
Creating a GDPR compliant cookie policy is essential for any business operating a website in Europe or processing data from EU residents. The General Data Protection Regulation (GDPR) treats cookies as personal data when they can be used to identify or profile individuals, and controllers must be transparent about how cookies work, obtain consent where necessary and allow users to opt out at any time.
Below you will find a detailed cookie policy checklist, practical guidance and examples to ensure that your website has a GDPR-compliant cookies policy.
GDPR-compliant cookie policy: Key takeaways
A cookie policy is a public-facing document explaining how cookies are used on your website.
Your cookie policy is GDPR-compliant if it includes all of the following:
- List of all cookies and who places them
- Purpose of each cookie
- Cookie duration
- Third‑party disclosures
- How users can withdraw consent or change cookie preferences
What is a cookie policy?
A cookie policy is a legal document that explains what cookies your website uses, why you use them, and how users can manage or disable them.
In simple terms, it tells visitors:
- What cookies are placed on their device
- What each cookie does (for example, login, analytics, ads)
- How long cookies stay active
- Whether cookies come from third parties like Google, Meta, or YouTube
- How users can accept, reject, or withdraw cookie consent
A cookie policy is usually linked in your website's footer and also through your cookie consent banner.
What GDPR says about cookie policies
GDPR requires transparency. Article 5 mandates personal data be processed lawfully, fairly, and transparently. Cookies that identify users or track behaviour qualify as personal data. Therefore, a GDPR-compliant cookie policy is mandatory.
In addition, Article 13 GDPR lists the information to be provided when collecting personal data, including the identity and contact details of the data controller, the legal basis, the recipients or third parties, the retention period and, where applicable, the contact details of the DPO.
A GDPR-compliant cookie policy must clearly state:
- What cookies are used
- Purpose of each cookie
- Legal basis for processing (consent or legitimate interest)
- Cookie duration
- User control and consent withdrawal methods
A compliant GDPR cookies policy satisfies transparency obligations and provides user control over cookie-based data processing.
Cookie consent requirements
The GDPR and the ePrivacy Directive together regulate the use of cookies in the European Union. These laws require websites to obtain informed and unambiguous consent before placing non‑essential cookies on a user’s device. According to guidance on cookies, organisations must:
- Obtain valid opt-in consent before using any cookies that are not strictly necessary.
- Provide accurate, specific information about what each cookie does and what data it collects.
- Store proof of consent.
- Allow website access even if users refuse cookies.
- Make it as easy to withdraw consent as it is to give it.
Penalties for non‑compliance
Supervisory authorities have broad powers to enforce the GDPR. In cases of non‑compliance, authorities can issue a warning, reprimand or a temporary or definitive ban on processing, and may impose GDPR fines of up to €20 million or 4% of a company’s total annual worldwide turnover for serious violations, or up to €10 million or 2% for less serious offences.
Fines would depend on factors like severity and duration of the infringement.
GDPR cookie policy requirements checklist
Your cookie policy should act as a comprehensive transparency notice. Use the following checklist to ensure you include all mandatory elements:
| Requirement | Explanation |
|---|---|
| Definition of Cookies | Clearly explain what cookies are and that they are small text files stored on a user’s device. |
| Categorise cookies clearly | E.g. Necessary, Functional, Analytics, Performance, Advertisement. |
| Detailed Cookie Table | Provide a structured table listing each cookie individually and their providers. E.g. YSC set by YouTube or lang set by LinkedIn. |
| Purpose of each cookie type | Explain why each cookie is used, e.g. authentication, remembering settings, measuring website performance, and personalising advertising. |
| Legal basis for processing | Specify whether you rely on consent or legitimate interests for each cookie. Legitimate interest can apply to strictly necessary cookies, but consent is required for analytics and marketing cookies. |
| Cookie duration/expiry | State how long each cookie remains on the user’s device. E.g. _ga set by Google Analytics stays for 1 year 4 days. |
| Third‑party cookie disclosures | Identify any third‑party providers that set cookies on your site and indicate whether data may be transferred outside the EU. E.g. Google Analytics, Facebook, LinkedIn. |
| How to withdraw consent / change preferences | Provide a straightforward mechanism that allows users to change their preferences or opt out of non‑essential cookies. Give links to the major browsers’ cookie preference centres. |
| Contact information | Include an email or address where users can submit questions or exercise their rights. |
Essential vs non‑essential cookies under GDPR
Under the GDPR, not all cookies require consent. Cookies can be grouped into categories based on their necessity and purpose:
| Category | Description | Examples | Consent required? |
|---|---|---|---|
| Essential (strictly necessary) | Cookies necessary for core website functions, such as authentication and remembering session data. | token, d2_token on Reddit (login cookies) | No |
| Preferences | Remember user choices (language, region, accessibility options). Without them, the website may still work, but the experience may be less personalised. | Default_lang set by TikTok | Yes |
| Analytics | Measure performance, gather aggregated statistics or understand how visitors interact with the site. | S_ecid set by Adobe Analytics | Yes |
| Marketing (advertising) | Create user profiles or track browsing across websites to deliver targeted ads. | __gpi_optout set by Google Ads | Yes |
Common GDPR cookie policy mistakes
Even well‑intentioned websites often fall short on cookie compliance. Here are common mistakes and how to avoid them:
- Not listing all cookies: Many sites provide generic descriptions of cookie categories, but fail to list each cookie individually. Always name every cookie and specify who sets it. If your site uses third‑party scripts, audit them to discover hidden cookies.
- Vague purposes: “Analytics” or “marketing” isn’t enough. Explain specifically what each cookie does, e.g. “_ga tracks page views” or “_fbp measures ad conversion”. Detailed explanations build trust and satisfy transparency obligations.
- No opt‑out instructions: Users should be able to decline non‑essential cookies at any time. Provide a clear cookie settings button and ensure it is as easy to withdraw consent as to give it.
- Outdated information: Cookies change frequently when you update your site or add new tools. Regularly audit your site and update your cookie list, durations and third‑party disclosures. Use automated scanning tools and maintain change logs.
GDPR cookie policy example: Sample template
Below is a simplified example of a GDPR‑compliant cookie policy snippet. Use it as a model and tailor it to your own website:
Download the Sample Cookies Policy Template as a Word DOCX file.
Real-life examples of cookie policy
Your cookie policy for GDPR compliance should be tailored to your website's needs. Here are some examples for reference.
How to create a GDPR compliant cookie policy
Follow these steps to build and implement a robust cookie policy:
- Audit your cookies: Use a scanning tool or browser developer tools to list all cookies set on your website, including third‑party scripts and embedded content. Identify each cookie’s purpose, duration and provider.
- Use our GDPR generator: Our GDPR cookie policy generator helps you create a comprehensive policy by selecting cookie categories, entering cookie details and generating the necessary legal text in plain language.
- Add to your website: Publish the generated policy on a dedicated Cookies Policy page and link to it from your cookie banner and privacy policy. Ensure the policy is easily accessible from every page.
- Implement a consent banner: Display a cookie banner that presents users with options to accept or reject non‑essential cookies. Include a link to your cookie policy in it.
- Maintain and update: Regularly review your cookies and update the policy whenever you add new services or change how cookies are used. Store proof of consent and respect users’ choices across devices.
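The consent requirements listed earlier (opt-in before non-essential cookies, proof of consent, withdrawal as easy as granting) and the audit and banner steps above translate into a small amount of browser-side logic. The following is an added example written for this article, not code from the page or from any consent-management vendor. The cookie inventory, the `policyVersion` string and the sample cookie header are constructed for illustration; the function names (`recordConsent`, `withdrawConsent`, `mayLoad`, `auditCookies`) are this example's own. It runs in Node as written and in a browser if you pass it `document.cookie`.

```javascript
// Added example (not from the page): a minimal consent gate that only allows
// strictly necessary cookies before opt-in, stores proof of consent with a
// timestamp and policy version, and resets everything with one withdrawal call.

// Constructed cookie inventory standing in for the policy's "detailed cookie
// table". Names, providers and durations are illustrative, not audited values.
const COOKIE_INVENTORY = [
  { name: "session_id", provider: "first-party",      category: "essential",   purpose: "keeps the user logged in",                        maxAgeDays: 0 },
  { name: "pref_lang",  provider: "first-party",      category: "preferences", purpose: "remembers the chosen language",                   maxAgeDays: 365 },
  { name: "_ga",        provider: "Google Analytics", category: "analytics",   purpose: "distinguishes visitors for page-view statistics", maxAgeDays: 369 },
  { name: "_fbp",       provider: "Meta",             category: "marketing",   purpose: "measures ad conversion",                          maxAgeDays: 90 },
];

// Per the article's category table, only strictly necessary cookies are exempt from consent.
const CATEGORIES_NEEDING_CONSENT = new Set(["preferences", "analytics", "marketing"]);

function consentRequired(category) {
  return CATEGORIES_NEEDING_CONSENT.has(category);
}

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    cookies.set(eq === -1 ? pair : pair.slice(0, eq), eq === -1 ? "" : pair.slice(eq + 1));
  }
  return cookies;
}

// Proof of consent: what was chosen, when, and which policy version was shown.
// Essential cookies are always on because they cannot be refused; every other
// category defaults to off (no pre-ticked boxes).
function recordConsent(choices, policyVersion, now = new Date()) {
  return {
    choices: { preferences: false, analytics: false, marketing: false, ...choices, essential: true },
    policyVersion,
    timestamp: now.toISOString(),
  };
}

// Withdrawal is one call, the same effort as granting: all non-essential categories are reset.
function withdrawConsent(record, now = new Date()) {
  return recordConsent({}, record.policyVersion, now);
}

// Gate used before loading a tag or setting a cookie. Undocumented cookies are
// refused outright: if it is not in the policy's table it must not be set.
function mayLoad(cookieName, consentRecord) {
  const entry = COOKIE_INVENTORY.find((c) => c.name === cookieName);
  if (!entry) return false;
  if (!consentRequired(entry.category)) return true;
  return Boolean(consentRecord && consentRecord.choices[entry.category]);
}

// Audit step: compare the cookies actually present with the inventory. Reports
// cookies missing from the policy and non-essential cookies set without consent.
function auditCookies(cookieString, consentRecord) {
  const undocumented = [];
  const setWithoutConsent = [];
  for (const name of parseCookieHeader(cookieString).keys()) {
    const entry = COOKIE_INVENTORY.find((c) => c.name === name);
    if (!entry) undocumented.push(name);
    else if (!mayLoad(name, consentRecord)) setWithoutConsent.push(name);
  }
  return { undocumented, setWithoutConsent };
}

// Constructed sample: a visitor accepted analytics only, yet the browser holds
// a marketing cookie and one nobody documented.
const consent = recordConsent({ analytics: true }, "2024-01");
const findings = auditCookies("session_id=abc; _ga=GA1.2.1; _fbp=fb.1.1; mystery=1", consent);
console.log(findings); // { undocumented: ['mystery'], setWithoutConsent: ['_fbp'] }
```

In a real banner, `mayLoad` is what you consult before injecting each third-party tag, and the object returned by `recordConsent` is what you persist (for example in a first-party cookie or server-side log) so that you can later show which choices a visitor made against which version of the policy. Running `auditCookies` against `document.cookie` after a page load, with consent deliberately refused, is a quick regression check that no non-essential or undocumented cookie is set before opt-in.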
FAQ on GDPR-compliant cookie policy
By following this checklist and leveraging our generator, you’ll ensure your cookie policy meets the high standards of the GDPR, builds trust with visitors and reduces the risk of costly penalties.

Safna
CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer