Cookies Policy

Cookies Policy

This Cookies Policy sets out the basis on which we, Collective Creative Ltd use cookies and similar technologies on or in relation to our website, www.collectivecreative.com (our website). This Cookies Policy is effective from 23 May 2018.1

Essential’ cookies are automatically placed on your computer or device when you access our website or take certain actions on our website. ‘Non-essential’ cookies and other technologies are only placed on your computer or device if you have consented to us doing so.2 For information on the difference between3 essential and non-essential4 cookies, see the section below entitled About cookies.

For information on how you consent and how you can withdraw your consent to us placing non-essential cookies and other technologies on your computer or device, see the section below entitled How to accept or reject cookies.

Contents5

  • About cookies
  • List of cookies used
  • Essential cookies
  • Non-essential cookies
  • How to accept or reject cookies
  • Copyright, credit and logo

About cookies

What are cookies?

Cookies are small data files sent by a website’s server to a web browser, processor memory or hard drive and stored there. They can be used for a range of different purposes, such as customising a website for a particular user, helping a user navigate a website, improving that user’s website experience, and storing that user’s preferences and login information.

Essential and non-essential cookies

Cookies can be classified as either ‘essential’ or ‘non-essential’.

Essential cookies: these are cookies that are either:

  • used solely to carry out or facilitate the transmission of communications over a network; or

  • strictly necessary to provide an online service (e.g. our website or a service on our website) which you have requested.

Non-essential cookies: these are any cookies that do not fall within the definition of essential cookies, such as cookies used to analyse your behaviour on a website (‘analytical’ cookies) or cookies used to display advertisements to you (‘advertising’ cookies).

Session and persistent cookies

Cookies can be classified as either ‘session’ or ‘persistent’, depending on how long they last after they are placed on your browser.

Session cookies: session cookies last for as long as you keep your browser open. They expire when you close your browser.

Persistent cookies: persistent cookies expire at a fixed point in time or if you manually delete them from your browser, whichever occurs first.

First and third party cookies

Cookies can be classified as ‘first party’ or ‘third party’.

First party cookies: these are cookies placed on your device by our website domain.

Third party cookies: these are cookies placed on your device by third party website domains.

If you require further information about cookies in general, please visit www.allaboutcookies.org

List of cookies used

[We use the following cookies on or in relation to our website:]6

Name of Cookie

Essential or Non-essential?

Type of cookie

First or Third party?

Session or Persistent?

Expiry Time

Purpose

[e.g. _ga]

[e.g. Non-essential]

Analytical

[e.g. First party]

[Persistent]

[e.g. 2 years]

[e.g. To distinguish website visitors]

Essential cookies

These are cookies which are strictly necessary for our website to be able to operate or to provide you with a service on our website which you have requested. We use the following essential cookies on our website:

  • [first party session cookies to remember your input when you fill in an online form over several pages on our website. These cookies are: [insert cookie names].]7

  • [first party session cookies for remembering the items you have placed in your shopping cart. These cookies are: [insert cookie names].]8

  • [first party session cookies to identify and authenticate you when you log into our website so you do not need to repeatedly enter your login information. These cookies are: [insert cookie names].]9

  • [first party [session OR persistent] security cookies used for detecting repeated failed login attempts. These cookies are: [insert cookie names].]10

  • [first party [session OR persistent] security cookies used to prevent abuse of the login system on our website. These cookies are: [insert cookie names].]11

  • [[first party OR third party] session multimedia player cookies to play

    content on our website. These cookies are: [insert cookie names].]12

  • [[first party OR third party] [session OR persistent] cookies to recognise whether you have accepted the use of cookies on our website. These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]

  • [[first party OR third party] [session OR persistent] cookies to remember the language in which to display our website to you. These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]13

  • [[first party OR third party] [session OR persistent] [include the details of any additional purposes for which you use essential cookies on your website.] These cookies are: [insert cookie names].] These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]14

[Legal basis for processing: we process information about you contained in or obtained from essential cookies in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interests:
ensuring our site functions properly and providing you with online services you have requested.]15

How to opt out of essential cookies

Most browsers allow you to block all cookies, including essential cookies. Please note, however, that if you block all cookies, parts of our website and its functionality may not work or display properly.

You can delete existing cookies from your browser by clearing your browsing data and ensuring that the option to delete cookies is selected.

