« go to the main website

iubenda blog

iubenda's blog, privacy policy generator for websites and apps

Posted on by Simon Schmid

If you're based in Europe or you are officially targeting European users, then the cookie provisions may be relevant to you.

The reason for the cookie related obligations is the EU cookie law (also called e-Privacy Directive), which was last updated on 26 May 2011. Since then European states have interpreted and implemented the rules in various ways and stages. Your compliance measures will therefore depend on the country that is relevant to your project.

What's excpected from you if you fall under a cookie provision?

Make sure you explain what the cookies are used for. In particular these four tips seem to be a good framework to start from:

  • Which are the cookies used on your site?
  • Who is installing them?
  • What are they being used for?
  • How do you reject their installation/how do you uninstall them?

Iubenda's privacy policy generator will assist you with the creation of a cookie policy. By activating the cookie policy within iubenda you will get a complete section covering the use of cookies on your site or application, within your existing privacy policy.

This post explains how you can create a cookie policy easily with the help of iubenda's privacy policy generator.


How it works

Create a privacy policy with iubenda or choose the pre-existing privacy policy you want to improve. Then choose "Activate cookie policy" from within the customization settings in the right sidebar. This will open a modal window with forms that will help you with filling out and finalizing your cookie policy.

Iubenda prepopulates the cookies we know of (originating at your third party services). Therefore, all you have to do is to double-check your own cookies, add them to the appropriate forms and double-check the cookies we've identified for you.

What iubenda helps you with/Your next steps

The generator helps you out with a relevant structure by identifying the various relevant categories:

  1. Strictly necessary cookies
  2. Other cookies
  3. Automatically included cookies (included by the generator)

While you will have to manually include all of the cookies set by your application, we will help out by providing the cookies set by your third party services. We will also automatically group them with the appropriate categories, therefore we'll also make sure that people understand what these cookies are good for.

Since the handling of cookie disclosures and their enforcement couldn't be more of a mess across the continent, we've decided to start with this minimal implementation. Each country has their own rules for how you should handle the cookies and their disclosure. What this initial version provides you with, is the framework for disclosure within your privacy policy.

What you will have to take care of is the actual cookie notice and technical implementation according to your legislation. Some cookies need user consent and therefore need some sort of a banner to make sure that a user is able to consent to the use of those cookies.

Take this as a general statement:

Not all cookies require consent to be used. Those eligible to this exception are cookies essential to delivering the service requested by the user (the strictly necessary cookies mentioned above):

  • session cookies,
  • authentication cookies (for the duration of the session) and
  • user security cookies (the above mentioned strictly necessary cookies).

Cookies that need consent are usually to be found in advertisement and analytics related fields.

We encourage you to read up on the situation in your country. To facilitate this, we’ve linked you to the relevant coverage below.


Overview for Europe's legislations 

Below you'll find some notes regarding our main markets and some links to the relevant sites and documentation. Euopean regulators as part of Article 29 Working Party have published an opinion on cookies, which is why this document makes for insightful reading.

Here's an additional interesting pdf that compares the state of the cookie law implementation across the EEA which is helpful on many levels.

A defining element across the legislations is how that user consent needs to be sought. Is "implied consent" enough (the user sees the notice and keeps browsing because he consents to the setting of the cookies), or do you have to get prior consent that comes down to an "opt-in" solution?


Status: the ICO investigates based on complaints.

Strict ‘opt-in’ consent required (or expected): no

The ICO regarding implementation of the notice:

It is likely to be more difficult to obtain consent for this type [not strictly necessary cookies] where you do not have any direct relationship with a user – for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies. There are various ways in which information about cookies can be — see Providing information about cookies. 


The authority regarding implementation of the notice:

It is particularly important that the requirements are met where so-called 'third party' or 'tracking' cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website's use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies. Practically, for Irish website operators we suggest the following for minimum compliance with these requirements:

Paraphrased these requirements are:

  1. Consent may be obtained explicitly through the use of an opt-in checkbox which the user can tick if they agree to accept cookies: "I accept cookies from this site [Checkbox]";
  2. Consent may also be obtained by implication: "By continuing to use this site you consent to the use of cookies in accordance with our cookie policy".


Status: uncertain

Strict ‘opt-in’ consent required (or expected): no

The situation is confusing to say the least. The directive seems not to be implemented properly, while recent news seem to be confirming the opposite (more information in German). If you want to be completely sure, go with an opt-in solution.


Status: enforcement not before May 8th, 2015.

Strict ‘opt-in’ consent required (or expected): no

Official guidance outlines the need for a privacy policy with cookie info, to be published through a special banner shown on the homepage of the website. That banner must contain two parts: 

  • Advise the users that the site installs cookies (first as well as third party cookies) allowing users to consent to this kind of data processing;
  • Place a link in the same banner to further information, especially for third party cookies which will allow the user to provide consent in a selective way.

