We see many organisations including details of their use of cookies on their Privacy Policy page. While this might be a fairly common practise, we don’t consider it best practice – for a number for reasons.

First is for simplicity. A cookies policy may have to go into some detail about your use of cookies and it should also provide users with instructions – or at least links to instructions – to clear cookies and change browser settings to block cookies.

If you include a lengthy cookie policy within your general privacy policy, you make the privacy policy longer and more complex and likely more difficult to understand. This goes against the principle of transparency:

Under the General Data Protection Regulation, information provided to a data subject should be ‘concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used’.

Long, complex privacy policy statements that would be difficult for a layperson to understand could, in theory, put you in breach of the regulation!

GDPR Cookies PolicyFor example, the GDPR Portal Cookie Policy page comprises nearly 600 words, has several links to external resources (like instruction sites for adjusting browser settings for Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox), and some video content explaining what cookies are and how behavioural advertising works.

We could try to pack this into our general Privacy Policy page, but we want to keep both of these as clear and concise as possible for the data subject, so we maintain the Cookie policy as a separate page.

We do make a brief reference to our use of cookies in our Privacy Page (under ‘passive information collection and use’) and include a link to the Cookies Policy page so that users can get more details if that is an area of interest.

Another reason is simply one of practicality. Our cookies acceptance popup has a link to our cookies policy page for the convenience of users. If a user of our web site has questions over how we are using cookies or what they can do to block cookies, they can click on the link and all the information they required will be available on a single page.

If the cookie policy was contained within the general privacy policy, the information would be more difficult to find and it may be more confusing for the user.

So if you are debating whether or not to have a separate cookie policy, we recommend having two separate pages. Of course you can include reciprocal links to each from both pages.

This simplifies the cookie acceptance experience and helps to maintain the principle of transparency for communication of privacy policy information to the data subject.

Data Protection Officers and others tasked the responsibility of protecting personal data at organisations will have many more difficult decisions to make than this one, but many simple, small steps take you closer to a complete and comprehensive strategy for compliance with the letter and the spirit of data protection legislation.

The short answer for this one is simply to maintain your Cookies Policy page separately from your Privacy Policy page.

About the GDPR Portal

The GDPR Portal site provides businesses with information on data protection and privacy issues and practical advice on the processes and procedures required to keep personal data safe, protect the rights of EU citizens and protect your organisation from the reputational and financial risks from breaches of the General Data Protection Regulation.

If you need help with developing, implementing or enforcing your data protection strategy, complete the contact form to the right and we’ll get in touch to see if we can help.

Need to speak to an expert about data privacy and protection?

 

Need help with your compliance strategy for GDPR and other data protection legislation?

 

Complete the enquiry form to arrange a no-obligation call to see if we can help.