Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Cookie Policy is a public-facing disclosure document that explains to website visitors which cookies and tracking technologies a site deploys, the purpose each one serves, how long it persists on the user's device, which third parties set or receive data from it, and what controls users have to manage or withdraw their consent. Unlike a full privacy policy β which covers all personal data an organization processes β a cookie policy focuses specifically on browser-based and device-based tracking. Privacy regulators in the EU, UK, Canada, and California treat it as a distinct transparency obligation, not simply a subsection of broader data-protection documentation.
Operating a website without a cookie policy is a compliance gap that regulators actively enforce, even against small businesses. Under GDPR, setting a single non-essential cookie without informed consent and a clear disclosure can expose an organization to supervisory authority action β fines for serious violations reach 4% of global annual turnover. Beyond regulatory risk, the absence of a cookie policy signals to visitors that data practices are opaque, which measurably reduces conversion rates and damages brand trust. A well-structured cookie policy also protects you operationally: it forces a full audit of every tracking tool on your site, surfaces third-party cookies you may not have known were being set, and gives your development team a living document to update whenever the tool stack changes. This template gives you a complete, plain-English framework to disclose your practices accurately, publish a compliant policy in hours rather than days, and maintain it as your site evolves.
| If your situation is⦠| Use this template |
|---|---|
| Site uses only Google Analytics and no advertising cookies | Simple Cookie Policy |
| Site serves users in the EU or UK and requires GDPR-compliant consent | GDPR Cookie Policy |
| Site collects personal data and needs a broader privacy framework | Privacy Policy |
| Site runs a cookie consent banner and needs terms to link to | Cookie Policy with Consent Banner Language |
| Mobile app that uses device identifiers and in-app tracking | Mobile App Privacy and Cookie Policy |
| SaaS platform with both a marketing site and authenticated app cookies | SaaS Cookie and Tracking Policy |
| Company needs a single document covering cookies and broader data practices | Privacy and Cookie Policy (Combined) |
Why it matters: Every new plugin, analytics tool, or ad pixel adds cookies to your site. A policy that does not reflect current cookies is out of compliance the moment it goes stale.
Fix: Schedule a quarterly cookie rescan and update the inventory table whenever you add or remove any third-party tool.
Why it matters: EU regulators have consistently ruled that behavioral advertising requires explicit consent, not legitimate interest β using the wrong basis exposes you to enforcement action.
Fix: Classify all marketing and retargeting cookies as consent-required and ensure your CMP blocks them until the user actively accepts.
Why it matters: Listing opt-out options without a working preference center or CMP means users cannot actually exercise their rights β which is itself a regulatory violation under GDPR Article 7.
Fix: Implement a consent management platform that allows category-level opt-in and opt-out, and test it from a fresh browser before publishing the policy.
Why it matters: Their cookie inventory will not match yours β your policy will disclose cookies you do not set and fail to disclose ones you do, both of which are regulatory risks.
Fix: Always start from a scanner-generated inventory of your own site and customize the template to reflect only the cookies your site actually sets.
Why it matters: GDPR and UK GDPR require specific retention periods. Vague language is a standard finding in regulatory audits and can trigger a formal reprimand.
Fix: Replace all vague duration language with specific timeframes β 'session', '30 days', '13 months', or '2 years' β drawn from your scanner data or the third party's documentation.
Why it matters: A cookie policy buried three clicks from the homepage does not satisfy transparency requirements β regulators expect it to be easily accessible, especially from the cookie banner.
Fix: Link to the policy directly from your cookie consent banner, your site footer, and your privacy policy. The URL should be permanent and not redirect.
Run your site through a cookie scanner (e.g., CookieBot scanner, OneTrust discovery, or browser developer tools) to generate a complete list of cookies being set, their source domains, and observed durations.
π‘ Do not rely on memory or what your developer told you β scanner output is the only reliable baseline. Rescan after every new tool or plugin you add.
Sort every cookie into one of four categories: strictly necessary, functional, analytics, or marketing/advertising. Strictly necessary cookies do not require consent; all others do under GDPR and similar frameworks.