Italian site owners are not liable for third party cookies according to this guidance by the Garante.


Status: active

Strict ‘opt-in’ consent required (or expected): yes/no

The CNIL recommends a two-step approach to obtaining consent:

  1. the website must have a banner on the home page that complies with the CNIL recommendations;
  2. the user must be informed in a simple and intelligible way (on a dedicated page) of how they may consent or refuse to all or some of the cookies. The information must be clear and set out full details about each type of cookie used on the site and the reasons why each cookie is used. 

Cookies can only be served if the visitor gives explicit/opt-in consent. Limited exemptions apply to analytics cookies.


Cookies may be served if the user given the user's consent (the information must be clear and comprehensive about why their personal data will be collected and processed). Implied consent is possible.

Le mécanisme de recueil de consentement, analysé ci-dessous, doit fournir un avertissement clair, compréhensible et visible concernant l’utilisation des cookies. Cet avertissement renverra vers l’information complète relative à la politique d’utilisation des cookies.

.La Commission considère que le butinage vers d’autres espaces du site (« further browsing ») pourra être considéré comme un comportement actif par lequel l’utilisateur signifie son consentement indubitable si l’utilisateur est clairement informé à ce propos et si cette information reste présente sur le site jusqu’à ce que l’utilisateur fasse un choix explicite ou ferme l’espace d’information.


Spain’s data protection authority has produced great guidance which states that the cookie notices should be sufficiently visible and link to a place with more information in which you can reject the cookie installation. It’s enough to show the notice upon the first visit. Implied consent may be enough.

"En los casos en que el usuario no manifieste expresamente si acepta o no la instalación de las cookies, pero continúe utilizando la página web o la aplicación se podría entender que éste ha dado su consentimiento, siempre que se le haya informado claramente en este sentido y se ofrezca en todo momento a través de las formas señaladas en esta guía un aviso que ofrezca de modo permanente información sobre la utilización de las cookies y la posibilidad de desinstalarlas.

La información que se ofrezca en esta primera capa se podrá mostrar a través de un formato que sea visible para el usuario como por ejemplo un layer, una barra o a través de técnicas o dispositivos similares, teniendo en cuenta que la localización en la parte superior de la página captaría mejor la atención de los usuarios."


Status: active

Strict ‘opt-in’ consent required (or expected): yes

Explicit guidance from the Portuguese data protection authority about consent is still missing. The opinions regarding the Portuguese DPA's stance is unambiguous, however: implied consent is probably not going to be enough and continuous use of a website will only be regarded as consent if clear and evident information has been given.

What's next

Activate the cookie policy like this and follow the instructions in the cookie modal.


And take a look at our guides for 

Or just make your first privacy policy with iubenda's generator.

Cookie policy pricing

The cookie policy is included in our standard Pro subscription pricing at $27/year or any other license for that matter. 

Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid

Two days ago we've announced the integration of the image processing service Cloudinary and the affiliate marketing app called Referral Candy. Today is starting off by the integration with another analytics  tool called Parse Analytics. This means you can now easily browse the collection of services/clauses within iubenda and find & add Parse Analytics to your privacy policies.



What is Parse Analytics?

Parse Analytics is a product by the Parse team that lets you properly analyze app usage and custom analytics.

With a single line of code, track any data point you can imagine in your app. Simply send us the data and we'll break it down for you in the Analytics dashboard.

Why include a privacy policy for Parse Analytics?

Analytics tools have the potential to analyze the behavior of your users. It's largely considered to be an activity that has to be disclosed to users/visitors of a website or app.

Parse has a paragraph for you to have a privacy notice in place in their terms, too:

3.3 You agree that you will protect the privacy and legal rights of the End Users of your application. You must provide legally adequate privacy notice and protection for End Users. If End Users provide you with user names, passwords, or other login information or personal information, you must make the End Users aware that the information will be available to your application and to Parse.

By using iubenda for your app this becomes as easy as choosing the Parse Analytics clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Parse

Posted on by Simon Schmid | Posted in Development

Leave a comment

Posted on by Simon Schmid


A little earlier we've announced the integration with an image processing service called Cloudinary. Now I'm happy to let you know our integration with an affiliate tool called Referral Candy. This means you can now easily browse the collection of services/clauses within iubenda and find & add Referral Candy to your privacy policies.


What is Referral Candy?

Referral Candy helps you acquiring new customers & increase sales with a referral program. You'll use it to amplify Word-of-mouth, increase sales and have richer customer insights. The set up is very flexible and lets you completely integrate it with your app, or test some campaigns manually.

Why include a privacy policy for Referral Candy?

