Generate your Terms & Conditions for free — Get started now →

to navigate to select ESC to close

Free legal document generator

Free Cookie Policy Generator — GDPR & ePrivacy Compliant

Required under EU/UK GDPR and the ePrivacy Directive — the 'Cookie Law'. Lawyer-drafted. Covers all cookie categories, granular consent and third-party trackers including Google Analytics, Meta Pixel and TikTok. Free with a quick sign-up.

  • Covers ePrivacy, GDPR, UK PECR, CCPA cookie-sharing rules
  • Equal-prominence Accept / Reject guidance baked in (CNIL post-€150M fine standard)
  • Auto-classifies Google Analytics, Meta Pixel, TikTok, LinkedIn, HubSpot and 200+ vendors
Generate Your Cookie Policy Free Free to generate. Takes about 3 minutes.
Generated by 50,000+ businesses — free to use, free signup required
Abstract Cookie Policy generator illustration

What is a cookie policy?

A cookie policy is a legal document that explains what cookies and tracking technologies your website uses, what they do, how long they last, and how users can control or opt out of them. It is required under the EU ePrivacy Directive (the 'Cookie Law') and GDPR for any website that places non-essential cookies on the devices of EU or UK users. In California, the CCPA/CPRA requires disclosure of cookies that involve the sale or sharing of personal data. A cookie policy is separate from, but often linked within, your Privacy Policy.

How it works

No legal background needed. Free account required to save your document.

1

Answer a few questions

Tell us about your business — what you do, where your users are based, and what data you collect.

2

Preview your document

Your Cookie Policy is generated instantly, customised to your answers. Takes about 3 minutes total.

3

Publish or download

Hosted page, HTML embed, DOCX or plain text. Free with a quick sign-up.

Is a Cookie Policy legally required?

Cookie consent is the most-fined area of European data-protection law. Below is what each regulator now requires.

European Union
ePrivacy Directive 2002/58/EC, Article 5(3) + GDPR

Prior, informed, freely-given, specific, unambiguous, affirmative consent before any non-essential cookie. Pre-ticked boxes are invalid (Planet49, CJEU C-673/17).

France
CNIL guidance + ePrivacy

Refusing cookies must be as easy as accepting. €150M fine on Google and €60M on Facebook in 2022 for asymmetric Accept/Reject buttons. €35M fine on Amazon in 2022 for setting cookies before consent.

Enforced by:
CNIL
United Kingdom
Privacy and Electronic Communications Regulations 2003 (PECR)

Same standard as EU. ICO has issued enforcement notices in 2023–24 against major publishers and tech platforms for cookie-banner dark patterns.

Enforced by:
ICO
California, USA
CCPA / CPRA

Cookies used for advertising are 'sale' or 'sharing' of personal information. Requires disclosure, opt-out mechanism, GPC signal honouring and a 'Do Not Sell or Share' link.

Enforced by:
CPPA, California AG
Brazil
LGPD

Cookies that process personal data require a legal basis; consent for non-essential cookies.

Belgium
APD ruling on IAB Europe TCF (2022)

The Transparency and Consent Framework (TCF) used by thousands of sites was found non-compliant. Ongoing remediation; relying on TCF alone is insufficient.

Enforced by:
Belgian Data Protection Authority

Cookie Policy vs other legal documents

Cookie Policy, Cookie Banner and Privacy Policy are three different things. They are commonly confused — including by experienced legal teams.

Document Purpose Who needs it Required?
Cookie Policy Full written disclosure of every cookie, category, purpose, duration and third party Any site using non-essential cookies for EU/UK users Yes — ePrivacy, GDPR, UK PECR
Cookie Banner / CMP The on-site UI that obtains consent on first visit Any site using non-essential cookies for EU/UK users Yes — must be equal-prominence Accept/Reject
Privacy Policy Broad data-practices document; includes a cookies section but is not sufficient alone Any business collecting personal data Yes — GDPR, CCPA, CalOPPA

Key takeaway: Under strict EU enforcement (CNIL, Garante, ICO), a privacy-policy cookies section is not a substitute for a standalone cookie policy. You need both, plus a compliant banner.

What is included in your Cookie Policy

A compliant cookie policy must list every cookie and technology your site uses, plus the legal disclosures below.