π‘ When in doubt, treat a cookie as consent-required rather than strictly necessary β over-claiming the exemption is a common regulatory finding.
Replace all [COMPANY NAME], [WEBSITE URL], and [PRIVACY EMAIL] placeholders with your organization's legal name, the exact URL, and a monitored privacy contact address.
π‘ Use your registered legal entity name β not a trading name or brand name β for the controller identification section.
For each cookie, enter the cookie name, the setting party (first or third party), the stated purpose, and the expiry duration from your scanner output. Add a link to each third party's privacy policy.
π‘ Group cookies by category in the table so users can scan the section quickly β a flat alphabetical list of 40 cookie names is unreadable.
Name your consent management platform or cookie banner tool, explain what happens when a user accepts or rejects each category, and confirm that non-essential cookies are blocked until consent is given.
π‘ If you have not yet implemented a CMP, note it in your project backlog β publishing a cookie policy without a functional consent mechanism is incomplete compliance.
Replace any 'as long as necessary' language with specific durations from your scanner or the third party's documentation. Session = browser close; persistent = exact number of days or years.
π‘ Google Analytics 4 cookies default to 2 years but can be reduced to 14 months in the GA4 data settings β consider doing so to reduce your retention footprint.
Insert the current date in the 'Last revised' field at the top of the policy, publish it to a permanent URL (e.g., /cookie-policy), and link to it from your cookie banner, footer, and privacy policy.
π‘ Store the previous version in your document archive so you can demonstrate what the policy said at any point in time if a regulator requests it.
A privacy policy covers the full scope of personal data collection, processing, storage, and sharing across every channel β forms, emails, purchases, and cookies. A cookie policy addresses only tracking technologies on the website. Both are required for most sites, and they should cross-reference each other. When combined into a single document, the cookie section must still be specific enough to satisfy cookie-specific regulatory requirements.
Terms of use govern the legal relationship between the site operator and the user β acceptable use, intellectual property, disclaimers, and dispute resolution. A cookie policy is a transparency and consent document, not a contract. They serve different regulatory purposes and both should be linked from the site footer, but they should not be merged into a single document.
A GDPR consent form captures explicit user consent for a specific data processing activity β such as a newsletter subscription or form submission. A cookie policy is a disclosure document that informs users what cookies are set and provides opt-out mechanisms. The two work together: the consent form records a consent event, while the cookie policy describes the data practices that event covers.
A data processing agreement (DPA) is a contract between a data controller and a data processor β such as your analytics vendor β that governs how the processor handles personal data on your behalf. A cookie policy is the outward-facing disclosure to end users. GDPR requires both: the DPA with your vendors and the cookie policy for your site visitors.
Must disclose cart-persistence cookies, remarketing pixels from Google and Meta, and affiliate tracking cookies β all of which require consent under GDPR and CCPA.
Typically uses separate policies for the marketing site and the authenticated application, as cookies inside a logged-in product may have different consent bases.
Ad-funded sites set a high volume of third-party advertising cookies β IAB Transparency and Consent Framework (TCF) compliance is standard for programmatic ad inventory.
Analytics cookies on health-related sites may infer sensitive health conditions, triggering heightened consent requirements and restrictions on behavioral advertising under GDPR's special-category data rules.
Law firms and financial advisers whose sites collect enquiry form data alongside analytics cookies face scrutiny over whether cookie data constitutes confidential client information.
Loyalty and booking platforms use long-lived persistent cookies and cross-device tracking, requiring detailed retention disclosures and clear opt-out paths for returning customers.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-sized websites using standard tools like Google Analytics, a social pixel, and a live-chat widget | Free | 1β2 hours including a cookie scan |
| Template + professional review | E-commerce sites with advertising cookies, SaaS products serving EU users, or any site monetized through programmatic advertising | $200β$600 for a privacy lawyer or consultant review | 2β5 days |
| Custom drafted | Enterprise sites with complex cookie stacks, health or financial data, or multi-jurisdiction compliance programs | $1,000β$3,500+ | 1β2 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
