Drafting a Cookie Policy - FAQ

How do you draft a cookie policy?

If you have a website, you probably use cookies. Cookies, or trackers, are small text files saved on the computer or mobile phone of your users.

They are used in particular to improve the user experience, personalise content and advertising, and analyse traffic statistics.

However, their use is governed by French and European regulations.

To avoid penalties and protect your users' personal data, you must draft a cookie policy and ensure that the collection of the data processed complies with the regulations.

How do you create a cookie policy?

To create a cookie policy, you must identify all the cookies you use on your website.

To do this, you can use scanning tools such as Cookiebot or inspect the cookies using your web browser.

Another solution is simply to click on the padlock next to the URL in your browser's address bar, which displays the cookies and site data stored for that website.

For each cookie, you must specify its purpose, its lifespan, the third party that places it and the consent required.

You must also explain how users can control cookies and withdraw their consent.

What are the 3 types of cookies?

There are three types of cookies:

  • necessary (functional) cookies,
  • performance cookies and
  • targeting or advertising cookies.

Necessary cookies are essential to enable your website to function properly.

Performance cookies are used to collect information about how the website is used in order to improve it.

Targeting or advertising cookies are used to track users across different websites in order to offer them targeted advertising.

Is the use of cookies regulated?

Yes. The use of cookies and the collection of consent for them are governed by the GDPR (General Data Protection Regulation) and by several other texts, including Article 82 of the French "Informatique et Libertés" Act, as amended, which implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (known as the "ePrivacy Directive").

Article 82 of the "Informatique et Libertés" Act provides that no information may be stored in a user's equipment, nor read from that equipment, without the user's prior consent, unless those actions are strictly necessary for the provision of an information society service expressly requested by the subscriber or user.

The CNIL (French Data Protection Authority) has also issued recommendations and guidelines on the use of cookies and other trackers.

The GDPR requires users to give their consent prior to the use of cookies for a specific purpose, except for necessary cookies.

Why are we asked to accept cookies?

You are asked to accept cookies in order to inform you of their use and give you the possibility of choosing to accept or refuse them.

This makes it possible to comply with regulatory obligations regarding the protection of personal data and to protect users' privacy.

Can I refuse cookies?

Yes, you can refuse cookies by changing the settings of your web browser. However, this may impair the user experience and some services might not function properly.

In France specifically, an option must allow users to “accept all” but also to “refuse all” in the cookie consent collection banner.

You must therefore ensure that the user consent collection banner complies with the regulations.

On this point, the CNIL specifies that: “The CNIL points out that the information must be complete, visible and highlighted. In order not to mislead users, it also invites data controllers to ensure that the choice-collection interfaces do not incorporate potentially deceptive design practices intended to or likely to bias internet users' consent.”

What is the purpose of cookies?

The purpose of cookies is to improve the user experience by personalising content and advertising and by analysing traffic statistics.

They also make it possible to retain the user's preferences and to facilitate navigation on the website.

Cookies can be used to save items in the shopping cart of an e-commerce website, or to store the user's login information.

Cookies can also be used to deliver targeted advertising based on the user's interests and browsing habits, in order to maximise the effectiveness of online advertising.

In short, the purpose of cookies is to optimise the user experience on a website by offering personalised navigation tailored to the user's needs.

The disadvantages of refusing cookies

Refusing cookies can have disadvantages for the user, in particular a less personalised user experience.

Indeed, cookies make it possible to retain the user's preferences and to offer them relevant content. Moreover, some websites may not function properly without the use of cookies.

Who controls the use of cookies?

Cookies are controlled by the website that places them on the user's computer. In many cases, however, the cookie is actually placed by a third-party service embedded in the website (an analytics or advertising provider, for example).

However, users also have a certain degree of control over cookies. They can refuse cookies by changing their browser settings, or delete cookies already stored on their computer.

In France, it is the Commission Nationale de l'Informatique et des Libertés (CNIL) that is responsible for the regulation and oversight of cookie-related matters. It issues recommendations and guidelines to help companies comply with the regulations in force.

Next steps after putting a cookie policy in place?

The next steps include:

  • Updating the processing records to take account of the legal bases and purposes relating to this collection of personal data;
  • Putting in place a retention policy adapted to the retention period of this specific personal data;
  • Ensuring that you have a cookie banner that complies with the relevant French regulations;
  • Putting in place a process that collects users' consent regarding cookies and time-stamps each choice, so that it can be shown when and what the user consented to.

To conclude, cookies make it possible to collect information about the user's browsing habits and to personalise the user experience. However, the use of cookies is regulated and websites must inform users of their use of cookies. Users also have a certain degree of control over cookies and can refuse or delete the cookies stored on their computer.

Having navigated together through the intricacies of cookie regulation, it is clear that every detail matters. As a lawyer working in the field of personal data protection, I understand how crucial it is to ensure your website's compliance.

If you too feel the need for expertise in this complex field, do not hesitate to contact me. Together, we can develop a cookie policy perfectly suited to your website or e-commerce site. Take the first step towards protecting your users and bringing your site into compliance today! You can book an appointment or leave me a message below.

To learn more

Is a cookie policy mandatory?

As soon as your site uses cookies or trackers, their use is governed by French and European law. You must inform users, obtain their consent for non-essential cookies and allow them to withdraw it. Failing this, you expose yourself to penalties and to a risk for the personal data collected.

How do you draft a cookie policy?

Start by identifying all the cookies present on your site, using a scanning tool or your browser's inspector. For each cookie, specify its purpose, its lifespan, the third party that places it and the consent required. Finally, explain how the user can control cookies and withdraw their consent.

What are the three types of cookies?

A distinction is drawn between necessary (or functional) cookies, which are essential to the operation of the site, performance cookies, which measure use of the site in order to improve it, and targeting or advertising cookies. Only strictly necessary cookies are exempt from prior consent.

Is consent to cookies always required?

No, not for all of them. Cookies strictly necessary for the operation of the site or for a service expressly requested by the user are exempt from consent. By contrast, non-exempt audience-measurement cookies, targeting cookies and advertising cookies require prior, free and informed consent, obtained before any placement.

How do you validly obtain consent to cookies?

Consent must be given through a clear positive act, before non-essential cookies are placed. The user must be able to accept or refuse just as easily, and to withdraw their choice at any time. Pre-ticked boxes and automatic placement before the user takes action are not compliant.
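As an added illustration (not code from the original article), here is a minimal browser-side consent gate in JavaScript that ties together the inventory fields listed earlier (purpose, lifespan, third party, consent category), the "time-stamped consent" item from the next-steps list, and the rules in this answer: nothing non-essential is placed before an explicit positive act, refusal is the default, and withdrawal removes cookies placed earlier. Cookie names, vendors and lifespans are constructed, and the store is an in-memory stand-in for `document.cookie` so the example runs outside a browser.

```javascript
// Constructed inventory: one entry per cookie with the fields the policy must state
// (purpose, lifespan, who places it, consent category). Names and vendors are hypothetical.
const COOKIE_INVENTORY = [
  { name: "session_id", purpose: "keep the user logged in", maxAgeSeconds: 0,
    thirdParty: null, category: "necessary" },
  { name: "cart", purpose: "remember shopping-cart items", maxAgeSeconds: 7 * 86400,
    thirdParty: null, category: "necessary" },
  { name: "_ga_demo", purpose: "audience measurement", maxAgeSeconds: 13 * 30 * 86400,
    thirdParty: "analytics-vendor.example", category: "performance" },
  { name: "ads_id", purpose: "cross-site ad targeting", maxAgeSeconds: 13 * 30 * 86400,
    thirdParty: "ad-network.example", category: "targeting" },
];
const CONSENT_CATEGORIES = ["performance", "targeting"];

// Time-stamped consent record built from the banner's explicit choices. Only a
// literal `true` counts as acceptance; a missing or pre-filled value is a refusal,
// so "refuse all" and a later withdrawal are simply recordConsent({}).
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CONSENT_CATEGORIES) granted[c] = choices[c] === true;
  return { recordedAt: new Date(now).toISOString(), granted };
}

// Cookies that may be placed under a record: necessary ones always, the others
// only for categories explicitly granted. A null record (user has not acted yet)
// allows necessary cookies only, so nothing non-essential is placed beforehand.
function allowedCookies(inventory, consent) {
  return inventory.filter(c =>
    c.category === "necessary" || (consent && consent.granted[c.category] === true));
}

// Apply a record to a cookie store: place what is allowed and delete everything
// else, so a refusal or withdrawal removes cookies set earlier. Returns sorted names.
function applyConsent(inventory, consent, store) {
  const allowed = new Set(allowedCookies(inventory, consent).map(c => c.name));
  for (const c of inventory) {
    if (allowed.has(c.name)) store.set(c.name, c.maxAgeSeconds);
    else store.remove(c.name);
  }
  return [...allowed].sort();
}

// In-memory stand-in for document.cookie so the example runs outside a browser;
// in a page, set() would write "name=value; Max-Age=<lifespan>" and remove() Max-Age=0.
function makeStore() {
  const jar = new Map();
  return { set: (n, maxAge) => jar.set(n, maxAge), remove: n => jar.delete(n),
           names: () => [...jar.keys()].sort() };
}
```

The consent record is what you would persist (with its timestamp) as evidence of the choice, and the same `applyConsent` call handles initial acceptance, "refuse all" and withdrawal.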

What are the risks of non-compliant cookie management?

The CNIL actively monitors cookie banners and has imposed significant penalties on non-compliant sites. Beyond the fine, poor management exposes you to complaints and undermines users' trust. The compliance of the banner and of consent collection has become a major point of vigilance.

Cookie policy and privacy policy, are they the same thing?

No. The cookie policy deals specifically with the trackers placed on the user's device. The privacy policy covers more broadly all of your personal data processing. The two are complementary, and a site that places cookies needs both.

How can I find out which cookies are present on my site?

You can use a dedicated scanning tool, inspect the cookies via your browser's developer tools, or click on the padlock next to the URL to display the site's cookies and data. This inventory is the essential first step before drafting an accurate cookie policy.
