FAQs on Cookies, Terms & Conditions and Privacy Policy

1 Feb 2013

EU law, information commissioners, cookies, implied consent, data protection, the ICO, e-privacy directives… Recently you could be forgiven for asking ‘whatever happened to running a simple, honest to God website!?’

Fear not. A number of clients have contacted us for clarity on these issues, so below we detail the basic information you need to navigate the jungle of website small print.

Terms & Conditions

Every website must have them. Every website should also, in theory, have its Terms and Conditions checked or written by someone in the legal profession. This would be the most right and proper way to get your T’s & C’s arranged. However, if your website is relatively small and simple, does not sell overseas, does not gather large amounts of data and is not in any other way complex, we can provide a basic set of Terms & Conditions. You can legally tailor these to your needs and they are suitable for 90% of our clients. If you wonder whether you need to pay a visit to a lawyer to get yours, give us a call.

Your Terms & Conditions need to have a prominent link to them.  It is normal to find this in the footer or in the header of your website.

Privacy Policy

Every website must have one. Previously it was not so important, as websites often did not gather, store and use website user information. Gathering and storing user info used to mean names, email addresses, contact details, etc. However, ‘user info’ has now changed to include Cookies. Cookies are now seen in the same way as all this other user information and you need to say something about them in your privacy policy. The Privacy Policy is where the small print on Cookie policy lives and is consequently more important than it used to be.

Your Privacy Policy should be labelled ‘Cookies & Privacy Policy’ and be in a prominent position.  It is normal to find this in the footer or in the header.

If you do collect ‘classic’ user info such as names, email addresses, contact details etc, you need to mention what you are going to or are not going to do with these details in your privacy policy.


Cookies in your Privacy Policy

1.  Your Privacy Policy needs to explain in broad terms what Cookies are, why you use them on your website and how a user can accept them or decline them through their browser settings:


A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

You should also have a statement telling the user the implications of disabling cookies.  This is especially important if you are an online retailer.  John Lewis states:


“If cookies aren’t enabled on your computer, it will mean that your shopping experience on our website will be limited to browsing and researching; you won’t be able to add products to your basket and buy them.”


2.  Your Privacy Policy needs to list all the Cookies that are used on your website:

First party cookies. These are your cookies. Supply the cookie’s name and what the cookie’s function is.

Third party cookies (e.g. Google Analytics). For these you should supply the cookie’s name, purpose and also the source code of the cookie.


How do I find out what Cookies are on my website?

The ‘easiest’ way to do this is to use the browser Firefox combined with Firebug and the Firecookie extension.



To be absolutely sure of getting all the cookies you will need to visit every page of the website.

First party cookies will display www.mywebsite.co.uk addresses.

Third party cookies will display .mywebsite.co.uk addresses.

It is important that you get the Name and the Purpose of the cookie.  There should not be any cookies on your website that you don’t understand the purpose of.
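As an added example (not part of the original article): once you have recorded the cookies from every page, a short script can merge them into the list your Privacy Policy needs. It assumes you have saved each page's Set-Cookie response headers; the sample headers, cookie values and the `purpose` placeholder below are constructed for illustration.

```javascript
// Added example: build a cookie inventory from Set-Cookie headers.
// The observations below are constructed sample data, not captured traffic.
const observations = [
  { page: "http://www.mywebsite.co.uk/", setCookie: [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "__utma=1.2.3.4; Domain=.mywebsite.co.uk; Path=/; Expires=Sun, 01 Feb 2015 10:00:00 GMT",
  ]},
  { page: "http://www.mywebsite.co.uk/contact", setCookie: [
    "__utma=1.2.3.4; domain=mywebsite.co.uk; path=/; Max-Age=63072000",
    "prefs=lang%3Den; Path=/",
  ]},
];

// Parse one Set-Cookie header value into name, displayed domain and lifetime.
function parseSetCookie(header, pageUrl) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: nothing to list
  const a = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    a[key] = i === -1 ? true : attr.slice(i + 1);
  }
  // No Domain attribute: host-only cookie, shown with the exact host name.
  // With a Domain attribute: shown with a leading dot, as cookie viewers do.
  const host = new URL(pageUrl).hostname;
  const domain = typeof a.domain === "string" && a.domain
    ? "." + a.domain.replace(/^\./, "").toLowerCase()
    : host;
  // Expires dates are not compared with the clock here; Max-Age <= 0 deletes.
  let lifetime = "session";
  if ("max-age" in a) lifetime = Number(a["max-age"]) > 0 ? "persistent" : "deleted";
  else if ("expires" in a) lifetime = "persistent";
  return { name: pair.slice(0, eq), domain, lifetime };
}

// Merge observations from every visited page into one row per name + domain.
function buildInventory(obs) {
  const rows = new Map();
  for (const { page, setCookie } of obs) {
    for (const header of setCookie) {
      const c = parseSetCookie(header, page);
      if (!c) continue;
      const key = c.name + "|" + c.domain;
      if (!rows.has(key)) rows.set(key, { ...c, purpose: "TODO", pages: [] });
      rows.get(key).pages.push(page);
    }
  }
  return [...rows.values()];
}

console.table(buildInventory(observations));
```

Every row still marked `TODO` is a cookie whose purpose you have not yet written down.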

3.  Your Privacy Policy needs to list all other third party services that are running through your website.

Social networking buttons include scripts from third party sites which may well be gathering usage information, and these need to be listed.

Any other embedded content, for example YouTube or Vimeo, must also be stated as possibly gathering usage information.


What is a ‘prominent position’?


The Information Commissioner’s Office, as the enforcer of the new laws on Cookies, has the most ‘by the book’ position. This features a pop up in the header that asks you to accept the use of cookies and offers you the opportunity to see their Privacy Policy. http://www.ico.gov.uk/


John Lewis has a pop up in the same position solely offering you the opportunity to see their Privacy Policy, but assumes ‘implied consent’ to cookies once you navigate further into their website. http://www.johnlewis.com/


The Number 10 Downing Street website simply has the word ‘Cookies’ in the header, which takes you to the website’s Cookie policy.


The online retailer PC World has a ‘Privacy & Cookies’ link in the footer of their website.


The Information Commissioner’s method is the most correct. However, the new rules on Cookies were brought in so that the Information Commissioner could pursue disreputable websites using malicious third party cookies (no Reflow Studio website does this to the best of our knowledge). Therefore a ‘Privacy & Cookies’ page, clearly linked to from the footer of your website, listing all the cookies that are on your website, should suffice for the ICO.