For more detailed information on how to accept and reject cookies, including guidance for specific browsers, please see the section below entitled How to accept or reject cookies

Non-essential cookies

We use the following types of non-essential cookies on our website:

  • Functional cookies
  • Analytical (or performance) cookies
  • Targeting (or advertising) cookies

Functional cookies

These are cookies that are designed for purposes such as enhancing a website’s functionality. These are either not strictly essential for the website or functionality which you have requested to work, or are cookies which serve non-essential purposes in addition to their essential purpose. We use the following functional cookies on our website:

  • [[first party OR third party] [session OR persistent] cookies to recognise you when you use our live chat service. These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]

  • [[first party OR third party] [session OR persistent] cookies to improve our website’s appearance our website and personalise it for you, including [insert details]. These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]

  • [[first party OR third party] [session OR persistent] cookies to [include any additional purposes for which you use functional cookies on your website.] These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]

How to opt in or out from functional cookies

See the section below entitled How to accept or reject cookies

Processing information about you contained in or obtained from functional cookies

[Legal basis for processing: we process information about you contained in or obtained from functional cookies in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). We will only process such personal information if you have consented to us placing cookies on your computer or device.
Legitimate interests: improving your website experience and providing [or enhancing] the website functionality you have requested [and] [insert any additional purposes for which you use functional cookies or the information you gain from functional cookies e.g. analysing information about users of your website live chat service.]16

[For further information on how we use the information gathered from our use of functional cookies, please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]17

Analytical (or performance) cookies

Analytical (or performance) cookies track and gather data about what a user does on a website. These cookies are not essential for our website or its functionality to work. We use the following analytical cookies on our website:

  • [[first party OR third party] [session OR persistent] cookies [to analyse users’ access to and use of our website and its features.] These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]18

OR

[We use Google Analytics cookies on our website. Google Analytics cookies help us understand how you engage and interact with our website, including how you came to our website, which pages you visited, for how long and what you clicked on, your location (based on your IP address) [and] [insert any other information that you obtain about an individual from Google Analytics].

The Google Analytics cookies used on our website are: [insert cookie names]. These cookies are [session AND/OR persistent] cookies. These cookies expire after [insert time period for cookies to expire (indicate which Google Analytics cookies are session and persistent cookies and their expiry dates].]

[The information we collect using analytical cookies is collected on an anonymised basis.]19

More information

Google Analytics cookies are classified as first party cookies as they are set by our website domain, although Google collects and processes information from our use of Google Analytics. To find out more about how Google handles information collected from Google Analytics, see Google Analytics’ privacy policy, which is available here: https://support.google.com/analytics/answer/6004245

For information on how Google uses data from cookies it uses, please visit www.google.com/policies/privacy/partners/

How to opt in or out from analytical cookies

See the section below entitled How to accept or reject cookies

[To opt out of Google Analytics tracking across all websites in general, you can do so here: http://tools.google.com/dlpage/gaoptout]20

Processing information about you contained in or obtained from analytical cookies

[Legal basis for processing: we process information about you contained in or obtained from analytical cookies in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interests: analysing how individuals use our website to help us improve our website and business. For further information on how we use the information gathered from our use of analytical cookies, including profiling, please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]21

Targeting (or advertising) cookies22

Targeting (or advertising) cookies record information about your visit to and use of our website, for advertising purposes. We use the targeting cookies for the following purposes on our website[[:] OR [. For information on third party targeting or advertising cookies we use on our website, please see the section below entitled Third party cookies.]]23

  • [[first party [session OR persistent] cookies to display advertisements to you based on your interests and to measure their effectiveness. These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]24

  • [[first party [session OR persistent] cookies to remarket advertisements to you on other websites you visit.] These cookies are: [insert cookie names]. These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]

  • [include any additional purposes for which you use targeting cookies on your website.]

How to opt in or out from advertising cookies

See the section below entitled How to accept or reject cookies

Processing information about you contained in or obtained from advertising cookies

Legal basis for processing: we process information about you contained in or obtained from advertising cookies in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).25
Legitimate interests: displaying advertisements to you about our products and services [insert any relevant additional details or purposes]. [For further information on how we use the information gathered from our use of advertising cookies[, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]26

OR

[Legal basis for processing: consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: you give your consent to the purposes for which we process your information using advertising cookies by [insert method by which a user consents to your use of advertising cookies e.g. by clicking I accept the purposes for which you use advertising cookies in our cookie tool (describe the mechanism by which the user consents to the purposes for which you use advertising cookies on your website)]. [For further information on how we use the information gathered from our use of advertising cookies[, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]27

Third party cookies

Third parties use cookies to analyse your use of our website and/or to display advertisements (including third party advertisements) to you [and] [insert any other uses of third party cookies e.g. advertisement conversion tracking such as Google AdWords]. Third party cookies used in relation to our website include:

  • [Third party advertisement cookies. [Insert name of third party] uses cookies to display advertisements to you [[on our website] OR [on other websites] OR [elsewhere across the internet] [based on your interests [and behaviour]] and to measure their effectiveness. You can find out how [insert name of third party] uses your information and how they use cookies by accessing their privacy policy at [insert URL of third party’s privacy policy] and their cookies policy at [insert URL of third party’s cookies policy]. These cookies are: [insert cookie names].] These cookies expire after [insert time period for cookies to expire if they are persistent cookies e.g. 30 days].]28