Cookie inventory

  • Cookie name and category (necessary, preference, analytics, marketing)
  • First-party vs third-party
  • Purpose in plain English
  • Duration (session vs persistent; precise expiry for persistent)
  • Provider / third-party recipient

User control

  • How to withdraw consent (must be as easy as giving it — GDPR Art. 7(3))
  • Browser-level cookie controls per platform
  • Link to cookie-preference centre on the site
  • Honouring of the Global Privacy Control (GPC) signal

Technologies beyond cookies

  • Pixels (Meta Pixel, TikTok Pixel, LinkedIn Insight Tag)
  • Local storage and session storage
  • Server-side tracking and CAPI implementations
  • Fingerprinting techniques (canvas, font, audio fingerprints)

Legal disclosures

  • Legal basis (consent for non-essential; legitimate interest is not valid for marketing cookies under CNIL/ICO guidance)
  • International transfers from any third-party cookie provider
  • Children's cookies disclosure if site is directed at minors
  • Update notification policy when cookies change

Built for your business type

The generator adjusts clauses based on your industry — so you only get the language you actually need.

Publishers & media

Heavy ad-tech stacks, CAFC/IAB TCF integrations, Google Ad Manager, header bidding — full inventory and granular consent are mandatory.

Ecommerce

Marketing pixels (Meta, TikTok, Pinterest, Google Ads), abandoned-cart cookies, A/B-test cookies — most of which require explicit consent.

SaaS

Product-analytics cookies (Mixpanel, Amplitude, PostHog), session-replay (Hotjar, FullStory), help-widget cookies (Intercom, HubSpot).

Trusted by 50,000+ businesses

"We received a CNIL warning letter about our previous banner. Migrated to a compliant policy and equal-prominence banner the same week."
Camille D.
Marketing Director, French ecommerce
"The cookie inventory matched our actual GTM container almost perfectly. Saved us a full audit cycle."
Tom B.
Privacy Engineer
"The CCPA section caught two pixels we were going to forget. That alone is worth it."
Lauren P.
Compliance Lead

Frequently asked questions

Questions about Cookie Policy before you get started?

What is a Cookie Policy?

A Cookie Policy is a legal document that explains what cookies and tracking technologies your website uses, what data they collect, their purpose (analytics, marketing, functionality), who sets them, and how users can manage or opt out of them.

Is a Cookie Policy required by law?

Yes, under the EU ePrivacy Directive and GDPR, websites that use cookies to track users or collect personal data must disclose this clearly. California (CCPA), Canada (PIPEDA), and other jurisdictions have similar requirements. A Cookie Policy is the standard way to meet this obligation.

What is the difference between a Cookie Policy and a Privacy Policy?

A Privacy Policy covers all personal data processing. A Cookie Policy specifically addresses cookies and tracking technologies — their names, purposes, lifespans, and how to control them. Many websites include both, or embed cookie information within the Privacy Policy.

Do I need a Cookie Policy for Google Analytics?

Yes. Google Analytics uses cookies to collect data about visitor behavior. GDPR requires you to inform users about these cookies, obtain consent before setting non-essential cookies, and explain how they can opt out. A Cookie Policy combined with a consent banner covers these requirements.

What types of cookies should I disclose?

Disclose all cookie categories: strictly necessary cookies (session management, security), functional cookies (preferences, language), analytics cookies (visitor tracking), and marketing/advertising cookies. Each should list the cookie name, provider, purpose, and expiry duration.

How do I get consent for cookies under GDPR?

GDPR requires prior, informed, and freely given consent before setting non-essential cookies. This means a cookie consent banner that does not pre-tick consent boxes, offers genuine opt-out choices, records consent, and allows users to change their preferences at any time.

Generate a compliant Cookie Policy in minutes

Lawyer-drafted, ePrivacy and GDPR ready. Equal-prominence consent guidance built in. Free with a quick sign-up.

Generate My Cookie Policy Free

Free to generate. Takes about 3 minutes. Free account required.

Other generators you might need

Terms & Conditions

Set the rules for using your website or app. Protect your business and manage user expectations with a professionally crafted T&C.

Privacy Policy

Legally required if you collect personal data. Stay compliant with GDPR, CCPA, CalOPPA, and privacy laws worldwide.

EULA

End-User License Agreements for software and apps. Required on the Apple App Store, Google Play, and for SaaS products.
See All 6 Generators