Cookie Policy Generator
Generate a clear cookie policy explaining what cookies your site uses and why.
About Cookie Policies
A cookie policy is the detailed disclosure of the cookies and similar technologies (pixels, local storage, fingerprinting) your site uses. It tells visitors what is stored on their device, who set it, and why — and it is the long-form document a cookie banner usually links to.
Cookie categories
- Essential — required for the site to work (session, security, load balancing). Usually no consent required.
- Functional — remember preferences like language or region.
- Analytics — measure traffic and user behaviour for site improvement.
- Advertising — build audience profiles to serve and measure targeted ads.
- Embedded — set by third-party content like YouTube videos, Twitter widgets, or social share buttons.
Best practices
- Pair this policy with a clear cookie consent banner if you use non-essential cookies.
- List the actual cookies you set, or at least the categories and third-party providers.
- Update the effective date whenever you add or remove a tracker.
- Provide working “how to manage cookies” links for the major browsers.
Cookie policy vs cookie banner — separate things
A cookie policy is a static document describing every cookie your site sets — name, purpose, duration, first or third party. A cookie banner is the runtime consent mechanism shown on first visit. Most jurisdictions require both: the policy as the persistent disclosure, the banner as the moment of consent. The policy lives at a fixed URL (linked from the footer and the banner). The banner runs JavaScript and stores the user's choice — typically in a first-party cookie or localStorage.
What each cookie entry should describe
- Name — the actual cookie name as set in the browser.
- Provider — your domain (first-party) or the third party (e.g. Google Analytics, Stripe).
- Purpose — one sentence in plain language. "Remembers your dark-mode preference across visits."
- Category — strictly necessary, functional, analytics, advertising, or social.
- Duration — session, or specific (30 days, 1 year, 2 years).
Categories and what they trigger
- Strictly necessary — cookies required for the site to function (session, cart, CSRF). No consent required under GDPR/PECR or CCPA.
- Functional — preferences, language, theme. Consent typically required in EU/UK; opt-out sufficient in most US states.
- Analytics — Google Analytics, Plausible, Matomo. Consent required in EU/UK. Anonymised or aggregated analytics may qualify as legitimate interest in some jurisdictions but the safe default is consent.
- Advertising / marketing — Meta Pixel, Google Ads, retargeting. Consent always required in EU/UK; opt-out increasingly required in US (Colorado, Connecticut, California for sensitive data).
- Embedded content / social — YouTube, Twitter embeds, social share buttons. These set third-party cookies on load — treat as advertising for consent purposes.
Common implementation mistakes
- "Accept all" without an equally-prominent "Reject all". EDPB guidance and CNIL enforcement have made this a clear violation.
- Pre-ticked consent boxes. Explicitly prohibited under GDPR Article 4(11) and Article 7(2).
- Loading analytics or ad scripts before consent. The most common technical violation. Defer all non-essential scripts until consent is recorded.
- No way to change consent later. Provide a "Cookie settings" link in the footer.
- Forgetting third-party iframes. Embedded YouTube videos set advertising cookies on load — use youtube-nocookie.com or load on click.