5 Cookie Policy Examples for Websites (GDPR & CCPA Compliance Guide)

Writing a cookie policy is not an easy task. It requires attention to detail, a commitment to transparency, and a plan for consistent updates. Between finding a cookie policy template or writing it from scratch, you might find it helpful to look at examples before you begin writing it. We understand the jitters, so we compiled a blog that provides an overview of website cookie policy, along with real examples.

A cookie policy is a comprehensive legal statement that details how a website uses cookies and other tracking technologies. It explains what cookies are, the specific types of cookies employed, the data they collect, the purposes for which this data is used, and most importantly, how website visitors can manage or control their cookie preferences.

Essentially, it serves as a dedicated privacy policy for cookie usage, and is an essential step to comply with privacy laws like the General Data Protection Regulation (EU GDPR) and ePrivacy Directive in the European Union, UK GDPR and Privacy and Electronic Communications Regulations (PECR) , and the California Consumer Protection Act in the US. 

What should go into a cookie policy? 

A compliant cookie policy should clearly outline:

• An explanation of what cookies are.  
• The different types of cookies used by the site
  • Examples: first-party, third-party, session, persistent, necessary, performance, and advertising cookies.  
• The names and specific purposes for which each cookie is used.  
• Whether the data collected through cookies is shared with any third parties (Third-party cookies).  
• Instructions on how users can change their cookie settings, opt out, or revoke their consent. 
• Contact details of the organisation.
• Last update or effective date of the cookie policy. 

What are the best practices for writing a CCPA/GDPR compliant cookie policy

• Write in plain, easy-to-understand language
• Avoid complex legal jargon to ensure transparency
• Enable users to make informed choices about their data
• Make it easily accessible, often linked in the website’s footer and directly from a cookie consent banner.

The GDPR and ePrivacy Directive, originating from Europe, establish a stringent “opt-in” framework, while the CCPA and CPRA in California operate on an “opt-out” model. Here is more information on the two important data privacy laws.

GDPR & ePrivacy Directive

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (commonly referred to as the “EU cookie law”) impose strict requirements on websites. If a website deploys cookies and attracts visitors from the European Union (EU) or European Economic Area (EEA) member states, a cookie consent notice/cookie banner and a cookie policy become mandatory.

This obligation extends even to websites based outside the EU if they serve users within these regions. 

The fundamental principle underpinning GDPR and the ePrivacy Directive is the necessity of obtaining clear and explicit consent before any non-essential cookies are placed or accessed on a user’s device. The consent must be freely given, informed, specific, and unambiguous.

CCPA/CPRA

The California Privacy Rights Act (CPRA) apply to for-profit businesses meeting any of the specific thresholds:

• Annual gross revenues exceeding $25 million.
• Processes the personal data of 100,000 or more California residents, households, or devices.
• Derives 50% or more of its annual revenue from selling or sharing personal information.

Websites must notify users about the use of cookies along with a convenient opt-out option and provide a disclosure on the use of cookies (cookie policy).

A central requirement is the provision of a clear and conspicuous “Do Not Sell or Share My Personal Information” link. This link is mandatory if a website sells or shares personal data collected via cookies or other tracking technologies, reflecting the CCPA’s “opt-out” model.

Websites are also required to honour Global Privacy Control (GPC) signals as valid opt-out requests, allowing users to automatically communicate their privacy preferences.

Here are some excellent examples of cookie policies that you can use as inspiration. These are provided for reference only and should not be copied word-for-word. Your cookie policy must be tailored to your specific business practices and the cookies used on your website. By keeping accessibility, conciseness, and transparency in mind, you can create an even better cookie policy that suits your website’s needs. 

BMW

The cookie policy of BMW can be easily accessed from the footer of its website.

When accessed, it takes us to an interactive cookie modification interface followed by detailed information about the cookies.

BMW follows a layered approach, which is recommended by enforcers for GDPR-compliant cookie policies or other disclosures.

As shown in the above image, users can navigate through the cookie policy easily using accordions and find out what each cookie does, who places it, and how they can opt out.

European Commission

As a regulatory agency of the European Union, the EU Commission shows a concise and intelligible cookie policy on its website.

The page contents on the top-left of the policy act as quicklinks, making it easy for visitors to navigate the components of the cookie policy.

The contents of the cookie policy are also in plain language, easing comprehension even for people with no technical background.

As shown above, this GDPR cookie policy example tells its visitors the types of cookies and each cookie name in a tabular format.

This is how the policy explains how they can manage cookie preferences:

CookieYes

CookieYes provides a cookie policy that is concise, structured, and easy to navigate. It begins by explaining what cookies are and then outlines the specific cookies used on the website.

Each category of cookie, such as necessary, functional, or advertising, is presented in a clear table format, listing the individual cookies, their purpose, and duration.

Towards the end, the policy gives visitors practical guidance on managing their preferences. It explains how to adjust cookie settings in different browsers and includes a direct button that links back to the cookie banner, allowing users to update their choices instantly.

USA Today

The USA Today’s cookie policy modestly addresses the EU and California users in a single document.

See this, for example:

It also has a separate section discussing opting out of targeted advertising.

To ease navigation, USA Today has included Page contents as jump links.

BBC

We have seen a few good examples of how a standalone cookie policy can be maintained. Here is an example of a combined privacy and cookie policy. 

The BBC has done this job in a user-friendly and layered manner. From the footer, one can access a cookie notice, with questions and answers, which then directs the user to a detailed policy.

You can click on the questions and find out how BBC uses cookies, or click on the “View the full version” button, and you will be taken to the policy document.

Within the document, you can skip to the cookie section through the page contents on the top-left.

Here are some methods using which you can create a cookie policy for your site.

Cookie policy generator

You can easily create a cookie policy for your website using a cookie policy generator. 

Step 1:

Log in to your CookieYes account or sign up if you do not have one already.

Then, choose More > Cookie policy generator from the dashboard.

Step 2:

Select your preferred languages. CookieYes cookie policy generator lets you write your policies in multiple languages, including French and Dutch.

Step 3:

Click on Next and proceed through the four auto-generated sections of your cookie policy: About cookies> Use of cookies> Types of cookies> Cookie preferences.

Step 4:

Click on Generate cookie policy and complete the steps to publish it as guided by the tool.

This way, you will have a cookie policy on your website, and it barely takes a few minutes. This is hands-down the easiest way to create a cookie policy.

Difficulty level: 0/5

Write from scratch

You could also write a cookie policy by yourself.

Step 1:

Start by scanning your site for cookies. This way, you will know what cookies are on your site and categorise them as essential, analytics, third-party cookies, etc.

Step 2:

Create an outline with relevant sections that are important to comply with privacy laws like GDPR, ePrivacy Directive and CCPA. It must contain at least:

• What are cookies? 
• Why do we use cookies?
• How do we use cookies?
• What cookies are on our site?
• How can users control cookies?
• How often will we update this cookie policy?
• How to contact us?

Step 3:

Review the policy before publishing it. We recommend a thorough review by an expert to ensure that it complies with the cookie policy requirements under major laws and is easy to understand.

Then, publish it conspicuously on your website, and also link it from the cookie banner.

Difficulty level: 5/5

Cookie policy template

A template meets in the middle of the first two methods. Here, you will get an outline, which needs to be further improved to suit your website’s needs.

Difficulty level: 3/5