How do you draft a cookie policy?
If you have a website, you probably use cookies. Cookies, or trackers, are small text files saved on the computer or mobile phone of your users.
They are used in particular to improve the user experience, personalise content and advertising, and analyse traffic statistics.
However, their use is governed by French and European regulations.
To avoid penalties and protect your users' personal data, you must draft a cookie policy and ensure that the collection of the data processed complies with the regulations.
To create a cookie policy, you must identify all the cookies you use on your website.
To do this, you can use scanning tools such as Cookiebot or inspect the cookies using your web browser.
Another solution is simply to click on the padlock next to your URL address in order to display the website's cookies and data!
For each cookie, you must specify its purpose, its lifespan, the third party that places it and the consent required.
You must also explain how users can control cookies and withdraw their consent.
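The inventory step described above can be scripted. The following added example (not part of the original article) parses Set-Cookie response headers captured while browsing a site and fills in the lifespan and placing-party columns of the inventory; the host names, cookie values and the `buildInventory` helper are constructed for illustration, and the purpose and consent columns remain for the site owner to document.

```javascript
// Added example: cookie inventory from captured Set-Cookie headers.
// SITE_HOST and CAPTURED are constructed sample values, not real data.
const SITE_HOST = "www.example.com";
const CAPTURED = [ // [host that sent the response, Set-Cookie header value]
  ["www.example.com", "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  ["www.example.com", "consent_choice=refused; Max-Age=15552000; Path=/; Secure"],
  ["stats.example.net", "visitor=9f2c; Domain=example.net; Max-Age=31536000; Secure; SameSite=None"],
  ["ads.example.org", "uid=77; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Max-Age=7776000; Secure; SameSite=None"],
];

// Split one header into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf("=");
    attrs[(i === -1 ? item : item.slice(0, i)).toLowerCase()] = i === -1 ? true : item.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Max-Age wins over Expires (RFC 6265); with neither, the cookie ends with the session.
function lifespan(attrs, now) {
  let ms = null;
  if (attrs["max-age"] !== undefined) ms = Number(attrs["max-age"]) * 1000;
  else if (attrs.expires) ms = Date.parse(attrs.expires) - now.getTime();
  return ms === null ? "session" : `${Math.round(ms / 86400000)} days`;
}

// One row per cookie. Party is a simple suffix check against the visited host;
// a production audit would compare registrable domains (public suffix list).
function buildInventory(captured, siteHost, now = new Date()) {
  return captured.map(([host, header]) => {
    const { name, attrs } = parseSetCookie(header);
    const domain = (typeof attrs.domain === "string" && attrs.domain) || host;
    const setBy = domain.replace(/^\./, "").toLowerCase();
    const first = siteHost === setBy || siteHost.endsWith("." + setBy);
    return {
      name, setBy, party: first ? "first" : "third",
      lifespan: lifespan(attrs, now),
      purpose: "TO DOCUMENT", consent: "TO DOCUMENT", // filled in by the site owner
    };
  });
}

console.table(buildInventory(CAPTURED, SITE_HOST));
```

Rows marked "third" are the ones for which the policy must name the third party that places the cookie.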
There are three types of cookies:
Necessary cookies are essential to enable your website to function properly.
Performance cookies are used to collect information about how the website is used in order to improve it.
Targeting or advertising cookies are used to track users across different websites in order to offer them targeted advertising.
Yes, the use of cookies and the obtaining of consent for them are governed by the GDPR (General Data Protection Regulation) and by several texts, including Article 82 of the French "Informatique et Libertés" Act, as amended, which is based on Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (known as the "ePrivacy Directive").
Article 82 of the "Informatique et Libertés" Act provides that no information may be stored in a user's equipment, nor read from that equipment, without the user's prior consent, unless those actions are strictly necessary for the provision of an information society service expressly requested by the subscriber or user.
The CNIL (French Data Protection Authority) has also issued recommendations and guidelines on the use of cookies and other trackers.
The GDPR requires users to give their consent prior to the use of cookies for a specific purpose, except for necessary cookies.
You are asked to accept cookies in order to inform you of their use and give you the possibility of choosing to accept or refuse them.
This makes it possible to comply with regulatory obligations regarding the protection of personal data and to protect users' privacy.
Yes, you can refuse cookies by changing the settings of your web browser. However, this may impair the user experience and some services might not function properly.
In France specifically, an option must allow users to “accept all” but also to “refuse all” in the cookie consent collection banner.
You must therefore ensure that the user consent collection banner complies with the regulations.
On this point, the CNIL specifies that: “The CNIL points out that the information must be complete, visible and highlighted. In order not to mislead users, it also invites data controllers to ensure that the choice-collection interfaces do not incorporate potentially deceptive design practices intended to or likely to bias internet users' consent.”
The purpose of cookies is to improve the user experience by personalising content and advertising and by analysing traffic statistics.
They also make it possible to retain the user's preferences and to facilitate navigation on the website.
Cookies can be used to save items in the shopping cart of an e-commerce site, or to store the user's login information.
Cookies can also be used to deliver targeted advertising based on the user's interests and browsing habits, in order to maximise the effectiveness of online advertising.
In short, the purpose of cookies is to optimise the user experience on a website by offering personalised navigation tailored to the user's needs.
Refusing cookies can have disadvantages for the user, in particular a less personalised user experience.
Indeed, cookies make it possible to retain the user's preferences and to offer them relevant content. Moreover, some websites may not function properly without the use of cookies.
Cookies are controlled by the website that places them on the user's computer. These are often services provided by third-party suppliers.
However, users also have a certain degree of control over cookies. They can refuse cookies by changing their browser settings, or delete cookies already stored on their computer.
In France, it is the Commission Nationale de l'Informatique et des Libertés (CNIL) that is responsible for the regulation and oversight of cookie-related matters. It issues recommendations and guidelines to help companies comply with the regulations in force.
The next steps include:
To conclude, these cookies make it possible to collect information about the user's browsing habits and to personalise the user experience. However, the use of cookies is regulated and websites must inform users of their use of cookies. Users also have a certain degree of control over cookies and can refuse or delete the cookies stored on their computer.
Having navigated together through the intricacies of cookie regulation, it is clear that every detail matters. As a lawyer working in the field of personal data protection, I understand how crucial it is to ensure your website's compliance.
If you too feel the need for expertise in this complex field, do not hesitate to contact me. Together, we can develop a cookie policy perfectly suited to your website or e-commerce site. Take the first step towards protecting your users and bringing your site into compliance today! You can book an appointment or leave me a message below.
To learn more
As soon as your site uses cookies or trackers, their use is governed by French and European law. You must inform users, obtain their consent for non-essential cookies and allow them to withdraw it. Failing this, you expose yourself to penalties and to a risk for the personal data collected.
Start by identifying all the cookies present on your site, using a scanning tool or your browser's inspector. For each cookie, specify its purpose, its lifespan, the third party that places it and the consent required. Finally, explain how the user can control cookies and withdraw their consent.
A distinction is drawn between necessary (or functional) cookies, which are essential to the operation of the site, performance cookies, which measure use of the site in order to improve it, and targeting or advertising cookies. Only strictly necessary cookies are exempt from prior consent.
No, not for all of them. Cookies strictly necessary for the operation of the site or for a service expressly requested by the user are exempt from consent. By contrast, non-exempt audience-measurement cookies, targeting cookies and advertising cookies require prior, free and informed consent, obtained before any placement.
Consent must be given through a clear positive act, before non-essential cookies are placed. The user must be able to accept or refuse just as easily, and to withdraw their choice at any time. Pre-ticked boxes and automatic placement before the user takes action are not compliant.
The CNIL actively monitors cookie banners and has imposed significant penalties on non-compliant sites. Beyond the fine, poor management exposes you to complaints and undermines users' trust. The compliance of the banner and of consent collection has become a major point of vigilance.
No. The cookie policy deals specifically with the trackers placed on the user's device. The privacy policy covers more broadly all of your personal data processing. The two are complementary, and a site that places cookies needs both.
You can use a dedicated scanning tool, inspect the cookies via your browser's developer tools, or click on the padlock next to the URL to display the site's cookies and data. This inventory is the essential first step before drafting an accurate cookie policy.