Cookie Policy Template for Startups (2025)

Quick Facts

What Is It? A Cookie Policy discloses how your website uses cookies and similar tracking technologies to collect information from users.
Who Needs It? Any website that uses cookies or tracking technologies (analytics, marketing, advertising, social media plugins). Required in EU (GDPR + ePrivacy Directive), recommended in California (CCPA/CPRA).
Key Requirements: Describe all cookie types, purposes, providers, duration. Obtain prior consent for non-essential cookies (GDPR). Provide opt-out mechanism (CCPA/CPRA). Honor Global Privacy Control (GPC) signals.
Industries: SaaS, e-commerce, media, social networks, marketing platforms, any website using tracking technologies.
Related Documents: Privacy Policy, Terms of Service, cookie consent banner, consent management platform (CMP).
Compliance Frameworks: GDPR (EU), ePrivacy Directive (EU), CCPA (California), CPRA (California), UK GDPR, UK PECR.

What This Template Includes

This comprehensive cookie policy template includes:

  • Cookie definitions and types (essential, analytics, marketing, social media)
  • GDPR/ePrivacy Directive compliance (prior consent, granular controls, easy withdrawal)
  • CCPA/CPRA compliance (opt-out mechanism, GPC support, "Do Not Sell or Share" disclosures)
  • Cookie table with name, provider, purpose, duration, type, and legal basis
  • User rights and consent management (accept, reject, manage preferences)
  • Contact information and data controller details
  • Updates and changes notification procedures
  • Cross-border disclosures for international businesses

This template is designed for SaaS startups, e-commerce platforms, and any website that uses cookies or tracking technologies. Customize the bracketed sections to fit your specific use case.


Cookie Policy Template

COOKIE POLICY

Last Updated: [DATE]

Effective Date: [DATE]


1. INTRODUCTION

This Cookie Policy explains how [COMPANY NAME] ("Company," "we," "us," or "our") uses cookies and similar tracking technologies on our website [WEBSITE URL] (the "Site").

This Cookie Policy should be read together with our Privacy Policy and Terms of Service.

By using our Site, you agree to the use of cookies in accordance with this Cookie Policy. If you do not agree, please adjust your browser settings to reject cookies or stop using our Site.


2. WHAT ARE COOKIES?

Cookies are small text files that are placed on your device (computer, smartphone, tablet) when you visit a website. Cookies are widely used to make websites work more efficiently, provide information to website owners, and improve your browsing experience.

Similar Technologies include:

  • Web beacons / Pixels: Small graphic images that track user activity and conversions.
  • Local storage: Browser storage (e.g., HTML5 localStorage) that stores data locally on your device.
  • SDKs: Software development kits that collect information in mobile apps.
  • Fingerprinting: Techniques that identify users based on device/browser characteristics.

For simplicity, this Cookie Policy uses the term "cookies" to refer to cookies and all similar tracking technologies.


3. WHY WE USE COOKIES

We use cookies for the following purposes:

Purpose | Description | Cookie Type
Essential / Strictly Necessary | Enable core site functionality (login, security, load balancing, session management). Without these cookies, the Site cannot function properly. | Essential
Performance / Analytics | Understand how visitors use our Site (page views, clicks, session duration) to improve performance and user experience. | Analytics
Functionality | Remember your preferences (language, region, login status) to provide a personalized experience. | Functional
Marketing / Advertising | Deliver targeted ads based on your interests, track ad performance, and measure conversions. | Marketing
Social Media | Enable social media sharing (Facebook, Twitter, LinkedIn) and track social media interactions. | Social Media

4. TYPES OF COOKIES WE USE

4.1 Essential Cookies (Strictly Necessary)

These cookies are necessary for the Site to function and cannot be disabled in our systems. They are usually set in response to actions you take, such as logging in, filling out forms, or setting privacy preferences.

You cannot opt out of essential cookies.

Cookie Name | Provider | Purpose | Duration | Type | Legal Basis
[SESSION_ID] | [Your Company] | Session management (login, authentication) | Session | Essential | Legitimate Interest (site functionality)
[CSRF_TOKEN] | [Your Company] | Security (CSRF protection) | Session | Essential | Legitimate Interest (security)
[LOAD_BALANCER] | [Your Company / CDN Provider] | Load balancing (distribute traffic across servers) | Session | Essential | Legitimate Interest (site performance)
[COOKIE_CONSENT] | [Your Company] | Remembers your cookie consent preferences | [1 year] | Essential | Legitimate Interest (consent management)

[CUSTOMIZE THIS TABLE WITH YOUR ACTUAL ESSENTIAL COOKIES]


4.2 Analytics / Performance Cookies

These cookies help us understand how visitors interact with our Site by collecting and reporting information anonymously. They allow us to improve the Site's performance and user experience.

You can opt out of analytics cookies using our cookie consent banner.

Cookie Name | Provider | Purpose | Duration | Type | Legal Basis
_ga | Google Analytics | Distinguish users | 2 years | Analytics | Consent (GDPR) / Opt-Out Available (CCPA)
_gid | Google Analytics | Distinguish users | 24 hours | Analytics | Consent (GDPR) / Opt-Out Available (CCPA)
_gat | Google Analytics | Throttle request rate | 1 minute | Analytics | Consent (GDPR) / Opt-Out Available (CCPA)
[ANALYTICS_COOKIE] | [Your Analytics Provider] | [Purpose] | [Duration] | Analytics | Consent (GDPR) / Opt-Out Available (CCPA)

[CUSTOMIZE THIS TABLE WITH YOUR ACTUAL ANALYTICS COOKIES]

For more information about Google Analytics cookies, see:


4.3 Marketing / Advertising Cookies

These cookies are used to deliver ads that are relevant to you and your interests. They may also be used to limit the number of times you see an ad and to measure the effectiveness of advertising campaigns.

You can opt out of marketing cookies using our cookie consent banner.

Cookie Name | Provider | Purpose | Duration | Type | Legal Basis
_fbp | Facebook Pixel | Track conversions, optimize ads, build targeted audiences | 90 days | Marketing | Consent (GDPR) / Opt-Out Available (CCPA)
fr | Facebook | Deliver targeted ads | 90 days | Marketing | Consent (GDPR) / Opt-Out Available (CCPA)
IDE | Google DoubleClick | Serve targeted ads based on user behavior | 1 year | Marketing | Consent (GDPR) / Opt-Out Available (CCPA)
[ADVERTISING_COOKIE] | [Your Ad Provider] | [Purpose] | [Duration] | Marketing | Consent (GDPR) / Opt-Out Available (CCPA)

[CUSTOMIZE THIS TABLE WITH YOUR ACTUAL MARKETING COOKIES]


4.4 Social Media Cookies

These cookies enable social media functionality (sharing, liking, commenting) and track your social media interactions. They may also be used for advertising purposes.

You can opt out of social media cookies using our cookie consent banner.

Cookie Name | Provider | Purpose | Duration | Type | Legal Basis
[SOCIAL_COOKIE] | [Facebook / Twitter / LinkedIn] | Social sharing, tracking social interactions | [Duration] | Social Media | Consent (GDPR) / Opt-Out Available (CCPA)

[CUSTOMIZE THIS TABLE WITH YOUR ACTUAL SOCIAL MEDIA COOKIES]


4.5 Functional Cookies

These cookies allow the Site to remember choices you make (such as your username, language, or region) to provide a more personalized experience.

You can opt out of functional cookies using our cookie consent banner.

Cookie Name | Provider | Purpose | Duration | Type | Legal Basis
[PREFERENCE_COOKIE] | [Your Company] | Remember user preferences (language, theme) | [1 year] | Functional | Consent (GDPR) / Opt-Out Available (CCPA)

[CUSTOMIZE THIS TABLE WITH YOUR ACTUAL FUNCTIONAL COOKIES]


5. FIRST-PARTY VS. THIRD-PARTY COOKIES

5.1 First-Party Cookies

First-party cookies are set by our Site (the domain you are visiting) and can only be read by our Site. We use first-party cookies for essential functions, analytics, and personalization.

5.2 Third-Party Cookies

Third-party cookies are set by domains other than the one you are visiting. For example, if you visit our Site and we load a Facebook Pixel or Google Analytics script, Facebook or Google may set third-party cookies on your device.

We use third-party cookies for analytics, advertising, and social media functionality. You can manage third-party cookies using our cookie consent banner or your browser settings.


6. SESSION VS. PERSISTENT COOKIES

6.1 Session Cookies

Session cookies are temporary cookies that expire when you close your browser. They are used for essential functions like authentication and session management.

6.2 Persistent Cookies

Persistent cookies remain on your device after you close your browser, for a specified duration (e.g., 1 year). They are used for analytics, personalization, and advertising.


7. HOW TO MANAGE COOKIES

7.1 Cookie Consent Banner (Consent Management Platform)

When you first visit our Site, you will see a cookie consent banner that allows you to:

  • Accept all cookies: Allow all cookies (essential, analytics, marketing, social media).
  • Reject non-essential cookies: Allow only essential cookies (required for site functionality).
  • Manage cookie preferences: Choose which cookie categories to allow or block (granular control).

You can change your cookie preferences at any time by clicking the "Cookie Preferences" or "Manage Cookies" link at the bottom of our Site.


7.2 Browser Settings

You can also manage cookies through your browser settings. Most browsers allow you to:

  • Block all cookies
  • Block third-party cookies only
  • Delete cookies after each session
  • Receive a notification when a cookie is set

Instructions for popular browsers:

Note: If you block or delete essential cookies, some features of our Site may not function properly (e.g., you may not be able to log in or access certain pages).


7.3 Opt-Out of Third-Party Advertising Cookies

You can opt out of interest-based advertising from participating companies through the following services:


7.4 Global Privacy Control (GPC)

[IF YOUR SITE HONORS GPC SIGNALS (REQUIRED FOR CCPA/CPRA COMPLIANCE IN CALIFORNIA)]:

We honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will:

  • Not sell or share your personal information for targeted advertising.
  • Treat the GPC signal as a valid opt-out request under the CCPA/CPRA.

To enable GPC, use a browser or browser extension that supports GPC (e.g., Brave, Firefox with Privacy Badger, DuckDuckGo).

Learn more about GPC: https://globalprivacycontrol.org/


7.5 Do Not Track (DNT)

Some browsers offer a "Do Not Track" (DNT) signal. We do not currently respond to DNT signals because there is no universal standard for how DNT should be interpreted. However, we honor GPC signals (see Section 7.4).


8. YOUR RIGHTS AND CHOICES

8.1 GDPR / UK GDPR / ePrivacy Directive (EU/UK Users)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, you have the following rights under the GDPR, UK GDPR, and ePrivacy Directive:

Right | Description | How to Exercise
Consent and Withdrawal | You have the right to give or withdraw consent for non-essential cookies at any time. | Use our cookie consent banner or "Cookie Preferences" link.
Access | You have the right to request access to the personal information we collect through cookies. | Contact us at [PRIVACY EMAIL].
Deletion | You have the right to request deletion of your personal information collected through cookies. | Contact us at [PRIVACY EMAIL] or delete cookies through your browser settings.
Objection | You have the right to object to the processing of your personal information for marketing purposes. | Opt out of marketing cookies using our cookie consent banner.

ePrivacy Directive (Cookie Law):

  • We will not set non-essential cookies until you provide prior consent (opt-in).
  • We will make it as easy to withdraw consent as it is to give consent.
  • We will not use pre-ticked boxes or cookie walls (blocking access to the Site unless you accept cookies).

8.2 CCPA / CPRA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right | Description | How to Exercise
Right to Know | You have the right to know what personal information we collect through cookies. | See Section 4 (cookie tables) or contact us at [PRIVACY EMAIL].
Right to Opt Out | You have the right to opt out of the sale or sharing of your personal information for targeted advertising. | Click the "Do Not Sell or Share My Personal Information" link at the bottom of our Site, or enable GPC.
Right to Delete | You have the right to request deletion of your personal information collected through cookies. | Contact us at [PRIVACY EMAIL] or delete cookies through your browser settings.
Right to Non-Discrimination | We will not discriminate against you for exercising your CCPA/CPRA rights. | Automatic (we will not penalize you for opting out).

California "Shine the Light" Law:

California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. To make such a request, contact us at [PRIVACY EMAIL].


9. COOKIES AND CHILDREN

Our Site is not intended for children under the age of [13/16] (depending on jurisdiction). We do not knowingly collect personal information from children through cookies.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [PRIVACY EMAIL], and we will delete the information.

[IF YOU COLLECT INFORMATION FROM CHILDREN, YOU MUST COMPLY WITH COPPA (U.S.) AND ADDITIONAL GDPR REQUIREMENTS. CONSULT LEGAL COUNSEL.]


10. CHANGES TO THIS COOKIE POLICY

We may update this Cookie Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

When we make changes:

  • We will update the "Last Updated" date at the top of this Cookie Policy.
  • If the changes are material, we will provide notice [30] days in advance by:
    • Posting a notice on our Site.
    • Sending an email to registered users at the email address on file.
    • [OTHER NOTIFICATION METHODS, AS APPROPRIATE].

Your continued use of our Site after the changes take effect constitutes your acceptance of the updated Cookie Policy.

We encourage you to review this Cookie Policy periodically.


11. CONTACT US

If you have questions, concerns, or requests regarding this Cookie Policy or our use of cookies, please contact us:

[COMPANY NAME]
Attn: Privacy Team / Data Protection Officer
Address: [COMPANY ADDRESS]
Email: [PRIVACY EMAIL]
Phone: [COMPANY PHONE]

Data Protection Officer (DPO) / EU Representative (if applicable):
Name: [DPO NAME]
Email: [DPO EMAIL]
Address: [DPO ADDRESS]

UK Representative (if applicable, for UK GDPR compliance):
Name: [UK REP NAME]
Email: [UK REP EMAIL]
Address: [UK REP ADDRESS]


12. COOKIES USED ON THIS SITE (COMPREHENSIVE LIST)

[BELOW IS A COMPREHENSIVE TABLE OF ALL COOKIES USED ON YOUR SITE. CUSTOMIZE THIS BASED ON YOUR ACTUAL COOKIE USAGE. YOU CAN USE A COOKIE SCANNER TOOL TO IDENTIFY ALL COOKIES.]

Cookie Name | Provider | Purpose | Duration | Category | Legal Basis (GDPR) | CCPA Opt-Out Available?
session_id | [Your Company] | Session management | Session | Essential | Legitimate Interest | N/A (essential)
csrf_token | [Your Company] | CSRF protection | Session | Essential | Legitimate Interest | N/A (essential)
cookie_consent | [Your Company] | Store cookie consent preferences | 1 year | Essential | Legitimate Interest | N/A (essential)
_ga | Google Analytics | Distinguish users | 2 years | Analytics | Consent | Yes
_gid | Google Analytics | Distinguish users | 24 hours | Analytics | Consent | Yes
_gat | Google Analytics | Throttle request rate | 1 minute | Analytics | Consent | Yes
_fbp | Facebook Pixel | Track conversions, optimize ads | 90 days | Marketing | Consent | Yes
fr | Facebook | Deliver targeted ads | 90 days | Marketing | Consent | Yes
IDE | Google DoubleClick | Serve targeted ads | 1 year | Marketing | Consent | Yes
[ADD MORE COOKIES AS NEEDED] | [Provider] | [Purpose] | [Duration] | [Category] | [Legal Basis] | [Yes/No]

[USE A COOKIE SCANNER TOOL TO IDENTIFY ALL COOKIES ON YOUR SITE. POPULAR TOOLS: COOKIEBOT, ONETRUST, OSANO, TERMLY, COOKIEYES.]


13. LEGAL COMPLIANCE NOTES

13.1 GDPR / UK GDPR Compliance

This Cookie Policy complies with:

  • General Data Protection Regulation (GDPR) (EU) 2016/679
  • UK General Data Protection Regulation (UK GDPR)
  • ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC)
  • UK Privacy and Electronic Communications Regulations (PECR) 2003

Key requirements:

  • Prior consent (opt-in) for non-essential cookies.
  • Granular controls (users can accept/reject specific cookie categories).
  • Easy withdrawal of consent (as easy as giving consent).
  • No pre-ticked boxes or cookie walls.

13.2 CCPA / CPRA Compliance

This Cookie Policy complies with:

  • California Consumer Privacy Act (CCPA) (Cal. Civ. Code § 1798.100 et seq.)
  • California Privacy Rights Act (CPRA) (amendments to CCPA, effective January 1, 2023)

Key requirements:

  • Opt-out mechanism for the sale or sharing of personal information.
  • "Do Not Sell or Share My Personal Information" link prominently displayed.
  • Global Privacy Control (GPC) support (treat GPC signals as valid opt-out requests).
  • No discrimination for exercising CCPA/CPRA rights.

Note: CCPA/CPRA do not require opt-in consent for cookies (opt-out model). However, users must be able to opt out of the sale/sharing of personal information.


13.3 International Compliance

If you operate in other jurisdictions, you may need to comply with additional cookie laws:

  • Canada: PIPEDA, CASL (anti-spam law)
  • Australia: Privacy Act 1988, Spam Act 2003
  • Brazil: LGPD (Lei Geral de Proteção de Dados)
  • Other countries: Check local privacy and e-privacy laws.

Consult legal counsel to ensure compliance with all applicable laws.


14. COOKIE CONSENT BANNER IMPLEMENTATION

To comply with GDPR/ePrivacy Directive requirements, you must implement a cookie consent banner (Consent Management Platform, or CMP) that:

  1. Blocks non-essential cookies until the user provides consent (prior consent requirement).
  2. Provides granular controls (users can accept/reject specific cookie categories: analytics, marketing, social media).
  3. Makes it as easy to reject as to accept (no dark patterns, pre-ticked boxes, or cookie walls).
  4. Allows users to withdraw consent at any time (e.g., "Cookie Preferences" link in footer).

Popular cookie consent banner solutions:

Example cookie banner text:

We use cookies to improve your experience on our Site, analyze site usage, and deliver personalized content and ads. By clicking "Accept All," you consent to the use of all cookies. You can also manage your cookie preferences or reject non-essential cookies.

[Accept All] [Reject Non-Essential] [Manage Preferences]

15. COOKIE POLICY CHECKLIST

Use this checklist to ensure your Cookie Policy is complete and compliant:

  • [ ] List all cookies by name, provider, purpose, duration, category, and legal basis.
  • [ ] Use a cookie scanner to identify all cookies on your Site (first-party and third-party).
  • [ ] Distinguish essential vs. non-essential cookies (only essential cookies can be set without consent under GDPR).
  • [ ] Implement a cookie consent banner (CMP) that blocks non-essential cookies until consent is obtained.
  • [ ] Provide granular controls (users can accept/reject specific cookie categories).
  • [ ] Include opt-out links for third-party advertising cookies (NAI, DAA, Google, Facebook).
  • [ ] Honor Global Privacy Control (GPC) signals (required for CCPA/CPRA compliance in California).
  • [ ] Include "Do Not Sell or Share My Personal Information" link (CCPA/CPRA requirement for California users).
  • [ ] Explain user rights under GDPR, UK GDPR, ePrivacy Directive, CCPA, and CPRA.
  • [ ] Provide contact information for privacy inquiries (email, address, phone, DPO).
  • [ ] Review and update regularly (at least annually, or when you add/remove cookies).
  • [ ] Test cookie banner functionality (ensure non-essential cookies are blocked until consent is given).
  • [ ] Document consent records (keep records of when users gave consent, what they consented to, and how they consented).

16. FREQUENTLY ASKED QUESTIONS (FAQs)

16.1 Do I need a cookie policy if I only use essential cookies?

Answer: It depends on your jurisdiction:

  • GDPR/ePrivacy Directive (EU/UK): If you only use essential cookies (strictly necessary for site functionality), you do not need to obtain consent. However, you should still inform users about essential cookies in a cookie policy or privacy policy.
  • CCPA/CPRA (California): You should disclose what information you collect through cookies (even essential cookies) in your privacy policy. A standalone cookie policy is recommended but not strictly required if you only use essential cookies.

Best practice: Even if you only use essential cookies, publish a cookie policy to be transparent and build trust with users.


16.2 What are essential cookies (strictly necessary cookies)?

Answer: Essential cookies are cookies that are absolutely necessary for the Site to function and cannot be disabled. Examples include:

  • Session cookies (login, authentication, shopping cart).
  • Security cookies (CSRF protection, fraud detection).
  • Load balancing cookies (distribute traffic across servers).
  • Consent management cookies (remember cookie consent preferences).

Essential cookies do not require consent under GDPR because they are necessary to provide the service the user requested (legitimate interest).


16.3 What are non-essential cookies?

Answer: Non-essential cookies are cookies that are not strictly necessary for the Site to function. Examples include:

  • Analytics cookies (Google Analytics, Mixpanel, etc.).
  • Marketing/advertising cookies (Facebook Pixel, Google Ads, etc.).
  • Social media cookies (Facebook, Twitter, LinkedIn sharing).
  • Functional cookies (remember language preferences, theme settings).

Non-essential cookies require prior consent under GDPR (opt-in). You must block these cookies until the user explicitly consents.


16.4 Do I need consent for Google Analytics?

Answer:

  • GDPR/ePrivacy Directive (EU/UK): Yes, you need consent for Google Analytics because it is not considered essential. Google Analytics is a performance/analytics cookie that requires prior opt-in consent under GDPR.
  • CCPA/CPRA (California): You do not need consent (opt-in) for Google Analytics. However, you must provide an opt-out mechanism if Google Analytics is used to sell or share personal information for targeted advertising.

Best practice: Obtain consent for Google Analytics in all jurisdictions to be safe. Use a cookie consent banner to block Google Analytics until the user consents.


16.5 What is the difference between first-party and third-party cookies?

Answer:

  • First-party cookies: Set by the domain you are visiting (e.g., yoursite.com). Only readable by that domain. Used for essential functions, analytics, and personalization.
  • Third-party cookies: Set by a domain other than the one you are visiting (e.g., facebook.com, google.com). Used for advertising, tracking across sites, and social media functionality.

Privacy impact: Third-party cookies raise more privacy concerns because they can track users across multiple websites (cross-site tracking). Many browsers (Safari, Firefox, Brave) now block third-party cookies by default.


16.6 What is a cookie consent banner (CMP)?

Answer: A cookie consent banner (also called a Consent Management Platform or CMP) is a pop-up or banner that appears when a user visits your Site for the first time. It:

  1. Informs users about the cookies you use.
  2. Requests consent for non-essential cookies.
  3. Blocks non-essential cookies until consent is obtained (GDPR requirement).
  4. Provides granular controls (accept all, reject all, manage preferences).

Popular CMPs: Cookiebot, OneTrust, Osano, Termly, CookieYes, Usercentrics.


16.7 What is Global Privacy Control (GPC)?

Answer: Global Privacy Control (GPC) is a browser signal that tells websites "do not sell or share my personal information." It is a universal opt-out mechanism for California residents under CCPA/CPRA.

How it works:

  1. User enables GPC in their browser or browser extension (e.g., Brave, Firefox with Privacy Badger, DuckDuckGo).
  2. Browser sends a GPC signal to websites.
  3. Websites that honor GPC automatically opt out the user from the sale/sharing of personal information.

CCPA/CPRA requirement: Websites must honor GPC signals as valid opt-out requests. Failure to honor GPC can result in enforcement action by the California Privacy Protection Agency (CPPA).

Learn more: https://globalprivacycontrol.org/


16.8 Do I need to honor GPC signals?

Answer:

  • California (CCPA/CPRA): Yes, if you sell or share personal information and you target California residents, you must honor GPC signals.
  • Other jurisdictions: GPC is not required outside of California, but it is considered a best practice for privacy compliance.

How to implement: Use a CMP or consent management script that automatically detects and honors GPC signals. Popular CMPs (Cookiebot, OneTrust, Osano) support GPC.


16.9 What is the difference between GDPR and CCPA cookie requirements?

Answer:

Requirement | GDPR / ePrivacy Directive (EU/UK) | CCPA / CPRA (California)
Consent Model | Opt-in (prior consent required for non-essential cookies). | Opt-out (no prior consent required, but users must be able to opt out of sale/sharing).
Cookie Banner Required? | Yes (must block non-essential cookies until consent is obtained). | No (but recommended to provide opt-out mechanism).
Granular Controls | Required (users must be able to accept/reject specific cookie categories). | Not required (but recommended).
Essential Cookies | No consent required (legitimate interest). | No opt-out required (necessary for service).
Enforcement | Data Protection Authorities (DPAs), fines up to €20 million or 4% of global turnover. | California Privacy Protection Agency (CPPA), fines up to $7,500 per intentional violation.

Best practice: Implement a cookie consent banner that complies with both GDPR and CCPA/CPRA requirements (opt-in for non-essential cookies, opt-out for sale/sharing, GPC support).


16.10 How do I scan my website for cookies?

Answer: Use a cookie scanner tool to automatically identify all cookies on your Site (first-party and third-party). Popular tools include:

How it works: Enter your website URL, and the tool will scan all pages and identify cookies by name, provider, purpose, duration, and category.

Note: Cookie scanners may not catch all cookies (especially dynamic cookies loaded by JavaScript). Manually review your Site's code to ensure all cookies are identified.


16.11 What happens if I don't comply with cookie laws?

Answer:

GDPR/ePrivacy Directive (EU/UK):

  • Enforcement: Data Protection Authorities (DPAs) can investigate and issue fines.
  • Fines: Up to €20 million or 4% of global annual turnover (whichever is higher).
  • High-profile cases: Google fined €90 million (France, 2020), Amazon fined €746 million (Luxembourg, 2021).

CCPA/CPRA (California):

  • Enforcement: California Privacy Protection Agency (CPPA) can investigate and issue fines.
  • Fines: Up to $2,500 per unintentional violation, $7,500 per intentional violation.
  • Private right of action: Consumers can sue for data breaches if the company failed to implement reasonable security measures.

Other consequences:

  • Reputational damage (loss of user trust).
  • Legal liability (lawsuits from users or consumer advocacy groups).
  • Loss of business (some users may refuse to use your Site if you don't comply with cookie laws).

16.12 Do I need a DPO (Data Protection Officer) for cookie compliance?

Answer:

  • GDPR: You need a DPO if:
    1. You are a public authority (government agency).
    2. Your core activities involve large-scale monitoring of individuals (e.g., behavioral advertising, extensive tracking).
    3. Your core activities involve large-scale processing of special categories of data (health, biometric, genetic data).

Most startups do not need a DPO unless they engage in large-scale monitoring or processing of sensitive data.

  • CCPA/CPRA: DPO is not required.

Best practice: Even if not required, designate a privacy point of contact (e.g., privacy team, privacy email) to handle cookie and privacy inquiries.


16.13 Should I use a cookie wall (block access unless users accept cookies)?

Answer: No. Cookie walls are not compliant with GDPR/ePrivacy Directive.

GDPR/ePrivacy Directive:

  • Consent must be freely given. If you block access to your Site unless users accept cookies, consent is not freely given (it is coerced).
  • Regulators have ruled against cookie walls. For example, the French DPA (CNIL) has fined companies for using cookie walls.

CCPA/CPRA:

  • Cookie walls are not explicitly prohibited, but you cannot discriminate against users for exercising their CCPA/CPRA rights (e.g., opting out of sale/sharing). Blocking access for opting out may be considered discrimination.

Best practice: Do not use cookie walls. Provide users with a genuine choice to accept or reject cookies.


16.14 Can I use pre-ticked boxes for cookie consent?

Answer: No. Pre-ticked boxes (opt-out checkboxes) are not compliant with GDPR.

GDPR requirement:

  • Consent must be freely given, specific, informed, and unambiguous.
  • Users must take an affirmative action to consent (e.g., click "Accept" button).
  • Pre-ticked boxes do not constitute affirmative action. The user must actively opt in (tick the box themselves).

Best practice: Use opt-in checkboxes (unchecked by default) or "Accept" / "Reject" buttons. Do not use pre-ticked boxes.


16.15 How long should I keep cookie consent records?

Answer:

  • GDPR: Keep consent records for as long as you process the personal information, plus 3-5 years after processing ends (to defend against potential complaints or investigations).
  • CCPA/CPRA: No specific retention requirement, but keep records for a reasonable period to demonstrate compliance (e.g., 3-5 years).

What to record:

  • When the user gave consent (date and time).
  • What the user consented to (which cookie categories).
  • How the user consented (cookie banner, form submission, etc.).
  • Version of the cookie policy at the time of consent.

Best practice: Use a CMP that automatically logs consent records.
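The consent gate that Section 14, Section 7.4 and FAQs 16.7, 16.8 and 16.15 describe, written out as an added example that is not part of the template and not the code of any CMP product: non-essential tags stay blocked until an opt-in record for the current policy version exists, a GPC signal switches off the sale/share categories, and the consent record (time, categories, method, policy version) is stored in the cookie_consent cookie. The tag registry, the POLICY_VERSION value and the choice of which categories count as "sale/sharing" are constructed assumptions; in a browser the entry point reads document.cookie and navigator.globalPrivacyControl (and a server reads the Sec-GPC header), but the decision functions take those signals as plain values so they run offline.

```javascript
// Consent gate for a cookie banner (added example, not a CMP product's code).
// The functions take the browser signals as plain values so the logic also
// runs under Node; initInBrowser() is the only part that touches the DOM.

const CONSENT_COOKIE = "cookie_consent";   // name used in the policy's cookie tables
const POLICY_VERSION = "2025-01";          // constructed: identifies the policy text consented to
const CATEGORIES = ["essential", "analytics", "marketing", "social", "functional"];
// Assumption: cookies in these categories are what the site treats as "sale/sharing"
// under CCPA/CPRA, so a GPC signal must turn them off.
const SALE_SHARE_CATEGORIES = ["marketing", "social"];

// Constructed registry of tags the site injects, keyed by the category that must be
// consented to first. Only the essential entry loads without consent.
const TAG_REGISTRY = [
  { id: "app", category: "essential", src: "/js/app.js" },
  { id: "ga4", category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "fb-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "share-widget", category: "social", src: "https://social.example/share.js" },
];

// Parse a document.cookie-style string; return the stored consent record or null.
// A malformed value is treated as "no consent", never as consent.
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (record && typeof record.categories === "object") return record;
    } catch (e) { /* fall through: unparsable cookie */ }
    return null;
  }
  return null;
}

// Build the record FAQ 16.15 asks for: when, which categories, how, and policy version.
// Every non-essential category defaults to false (opt-in, no pre-ticked boxes).
function buildConsentRecord(choices, method, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = c === "essential" ? true : choices[c] === true;
  }
  return { timestamp: now.toISOString(), categories, method, policyVersion: POLICY_VERSION };
}

// Serialise the record as the value for a Set-Cookie header / document.cookie write.
// 1 year matches the duration the policy lists for cookie_consent.
function serializeConsentCookie(record, maxAgeSeconds = 365 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`;
}

// Which categories may set cookies right now:
// - no record, or a record for an older policy version: essential only (prior consent);
// - GPC signal present: sale/share categories off regardless of stored choices.
function effectiveConsent(storedRecord, gpcSignal) {
  const valid = !!storedRecord && storedRecord.policyVersion === POLICY_VERSION;
  const allowed = {};
  for (const c of CATEGORIES) {
    allowed[c] = c === "essential" ? true : valid && storedRecord.categories[c] === true;
    if (gpcSignal && SALE_SHARE_CATEGORIES.includes(c)) allowed[c] = false;
  }
  return allowed;
}

// The banner is shown until a record for the current policy version exists.
// GPC is an opt-out signal; it does not replace GDPR opt-in consent for analytics.
function shouldShowBanner(storedRecord) {
  return !(storedRecord && storedRecord.policyVersion === POLICY_VERSION);
}

// Ids of the registry entries that may be injected under the given consent.
function tagsToLoad(allowed, registry = TAG_REGISTRY) {
  return registry.filter((t) => allowed[t.category] === true).map((t) => t.id);
}

// Server side, the same signal arrives as the Sec-GPC request header with value "1".
function gpcFromHeaders(headers) {
  return (headers["sec-gpc"] || headers["Sec-GPC"]) === "1";
}

// Browser entry point (not exercised under Node): read the real signals and inject
// only the permitted script tags. `win` is the window object.
function initInBrowser(win) {
  const stored = parseConsentCookie(win.document.cookie);
  const gpc = win.navigator.globalPrivacyControl === true;
  const allowed = effectiveConsent(stored, gpc);
  for (const id of tagsToLoad(allowed)) {
    const entry = TAG_REGISTRY.find((t) => t.id === id);
    const script = win.document.createElement("script");
    script.src = entry.src;
    script.async = true;
    win.document.head.appendChild(script);
  }
  return { showBanner: shouldShowBanner(stored), allowed };
}
```

When the user clicks a banner button, call buildConsentRecord with the chosen categories, write serializeConsentCookie's output, and only then inject the newly permitted tags; bumping POLICY_VERSION after a material policy change makes every stored record stale, so the banner reappears and fresh consent is collected.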


17. RELATED RESOURCES


18. NEXT STEPS

  1. Customize this template with your company's specific cookie usage (see Section 12 for the comprehensive cookie table).
  2. Use a cookie scanner to identify all cookies on your Site (see FAQ 16.10 for recommended tools).
  3. Implement a cookie consent banner (CMP) that blocks non-essential cookies until consent is obtained (see Section 14).
  4. Test your cookie banner to ensure non-essential cookies are blocked until the user consents.
  5. Honor Global Privacy Control (GPC) signals if you target California residents (see Section 7.4).
  6. Review and update your Cookie Policy at least annually, or whenever you add/remove cookies.
  7. Consult legal counsel to ensure compliance with all applicable laws in your jurisdictions.

19. DISCLAIMER

This Cookie Policy template is provided for informational purposes only and does not constitute legal advice. Cookie laws vary by jurisdiction and are subject to change. You should consult with a qualified attorney to ensure your Cookie Policy complies with all applicable laws in your jurisdictions.

Promise Legal is not responsible for any legal issues arising from the use of this template.


Need help customizing your Cookie Policy or implementing a cookie consent banner? Contact Promise Legal for personalized guidance.




Customization Checklist

Use this checklist to customize the cookie policy template for your startup:

  • [ ] Replace all bracketed placeholders (e.g., [COMPANY NAME], [WEBSITE URL], [PRIVACY EMAIL]) with your actual information.
  • [ ] Scan your website for cookies using a cookie scanner tool (Cookiebot, OneTrust, Osano, Termly, CookieYes).
  • [ ] Complete the cookie tables in Sections 4 and 12 with all cookies your Site uses (name, provider, purpose, duration, category, legal basis).
  • [ ] Implement a cookie consent banner (CMP) that blocks non-essential cookies until consent is obtained.
  • [ ] Test your cookie banner to ensure non-essential cookies are blocked until the user consents.
  • [ ] Honor Global Privacy Control (GPC) signals if you target California residents.
  • [ ] Include "Do Not Sell or Share My Personal Information" link in your Site footer (CCPA/CPRA requirement).
  • [ ] Appoint a DPO or privacy point of contact (if required by GDPR or recommended for your business).
  • [ ] Review and update your Cookie Policy at least annually, or whenever you add/remove cookies.
  • [ ] Document consent records (use a CMP that automatically logs consent).
  • [ ] Link to your Cookie Policy from your Site footer and cookie consent banner.
  • [ ] Cross-reference your Cookie Policy with your Privacy Policy and Terms of Service (ensure consistency).

Key Provisions Explained

1. Prior Consent (GDPR / ePrivacy Directive)

What it means: You must obtain the user's consent before setting non-essential cookies.

How to comply:

  • Implement a cookie consent banner that blocks non-essential cookies until the user clicks "Accept" or selects specific cookie categories.
  • Do not use pre-ticked boxes or cookie walls (these do not constitute valid consent).

Example: When a user visits your Site, they see a cookie banner that says "We use cookies to improve your experience. You can accept all cookies or manage your preferences." Non-essential cookies (analytics, marketing) are not loaded until the user clicks "Accept."


2. Granular Controls (GDPR / ePrivacy Directive)

What it means: Users must be able to accept or reject specific cookie categories (e.g., accept analytics cookies but reject marketing cookies).

How to comply:

  • Provide a "Manage Preferences" or "Customize Cookies" option in your cookie banner.
  • Allow users to toggle on/off each cookie category (essential, analytics, marketing, social media).

Example: Your cookie banner has three buttons: "Accept All," "Reject Non-Essential," and "Manage Preferences." If the user clicks "Manage Preferences," they see a list of cookie categories with toggle switches.


3. Easy Withdrawal (GDPR / ePrivacy Directive)

What it means: It must be as easy to withdraw consent as it is to give consent.

How to comply:

  • Include a "Cookie Preferences" or "Manage Cookies" link in your Site footer (visible on all pages).
  • When the user clicks the link, re-display the cookie banner or preferences panel so they can withdraw consent.

Example: Your Site footer includes a link labeled "Cookie Preferences." When clicked, the cookie banner reappears, allowing the user to change their cookie preferences or withdraw consent entirely.


4. Global Privacy Control (GPC) (CCPA / CPRA)

What it means: If a user's browser sends a GPC signal, you must automatically opt them out of the sale/sharing of their personal information.

How to comply:

  • Use a CMP or consent management script that detects GPC signals.
  • When a GPC signal is detected, do not load cookies used for selling/sharing personal information (e.g., advertising cookies, cross-site tracking).

Example: A California user enables GPC in their Brave browser. When they visit your Site, your CMP detects the GPC signal and automatically opts them out of marketing cookies.
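The following is an added example, not code from the template or from Promise Legal: a minimal browser-side consent gate that ties together Key Provisions 1, 2 and 4 above and the consent-record fields from FAQ 16.15 (when, what, how, policy version). The catalogue entries other than `_ga`, the function names and the policy version are assumptions; the GPC flag is passed in as a parameter (it is `navigator.globalPrivacyControl` in the browser, or a `Sec-GPC: 1` request header server-side) so the logic runs and can be checked outside a browser.

```javascript
// Added example, not part of the template. Catalogue entries other than _ga are constructed.
// Category per cookie name, mirroring the Name/Category columns of the Section 12 table.
const COOKIE_CATALOGUE = {
  session_id: "essential",   // constructed: first-party session cookie
  _ga: "analytics",          // Google Analytics, as in the page's cookie-table example
  _fbp: "marketing",         // constructed: advertising pixel cookie
};

// Placeholder for the version of the Cookie Policy shown to the user at consent time.
const POLICY_VERSION = "[POLICY VERSION]";

// Prior consent: until the user acts, only essential cookies are permitted.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, social: false };
}

// Build the record the page says to keep: when, what (categories), how, and policy version.
// `gpcSignal` is navigator.globalPrivacyControl in the browser (Sec-GPC: 1 server-side).
function recordConsent(choices, method, gpcSignal, now = new Date()) {
  const categories = defaultConsent();
  for (const [category, enabled] of Object.entries(choices)) {
    // Granular controls: each non-essential category is toggled independently;
    // "essential" cannot be switched off and unknown keys are ignored.
    if (category in categories && category !== "essential") categories[category] = enabled === true;
  }
  // GPC is a valid opt-out of sale/sharing: marketing stays off whatever the banner choice.
  if (gpcSignal === true) categories.marketing = false;
  return {
    timestamp: now.toISOString(),
    categories,
    method,                       // e.g. "banner", "preferences_panel", "footer_link"
    policyVersion: POLICY_VERSION,
    gpcHonored: gpcSignal === true,
  };
}

// Gate a tag on its category. A real loader would append the <script> only when this is true.
function mayLoad(category, record) {
  return record.categories[category] === true;
}

// Check for Next Steps item 4: given document.cookie (or a Cookie header) and the current
// record, return the names of cookies that are set without permission, including
// cookies missing from the catalogue, which the policy does not disclose at all.
function unauthorizedCookies(cookieString, record) {
  return cookieString
    .split(";")
    .map(pair => pair.trim().split("=")[0])
    .filter(name => name.length > 0)
    .filter(name => {
      const category = COOKIE_CATALOGUE[name];
      return category === undefined || record.categories[category] !== true;
    });
}
```

Run `unauthorizedCookies(document.cookie, currentRecord)` in the browser console before clicking "Accept" to see any cookie the banner failed to block.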


5. "Do Not Sell or Share My Personal Information" Link (CCPA / CPRA)

What it means: California users must have a clear, easy way to opt out of the sale/sharing of their personal information.

How to comply:

  • Include a prominent link in your Site footer labeled "Do Not Sell or Share My Personal Information" or "Your Privacy Choices."
  • When clicked, the link should allow the user to opt out of the sale/sharing of their personal information (e.g., by disabling marketing cookies).

Example: Your Site footer includes a link labeled "Do Not Sell or Share My Personal Information." When clicked, the user is taken to a preferences page where they can opt out of marketing cookies and third-party tracking.


6. Cookie Tables with Comprehensive Information

What it means: Your Cookie Policy must list all cookies by name, provider, purpose, duration, category, and legal basis.

How to comply:

  • Use a cookie scanner tool to identify all cookies on your Site.
  • Create a table (see Section 12) with the following columns:
    • Cookie Name (e.g., _ga)
    • Provider (e.g., Google Analytics)
    • Purpose (e.g., "Distinguish users")
    • Duration (e.g., 2 years)
    • Category (e.g., Analytics)
    • Legal Basis (GDPR) (e.g., Consent)
    • CCPA Opt-Out Available? (e.g., Yes)

Example: Your Cookie Policy includes a comprehensive table listing all 15 cookies used on your Site, including first-party and third-party cookies.


Common Mistakes to Avoid

1. Not Blocking Non-Essential Cookies Until Consent Is Obtained

Mistake: Loading analytics or marketing cookies as soon as the user visits the Site, before they consent.

Why it's a problem: Violates GDPR/ePrivacy Directive requirement for prior consent. Regulators can fine you for this.

How to fix: Implement a CMP that blocks non-essential cookies until the user provides consent.


2. Using Pre-Ticked Boxes or Cookie Walls

Mistake: Using pre-ticked boxes (opt-out checkboxes) or cookie walls (blocking access unless the user accepts cookies).

Why it's a problem: Consent must be freely given and an affirmative action. Pre-ticked boxes and cookie walls do not constitute valid consent under GDPR.

How to fix: Use opt-in checkboxes (unchecked by default) or "Accept" / "Reject" buttons. Do not block access to your Site for users who reject cookies.


3. Not Providing Granular Controls

Mistake: Only offering "Accept All" or "Reject All" options, without letting users choose specific cookie categories.

Why it's a problem: Users must be able to accept some cookies and reject others (e.g., accept analytics but reject marketing).

How to fix: Provide a "Manage Preferences" option that lets users toggle on/off each cookie category.


4. Not Honoring Global Privacy Control (GPC) Signals

Mistake: Ignoring GPC signals from users' browsers (required for CCPA/CPRA compliance in California).

Why it's a problem: CCPA/CPRA requires you to honor GPC signals as valid opt-out requests. Failure to honor GPC can result in fines from the California Privacy Protection Agency (CPPA).

How to fix: Use a CMP that detects and honors GPC signals automatically.


5. Not Updating Your Cookie Policy When You Add/Remove Cookies

Mistake: Adding new cookies (e.g., a new analytics tool) without updating your Cookie Policy.

Why it's a problem: Your Cookie Policy must be accurate and up-to-date. If you don't disclose all cookies, you may violate transparency requirements under GDPR and CCPA.

How to fix: Review and update your Cookie Policy at least annually, or whenever you add/remove cookies. Use a cookie scanner to ensure all cookies are identified.


6. Treating All Cookies as Essential

Mistake: Claiming that all cookies (including analytics and marketing cookies) are "essential" to avoid obtaining consent.

Why it's a problem: Only strictly necessary cookies are exempt from the consent requirement. Analytics and marketing cookies are not essential and require consent under GDPR.

How to fix: Accurately categorize cookies as essential, analytics, marketing, or social media. Only essential cookies can be set without consent.


7. Not Keeping Consent Records

Mistake: Not documenting when, how, and what users consented to.

Why it's a problem: Under GDPR, you must be able to demonstrate that you obtained valid consent. If you can't prove consent, regulators may fine you.

How to fix: Use a CMP that automatically logs consent records (date, time, version of Cookie Policy, cookie categories consented to, etc.).


8. Not Making It Easy to Withdraw Consent

Mistake: Hiding the "Cookie Preferences" link or making it difficult for users to withdraw consent.

Why it's a problem: GDPR requires that it be as easy to withdraw consent as to give it. If users can't easily change their preferences, you violate this requirement.

How to fix: Include a prominent "Cookie Preferences" or "Manage Cookies" link in your Site footer (visible on all pages).


9. Not Providing an Opt-Out Mechanism for California Users

Mistake: Not providing a "Do Not Sell or Share My Personal Information" link for California residents (CCPA/CPRA requirement).

Why it's a problem: CCPA/CPRA requires you to provide an easy opt-out mechanism for the sale/sharing of personal information. Failure to provide this link can result in fines.

How to fix: Include a "Do Not Sell or Share My Personal Information" link in your Site footer, prominently displayed and easy to find.


10. Not Testing Your Cookie Banner

Mistake: Implementing a cookie banner but not testing whether non-essential cookies are actually blocked until consent is obtained.

Why it's a problem: If your cookie banner doesn't actually block cookies, you violate GDPR/ePrivacy Directive prior consent requirements.

How to fix: Test your cookie banner using browser developer tools (the Network tab to see which third-party requests fire, and the Application/Storage panel to see which cookies are actually set) or cookie testing tools. Verify that non-essential cookies are not loaded until the user consents.


When to Use This Template

You should use this Cookie Policy template if:

  • Your website uses cookies (analytics, marketing, advertising, social media, etc.).
  • You target users in the EU/UK (GDPR/ePrivacy Directive compliance required).
  • You target users in California (CCPA/CPRA compliance required).
  • You want to be transparent about your data collection practices and build trust with users.
  • You need to comply with cookie consent laws to avoid fines and legal liability.

Industries that commonly need a Cookie Policy:

  • SaaS platforms
  • E-commerce websites
  • Media and publishing websites
  • Social networks
  • Marketing platforms
  • Any website using Google Analytics, Facebook Pixel, or other tracking technologies

FAQs

Do I need a separate Cookie Policy, or can I include cookies in my Privacy Policy?

Answer: You can do either:

  1. Standalone Cookie Policy (recommended) – Provides more detail and makes it easier for users to find cookie-specific information.
  2. Cookies section in Privacy Policy – Combines both in one document. Acceptable if your privacy policy is not too long.

Best practice: Use a standalone Cookie Policy and link to it from your Privacy Policy, Terms of Service, and cookie consent banner.


What's the difference between a Cookie Policy and a Privacy Policy?

Answer:

  • Privacy Policy: Describes how you collect, use, share, and protect all personal information (including information collected through cookies, forms, account creation, etc.).
  • Cookie Policy: Focuses specifically on cookies and tracking technologies (what cookies you use, why, how to manage them).

Relationship: Your Cookie Policy should reference and link to your Privacy Policy. Together, they provide a complete picture of your data practices.


How often should I update my Cookie Policy?

Answer: You should update your Cookie Policy:

  • At least annually (to ensure it reflects current practices and laws).
  • Whenever you add or remove cookies (e.g., you start using a new analytics tool).
  • Whenever cookie laws change (e.g., new regulations in your jurisdictions).

Best practice: Conduct a cookie audit every 6-12 months using a cookie scanner tool. Update your Cookie Policy to reflect any changes.


Can I use Google Analytics without a cookie consent banner?

Answer:

  • GDPR/ePrivacy Directive (EU/UK): No. Google Analytics requires prior consent because it is not essential. You must block Google Analytics cookies until the user consents.
  • CCPA/CPRA (California): You can use Google Analytics without prior consent (opt-out model), but you must provide an opt-out mechanism if Google Analytics is used to sell/share personal information.

Best practice: Obtain consent for Google Analytics in all jurisdictions to be safe.


What is the ePrivacy Directive (Cookie Law)?

Answer: The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) is an EU law that specifically regulates electronic communications, including cookies and tracking technologies.

Key requirements:

  • Prior consent for non-essential cookies (opt-in).
  • Clear information about cookies (purpose, provider, duration).
  • Easy opt-out mechanism for cookies.

Relationship to GDPR: The ePrivacy Directive complements the GDPR. Both laws apply to cookies, and you must comply with both.

Future: The EU had been working on an ePrivacy Regulation to replace the ePrivacy Directive, but after years of delay the European Commission formally withdrew the proposal in February 2025, so the ePrivacy Directive remains in effect.


Do I need a cookie consent banner if I only serve U.S. users?

Answer: It depends:

  • CCPA/CPRA (California): Cookie consent banner is not required, but recommended to provide an opt-out mechanism.
  • GDPR (if you have any EU users): Cookie consent banner is required to obtain prior consent for non-essential cookies.

Best practice: If you have any international traffic (even a small percentage), implement a cookie consent banner to be safe. It shows you take privacy seriously and builds trust with users.


What happens if I don't comply with cookie laws?

Answer: See FAQ 16.11 for detailed enforcement and penalties. In summary:

  • GDPR: Fines up to €20 million or 4% of global turnover.
  • CCPA/CPRA: Fines up to $7,500 per intentional violation.
  • Reputational damage, legal liability, loss of business.

Can I use a free cookie consent banner?

Answer: Yes, there are free cookie consent banner solutions:

  • Cookiebot (free plan for small websites)
  • Osano (free plan for non-commercial use)
  • Termly (free plan with limitations)
  • CookieYes (free plan for small websites)

Limitations of free plans:

  • May not block cookies until consent is obtained (GDPR violation).
  • May not support all features (granular controls, GPC support, consent logging).
  • May display the provider's branding.

Best practice: For serious businesses, invest in a paid CMP (Cookiebot, OneTrust, Osano, Usercentrics) to ensure full compliance and professional functionality.


Do I need to translate my Cookie Policy for international users?

Answer: It depends on your jurisdictions:

  • GDPR: Cookie policies must be in a "clear and plain language" that users understand. If you target users in multiple countries, translate your Cookie Policy into their languages.
  • CCPA/CPRA: Translation is not required, but recommended if you have a significant number of non-English-speaking users in California.

Best practice: Provide translations for languages spoken by a significant percentage of your users (e.g., Spanish, French, German, Italian).


Need help implementing a cookie consent banner or conducting a cookie audit? Contact Promise Legal for personalized guidance.
