How to Write a GDPR-Compliant Cookie Policy (With Template)
A step-by-step guide to writing a cookie policy that meets GDPR requirements.
Why You Need a Cookie Policy
If your website uses any cookies — even just a session cookie for login — you need a cookie policy. Under GDPR and the ePrivacy Directive, you must transparently inform users about every cookie on your site.
A privacy policy alone isn't enough. While some companies include cookie information in their privacy policy, best practice is to have a dedicated cookie policy that goes into specific detail about each cookie.
What Must Be Included
Your cookie policy must contain:
1. What Cookies Are
A brief, plain-language explanation of what cookies are and how they work. Don't assume your users are technical.
2. A Complete Cookie Table
For each cookie on your site, you must list:
| Field | Example |
|---|---|
| Cookie name | _ga |
| Provider | Google Analytics |
| Purpose | Tracks unique visitors |
| Category | Analytics |
| Duration | 2 years |
| Type | Third-party |
This is where most cookie policies fail. Generic statements like "we use analytics cookies" don't meet the transparency requirement. You must name each specific cookie.
3. Third-Party Services
List every third-party service that sets cookies or receives data through your site:
- Name of the service
- What data they receive
- Link to their privacy policy
- Where they process data (EU/US/other)
4. How to Control Cookies
Explain how users can:
- Accept or reject cookies via your consent banner
- Change their preferences after initial choice
- Delete existing cookies through their browser
- Opt out of specific tracking services
5. User Rights
Reference the GDPR rights that apply:
- Right to access their data
- Right to erasure
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
6. Contact Information
Provide:
- Email address for privacy inquiries
- DPO contact (if applicable)
- Physical address of the data controller
7. Last Updated Date
Always include when the policy was last updated. Review it whenever you add new cookies, scripts, or third-party services.
Common Mistakes
- Outdated cookie list: New plugins or scripts add cookies you didn't document
- Missing retention periods: Every cookie must have a stated duration
- No third-party links: Users should be able to check each third party's own privacy policy
- Legalese: Write in clear, plain language — not legal jargon
- No DPO contact: If required, this must be included
Generate Your Policy Automatically
Instead of writing your cookie policy from scratch, you can use GDPR Fix to:
- Scan your site and detect every cookie automatically
- Classify each cookie by category and provider
- Generate a complete, GDPR-compliant cookie policy tailored to your actual cookies
- Copy-paste the generated policy onto your site
The AI-generated policy includes cookie tables, third-party disclosures, user rights sections, and consent withdrawal instructions — ready to publish with minimal edits.
Check your website now
Find out if your site has the issues described in this article. Free scan, results in minutes.
Scan Your Site — Free