
Writing Cookie Notices


Topics Covered

This section covers the following topics:

  • Learn the basics about cookies

  • Understand the regulatory landscape of cookie laws

  • What a cookie audit looks like

  • Example cookie banner

  • Tips on writing your own cookie banner

Please be advised that this “Cookie Notice Advisory Site” is provided as guidance and does not constitute legal advice. Please use it as a helpful reference. You may contact us for assistance by calling or emailing our service desk; contact links can be found at the bottom of this page.

Step 1: An Introduction to Cookie Notices

The world is abuzz with cookie banners and cookie notices, prompting users for consent to plant technical cookies on devices. But what is a website cookie, and why all the recent attention?

In this section, we will examine website cookies from the perspective of how these tiny but powerful technologies relate to everyday businesses, including:

  • understanding the idea of website cookies, how they work, and their various forms;

  • realising the power of cookies, their benefit to website operators, and the concern of privacy advocates regarding unchecked cookie power;

  • understanding emerging laws that regulate the use of cookies, including fines and penalties that governing bodies can impose;

  • auditing websites to create an inventory of cookies employed throughout one’s website;

  • writing a cookie banner and cookie notice, and creating an online cookie inventory with attributes within a cookie table;

  • employing automated cookie tools such as OneTrust to manage cookie consent; and

  • getting help from Allendevaux privacy professionals with your site’s cookie notice, from a cursory review (with recommendations) to a full implementation.

Understanding Cookies

Many people ask, “Why are website cookies called cookies at all?” Some say the term cookie was coined after the story of Hansel and Gretel, who were able to mark their trail through a dark forest by dropping cookie crumbs behind them as markers of where they had been. In computation, the concept was first used on UNIX operating systems, and to differentiate, they were originally called magic cookies.

While we no longer call them magic cookies, they are commonly called technical cookies, website cookies, or simply cookies. But what are cookies, and how are they used?

Cookies are small text files that a cloud service (such as amazon.com) places onto your device (your phone, laptop, tablet, etc.) when you view websites online. Like the analogy of Hansel and Gretel, a cookie enables website operators to recognise that you’ve visited their site before, storing data about you and your preferences so that you’re not prompted to repeat yourself. Examples of information stored in a cookie are your personal registration data such as your name and email address, the contents of a shopping cart, the preferred layout of a webpage, your preferences, and so on. Without cookies, websites wouldn’t be able to personalise many things.

Can Cookies Spy on Me?

Nobody likes being spied on. Even something we do in public, such as browsing for clothing in a crowded store or purchasing groceries, becomes offensive if we discover someone not far off has been spying on our activities. Similarly, it’s deeply disturbing to think a company is monitoring and tracking our online activities and profiling us as individuals without consent.

But can cookies actually spy on my activity? In a word, yes. The word “spy” means to observe or collect information without the subject’s awareness or consent, and when a user is not informed about cookies being placed on their device, that is spying. Worse than a contravention of ethics, this activity is illegal in many regulated territories, and punishable by fines and penalties.

Cookies collect information in many forms, and report this information back to the cloud services. When information is collected by a network of advertisers and the results are correlated and compiled, it’s possible to build an intelligent profile of an individual and their online habits. Whilst concepts such as supercookies, evercookies, fingerprinting, canvas fingerprinting, and other techniques are beyond the scope of this write-up, all of these feed the intelligent analytics that concern privacy advocates.

Step 2: Understanding the Regulatory Landscape of Cookie Laws

Most online users do not understand the power of cookies, and regulators are working to ensure the power of cookies does not go unchecked. While governments around the world are drafting new cookie laws as of the writing of this text, such as Brazil’s LGPD or California’s CaCPA, the European Union’s ePrivacy Directive provides an excellent baseline to examine, soon to be upgraded to the ePrivacy Regulation (ePR).

The ePR covers more than just cookies, including unsolicited email, spam text messages, automated calling and other annoyances that marketing companies use. Regarding cookies, the ePR will be upgrading requirements for cookie compliance. Even though the forthcoming regulation is a European text, it applies to companies in other countries as long as they send direct marketing communications to EU individuals, collecting information and using cookies. The penalties for violating the ePR can be massive, expected to range from 10 to 40 million euros, or 2% to 4% of global revenue, whichever is greater, depending on the violation. But why are high fines being implemented?

Fines and compliance penalties (such as a mandatory biannual audit by a third party) are intended to ensure compliance with cookie laws, which are designed to respect the privacy and security of individuals unless consent has been provided to collect, track and profile a user’s online activity. But not all cookies are the same, and cookies collect differing types of information depending on their type.

The Most Common Types of Cookies

In most cases, there are four types of cookies you will encounter:

Strictly Necessary Cookies

Strictly necessary cookies enable you to move around the website and use its features. Without these cookies, we will not be able to provide certain features, such as automatic forwarding to the least busy server, or remembering your wish lists.

Performance Cookies

These permit website operators to measure and improve the site’s operation: counting visitors, tracking traffic sources, and determining how visitors move around the site.

Functional Cookies

These permit enhanced functionality and personalisation of the website, such as live chats.

Targeting Cookies

Also called advertising cookies, these build profiles of your interests and show you relevant ads on other sites.

Your cookie notice should list these cookie classifications, and inventory the cookies used under each heading. In order to do this, it’s best to start by conducting a cookie audit, and this topic is covered next.

Step 3: Conducting the Website Cookie Audit

In order to comply with regulations, and in order to write a proper cookie notice, start by auditing your existing website. To view an example website audit performed by certified IBITGQ auditors at Allendevaux & Company, use the contact page and let us know. We’d be happy to send over an example.

The audit produces an inventory of cookies used throughout the site, and determines the types and attributes of the cookies used to track a user’s online activity.

Often, the audit results surprise website operators, who had not realised the types and extent of cookies being employed, including by third-party tools. In nearly all cases, the website audit reveals a labyrinth of linked pages violating existing laws, but the audit also produces a list of actions to take to bring a site into compliance. The audit also produces a comprehensive list of cookies that can be listed in the cookie notice, demonstrating that due care and due diligence have been exercised responsibly.

Once you have the results of your website audit, you can construct two essential elements:

  1. The website cookie banner, which is displayed when a user first visits the website, and collects consent from users to employ cookies;

  2. The website cookie notice, which provides detail about which cookies are employed, whether each is a first-party or third-party cookie, the cookie’s name, and attributes such as its lifespan.

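The inventory that the audit produces can be assembled from the Set-Cookie headers a crawler captures while visiting the site. The following is an added example in JavaScript, not code from this site or from Allendevaux & Company: it parses each captured header into the columns the cookie tables use (Cookie Name, Source, Lifespan), sorts cookies into first-party and third-party tables, and flags cookies set without the Secure attribute. The site name acme.example, the host names and the captured headers are constructed for illustration, and the first-party test is a simplified suffix match rather than a Public Suffix List lookup.

```javascript
// Added example for the cookie-audit step; not code from the Allendevaux page.
// Site and host names are hypothetical; the captured headers are constructed.

const SITE_DOMAIN = "acme.example"; // the site being audited (hypothetical)

// Reference instant for converting an Expires= date into a lifespan (constructed).
const AUDIT_TIME = Date.parse("2024-01-01T00:00:00Z");

// Constructed sample captures: each Set-Cookie header with the host that sent it.
const CAPTURED = [
  { host: "acme.example",
    header: "wpcs_consent=1; Max-Age=25920000; Path=/; Secure; SameSite=Lax" },
  { host: "www.acme.example",
    header: "sid=abc123; Path=/; HttpOnly; Secure" },
  { host: "pay.thirdparty.example",
    header: "tsx=xyz; Domain=.thirdparty.example; Max-Age=1380; Secure; SameSite=None" },
  { host: "stats.thirdparty.example",
    header: "_vid=42; Domain=.thirdparty.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/" },
];

// Parse one Set-Cookie header (RFC 6265 shape) into the attributes the audit records.
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    domain: host,   // without a Domain attribute the cookie is scoped to the responding host
    maxAge: null,   // seconds until expiry; null means a session cookie
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1) : "";
    if (key === "domain") cookie.domain = val.replace(/^\./, "");
    else if (key === "max-age") cookie.maxAge = Number(val); // Max-Age takes precedence over Expires
    else if (key === "expires" && cookie.maxAge === null)
      cookie.maxAge = Math.round((Date.parse(val) - AUDIT_TIME) / 1000);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Render a lifespan the way the cookie tables do ("Session", "23 minutes", "1 year").
function humanLifespan(seconds) {
  if (seconds === null) return "Session";
  if (!Number.isFinite(seconds)) return "Unknown";
  if (seconds <= 0) return "Expired";
  const units = [["year", 365 * 86400], ["month", 30 * 86400], ["day", 86400],
                 ["hour", 3600], ["minute", 60]];
  for (const [label, size] of units) {
    if (seconds >= size) {
      const n = Math.round(seconds / size);
      return `${n} ${label}${n === 1 ? "" : "s"}`;
    }
  }
  return `${seconds} seconds`;
}

// First party if the cookie's domain is the site itself or a subdomain of it.
// A production audit should compare registrable domains via the Public Suffix List.
function isFirstParty(cookieDomain, siteDomain) {
  return cookieDomain === siteDomain || cookieDomain.endsWith("." + siteDomain);
}

// Build the two tables used in the notice (first party, third party), with a
// per-row list of attribute findings a reviewer would want to see.
function buildInventory(captures, siteDomain) {
  const inventory = { firstParty: [], thirdParty: [] };
  for (const { host, header } of captures) {
    const c = parseSetCookie(header, host);
    const issues = [];
    if (!c.secure) issues.push("missing Secure");
    const row = { name: c.name, source: c.domain, lifespan: humanLifespan(c.maxAge),
                  httpOnly: c.httpOnly, sameSite: c.sameSite, issues };
    (isFirstParty(c.domain, siteDomain) ? inventory.firstParty : inventory.thirdParty).push(row);
  }
  return inventory;
}

// Print the inventory as the notice would list it.
const inv = buildInventory(CAPTURED, SITE_DOMAIN);
for (const [party, rows] of Object.entries(inv)) {
  console.log(party);
  for (const r of rows) {
    console.log(`  ${r.name} | ${r.source} | ${r.lifespan} | ${r.issues.join(", ") || "ok"}`);
  }
}
```

Max-Age is preferred over Expires, as browsers do, and a cookie with neither is reported as a session cookie; the Source column is the Domain attribute when present and otherwise the responding host, which is what decides whether a cookie lands in the first-party or third-party table.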
Step 4: Writing a Cookie Banner

Your website’s cookie banner should appear when visitors first arrive at your site. Sometimes called a “consent banner”, these short notices inform users about the cookies the website wants to use, and give users a choice (called consent) before setting a cookie on the user’s device.

Within the European Union, the ePrivacy Directive, in association with the GDPR, requires prior, informed consent from users before cookies are set; further, you must document each consent for every unique visitor. As a general rule, follow these guidelines:

  • Give visitors an opportunity to opt in to and opt out of any type of cookie, providing specific and accurate information on all cookies and other tracking technology in use on the website.

  • Record consent before collecting any data from the user, keeping the record securely stored.

  • Allow visitors to withdraw their consent at any time.

  • Delete visitors’ data upon request.

  • Renew consent requests every 12 months.

Some of you may choose to use an automated tool to do this, and there are many you can use. If you need help with any of this, including which tool to use, contact Allendevaux & Company at info@allendevaux.com.

Website Cookie Banner Examples

Cookie Banner Example One

This website employs cookies to remember users and understand ways to enhance each user’s experience. While some cookies are essential, others help us improve your experience by providing insights into how the site is used. For more information, visit our Cookie Notice.

Cookie Banner Example Two

To make this website work properly, and to provide the most relevant services to our visitors and platform users, we place small data files called cookies on your device when we have your consent to do so. Our Cookie Notice provides you with information about these cookies, what they do, your choices related to these cookies, and how to control them for this website.

<Accept Cookies>

Providing Choice and Receiving Consent

Regardless of the notice you write, you must place a tick box or button that permits users to accept cookies, such as <Accept Cookies>. If you have the capability, it is also helpful to provide a separate choice for each type of cookie used by your system. You’re probably familiar with seeing something similar to the following:

Cookie Type and Description | Choice

Strictly Necessary Cookies: These cookies allow the provision of enhanced functionality and personalisation, such as videos and live chats. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these functionalities may not function properly. | Always On

Performance Cookies: These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site. | On/Off

Functional Cookies: These cookies allow the provision of enhanced functionality and personalisation, such as videos and live chats. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these functionalities may not function properly. | On/Off

Targeting Cookies: These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant ads on other sites. They work by uniquely identifying your browser and device. If you do not allow these cookies, you will not experience our targeted advertising across different websites. | On/Off

It is important in some geographies to ensure the preferences are not set to “On” by default, in accordance with an explicit consent requirement. This requires an individual to consciously switch a preference from “Off” to “On” before saving the overall preference settings.

As mentioned earlier, the consent selection must be recorded securely, and renewed every 12 months.

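The banner guidelines above (non-essential categories off until the visitor switches them on, consent recorded before any data is collected, withdrawal at any time, renewal every 12 months) can be captured in a small consent model that every cookie-setting code path consults. The following is an added example in JavaScript, not code from this site or from Allendevaux & Company; the cookie name cookie_consent, the record layout and the category keys are assumptions of the example.

```javascript
// Added example for the consent guidelines above; not code from the Allendevaux page.
// The cookie name "cookie_consent", the record layout and the category keys are
// assumptions of this example.

const CATEGORIES = ["strictly_necessary", "performance", "functional", "targeting"];
const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_MS = 365 * DAY_MS; // "renew consent requests every 12 months"

// State of the toggles when the banner first appears: only the essential category is on.
function defaultPreferences() {
  return { strictly_necessary: true, performance: false, functional: false, targeting: false };
}

// Record the visitor's choice. Strictly necessary cannot be switched off, an unknown
// category is rejected rather than stored, and anything but an explicit true is "Off".
function recordConsent(choices, now) {
  const record = { version: 1, recordedAt: now, choices: defaultPreferences() };
  for (const [category, on] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (category === "strictly_necessary") continue;
    record.choices[category] = on === true;
  }
  return record;
}

// Consent counts only inside the renewal window; after that the banner must be shown again.
function isConsentCurrent(record, now) {
  return Boolean(record) && now - record.recordedAt < RENEWAL_MS;
}

// Withdrawal keeps the essential category and switches everything else off.
function withdrawConsent(now) {
  return recordConsent({}, now);
}

// The single gate to call before setting any cookie.
function mayStoreCookie(record, category, now) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === "strictly_necessary") return true;
  return isConsentCurrent(record, now) && record.choices[category] === true;
}

// The record is itself kept in a strictly necessary first-party cookie. Its Max-Age
// equals the renewal window, so a stale record disappears on its own.
function consentCookieHeader(record, name = "cookie_consent") {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${name}=${value}; Max-Age=${RENEWAL_MS / 1000}; Path=/; Secure; SameSite=Lax`;
}

// Read the record back from a Cookie request header; null if absent or malformed.
// The stored choices are re-validated through recordConsent rather than trusted as-is.
function parseConsentCookie(cookieHeader, name = "cookie_consent") {
  for (const pair of cookieHeader.split(";")) {
    const [k, ...rest] = pair.trim().split("=");
    if (k !== name) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      if (!Number.isFinite(stored.recordedAt)) return null;
      return recordConsent(stored.choices, stored.recordedAt);
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Walk-through: the visitor enables performance cookies only.
const shownAt = Date.parse("2024-03-01T00:00:00Z");
const consent = recordConsent({ performance: true, targeting: false }, shownAt);
console.log(consentCookieHeader(consent));
console.log(mayStoreCookie(consent, "performance", shownAt + DAY_MS));     // true
console.log(mayStoreCookie(consent, "targeting", shownAt + DAY_MS));       // false
console.log(mayStoreCookie(consent, "performance", shownAt + RENEWAL_MS)); // false: renewal due
```

Treating the absence of a record and an expired record identically (no non-essential cookie may be set) is what keeps the default at “Off”; the server-side copy of each record, kept for the documentation requirement mentioned above, would be written at the same point where recordConsent is called.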
Step 5: Writing the Cookie Notice

With that background, it’s time to write your cookie notice. The following is an example website cookie notice. You may copy and modify this notice for use on your own website, changing the contents to fit your unique environment. We recommend that your cookie notice be a dedicated page, with a link to it made available from the footer of every webpage.

An Example Cookie Notice That You Can Use

Cookie Notice

Last modified: Date

Introduction

To facilitate this website’s functionality, and to deliver pertinent services to cloud users and website visitors, this site installs tiny data files called cookies onto your device when you provide us with consent to do so. Accordingly, this notice relays information about these cookies, detailing their functionality, your ability to permit or deny their installation, and how to control them.

What Is A Cookie?

A cookie is a small text file that a cloud service or website saves on your computer, phone, tablet or other mobile device when you visit the website. Once these files are installed on your system, the cookies are transmitted back to the originating cloud service or website on each subsequent visit, enabling the service to recognize returning users with their saved preferences and user selections. In some cases, other affiliated websites may recognize the same cookie, enabling cookies to be shared across related services.

Cookies on this site may be delivered as first-party cookies (set by Acme Services) or third-party cookies (set by another website), and may also be set in association with emails you receive from us. Please be aware that third-party cookies are cookies set by an entity other than the website owner for purposes such as collecting information on user behavior, demographics, or personalized marketing. Examples of third-party cookie sources are youtube.com, doubleclick.net and others, where these third-party tools are used within the Acme Services website; in those cases, the cookie is controlled by the third party. These cookies enable embedded content to function properly, such as YouTube videos, Facebook advertising, Instagram feeds, PayPal payment processing forms, application forms or other tools. Again, if used, these associated services use their own cookies. We do not have control over the placement of cookies by other websites or the lifespan of these cookies, even if you are directed to them from our website.

Cookies help us enhance your experience when using the website. They also help us understand how people use our site, such as which pages are most popular, so that we can better serve our site users.

Cookies Used On This Site

You may encounter various types of cookies on this website, such as:

  • strictly necessary cookies, which are required for the website to function and cannot be switched off without impacting its functionality;

  • performance/analytical cookies, which permit website operators to measure and improve the site’s operation by counting visitors, tracking sources, and determining how visitors move around the site;

  • functional cookies, which permit enhanced functionality and personalization such as live chats;

  • targeting cookies, which build profiles of your interests.

Each of these cookies may be set by Acme Services in the form of a first-party cookie, or by one of our partners in the form of a third-party cookie. Because it is important for us to maintain transparency and foster choice, each of these is explained below.

Strictly Necessary Cookies

Strictly necessary cookies are necessary for the website to function and cannot be switched off. They are usually only set in response to actions made by the user which amount to a request for services, such as setting privacy preferences, logging in or filling in forms. Users can set their browsers to block or alert them about these cookies, but some parts of the site may not function properly.

First Party

Cookie Name | Source | Lifespan | Description
wpcs_consent | acme.com | 10 months | Tracks cookie consent preferences.

Third Party

Cookie Name | Source | Lifespan | Description
LANG | .paypal.com | 9 hours | Used to process payments with PayPal
tsrce | .paypal.com | 1 year | Used to process payments with PayPal
AKDC | | 3 years | Used to process payments with PayPal
X-PP-SILOVER | | Session | Used to process payments with PayPal
nsid | | 30 minutes | Used to process payments with PayPal
enforce_policy | .paypal.com | Session | Used to process payments with PayPal
tsx-pp-s | .paypal.com | 23 minutes | Used to process payments with PayPal
akavpau_ppsd (2) | .paypal.com | Session | Used to process payments with PayPal
X-PP-SILOVER | | 23 minutes | Used to process payments with PayPal
csrftoken | .instagram.com | 1 year | CSRF protection for Instagram feed.
PYPF | .paypalobjects.com | 1 month | Used to process payments with PayPal
Cookie Name | | 25 years | Session handling for form submission.

Performance And Functional/Analytical Cookies

Performance and functional/analytical cookies are similar, with slight differences; both report information back to the server or cloud service that is useful to the operator. Performance cookies provide reliability metrics, which can include but are not limited to network latency, packet loss, jitter, server-side delay and other helpful metrics. Functional/analytical cookies provide information such as the number of unique web users, demographics, browser types encountered, length of stay on a webpage, length of stay on a website, and other analytics useful to a website operator.

We use Google Analytics cookies to collect information about how visitors use our website. Google Analytics employs both performance and analytical cookies. These cookies collect information in the aggregate to give us insight into how our website is being used and how it’s performing. We anonymize IP addresses in Google Analytics, and the anonymized data is transmitted to and stored by Google on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. The following table has more information about these cookies.

Cookie Name | Lifespan | Description
_gid | 1 day | This cookie name is associated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited.
_ga | 2 years | This cookie name is associated with Google Universal Analytics, which is a significant update to Google’s more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site’s analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat_gtag_UA_589826_ | 38 hours | Used for Google Analytics.
ss_cid | 2 years | Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cpvisit | 2 years | Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvisi | 30 minutes | Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvr | 2 years | Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvt | 30 minutes | Identifies unique visitors and tracks a visitor’s sessions on a site.

To view an overview of the privacy of your Google Analytics cookies, please go here: https://support.google.com/analytics/answer/6004245

You may install a Google Analytics Opt-out Browser Add-on by going here: https://tools.google.com/dlpage/gaoptout

Targeting Cookies

Targeting cookies are set through a site by advertising partners. They may be used by those companies to build a profile of users’ interests and show relevant ads on other sites. They work by uniquely identifying a user’s browser and device. If a user does not allow these cookies, he/she will not experience targeted advertising across different websites.

First Party

Cookie Name | Source | Lifespan | Description
IDE | doubleclick.net | 22 months | This domain is owned by Doubleclick (Google). Doubleclick is Google’s real time bidding advertising exchange.

How To Control And Delete Cookies

You have the capability to control and delete cookies with most browsers. This section provides guidance regarding how to do that.

Using Your Browser

Many of the cookies used on our website and through emails can be disabled through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help”, “Tools” or “Edit” menus, depending on your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless you do so manually through your browser’s functions.

Cookies That Have Been Set In The Past

Collection of your data from our analytics cookies can be deleted. If cookies are deleted, the information collected prior to the preference change may still be used; however, we will stop using the disabled cookie to collect any further information from your user experience. For our marketing cookie, when a user opts out of tracking, a new cookie is placed to prevent the user from being tracked.

Questions?

For more information, feel free to contact our Data Privacy Manager at privacy@yourwebsiteaddress.tld.

A Brief Recap Before You Leave

  • Risk management is about minimising risks and effectively taking them when you do need to take them.

  • You need to know your risk and measure it before you can monitor improvement.

  • Risk is an asset in danger. To move assets away from danger you need an effective threat model.

  • Untreated risk is referred to as "inherent risk" and treated risk is referred to as "residual risk", or the risk that remains.

  • The goal isn't to completely remove all risk, as that's impossible. Your goal is to keep applying treatment until the risk is at an acceptable level according to your regulatory and contractual obligations.

Hey!

Beating Murphy isn't easy, but it can be done. If you need help, contact us. We have certified IBITGQ risk assessors to streamline the process. They'll do everything discussed above and more.