Home » Blog » Is My Company Required to Post a Cookie Policy or Pop-Up Notification?

Is My Company Required to Post a Cookie Policy or Pop-Up Notification?

Cookies are small text files placed on a user’s device that are meant to collect data from consumers and help companies and third-party advertisers understand their online behavior.

It is helpful to know that it is best practice for websites and organizations in the U.S. or other countries to post a general Privacy Policy, Cookie Policy, or Cookie pop-up alerting users of the ways in which their data is being used.

In general, users have the right to know how their data is being used as well as have the option to either disable or delete Cookies if they are concerned about their online privacy and safety.

The common question that many companies have is whether they are required to post a Cookie policy or pop-up notification that alerts or lets users know that their website is tracking.

The following information has been compiled to help website owners, managers, directors, and company administrators become aware of the latest policies. This guide aims to inform you on whether you need to implement a Cookies pop-up as well as the correct legal jargon to use if you chose to write one.

What’s the ‘Cookie Law’ and Policy Surrounding Cookies?

For starters, what is the law concerning Cookies, and how do you know if your company needs a disclaimer explaining which Cookies are used while giving you the option to disable them?

The Cookie Law, also known as the ePrivacy Directive, went into effect in 2002 in an effort to protect and ensure EU user privacy.

If you’re a company in the EU, a company doing business in the EU, or a blog or company website receiving traffic from EU clients, you are subject to complying with “The Cookie Law.” This means you are obligated to publish a Cookie Policy on your website as well as a consent form and pop-up notification warning for users before you can track them and their digital data. Additionally, you must provide detailed information on the types of Cookies you are using as well as an option for users to decline or delete Cookies.

So does your US-based company need to comply? The short answer is no, but there is some grey area that might require you to comply with EU guidelines.

Media Genesis reports: “the majority of United States websites won’t need to comply with any regulations related to the Cookie Law unless you have a target audience in Europe.” This means that if your target audience is EU clients, you should defer to complying with the EU Cookie Law even if you are a US-based company.

Companies in the EU, or those doing business in the EU, must first provide consent to users and address, in detail, why they are using Cookies. Users must review the consent information and understand that Cookies are being used to track information, according to Media Genesis. 

You can go through this checklist to find out if you are complying with the law:

  • Companies must explain what Cookies (if any) are being used.
  • Explain the purpose of the Cookies on your site and what information it’s generating.
  • Must get the user’s consent so that your company can proceed to store a Cookie on their mobile device/computer.

Examples of EU Companies with Cookie Policies and Pop-Ups

One example of a Cookie pop-up notification and page is the European company Exor. If you visit their homepage and scroll to the bottom, you’ll see a message that says,

“This site uses cookies to its technical functionalities. If you want to find out more about the cookies we use and how to disable them, you can access our Cookie Policy. By continuing your visit on the website, you consent to the use of the cookies [CONTINUE].”

You can use Exor N.V.’s page as a guide and compare it with other sites to draft your own consent and Cookie Policy messages. It is required that you create a separate Cookie Policy page and include a hyperlink to the page in the message as well as another hyperlink to the consent form pop-up when the user clicks on [CONTINUE].

The Cookie Policy, like the one on Exor’s page, should include the following information (yours can slightly differ, of course–but please consult your company’s legal team or read up on what the law specifically says).

The pop-up should be clear and simple as well as give users the option to visit the  Privacy Page for more information or a Cookie Policy for companies receiving traffic from the EU. Lastly, it should hyperlink to all detailed pages and have an “Accept” button for consent purposes.

We’ll go over the policy one more time in case you missed it:

Cookie Policy

  • An explainer of what Cookies are and the types of Cookies being used on your site or app.
  • An explainer on the types of Cookies your site is using.
  • How your site is using the Cookies.
  • How your customers/users can disable or manage the cookies either on their laptop or a mobile device.