  • [[Third party] OR [Google AdWords cookies]]29 [to track whether you have come to us via an advertisement we have placed on [a search engine results page] AND/OR [elsewhere across the internet, such as another website] and to record information relating to how you came to us such as your location when you accessed our website, the time of day you visited and the device you were using [and] [insert any other information collected about users e.g. by AdWords tracking or conversion cookies.] Google may use different cookies to track how you came to our website depending on what advertisement you clicked on and where.]30

  • [[Third party OR Google]] [remarketing cookies] [to display advertisements to you about our goods and services across the internet, including on other websites you visit. [Google uses cookies to display advertisements to you about our products and services on other websites and locations across the internet based on the fact that you have visited our website. Google may also display other advertisements across the internet to you about third party services using the Google AdSense network, although this is beyond our control. [For more information about Google remarketing, click here: https://support.google.com/adwords/answer/2453998?hl=en]31

  • [[Third party] OR [Google]] cookies [to display advertisements on our website]. [We use Google AdSense on our website. Google uses cookies to display advertisements to you on our website about third party goods and services based on the websites you have visited and your online behaviour and interests. For more information about Google AdSense, click here: https://support.google.com/adsense/answer/6242051?hl=en ]]32

More information

For information about the cookies Google uses in relation to the above, see the ‘Advertising’ section on the Types of cookies used by Google page in Google’s cookies policy, which is available here: https://www.google.com/policies/technologies/types/

For information about how Google uses data from cookies for its own purposes, please visit the following link www.google.com/policies/privacy/partners/

How to opt in or out from third party cookies

See the section below entitled How to accept or reject cookies

Processing information about you contained in or obtained from third party cookies

[Legal basis for processing: we process information about you contained in or obtained from third party cookies in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interests: the purposes for which we use the third party cookies as described above [and] [insert any relevant additional details]. [For further information on how we use the information gathered from our use of third party cookies[, including [automated decision making] and [profiling],] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]33

AND/OR

[Legal basis for processing: consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: you give your consent to the purposes for which we process your information using third party cookies by [insert method by which a user consents to your use of third party cookies e.g. by clicking I accept the purposes for which you use advertising cookies in our cookie tool (describe the mechanism by which the user consents to the purposes for which you use advertising cookies on your website)]. [For further information on how we use the information gathered from our use of third party cookies[, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]34

Other technologies

[Web beacons]

[We [and any marketing companies we use]35 also embed web beacons [in our marketing emails [and/or] on our website].36 Web beacons are small GIF image files which enable us to track your receipt of our marketing emails, how often you view our adverts or website pages, your location, IP address and browser information. Web beacons are activated whenever you open a marketing email or access a page on our website which contains a web beacon. Web beacons transmit data when you view them but are not capable of accessing any other information on your computer. Web beacons are not stored on your hard drive unless you download a GIF image containing them.

Some (but not all) browsers enable you to restrict the use of web beacons by either preventing them from sending information back to their source (for example, when you choose browser settings that block cookies and trackers), or by not accessing the images containing them (for example, if you select a ‘do not display images (in emails)’ setting in your email server).]37

How to opt in or out

See the section below entitled How to accept or reject cookies

Legal basis for processing: we process the information we gather from the use of web beacons in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest: [analysing the effectiveness of our email marketing campaigns [and/or [insert purpose of use of web beacons if you use them on your website in addition to email marketing]]. [For further information on how we use the information gathered from our use of web beacons[, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]38

[Facebook Pixel]39

[We use Facebook Pixel on our website. Facebook Pixel is a tracking code which allows us to track and monitor the success of advertisements we use on Facebook and to improve the effectiveness of those advertisements by recording information such as the device you used to access our website and the actions you took on our website using cookies. [We may also use Facebook Pixel to create retargeting advertisements and custom audiences for our advertisements on Facebook and on our website].]