Referral Candy collects the e-mail addresses of users, aggregates information on what pages consumers access or visit, and information volunteered by the consumer (such as survey information and/or site registrations). They also collect the total invoice amount and timestamp for purchases made by customers of retailers on their service. 

The data collection happening is something that should be disclosed and go into a privacy policy.

By using iubenda for your site this becomes as easy as choosing the Referral Candy clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Referral Candy

Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid


We've recently integrated Cloudinary with our privacy policy generator. This means you can now easily browse our ever growing collection of services/clauses and find & use Cloudinary in your privacy policies.

This is how you add a Cloudinary clause to your privacy policy

What is Cloudinary?

Cloudinary makes image management in the cloud simple. They can be used for web and mobile applications. Some of the features include: 

  • Upload images to a cloud-based storage
  • Tons of image manipulations & effects
  • PDFs, sprites, watermarks, social profile pictures
  • Fast CDN delivery for better user experience
  • Powerful dashboard, media library and reports
  • Comprehensive image management APIs

Why include a privacy policy for Cloudinary?

Using Cloudinary you may be uploading content to the service that includes personal information. The data collection happening is therefore something that should be disclosed and go into a privacy policy.

Cloudinary has a paragraph for your privacy compliant behaviour in their terms

You represent that your disclosure of privacy practices to Authorized Users will cover the Service's use of personal information pursuant to the Service's privacy policy, located at http://cloudinary.com/privacy.

By using iubenda for your site this becomes as easy as choosing the Cloudinary clause and adding it to your privacy policy. Let us help you with it.


Generate Privacy Policy for Cloudinary

Posted on by Simon Schmid | Posted in Category | Tagged , ,

Leave a comment

Posted on by Simon Schmid

Last year we've written about the so called Internet Sweep Day which was a coordinated audit by 19 members of the GPEN (Global Privacy Enforcement Networt) looking at over 2000 popular sites and applications worldwide.

Between the May 12 and 18 the GPEN went ahead with organizing an international privacy sweep, specifically targeted at mobile applications, this time around involving 27 data protection authorities around the world.

The communicated issues to be examined before the sweep were as follows:

Sweep participants will be looking at the types of permissions an app is seeking, whether those permissions exceed what would be expected based on the app’s functionality, and most importantly from a transparency perspective, how the app explains to consumers why it wants the personal information and what it will do with it.

Participating authorities will look at some of the most popular apps or apps that are of particular interest in their country or region. For example, some authorities plan to focus on health-related apps or apps developed by public sector organizations.

A little later in the year we plan to take a look at some of the reactions from the sweep. This should help form an understanding of which elements are being closely looked at and therefore should be closely looked at by you. 

Some of the interesting results will be found in Australia, UK, Spain, New Zealand, Mexico, Italy, Ireland, France, Germany and Canada.



Posted on by Simon Schmid | Posted in Category

Leave a comment

Posted on by Simon Schmid

Ever since the Do Not Track amendments have been passed and have become effective on January, 1st, the world website and app owners have wondered how they could best comply with the changes.

The amendment added two new requirements to Californias so called CALOPPA:

  1. the operator’s response to a browser DNT signal or to “other mechanisms,” and
  2. the possible presence of other parties conducting online tracking on the operator’s site or service.

Now the Attorney General's office of California has released another guide for website owners and developers (yes mobile app owners as well). This time the guides covers the Do Not Track requirement and how to make sure you comply with it.

You can read and download the Do Not Track guide "Making your Privacy Practices Public" here.

The key takeaways of the guide can be summarized like this:

  • Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or similar mechanisms within your privacy policy instead of providing a link to another website.
  • If third parties are or may be collecting personally identifiable information, say so in your privacy policy.
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • Describe what personally identifiable information you collect from users, how you use it and how long you retain it.
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
  • Use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format. Use graphics or icons instead of text.

As you can see only the first two takeaways are about Do Not Track itself.  That's because the underlying goal is quite simple. Tell your visitors what Do Not Track does on your site, or what it doesn't.

I'm pasting in the larger recommendations regarding Do Not Track in their entirety for you below:

Make it easy to find the Do Not Track section of your policy.

Clearly identify the section in which you describe your specific policy regarding online tracking or how you respond to consumers’ DNT signals. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”

Describe how you respond to a browser’s DNT signal or to another such mechanism.

Describing your response in your privacy policy statement is preferable to simply providing a link to a related “program or protocol” (hereinafter referred to as a “program”) because it provides greater transparency to consumers.


If you decide not to describe your response to a DNT signal or to another mechanism, provide a clear and conspicuous link in your privacy policy statement to a program that offers consumers a choice about online tracking.

In our policies we have a statement that per default assumes that you do not honor or react to Do Not Track requests.

Generate a privacy policy with iubenda

Posted on by Simon Schmid | Posted in Category

Leave a comment