Cookies Policy Sample: Complete Template With Clauses
Use this cookies policy sample to build a compliant cookie notice. Includes a cookie policy example, clause breakdowns, and GDPR/CCPA guidance.
A cookies policy sample gives you a concrete reference for the structure, language, and legal disclosures your own cookie notice needs to contain. Whether you operate a personal blog or a high-traffic ecommerce store, every website that sets non-essential cookies must inform visitors and, in most jurisdictions, obtain their consent before tracking begins.
This guide walks through a complete sample cookie policy section by section, explains the legal reasoning behind each clause, and identifies what you need to customize for your specific site. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your jurisdiction and business model.
What a Cookies Policy Covers
A cookie policy is a standalone disclosure document that explains how your website uses cookies and similar tracking technologies. It serves a narrower purpose than a privacy policy: where the privacy policy addresses all personal data processing, the cookie policy zooms in on device-level tracking.
A well-structured cookies policy sample addresses these areas:
- Technology definitions. What cookies, web beacons, pixels, and local storage objects are and how they work.
- Cookie categories. Essential, functional, analytics, and advertising cookies, with specific names and purposes.
- Legal basis. Consent for non-essential cookies under the ePrivacy Directive, legitimate interest where applicable, and how CCPA disclosure obligations interact with cookie tracking.
- User controls. How visitors manage preferences through your consent banner, browser settings, and opt-out mechanisms.
- Retention periods. How long each cookie persists on the user's device.
- Third-party disclosures. Which vendors set cookies on your site and links to their own privacy notices.
The document works alongside your privacy policy. Each should reference the other, and the two should not contain contradictory statements about data processing purposes or retention timelines.
Cookie Policy Example: Section-by-Section Breakdown
The following sections mirror what a production-ready cookie policy example contains. Adapt each clause to reflect the actual cookies and vendors your site uses.
Introduction and scope
Open with a plain-language statement about what the policy covers and who it applies to. Identify your organization by legal name and registered address so visitors know who controls the data.
Sample language: "This Cookie Policy explains how [Company Name] ('we', 'us', 'our') uses cookies and similar tracking technologies when you visit [website URL]. It describes what these technologies are, why we use them, and your rights to control our use of them."
Include the effective date and a note that the policy may be updated, with an explanation of how you will notify users of material changes.
What are cookies
Define cookies in terms a non-technical reader can understand. Explain that cookies are small text files placed on a visitor's device by the web server, that they can be first-party (set by your domain) or third-party (set by an external service), and that they can be session-based (deleted when the browser closes) or persistent (remaining for a defined period).
Mention related technologies covered by the same policy:
- Web beacons and pixels. Tiny images embedded in pages or emails that report back when loaded.
- Local storage and session storage. Browser storage mechanisms with larger capacity than cookies.
- Fingerprinting scripts. Code that collects device attributes to identify returning visitors without storing data on the device itself.
Categories of cookies you use
Group your cookies into clear categories. Most cookie policy examples use four groups, though your site may require more or fewer.
Essential cookies are strictly necessary for the website to function. They handle authentication, session management, security protections (such as CSRF tokens), and load balancing. Under the ePrivacy Directive, these do not require consent because the site cannot operate without them.
Functional cookies remember user preferences like language selection, region, or display settings. These improve the user experience but are not strictly necessary for the site to function. Consent is required in the EU and UK.
Analytics cookies measure how visitors interact with your site. Common examples include Google Analytics (_ga, _gid), Plausible, and Matomo. Article 5(3) of the ePrivacy Directive requires consent for these cookies in EU member states, even when they are configured to anonymize IP addresses.
Advertising cookies support targeted advertising, retargeting, and conversion measurement. These are set by advertising networks such as Google Ads, Meta, and LinkedIn. They carry the strictest consent requirements and are the most common target of regulatory enforcement.
Cookie inventory table
A detailed cookie table is the most important operational section of your cookies policy sample. Regulators expect specificity, not vague category descriptions.
| Cookie Name | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
| session_id | First-party | Essential | Maintains user login session | Session |
| csrf_token | First-party | Essential | Prevents cross-site request forgery | Session |
| locale | First-party | Functional | Stores language preference | 6 months |
| _ga | Google Analytics | Analytics | Distinguishes unique visitors | 2 years |
| _gid | Google Analytics | Analytics | Distinguishes unique visitors | 24 hours |
| _fbp | Meta | Advertising | Tracks visits for ad targeting | 90 days |
| _gcl_au | Google Ads | Advertising | Stores conversion data | 90 days |
Replace these entries with the actual cookies your site sets. Scanning your site with an automated tool is the most reliable way to build an accurate inventory. A manual audit will miss cookies injected by third-party scripts that load conditionally.
Legal Requirements for Cookie Policies
Three regulatory frameworks shape how your cookie policy must be written and implemented. Understanding their distinct requirements prevents compliance gaps.
ePrivacy Directive (Directive 2002/58/EC)
The ePrivacy Directive, implemented nationally across EU member states, requires prior informed consent before placing non-essential cookies on a user's device. Article 5(3) is the operative provision. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not satisfy the requirement, as confirmed by the Court of Justice of the European Union in Planet49 (Case C-673/17, 2019).
The Directive applies to anyone targeting EU users, regardless of where the website operator is based. Penalties vary by member state. France's CNIL, for example, has issued fines exceeding 100 million EUR for cookie consent violations.
GDPR (Regulation 2016/679)
The GDPR does not directly regulate cookies, but it governs the processing of personal data that cookies collect. Where a cookie collects data that identifies or can identify an individual, the GDPR's requirements for lawful processing, data minimization, and transparency apply in full. Article 13 requires you to inform users about the purposes of processing, the legal basis, and any recipients of the data.
Non-compliance penalties under the GDPR reach up to 20 million EUR or 4% of annual global turnover, whichever is higher.
CCPA and CPRA
The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, require businesses to disclose categories of personal information collected and their purposes. Cookies that track users for advertising purposes may constitute a "sale" or "sharing" of personal information under CCPA Section 1798.140. If so, you must provide a "Do Not Sell or Share My Personal Information" link.
Violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation. The CPRA also established the California Privacy Protection Agency, which has independent enforcement authority.
How to Write Your Own Sample Cookie Policy
Follow these steps to turn the sample into a policy that accurately reflects your site.
- Scan your website. Use an automated cookie scanner to detect every cookie, pixel, and storage object active on your pages. Manual inspection misses dynamically loaded scripts.
- Classify each cookie. Assign every detected cookie to a category (essential, functional, analytics, advertising). Be conservative: if a cookie is not strictly necessary for the site to function, it is not essential.
- Document purposes and retention. For each cookie, record what data it collects, why, how long it persists, and which vendor controls it. This information populates your cookie table.
- Draft the policy. Use the section structure from the cookie policy example above. Write in plain language. Avoid legal jargon where a simpler term communicates the same meaning.
- Implement a consent mechanism. Deploy a cookie banner or consent management platform that blocks non-essential cookies until the user opts in. The banner should link to the full cookie policy.
- Publish and link. Host the policy at a consistent URL and link it from your website footer, your consent banner, and your privacy policy.
- Schedule regular rescans. New third-party scripts introduce new cookies. Scan at least quarterly and after any significant site change.
Consent Banners and Cookie Policies Work Together
A cookie policy without a functional consent banner is incomplete. The policy informs, and the banner collects the consent that makes non-essential cookie use lawful.
Your consent banner should meet these requirements:
- No pre-selected options. All non-essential categories must default to off. The user actively opts in.
- Granular controls. Users should be able to accept or reject cookies by category, not just "Accept All" or "Reject All."
- Equal prominence. The reject option must be as easy to find and use as the accept option. Regulators have penalized designs that bury the reject button or use dark patterns to steer users toward acceptance.
- Persistent access. Users must be able to change their preferences after the initial choice. A link in the footer or a floating icon that reopens the preference center satisfies this requirement.
- Documented consent records. Store a timestamped record of each user's consent choices. This evidence is essential for demonstrating compliance during a regulatory inquiry.
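The requirements above (no pre-selected options, per-category choices, a timestamped consent record, and the "Implement a consent mechanism" step that blocks non-essential scripts until opt-in) can be checked mechanically. The following is an added example, not code from the page or from TermsBox: a small consent gate in which non-essential categories default to off, a consent record with policy version and timestamp is stored, and third-party tags are injected only after their category is allowed, so analytics or advertising scripts cannot fire before the user clicks accept. The storage key, policy version, tag registry and URLs are constructed placeholders; storage, the script loader and the clock are injected so the same logic runs in a browser (`window.localStorage`, a `<script>` injector) or offline in Node.

```javascript
// Added example (not the page's own code): consent gate for a cookie banner.
// Non-essential categories default to off, consent is recorded with a
// timestamp and policy version, and tags load only after their category is
// consented to. Storage, loader and clock are injected for testability.

const CATEGORIES = ["essential", "functional", "analytics", "advertising"];
const CONSENT_KEY = "cookie_consent";   // assumed storage key
const POLICY_VERSION = "2024-01";       // assumed: bump when the policy changes

// Only essential is on by default; it needs no consent to function.
function defaultChoices() {
  return { essential: true, functional: false, analytics: false, advertising: false };
}

// Constructed sample tag registry: each script declares the category whose
// consent it requires. URLs are placeholders.
const SAMPLE_TAGS = [
  { name: "session-keepalive", category: "essential", src: "/static/session.js" },
  { name: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

class ConsentManager {
  constructor({ storage, loadScript, now = () => new Date() }) {
    this.storage = storage;       // getItem/setItem, e.g. window.localStorage
    this.loadScript = loadScript; // called once per allowed tag
    this.now = now;
    this.loaded = new Set();      // prevents double-injection on re-apply
  }

  // Stored consent record, or the default-off state when the user has not
  // decided yet or the record predates the current policy version.
  current() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw) {
      try {
        const rec = JSON.parse(raw);
        if (rec.policyVersion === POLICY_VERSION) return rec;
      } catch (_) { /* corrupt record: treat as no consent */ }
    }
    return { policyVersion: POLICY_VERSION, timestamp: null, choices: defaultChoices() };
  }

  // Records the user's explicit choices. Unknown categories are rejected,
  // unspecified ones stay off, and essential can never be switched off.
  record(partialChoices) {
    for (const key of Object.keys(partialChoices)) {
      if (!CATEGORIES.includes(key)) throw new Error(`unknown category: ${key}`);
    }
    const choices = defaultChoices();
    for (const cat of CATEGORIES) {
      if (cat !== "essential" && partialChoices[cat] === true) choices[cat] = true;
    }
    const rec = { policyVersion: POLICY_VERSION, timestamp: this.now().toISOString(), choices };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  isAllowed(category) {
    return this.current().choices[category] === true;
  }

  // Loads every not-yet-loaded tag whose category is allowed and returns the
  // names loaded in this call. Run on page load and again after the banner
  // is submitted; before consent only essential tags load.
  applyTags(registry) {
    const loadedNow = [];
    for (const tag of registry) {
      if (this.isAllowed(tag.category) && !this.loaded.has(tag.name)) {
        this.loadScript(tag);
        this.loaded.add(tag.name);
        loadedNow.push(tag.name);
      }
    }
    return loadedNow;
  }

  // Withdrawal writes a fresh record with everything non-essential off.
  // Already-injected scripts cannot be unloaded; reload the page afterwards.
  withdraw() {
    return this.record({});
  }
}

// Browser wiring (assumed); runs only when a DOM is present.
function browserLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  const cm = new ConsentManager({ storage: window.localStorage, loadScript: browserLoader });
  cm.applyTags(SAMPLE_TAGS);  // essential only until the user opts in
  window.cookieConsent = cm;  // banner handlers call cm.record({...}) then cm.applyTags(SAMPLE_TAGS)
}
```

Two design points matter for the "equal prominence" and "persistent access" requirements: `record({})` is exactly what a "Reject All" button or a later withdrawal should call, so rejecting is one call rather than a multi-step path, and the stored record carries the policy version, so a material policy update automatically invalidates old consent and re-prompts the user.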
The cookie policy generator at TermsBox produces a policy that aligns with the consent categories in the platform's cookie consent banner, keeping both documents in sync without manual reconciliation.
Common Mistakes in Cookie Policies
Reviewing a cookies policy sample is only useful if you know what to avoid. These are the errors that appear most frequently in regulatory enforcement actions and compliance audits.
- Vague cookie descriptions. Stating "we use cookies to improve your experience" without listing specific cookies, purposes, and vendors fails the transparency requirements of Article 13 of the GDPR.
- Missing or outdated cookie table. If your table lists cookies that no longer exist or omits cookies that are active, the policy is inaccurate. Regulators view this as a transparency failure.
- Consent banner that loads cookies before consent. If analytics or advertising scripts fire before the user clicks "Accept," the consent mechanism is non-compliant regardless of what the policy says.
- No distinction between first-party and third-party cookies. Users have a right to know which external organizations receive data collected through your site.
- Confusing the cookie policy with the privacy policy. Publishing one document that tries to serve both purposes often results in incomplete coverage of both topics. Maintain separate documents and cross-reference them.
- Ignoring non-cookie technologies. Pixels, local storage, and fingerprinting scripts are subject to the same rules as cookies. If your policy only mentions cookies by name, it may not cover all the tracking your site performs.
International Considerations for Cookie Policies
If your website serves visitors from multiple countries, your cookie policy needs to account for varying legal requirements.
The United Kingdom operates under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), which mirror the EU framework but are enforced independently by the Information Commissioner's Office (ICO). Brazil's LGPD (Lei Geral de Proteção de Dados) requires consent for cookie-based data collection and applies to any website processing data of individuals in Brazil. South Africa's POPIA requires a justification condition, similar to a legal basis, before processing personal information through cookies.
For sites with global reach, the practical approach is to apply the strictest standard (typically the EU/UK framework) as the baseline and layer on jurisdiction-specific requirements where needed. This means:
- Default all non-essential cookies to off for all visitors
- Provide granular consent controls
- Display a "Do Not Sell or Share" link for California visitors
- Maintain the cookie table in the language(s) your site is available in
Frequently Asked Questions
What should a cookies policy sample include?
A complete cookies policy sample should include a definition of cookies, the types of cookies your site uses (essential, analytics, advertising, functional), specific cookie names with purposes and retention periods, your legal basis for processing, how users can manage or withdraw consent, and contact information for your data protection officer or privacy team.
Is a cookie policy legally required?
Yes, under the ePrivacy Directive (Directive 2002/58/EC) and its national implementations, any website that sets non-essential cookies on visitors' devices must inform users and obtain consent. The GDPR reinforces this by requiring a lawful basis for processing personal data collected through cookies. In the United States, the CCPA requires disclosure of data collection practices, which includes cookie-based tracking.
How is a cookie policy different from a privacy policy?
A cookie policy focuses specifically on the tracking technologies your website uses, including cookies, pixels, local storage, and SDKs. A privacy policy covers your broader data processing practices, such as what personal data you collect, why you collect it, who you share it with, and how users can exercise their rights. Many websites publish both documents and cross-reference them.
How often should I update my cookie policy?
Update your cookie policy whenever you add or remove cookies, change analytics or advertising vendors, modify retention periods, or expand into new jurisdictions. At a minimum, scan your site quarterly to detect new cookies introduced by third-party scripts and update your policy accordingly.