Facebook aggregates data gathered from our use of Facebook Pixel on our website with data it gathers from other sources, in order to improve and target advertisements displayed on its website or via its services, to improve its systems and to provide measurement services to third parties which use Facebook’s advertising services. You can find out more about how Facebook handles information they collect about you and other individuals by accessing their privacy policy, which is available here: https://www.facebook.com/about/privacy]

How to opt in or out

See the section below entitled How to accept or reject cookies

[Legal basis for processing: we process the information we gather from the use of web beacons in our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: [analysing the effectiveness of our advertisements on Facebook. [For further information on how we use the information gathered from our use of Facebook Pixel [, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]]40

OR

[Legal basis for processing: consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: you give your consent to the purposes for which we process your information using Facebook Pixel by [insert method by which a user consents to your use of advertising cookies e.g. by clicking I accept the purposes for which you use advertising cookies in our cookie tool (describe the mechanism by which the user consents to the purposes for which you use advertising cookies on your website)]. [For further information on how we use the information gathered from our use of Facebook Pixel[, including [automated decision making] and [profiling]] please see the section entitled Our use of automated decision making and profiling in our privacy policy, which is available here: [insert link to privacy policy]]41

How to accept or reject cookies

There are a number of different ways in which you can accept or reject some or all cookies [and similar technologies]42. Some of the main methods of doing so are described below:

You are welcome to block the use of some or all of the cookies we use on our website. However, please be aware that doing so may impair our website and its functionality or may even render some or all of it unusable.

You should also be aware that clearing all cookies from your browser will also delete any cookies that are storing your preferences, for example, whether you have accepted cookies on a website or any cookies that are blocking other cookies.

You can find more detailed information about cookies and adjusting your browser settings by visiting www.allaboutcookies.org

Accepting or rejecting cookies

[Cookie control tool43

[You can accept or reject [non-essential] cookies by using our cookie management tool].] [insert description of how your cookie control tool works and how a user can turn on or off different types of cookies].]

Browser settings

You can accept or reject some or all cookies (for example, blocking all third party cookies) by adjusting your browser settings. If you do not know how to do this, the links below set out information about how to change your browser settings for some of the most commonly used web browsers:

Some browsers, such as Chrome and Firefox, allow you to change your settings to browse in ‘incognito’ mode, limiting the amount of data placed on your machine and automatically deleting any persistent cookies placed on your device when you finish your browsing session. There are also many third party applications which you can add to your browser to block or manage cookies.

Existing cookies

To clear cookies that have previously been placed on your browser, you should select the option to clear your browsing history and ensure that the option to delete or clear cookies is included when you do so.

Google Adsettings

You can manage and opt out of personalisation of advertisements by Google by visiting Google’s ad settings page here https://adssettings.google.com/ and by:

  • unticking the button entitled ‘Also use Google Account activity and information to personalize ads on these websites and apps and store that data in your Google Account’; and
  • switching the ‘Ads Personalisation’ setting off (i.e. by ensuring the switch at the top of the page is set to the left/grey and not the right/blue).

Alternatively, you can install a free browser plugin here: https://support.google.com/ads/answer/7395996

Google Analytics Opt-out Browser Add-on

You can opt out of Google Analytics tracking by installing the browser add-on which is available here: http://tools.google.com/dlpage/gaoptout

Disconnect for Facebook

You can install a browser add-on tool called ‘Disconnect Facebook pixel and FB tracking’. This will stop Facebook tracking you on third party websites. You can install the too here:

European Interactive Digital Advertising Alliance Tool

You can opt out of Facebook and other companies that participate in the Digital Advertising Alliance in Europe from showing you interest based ads by visiting http://www.youronlinechoices.com, selecting your country, clicking ‘Your Ad Choices’, then locating Facebook (and any other companies you want to block) and selecting the ‘Off’ option.

Copyright, credit and logo

This Cookies Policy is based on a template provided by GDPR Privacy Policy. For further information, please visit https://gdprprivacypolicy.org

The copyright in this Cookies Policy is either owned by, or licensed to, us and is protected by copyright laws around the world and copyright protection software. All intellectual property rights in this document are reserved. Where we display the GDPR Privacy Policy logo on our website, this is used to indicate that we have adopted a privacy policy template provided by GDPR Privacy Policy as the basis for this Privacy Policy.

1 You must insert the effective date of your cookies policy so your users know when your cookies policy takes effect. If you have not previously uploaded a cookies policy to your website, or if you are replacing your existing cookies policy with this cookies policy, the effective date will be the date when you upload this cookies policy to your website.

2 Include this statement if you use non-essential cookies on your website.

3 Include this statement if you use non-essential cookies on your website.

4 Include this statement if you use non-essential cookies on your website.

5 When you upload this cookies policy to your website, you should ensure that the titles in this “Contents” section link to the relevant headings in the main body of the cookies policy. For instance, the “About cookies” title in this “Contents” section should link to the “About cookies” heading in the main body of the cookies policy.

