What Is a Cookie Policy?
A cookie policy is a legal disclosure that explains how your website uses cookies, web beacons, pixel tags, and similar tracking technologies to collect data from visitors. It identifies every cookie your site places on a user's browser, describes what each cookie does, how long it persists, and whether it belongs to your domain or a third party. The policy also explains how visitors can manage their cookie preferences, withdraw consent, and delete cookies already stored on their devices.
Cookie policies became a regulatory priority after the European Union adopted the ePrivacy Directive (sometimes called the "Cookie Law") in 2002 and strengthened it with the 2009 amendment requiring informed consent before placing non-essential cookies. The GDPR, which took effect in May 2018, added further weight by classifying cookie identifiers as personal data and imposing steep fines for non-compliance. In the United States, the CCPA and its successor the CPRA treat certain cookie-based tracking as a "sale" or "sharing" of personal information, triggering disclosure and opt-out obligations for businesses with California users.
Beyond compliance, a well-written cookie policy builds trust with your audience. Users who understand exactly what data your site collects and why are more likely to grant consent, which in turn preserves your access to analytics and advertising revenue. A vague or incomplete cookie policy does the opposite: it erodes trust, increases consent banner dismissals, and puts your organization at risk of regulatory action from authorities like the UK ICO, France's CNIL, and the Irish Data Protection Commission.
Our attorney-reviewed cookie policy template helps you produce a disclosure that is accurate, comprehensive, and written in plain language. It covers strictly necessary cookies, analytics cookies, functional cookies, and advertising cookies, and includes provisions for consent management platforms, cookie audit schedules, and cross-border data transfer disclosures required by the GDPR.
GDPR Compliant
Meets ePrivacy Directive and GDPR transparency requirements for EU/EEA visitors
Consent Controls
Built-in language for opt-in banners, granular category selection, and withdrawal rights
Cookie Audit Ready
Structured cookie table format that maps directly to scanner output from OneTrust or Cookiebot
Cookie Policy Form Preview
Below is a visual preview of the sections included in our standard cookie policy template. The completed document is customized to your website's specific cookies, third-party integrations, and target jurisdictions.
Cookie Policy
Website Cookie Disclosure
Section 1: Introduction
Section 2: Cookie Categories
Section 3: Consent Management
Cookie Consent Mechanisms
How you collect and record cookie consent directly affects whether your tracking practices are legally defensible. The mechanism matters as much as the policy itself, and regulators have shown they are willing to fine organizations that get this wrong.
Cookie Consent Banner
The most common implementation is a banner or modal that appears on the first visit. A compliant banner offers at least two clear options: 'Accept All' and 'Reject All' (or 'Necessary Only'). The CNIL fined Google and Facebook a combined 210 million euros in January 2022 partly because their cookie banners made rejecting cookies significantly harder than accepting them. Equal prominence for both options is now the expected standard.
Granular Category Selection
Beyond accept/reject, best practice is to let users choose which cookie categories they consent to. A settings panel or 'Manage Preferences' button opens a layered interface where users can toggle analytics, functional, and advertising cookies independently. This approach satisfies the EDPB's guidance on granularity and gives users genuine control without forcing an all-or-nothing decision.
Consent Management Platforms (CMPs)
Tools like OneTrust, Cookiebot, TrustArc, and Osano automate banner display, preference storage, and tag blocking. A CMP scans your site for cookies, generates a cookie declaration, displays a compliant banner, stores consent records with timestamps, and conditionally loads scripts based on user choices. If you operate in the EU, look for a CMP that supports the IAB Transparency and Consent Framework (TCF) 2.2.
Consent Records and Proof
The GDPR requires data controllers to demonstrate that valid consent was obtained. Your CMP or consent log should record the timestamp of consent, the version of the cookie policy presented, the specific categories accepted, the user's IP address (or a pseudonymized identifier), and the method of consent. These records must be retained for as long as the consent is relied upon and made available to supervisory authorities on request.
How to Create a Cookie Policy: 7 Steps
A cookie policy should be specific to your website, not a generic template pasted from another site. Follow these steps to build a disclosure that is accurate, comprehensive, and defensible.
Run a Full Cookie Audit
Use an automated scanner (Cookiebot, OneTrust, or a browser developer-tools extension) to crawl every page of your website and identify every cookie, localStorage item, and tracking pixel being set. Record the cookie name, domain, purpose, type (first-party or third-party), category, and expiration period. This audit is the raw data your policy is built on.
Classify Cookies by Category
Sort your audit results into the four standard categories: strictly necessary, analytics/performance, functional, and advertising/targeting. This classification determines which cookies require consent and which are exempt. Be conservative in your classifications. If there is any doubt about whether a cookie is strictly necessary, treat it as requiring consent.
Identify Third-Party Providers
For every third-party cookie, identify the provider, link to their privacy policy, and confirm that a data processing agreement (DPA) is in place. Under the GDPR, you are jointly responsible for cookies set by third-party scripts embedded on your site. Document whether each provider acts as a processor or an independent controller.
Draft the Cookie Table
Create a structured table listing each cookie with its name, provider, purpose, category, type (session or persistent), and expiration. This table is the core of your cookie policy and the part most frequently reviewed by regulators. Keep it updated every time you add or remove a script.
Write Clear Explanatory Text
Above the cookie table, write plain-language explanations of what cookies are, why your site uses them, and what rights visitors have. Avoid legal jargon. The GDPR requires that privacy information be provided in a concise, transparent, intelligible, and easily accessible form. Write at a reading level that a typical website visitor can understand.
Configure Your Consent Mechanism
Connect your cookie policy to a consent banner that blocks non-essential cookies until consent is granted. Test that scripts for analytics, advertising, and functional cookies do not fire before the user clicks 'Accept.' Verify that the 'Reject All' button works and that previously stored cookies are cleared when consent is withdrawn.
Schedule Regular Reviews
Set a calendar reminder to re-scan your site and update the cookie policy at least quarterly. Any deployment that adds a new analytics tool, chat widget, A/B testing script, or advertising pixel should trigger an immediate review. Document each update with a version number and date.
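As an added illustration of the consent-record fields listed under "Consent Records and Proof" and of the gating and withdrawal checks in the steps above (example code, not the template or any CMP's own implementation), the following keeps all logic DOM-free so it can run outside a browser; the script manifest and cookie audit table are constructed sample data and the four categories follow this page.

```javascript
// Added example: a minimal consent gate with proof-of-consent records.
// Assumption: category names match the page's four standard categories.
const CATEGORIES = ["necessary", "analytics", "functional", "advertising"];

// Constructed sample: scripts the site would load, tagged by cookie category.
const SCRIPT_MANIFEST = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://chat.example/widget.js", category: "functional" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Constructed sample: rows from the cookie audit (name, domain, category).
const COOKIE_AUDIT = [
  { name: "session_id", domain: "example.com", category: "necessary" },
  { name: "analytics_id", domain: ".example.com", category: "analytics" },
  { name: "chat_uid", domain: "chat.example", category: "functional" },
  { name: "ad_id", domain: ".example.com", category: "advertising" },
];

// Build the record a controller keeps to demonstrate consent: timestamp,
// policy version shown, method, pseudonymous subject id, categories granted.
// Strictly necessary cookies are exempt from consent and are always listed.
function buildConsentRecord(choices, policyVersion, method, subjectId, now = new Date()) {
  const granted = CATEGORIES.filter((c) => c === "necessary" || choices[c] === true);
  return { timestamp: now.toISOString(), policyVersion, method, subjectId, granted };
}

// Default is block: a script loads only if its category is in the record.
function scriptsAllowed(record, manifest = SCRIPT_MANIFEST) {
  return manifest.filter((s) => record.granted.includes(s.category)).map((s) => s.src);
}

// Withdrawal produces a new record (the old one stays in the log as history).
function withdrawConsent(record, revoked, now = new Date()) {
  const granted = record.granted.filter((c) => c === "necessary" || !revoked.includes(c));
  return { ...record, timestamp: now.toISOString(), method: "withdrawal", granted };
}

// After withdrawal, expire every audited cookie whose category is no longer
// consented to; each entry is a Set-Cookie value with Max-Age=0.
function cookiesToClear(record, audit = COOKIE_AUDIT) {
  return audit
    .filter((c) => !record.granted.includes(c.category))
    .map((c) => `${c.name}=; Domain=${c.domain}; Path=/; Max-Age=0`);
}
```

The same `cookiesToClear` output is also the check for step 6: after "Reject All" or withdrawal, every listed cookie should be gone from the browser.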
Key Components of a Cookie Policy
A thorough cookie policy covers each of the following areas. Missing any one of them can result in regulatory findings or consent banner failures.
| Component | Description |
|---|---|
| Introduction and Scope | Identify the website, the entity responsible, and the scope of the policy |
| Definition of Cookies | Explain what cookies are, including similar technologies like web beacons and pixel tags |
| Cookie Category Breakdown | Classify all cookies into strictly necessary, analytics, functional, and advertising |
| Cookie Table | Name, provider, purpose, type, and expiration for each cookie |
| Third-Party Disclosures | Identify third-party providers and link to their privacy policies |
| Legal Basis for Processing | State whether processing is based on consent, legitimate interest, or necessity |
| Consent Mechanism | Describe how users grant, refuse, and withdraw consent |
| Browser Cookie Settings | Instructions for managing cookies in Chrome, Firefox, Safari, and Edge |
| Impact of Disabling Cookies | Explain what site functionality may be lost if cookies are rejected |
| Cross-Border Data Transfers | Disclose if cookie data is transferred outside the EU/EEA and the safeguards used |
| Data Retention Periods | Specify how long cookie data is stored before deletion |
| Children's Privacy | State whether the site is directed at children and how it handles minors' data |
| Contact Information | Data controller contact details and DPO information if applicable |
| Policy Update Procedures | How users will be notified of material changes and the version history |
Legal Requirements by Jurisdiction
Cookie regulation varies significantly between the EU, the UK, and individual U.S. states. Your cookie policy needs to account for every jurisdiction where your website has visitors, not just where your company is headquartered.
EU / EEA: ePrivacy Directive and GDPR
The ePrivacy Directive requires informed, prior consent before placing non-essential cookies on a user's device. The GDPR reinforces this by classifying cookie identifiers as personal data and requiring a lawful basis for processing. Together, these regulations mandate opt-in consent banners, granular category controls, and documented proof of consent. Fines for non-compliance can reach 20 million euros or 4% of global annual revenue under GDPR Article 83.
United Kingdom: PECR and UK GDPR
The UK's Privacy and Electronic Communications Regulations (PECR) mirror the ePrivacy Directive and require consent for non-essential cookies. The ICO has issued detailed guidance on cookie consent, including requirements for clear "Accept" and "Reject" buttons with equal prominence. Post-Brexit, the UK applies the UK GDPR alongside PECR, maintaining substantially the same standards as the EU.
United States: State-Level Privacy Laws
The U.S. has no federal cookie law, but several state privacy statutes affect how websites use tracking technologies. The CCPA/CPRA requires businesses to disclose the categories of personal information collected through cookies and provide a "Do Not Sell or Share My Personal Information" link if cookies are used for cross-context behavioral advertising. Colorado, Connecticut, Virginia, and other states with comprehensive privacy laws impose similar disclosure and opt-out requirements.
Google Consent Mode v2
Starting March 2024, Google requires websites using Google Ads or Analytics in the EEA to implement Consent Mode v2, which communicates user consent status to Google tags. Without Consent Mode, you lose remarketing audiences and conversion measurement for EEA traffic. Your cookie consent banner must integrate with Consent Mode to pass ad_storage, analytics_storage, and ad_user_data signals.
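As an added example (not code from this page or from Google), here is how a banner's category choices map onto the Consent Mode v2 signals named above; it assumes the standard gtag.js pattern where `gtag()` pushes onto `dataLayer`, and uses a plain array for `dataLayer` so the logic runs outside a browser. Besides the three signals the page lists, Consent Mode v2 also defines `ad_personalization`, which is set here alongside `ad_storage`.

```javascript
// Added example: Consent Mode v2 defaults and updates driven by banner choices.
// Assumption: dataLayer is a plain array here; in a page it is window.dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Before any user choice: deny every non-essential signal, optionally only for
// the listed regions, and let tags wait up to 500 ms for a stored choice.
function setConsentDefaults(regionCodes) {
  const defaults = {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500,
  };
  if (regionCodes && regionCodes.length) defaults.region = regionCodes;
  gtag("consent", "default", defaults);
  return defaults;
}

// Translate the banner's category toggles into signal values. All three
// advertising signals follow the advertising category; analytics_storage
// follows the analytics category. Anything not explicitly true stays denied.
function consentSignals(choices) {
  const ads = choices.advertising === true ? "granted" : "denied";
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: choices.analytics === true ? "granted" : "denied",
  };
}

// Called when the user saves a choice or withdraws consent later.
function applyConsent(choices) {
  const signals = consentSignals(choices);
  gtag("consent", "update", signals);
  return signals;
}

// The most recent consent command as [command, state]; useful when testing
// that nothing was granted before the user acted.
function lastConsentCommand() {
  const cmds = dataLayer.filter((a) => a[0] === "consent");
  const last = cmds[cmds.length - 1];
  return last ? [last[1], last[2]] : null;
}
```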
Enforcement Examples
- CNIL vs Google (2022): 150 million euro fine for making cookie rejection harder than acceptance on google.fr
- CNIL vs Facebook (2022): 60 million euro fine for the same issue on facebook.com
- ICO vs Clearview AI (2022): 7.5 million pound fine related to cookie-based scraping and biometric processing
- Austrian DPA (2022): Fine issued to a publisher whose cookie banner listed fewer cookies than were actually placed
Frequently Asked Questions
Common questions about cookie policies, consent banners, GDPR compliance, and tracking disclosures.
Official Resources
Authoritative sources on cookie regulations, consent frameworks, and data protection guidance.
ICO Cookie Guidance
UK Information Commissioner's detailed guidance on PECR cookie requirements
CNIL Cookie Guidelines
French data protection authority's rules on cookies and trackers
GDPR.eu Cookie Guide
Practical guide to GDPR cookie consent requirements for website operators
California AG - CCPA
Official guidance on California Consumer Privacy Act obligations for online tracking
EDPB Guidelines
European Data Protection Board guidelines on consent and cookie compliance
IAB TCF 2.2
Industry standard Transparency and Consent Framework for programmatic advertising
Create your Cookie Policy in under 10 minutes.
Answer a few questions and download a compliant, attorney-drafted document ready for your state.