Highlighting the Types of Cookies on Your Site in Your Cookie Policy

When discussing Cookie policies, it is important to mention that it is also best practice to make sure you highlight the types of Cookies you are using on your site. Transparency is key. The three different types of Internet Cookies as compiled by Rocket Lawyer include the following:

  • Session Cookies – these are typically known as temporary Cookies that help websites track user activity during a specific session. If the user drifts or goes to another website, the cookies are deleted. They are also commonly used on ecommerce sites.
  • Persistent Cookies – These are also known as “permanent Cookies.” Think of it as a more long-term Cookie that stays even after you close the website. It can remember login information so a user doesn’t have to constantly type out everything all the time.
  • Third-Party Cookies – These are generally installed by third parties (advertisers) that hope to learn more from users in terms of online behavior, spending habits, etc.
  • Flash Cookies – These Cookies generally stay on a user’s computer permanently. They can stay on a user’s device even far after all cookies have been deleted.
  • Zombie Cookies – These Cookies can be a nuisance to some users. The Cookie can be created again even after a user disables or deletes them, making them difficult to manage.


Should you Post a Cookie Policy and Pop-Up Notification Warning?

Although the Cookie Law applies specifically to EU companies, you should always err on the side of caution. It doesn’t hurt to set aside some time with your team to discuss the Cookies that are being used and whether a web developer can create a page explaining Cookie Policies to users.

At the very least, your US company should still post a general Privacy Policy page if you don’t have clients in the EU or receive traffic from the EU. There are no specific US-based laws when it comes to Cookies, but you should still post a disclaimer to be on the safe side. Also, if your web traffic suddenly changes and you start receiving a spike in visits from EU users, you won’t have anything to worry about.

If you’re a EU company, you can check to see if your website is compliant with Cookies and Online Tracking procedures here. Take a look at Shell’s Global Privacy Page here, which shows what the company does with personal data.

As a company, you can consider installing a pop-up Cookie consent notification that can be easily located at the bottom or top of the homepage, depending on your preference. According to Cookiebot, a Cookie consent banner is “the cookie warning that pops up on websites when a user first visits the site.” The consent banner should be simple and easy to find, with wording that is uniquely generated and not copied from another site.

Examples of Pop-up Notifications

An example of another pop-up notification warning for Cookies is seen on the US Shell website. Notice that pop-up notifications for Cookies immediately come up and are visible and easily accessible on the main homepage. There should be a quick paragraph explainer about how the Cookies on your page are used, including a link to Cookie Consent along with a button to “Accept” where users can click to approve and send in their consent.

In a nutshell, the Cookie warning lets the user knows that there are Cookies and Tracking in place on a website or app. Of course, the warning also lets users review the Consent page and click to consent to their data.

Cookiebot reports that consent banners initially began showing up on every EU company website after the “Cookie Law” went into effect shortly after 2002.

If you are a U.S. company, it is truly up to you as to whether you would like to model the disclaimers that other EU sites use (you will have to create your own, non-technical wording. You can use other sites as models, but do not copy the text).

It could help boost company morale and help users feel more at ease if you show transparency about data if you decide to create a policy page. Understand that if you are a US company, you don’t have to worry about the Cookie law unless you start to have an audience or traffic from EU users.

Not Complying or Reading up on the EU Cookie Law

Remember, if you are a US business or company that receives traffic or stores data from EU visitors, you are required to follow GDPR requirements and protocol. If you do not properly disclose this, your US website might risk financial or legal penalties and fines, according to CMDS Online. Make sure you ask and post a Cookie consent pop-up if your website is receiving traffic or targetting EU visitors.

CMDS Online writes, “the physical location of an organization does not impact GDPR compliance; it is the physical location or the individual whose data is being collected, processed, or stored that matters. Even if you’re a US company, chances are probably that you have European Union residents in your database.”

Additionally, please remember that GDPR or the General Data Protection Regulation applies “to any organization that collections and stores personal data on European Union users on their websites.” This law went into effect on May 25, 2018.

According to CMDS Online, any US websites that are found collecting information or data from EU citizens will be held accountable. This is why it’s crucial to read up on the Cookie Law and figure out if your website is storing data from EU residents. If so, you need to comply and make sure you:

1.) ask for consent
2.) Post a Cookie Policy page
3.) Create a space where users can disable or delete Cookies.



So in a nutshell, just because your business or company is not physically in the EU, it doesn’t necessarily mean that these laws do not apply to you. Make sure you do your research and consult with your web development and legal team for more information on how to protect your company from legal fines and penalties.

Social Feed