Cookie Notice

The cookie policy deals specifically with the use of cookies on your site, whereas the privacy policy is a general document regarding all of the data processes on a website, including contact forms, mailing lists, etc.

Often, the cookie policy is integrated as a part of the privacy policy of a website or an app. Arguably, it is the most challenging part. At the heart of this is the nature of cookies:

  • Firstly, cookies tend to change often. Because the policy has to be current and correct, it must be revised whenever they change.
  • Secondly, cookies operate out of sight. Most website owners don’t even know themselves what cookies are in operation on their own website.
  • Thirdly, the majority of the cookies in operation on a website are usually set by third parties, i.e. have another provenance than the website itself.
  • Therefore, it can be hard to have a complete overview at all times of the cookies in operation on your website, what information they gather, for what purpose, and where in the world the data goes to.

The easiest way to ensure full control over your cookies, and to be sure that you have an accurate and updated cookie policy for your website, is to get a GDPR/ePR and CCPA compliant cookie solution, where the cookie policy is integrated with the actual monitoring of cookies on your website.

With Cookiebot, the monthly report from the cookie scan can be integrated, with a few lines of JavaScript, as an automatically updated part of your privacy policy or cookie policy, guaranteeing that they are always up to date and accurate.

Cookiebot is a consent management solution that enables full GDPR/ePR and CCPA compliance for your website.

We empower you to take care of all that is cookie-related on your website, so that you can have peace of mind, knowing that your website complies with the regulations.

Does the GDPR affect websites in the US?

The short and simple answer is ‘yes’.

First and foremost, the GDPR is a universal law for the European Union.

This means that the GDPR applies not only to all websites operating within the EU, but also to all websites that deal with users from the EU.

So, since its enforcement in May 2018, all sites are affected except strictly local ones outside of the EU.

In a PwC survey of American multinational organizations, 92 percent said GDPR compliance was a top priority, and 71 percent had already started preparations (in January 2017). These included privacy policies, IT security and discovery of all the data they currently had.

In the US, the laws on the protection of data are more fragmented, because they are a patchwork of sector-specific laws, regarding for example healthcare companies or financial institutions, or restricted to specific states, like California.

However, since the GDPR is the most thorough and far-reaching data protection regulation ever passed, it is likely to go global or at the least to serve as a model for future regulations on the protection of data.

Therefore, it is in any case relevant to take measures to comply.

The regulations might here and now seem like an annoying obstacle for companies, but in the long run they are helping to restore the trust and equity between companies and consumers in a data-driven world.

Does the CCPA affect websites outside the US?

A short and simple yes here too.

The California Consumer Privacy Act (CCPA) has extraterritorial jurisdiction. It means that it applies to any business that collects or processes the personal information of California residents, regardless of where in the world that business is located.

However, to be regarded as a business under the CCPA rules, a company has to meet one of the three following attributes:

  • have an annual gross revenue exceeding $25 million,
  • derive 50% or more of its annual revenues from selling consumers’ personal information,
  • buy, receive, sell, or share the personal information of 50.000 or more California residents, households or devices a year.

This means that if a company is based in, say, Singapore or Italy, but buys or sells the personal information of at least 50.000 California residents, that company is liable for CCPA compliance.

You can find many examples and templates for your cookie policy on the internet.

Keep in mind, however, that your policy should be revised and updated regularly, to make sure that it informs about the actual cookies in use on your site.

FAQ

What is a cookie policy?

A cookie policy is your website’s way of telling its users what cookies and trackers it uses, what data these collect, for what purposes, for how long they are active and with whom it shares this data. Users must also be informed via your cookie policy of how they can revoke consent to or opt out of having their personal data collected, processed and shared.

What cookies does my website use?

Your website uses first-party cookies that are strictly necessary for its basic function, but it’s very likely that it also uses third-party cookies for analytical or marketing purposes, e.g. through analytics tools, marketing software or social media plugins. To be sure what cookies your website uses, use a consent management platform to perform deep-scans of your domain.

How does my cookie policy become GDPR compliant?

The EU’s General Data Protection Regulation (GDPR) requires your website to have an up-to-date cookie policy that informs users what type of cookies it sets, how long they are active on users’ browsers, what kind of data they collect, what purpose they collect it for, where the data is sent to and with whom it’s shared, and how users can reject cookies or revoke already given consent.

How does my cookie policy become CCPA compliant?

The California Consumer Privacy Act (CCPA) requires your website to inform California residents at or before the point of data collection about the categories of personal information it collects, to which third parties this is sold or disclosed, what types of cookies and trackers are in operation and a description of consumer rights and how to exercise them.