6 Note that there are two approaches for describing the cookies on your site. One approach is to set out the specific cookies using the table approach, as per the example table we have included. This is a more technical approach, and unless you are familiar with how to work out which cookies your browser uses, you should ask your website developer. A good free tool to work out the cookies used on your website is Cookiebot, which you can use to conduct a free cookie audit of your site. It is available here: https://www.cookiebot.com/en/start. The other approach is to describe the use of cookies more generally. We have included as much detail as possible to ensure you meet the ‘clear and transparent’ requirement of Article 12 of the GDPR and we would recommend that you provide all of this information as far as possible, including indicating whether the cookies in question are session or persistent. You should still provide the technical cookie names as far as possible to allow users to identify the particular cookies in their browser. For an example of the minimum level of detail you need to provide, see the ICO’s cookies policy which is available here: https://ico.org.uk/global/cookies/

7 First party session cookies used to keep track of what a user inputs into a form across several pages on a website will be essential cookies as the user will be considered to have requested this service. If the cookies are third party or persistent cookies or serve any other function other than remembering a user’s input, they will not constitute essential cookies and should be classified as functional cookies, in which case you will need to obtain a user’s consent before using them.

8 First party session cookies used to remember what a user has placed in their shopping cart will constitute essential cookies, provided they are used solely for this purpose.

9 Cookies used to authenticate a user logging in so that the user does not have to enter their username and password repeatedly after they have logged in are considered to be essential cookies. However, they cannot be used for any other purpose e.g. advertising or behavioural monitoring purposes. Please note that a persistent authentication cookie will be considered a functional cookie e.g. and consent will be required e.g. by the user ticking an optional box with the title such as ‘remember me (uses cookies)’.

10 Cookies used for increasing security for the user can be considered essential cookies and can last longer than the user’s session in order to satisfy their security purpose (i.e. they can be persistent cookies). Cookies used for your own website security which cannot be considered to be used for the purpose of increasing the user’s security or which provide any other services that the user has not explicitly requested will not be considered essential cookies and should be considered functional cookies.

11 Cookies used for increasing security for the user can be considered essential cookies and can last longer than the user’s session in order to satisfy their security purpose (i.e. they can be persistent cookies). Cookies used for your own website security which cannot be considered to be used for the purpose of increasing the user’s security or which provide any other services that the user has not explicitly requested will not be considered essential cookies and should be considered functional cookies.

12 Multimedia cookies to allow video and/or audio content on your site to play can be considered essential cookies provided that the cookies are only used when a user plays the audio and/or video clip. A typical example are Adobe Flash cookies commonly known as ‘flash cookies’. In order to be considered essential, the cookies must be session cookies (not persistent cookies) and the cookies must serve any other purpose than allowing the content to play.

13 Language preference cookies can be essential cookies provided that they are only set if the user selects the language they would like the website displayed in. They must be session cookies or persistent cookies lasting no more than a few hours. If they last longer than a few hours they will be considered functional cookies and will require consent.

14 You should insert any additional essential cookies you use on your site. To be considered essential, the cookie must be considered to be either: (i) used for the sole purpose of carrying out the transmission of a communication over an electronic communications network (i.e. over the internet, for example load balancing cookies); or (ii) (more likely) strictly necessary in order for the provider of an information society service (i.e. an online service) explicitly requested by the subscriber or user to provide the service. Note that the service must be considered to be strictly necessary from the user’s perspective, not your perspective. In addition, if the cookie is used for multiple purposes, each purpose must satisfy the strictly necessary test in order for the cookie to be considered to be an essential cookie. Finally, cookies that persist longer than necessary to provide the relevant service the user has requested are unlikely to be considered essential cookies as they should only last as long as the user has requested the service. Persistent cookies are therefore generally unlikely to be considered essential cookies. If you have doubts about whether any other cookies used on your site can satisfy the strict criteria to be essential cookies, you should err on the side of caution and consider them functional (or analytical or targeting cookies, as appropriate) and obtain the necessary consent from the user to use them.

15 The information contained in cookies (the unique string of letters and numbers contained in a cookie) can be considered personal information under the GDPR if it can uniquely identify a device or the individual using the device (either on their own or in combination with other information). Therefore, cookies themselves can be considered personal information under the GDPR. The test for whether a cookie should be considered personal information is whether it can be used to identify an individual’s device or the individual themselves, taking into account all the means reasonably likely to be used, such as singling out them out, either by you (the data controller) or another person directly or indirectly. When considering the ‘means reasonably likely to be used’, you should take into account all relevant factors such as the costs and amount of time necessary to identify the individual, the technology available to do so as well as technological developments. In particular, the GDPR envisages that it can be possible to identify someone using a cookie in combination with other unique identifiers like IP addresses and information collected by your website server. You will therefore need to consider the cookies you use individually, whether they uniquely identify a device or an individual and the information they contain in order to establish whether they constitute personal information or not. If you determine that they are personal information, you will need a legal basis for processing them. For essential cookies, we have suggested using your legitimate interests. You may also need to amend the description of your legitimate interests depending on the purpose(s) for which you use essential cookies on your website (i.e. if they are not covered by the suggested descriptions that are provided by default).

