages on PECR if you are unsure of your cookie law obligations.
PECR Compliance
The Privacy and Electronic Communications Regulations 2003 (PECR) is a UK regulation that works in conjunction with the UK GDPR and Data Protection Act 2018. The PECR sets out the regulations relating to privacy and electronic communications. It is most commonly associated with direct marketing rules and the ‘cookie law’.
If you set cookies on your website, carry out direct marketing and/or provide an electronic communications service or network, you must comply with the PECR. However, you should also check if you need to comply with the data protection laws. The GDPR applies alongside the PECR where cookies or direct marketing relate to personal data. An example of this would be identifying an individual through the use of cookies (online identifiers).
What is a Cookie?
A ‘cookie’ is a small text file or piece of data that is sent from a website and stored on a user’s device. The device can be a computer, tablet or mobile device on which the cookie is stored when the user accesses the website. Cookies are a form of identification that allows a website to recognise a user’s device and remember preferences from previous visits.
Whenever you visit a website for the first time, cookie(s) are downloaded onto your device. There are multiple reasons that websites use cookies. The most common cookie uses include making websites work more efficiently and retaining shopping cart choices.
What is a Cookie Policy?
There are two steps to complying with the cookie rules on a website. Where any cookies are set, you have an obligation to notify users when they visit your website. Pop-up cookie notices are a common sight on most websites. They usually require you to accept or reject the cookies before you start browsing.
The initial cookie notice advises visitors that you are setting cookies and gives options for managing them. However, it is also a legal requirement to have a full Cookie Policy on the website. This is usually accessible from the notice and provides in-depth information about the cookies used. The cookie policy should detail what cookies are, the types used and how to manage them.
It is good practice to provide easy access to a Cookie Policy. This is usually via the menu and/or footer of a website. The policy should also be accessible from the initial pop-up cookie notice, and at all times on the website, not just when the user first sees the Cookie Notice pop-up. Likewise, it is best practice to provide a link to the policy from the Privacy Notice. Similarly, you can add links to the Cookie Policy and Privacy Notice in emails, text messages and in apps.
Complying with the Cookie Law
In the UK, the Privacy and Electronic Communications Regulation (PECR) sets out the rules regarding the use of cookies on websites. Section 6 of the Regulation prohibits the storing and accessing of information on a user’s terminal equipment (device) unless consent has been obtained.
Consent in the PECR uses the same definition as that of the UK GDPR. You must evidence that consent has been obtained via an affirmative action (i.e., signature, non-ticked box). It must be clear, granular and demonstrate a positive opt-in.
The PECR requires that detailed, clear, and relevant information is provided to the user regarding the existence of any cookies. Therefore, the cookie policy should include what each cookie does and what its purpose is. Consent must then be obtained from the user to allow cookie(s) to be stored on their device.
An exception to gaining consent is for necessary cookies. This is where a cookie is essential for providing a service requested by the user (for example, to remember shopping cart items). However, it is still a requirement to provide information about the cookie(s) in the Cookie Policy.
How to Manage Cookie Settings
A cookie policy should also provide users with information about how to manage and change any cookie settings. It should always be explained to visitors that essential cookies cannot be rejected as they are necessary for ensuring that the website functions correctly.
However, you can still provide details on how to manage all non-essential cookies and explain how to control cookie settings via the user’s browser or device settings.
If you want to understand more about cookies and what your obligations are, you can visit www.allaboutcookies.org.
Cookie Policy Template
If you would prefer to purchase a professional compliance policy, Know Your Compliance Limited are here to help. Our easy to use and customise Cookie Policy Template can be purchased on its own or as part of our exclusive PECR Policy Toolkit, a suite of templates that allows for easy compliance with the many PECR rules and requirements.
Whether you require a cookie policy template, direct marketing policy template, or want to use a PECR checklist to ensure compliance, our PECR Policy Toolkit includes it all.
Available as a standalone toolkit or included in our complete UK GDPR Bundle.