Skip to content
Back to Blog
GuideApril 12, 20268 min read

How to Write a GDPR-Compliant Cookie Policy (With Template)

A step-by-step guide to writing a cookie policy that meets GDPR requirements.

Why You Need a Cookie Policy

If your website uses any cookies — even just a session cookie for login — you need a cookie policy. Under GDPR and the ePrivacy Directive, you must transparently inform users about every cookie on your site.

A privacy policy alone isn't enough. While some companies include cookie information in their privacy policy, best practice is to have a dedicated cookie policy that goes into specific detail about each cookie.

What Must Be Included

Your cookie policy must contain:

1. What Cookies Are

A brief, plain-language explanation of what cookies are and how they work. Don't assume your users are technical.

2. A Complete Cookie Table

For each cookie on your site, you must list:

FieldExample
Cookie name_ga
ProviderGoogle Analytics
PurposeTracks unique visitors
CategoryAnalytics
Duration2 years
TypeThird-party

This is where most cookie policies fail. Generic statements like "we use analytics cookies" don't meet the transparency requirement. You must name each specific cookie.

3. Third-Party Services

List every third-party service that sets cookies or receives data through your site:

  • Name of the service
  • What data they receive
  • Link to their privacy policy
  • Where they process data (EU/US/other)

4. How to Control Cookies

Explain how users can:

  • Accept or reject cookies via your consent banner
  • Change their preferences after initial choice
  • Delete existing cookies through their browser
  • Opt out of specific tracking services

5. User Rights

Reference the GDPR rights that apply:

  • Right to access their data
  • Right to erasure
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

6. Contact Information

Provide:

  • Email address for privacy inquiries
  • DPO contact (if applicable)
  • Physical address of the data controller

7. Last Updated Date

Always include when the policy was last updated. Review it whenever you add new cookies, scripts, or third-party services.

Common Mistakes

  • Outdated cookie list: New plugins or scripts add cookies you didn't document
  • Missing retention periods: Every cookie must have a stated duration
  • No third-party links: Users should be able to check each third party's own privacy policy
  • Legalese: Write in clear, plain language — not legal jargon
  • No DPO contact: If required, this must be included

Generate Your Policy Automatically

Instead of writing your cookie policy from scratch, you can use GDPR Fix to:

  1. Scan your site and detect every cookie automatically
  2. Classify each cookie by category and provider
  3. Generate a complete, GDPR-compliant cookie policy tailored to your actual cookies
  4. Copy-paste the generated policy onto your site

The AI-generated policy includes cookie tables, third-party disclosures, user rights sections, and consent withdrawal instructions — ready to publish with minimal edits.

Free scan

Check your website now

Find out if your site has the issues described in this article. Free scan, results in minutes.

Scan Your Site — Free