16 The information contained in cookies (the unique string of letters and numbers contained in a cookie) can be considered personal information under the GDPR if it can uniquely identify a device or the individual using the device. Therefore, cookies themselves can be considered personal information under the GDPR. The test for whether a cookie should be considered personal information is whether it can be used to identify an individual’s device or the individual themselves, taking into account all the means reasonably likely to be used, such as singling out them out, either by you (the data controller) or another person directly or indirectly. When considering the ‘means reasonably likely to be used’, you should take into account all relevant factors such as the costs and amount of time necessary to identify the individual, the technology available to do so as well as technological developments. In particular, the GDPR envisages that it can be possible to identify someone using a cookie in combination with other unique identifiers like IP addresses and information collected by your website server. You will therefore need to consider the cookies you use individually, whether they uniquely identify a device or an individual and the information they contain in order to establish whether they constitute personal information or not. For functional cookies, we have suggested using your legitimate interests. You may also need to amend the description of your legitimate interests depending on the purpose(s) for which you use functional cookies on your website (i.e. if they are not covered by the suggested description that is provided by default).

17 If you use process an individual’s personal information by automated means (e.g. by the use of cookies) to evaluate, analyse or predict aspects about that individual (such as their behaviour, location or movements) i.e. to build up a profile about them, you will be conducting ‘profiling’ and you will need to disclose this in the section of your privacy policy entitled ‘Our use of automated decision making and profiling’. If you automate decisions in relation to individuals using their personal information, you will need to disclose such automated decision making as well.

18 If your website uses cookies to track and analyse users’ behaviour, you should complete this clause. If you specifically use Google Analytics for as your web analytics provider, you should delete this clause and complete the clause immediately below. If you use a third party analytics solution other than Google Analytics, you should include the same level and type of information as is provided for Google Analytics.

19 Include this statement if the information you collect using analytical cookies is collected on an anonymised basis i.e. it is impossible to identify an individual from the information collected.

20 This provision should only be included if you use Google Analytics on your website.

21 The information contained in cookies (the unique string of letters and numbers contained in a cookie) can be considered personal information under the GDPR if it can uniquely identify a device or the individual using the device. Therefore, cookies themselves can be considered personal information under the GDPR. The test for whether a cookie should be considered personal information is whether it can be used to identify an individual’s device or the individual themselves, taking into account all the means reasonably likely to be used, such as singling out them out, either by you (the data controller) or another person directly or indirectly. When considering the ‘means reasonably likely to be used’, you should take into account all relevant factors such as the costs and amount of time necessary to identify the individual, the technology available to do so as well as technological developments. In particular, the GDPR envisages that it can be possible to identify someone using a cookie in combination with other unique identifiers like IP addresses and information collected by your website server. You will therefore need to consider the cookies you use individually, whether they uniquely identify a device or an individual and the information they contain in order to establish whether they constitute personal information or not. If you determine that they are personal information you will need a legal basis for processing them. For analytical cookies, we have suggested using your legitimate interests. You may also need to amend the description of your legitimate interests depending on the purpose(s) for which you use analytical cookies on your website (i.e. if they are not covered by the suggested description that is provided by default).

22 This section is designed to cover off your use of first party advertising cookies used on your site (i.e. generally your own cookies placed used by your website). If you use third party advertising cookies, such as Google AdSense, you should complete Google AdSense in the third party cookies section below. If you do not use any first party advertising cookies on your website, you can delete this section.

23 Include this clause if you use third party advertising cookies on your website in addition to first party advertising cookies. If you use third party advertising cookies, such as Google AdSense, you should complete the Google AdSense paragraph in the third party cookies section below.

24 Include this clause if you use first party advertising cookies on your website. If you use third party advertising cookies, such as Google AdSense, you should complete Google AdSense in the third party cookies section below.

25 The information contained in cookies (the unique string of letters and numbers contained in a cookie) can be considered personal information under the GDPR if it can uniquely identify a device or the individual using the device. Therefore, cookies themselves can be considered personal information under the GDPR. The test for whether a cookie should be considered personal information is whether it can be used to identify an individual’s device or the individual themselves, taking into account all the means reasonably likely to be used, such as singling out them out, either by you (the data controller) or another person directly or indirectly. When considering the ‘means reasonably likely to be used’, you should take into account all relevant factors such as the costs and amount of time necessary to identify the individual, the technology available to do so as well as technological developments. In particular, the GDPR envisages that it can be possible to identify someone using a cookie in combination with other unique identifiers like IP addresses and information collected by your website server. You will therefore need to consider the cookies you use individually, whether they uniquely identify a device or an individual and the information they contain in order to establish whether they constitute personal information or not. If you determine that they are personal information you will need a legal basis for processing them. For advertising cookies, we have suggested using your legitimate interests. You may also need to amend the description of your legitimate interests depending on the purpose(s) for which you use advertising cookies on your website (i.e. if they are not covered by the suggested description that is provided by default).

26 If you use process an individual’s personal information by automated means (e.g. by the use of cookies) to evaluate, analyse or predict aspects about that individual (such as their behaviour, location or movements) i.e. to build up a profile about them, you will be conducting ‘profiling’ and you will need to disclose this in the section of your privacy policy entitled ‘Our use of automated decision making and profiling’. If you automate decisions in relation to individuals using their personal information e.g. to display advertisements to them based on the fact they have visited your website, you will need to disclose such automated decision making as well.

27 If you use very intrusive advertising or remarketing cookies you will need to obtain consent from the user to process their information (cookie data about them) for such purposes and will not be able to rely on your legitimate interests. This is separate consent from the consent the user gives to the placement of cookies on their device which is required under the Privacy and Electronic Communications Regulations. It is currently unclear whether, in practice, you will need to gain a separate consent for processing personal information contained in or derived from cookies and consent for placing cookies on a user’s device and we expect that, in practice (due to the practical unworkability of obtaining two separate consents) consent to the cookies being placed on the user’s device will constitute consent for the purposes for which a website processes personal information contained in or derived from those cookies. However, the position is not clear and not relevant guidance has been produced as yet. You should therefore assume that separate consents will be required as this is the strict legal position.

When consent is required

In terms of the level of intrusiveness of advertising and other tracking cookies required to trigger the requirement to obtain consent to process someone’s personal information (cookie information) for these purposes, this is not yet entirely clear. However, guidance produced by the Article 29 Working Party has indicated that advertising to a particular demographic e.g. women in London, would not be too intrusive and would not have a significant effect on individuals. However, targeting advertisements to vulnerable adults or minority groups would (e.g. showing gambling advertisements to someone in financial difficulties) and, accordingly, consent would be required. The guidance indicates that whether consent is required will always be fact and situation dependent and the following factors should be taken into account: (i) how intrusive the profiling process is; (ii) the expectations and wishes of the individuals you target; (iii) the way you deliver the advertisement; and (iv) how vulnerable the individuals you target are.

28 You should complete this template clause if you use a third party advertising cookie provider other than Google. In addition, you should try to provide as much information (via links if necessary) to explain to users how those cookies are used if users require further detail.

29 Include this reference if the third party cookies you use are Google AdWords cookies.

30 This provision is designed to cover situations where someone has come to your website via a search engine advertisement service you have been using (such as Google AdWords) or via an advertisement on elsewhere on a display network (e.g. Google’s display network). If you use such advertising, you should explain what you do with the information you obtain from such advertisements (e.g. targeting your advertisements more effectively or analysing statistics about users who have accessed your website).

31 Include this clause if you use Google AdWords remarketing for your website.

32 Include this clause if you use Google AdSense on your website.

33 If you use process an individual’s personal information by automated means (e.g. by the use of cookies) to evaluate, analyse or predict aspects about that individual (such as their behaviour, location or movements) i.e. to build up a profile about them, you will be conducting ‘profiling’ and you will need to disclose this in the section of your privacy policy entitled ‘Our use of automated decision making and profiling’. If you automate decisions in relation to individuals using their personal information e.g. to display advertisements to them based on the fact they have visited your website, you will need to disclose such automated decision making as well.

34 If you use very intrusive advertising or remarketing third party cookies you will need to obtain consent from the user to process their information (cookie data about them) for such purposes and will not be able to rely on your legitimate interests. This is separate consent from the consent the user gives to the placement of cookies on their device which is required under the Privacy and Electronic Communications Regulations. It is currently unclear whether, in practice, you will need to gain a separate consent for processing personal information contained in or derived from cookies and consent for placing cookies on a user’s device and we expect that, in practice (due to the practical unworkability of obtaining two separate consents) consent to the cookies being placed on the user’s device will constitute consent for the purposes for which a website processes personal information contained in or derived from those cookies. However, the position is not clear and not relevant guidance has been produced as yet. You should therefore assume that separate consents will be required as this is the strict legal position.

When consent is required

In terms of the level of intrusiveness of third party advertising and other tracking cookies required to trigger the requirement to obtain consent to process someone’s personal information (cookie information) for these purposes, this is not yet entirely clear. However, guidance produced by the Article 29 Working Party has indicated that advertising to a particular demographic e.g. women in London, would not be too intrusive and would not have a significant effect on individuals. However, targeting advertisements to vulnerable adults or minority groups would (e.g. showing gambling advertisements to someone in financial difficulties) and, accordingly, consent would be required. The guidance indicates that whether consent is required will always be fact and situation dependent and the following factors should be taken into account: (i) how intrusive the profiling process is; (ii) the expectations and wishes of the individuals you target; (iii) the way you deliver the advertisement; and (iv) how vulnerable the individuals you target are.

35 Many email marketing companies use web beacons to track a recipient’s activity when they open an email (including things like open rates and click through rates). If you use a marketing company or mailing list provider (e.g. MailChimp) that uses web beacons, you should say so and identify that provider and provide a link to their privacy policy. If you use any other tracking technologies you must disclose them as well.

36 If you use web beacons, you should inform users of whether you use them in your emails and/or on your website.

37 This entire section can be deleted if you are confident that your website, email server and any third party marketing companies you engage with do not use web beacons or similar tracking technologies. If you are in any doubt, it is recommended that you include this paragraph in this policy.

38 If you use analyse information such as open rates, click through rates and any other ways in which individuals engage with your emails (i.e. to build up a profile about them and their behaviour), you will be conducting ‘profiling’ and you will need to disclose this in the section of your privacy policy entitled ‘Our use of automated decision making and profiling’. If you automate decisions in relation to individuals using their personal information e.g. you automate the decision to send out emails based on engagement rates, you will need to disclose this automated decision making in your privacy policy as well.

39 Insert this clause if you use Facebook Pixel. Please note, however, that we Facebook’s GDPR compliance status is beyond our control and Facebook has already been fined for breaches of EU privacy law under current legislation, in particular for not getting proper consent to the processing of personal information (you can find out more about this here: https://uk.reuters.com/article/us-facebook-spain-fine/facebook-fined-1-2-million-euros-by-spanish-data-watchdog-idUKKCN1BM1OU). If you wish to use Facebook Pixel, it will therefore be very important for you to get explicit consent (through the use of a cookie compliance tool) for the use of Facebook Pixel on your website, as you should not rely on the consent obtained by Facebook for its third party advertisers to display advertisements. Even if you have obtained such consent, it is possible (even likely) that a regulator could find that Facebook’s use of information shared with it is not lawful and there is still therefore a risk that sharing information with Facebook could result in you being fined. We would therefore recommend that you do not use Facebook Pixel until Facebook’s GDPR-compliance status is confirmed. We also recognise, however, that many businesses find Facebook advertising a particularly cost-effective way of marketing and if you wish to continue to use Facebook Pixel after 25 May 2018, this cookie policy will help you mitigate (but not remove) the risks. This is for the simple reason that Facebook’s compliance is completely beyond our control.

40 You will need to disclose in detail in your privacy policy how you automate decisions to display advertisements to users on Facebook including how you profile them using various criteria in to do so e.g. using Facebook’s custom audiences.

41 If you use Facebook Pixel in an intrusive manner you will need to obtain consent from the user to process their information (cookie and Facebook user data about them) for such purposes and will not be able to rely on your legitimate interests. This is separate consent from the consent the user gives to the placement of cookies on their device which is required under the Privacy and Electronic Communications Regulations. It is currently unclear whether, in practice, you will need to gain a separate consent for processing personal information contained in or derived from Facebook Pixel and consent for placing Facebook cookies on a user’s device and we expect that, in practice (due to the practical unworkability of obtaining two separate consents) consent to Facebook Pixel cookies being placed on the user’s device will constitute consent for the purposes for which a website processes personal information contained in or derived from its use of Facebook Pixel. However, the position is not clear and no guidance has yet been released on this issue. You should therefore assume that separate consents will be required as this is the strict legal position.

When consent is required

In terms of the level of intrusiveness of advertising and other tracking cookies required to trigger the requirement to obtain consent to process someone’s personal information (cookie information) for these purposes, this is not yet entirely clear. However, guidance produced by the Article 29 Working Party has indicated that advertising to a particular demographic e.g. women in London, would not be too intrusive and would not have a significant effect on individuals. However, targeting advertisements to vulnerable adults or minority groups would (e.g. showing gambling advertisements to someone in financial difficulties) and, accordingly, consent would be required. The guidance indicates that whether consent is required will always be fact and situation dependent and the following factors should be taken into account: (i) how intrusive the profiling process is; (ii) the expectations and wishes of the individuals you target; (iii) the way you deliver the advertisement; and (iv) how vulnerable the individuals you target are.

42 Insert this wording if you use web beacons or Facebook Pixel and complete the web beacons section below.

43 Insert description of the cookie management tool you use on your website. Note that, due to the requirement to obtain explicit and granular consent prior to placing different types of non-essential cookies on a user’s device (if not individual non-essential cookies), the need for a cookie management will effectively become mandatory if you use any non-essential cookies on your website. There are several tools available, including Cookie Control by CIVIC, which is the solution the Information Commissioner’s Office uses (ICO) and which is available here: https://www.civicuk.com/cookie-control