Free Cookie Policy Template for GDPR & CCPA Compliance

If your website uses cookies or other similar tracking technologies to collect and store any information about users, it is important for you to include a cookie policy on your website. As per laws like the General Data Protection Regulation (GDPR) in the EU, California Consumer Protection Act (CCPA) in the US, websites are required to inform users about their use of cookies and this can be achieved through a cookie policy.

Step 1. Identify the cookies your website uses

The first step is to identify all the cookies your website uses. To do this Create a FREE CookieYes Account and verify your email address. Our scanner will then automatically detect and categorize cookies on your site as — necessary, functional, advertisement, analytics, and performance cookies.

Watch this video to see how you can generate a free cookie policy template for your website!

Step 2. Customize your cookie policy

Head to your CookieYes account and click on ‘More’ from the top navigation bar. Then select Cookie Policy Generator. You will see a pre-filled cookie policy template with a ‘Show cookie audit table‘ enabled by default. This means, your cookie policy will contain a table with the full list of cookies detected on your site.

You can customize the content in the cookie policy template or add clauses as per your requirements. In the Manage Cookie Preferences section, your website visitors will be able to modify or change their cookie consent at any time using the ‘Revisit consent widget’. This will help your website get compliant with the right to withdraw, a key requirement under the GDPR. 

With each website scan, your cookie policy will also be auto-updated with new cookies detected on your site. With paid plans, you will also be able to schedule cookie scanning so that you don’t have to manually initiate a scan. 

A cookie policy should include the following sections:

• An explanation that you use cookies and what cookies are
• Description of the types of cookies used by your site
• Explanation of any other tracking technologies used
• Details of why these cookies are used
• Description of how users can opt-out or set their cookie preferences

Cookie policy should also use plain, easy-to-understand language. Keep in mind that the purpose of providing a cookie policy is to be transparent about the use of cookies.

You should display a link to your cookie policy that is accessible from every page of your website. Usually, websites post their legal documents such as terms of use, privacy policy, and cookie policy in the website’s footer. 

On the mobile app, you should display your cookies policy in the menu, under the ‘About’ or ‘Legal’ sections. You can also link your website’s cookie policy on your cookie banner so users can be easily directed to the cookie policy page.

Implement cookie consent on your website

A cookie policy is not the only requirement under privacy laws like the GDPR and CCPA. Cookie consent is an important requirement under the GDPR. Websites that collect and process data of EU residents have to display cookie banners and get explicit consent from users before they deploy any cookies other than the strictly necessary cookies.

While opt-in consent is not mandated under CCPA, the law requires that websites provide CCPA notices to users so that they can opt-out of the sale of their personal information. It is therefore important that your cookie policy reflect your compliance with the applicable data privacy laws.

To achieve this, CookieYes is your go-to cookie compliance solution. You can easily add a fully customizable cookie consent banner, and CCPA notices and make it available in 30+ languages. CookieYes will scan your website and automatically block third-party cookies until you get user consent. You can also record user consent in a consent log to demonstrate your compliance during audits. 

Most likely, yes. It depends on your intended audience i.e. where your website users are based in. The EU and the US have slightly different regulations regarding cookies. 

European Union

Recital 30 of the European Union’s General Data Protection Regulation (GDPR) notes that online identifiers like cookies when combined with other identifiers or information can be used to create profiles of individuals and identify them. While Recital 26 states that any data that can be used to identify an individual either directly or indirectly (on its own or in conjunction with other information) is personal data. Therefore, data from cookies are part of personal data in the GDPR.

The GDPR and the ePrivacy Directive also mandate that users are informed about how their data is collected and processed. Article 13 and Article 14 of the GDPR require that any information or communication relating to the processing of personal data is easily accessible and is available in clear and plain language. As cookies come under the scope of personal data, a GDPR cookie policy is required for websites in the EU, or websites that cater to users in the EU. 

Do you need a separate cookie policy and privacy policy?

If your website uses cookies, you should have a dedicated cookie policy and it should be disclosed in your privacy policy as well. It is better to have a separate cookie policy if you have a mix of users from different geographies including EU residents. 

United States

Under the California Consumer Protection Act (CCPA) personal information refers to any information that identifies, relates to or is capable of being linked, directly or indirectly with a particular consumer or household.

The CCPA defines a non-exhaustive list of data types that come under the scope of this definition. It includes unique personal identifiers such as Internet Protocol (IP) address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology that can be used to identify a particular consumer or device. In short, as cookies could be used to potentially identify users, they can be considered personal data.

Therefore as per CCPA, websites should disclose their use of cookies in a cookie policy. However, the US does not require a separate cookie policy page. Generally, businesses in the US include a cookie policy section in their privacy policy. 

In the US, the Federal Trade Commission (FTC) Act requires that businesses have a privacy policy. Websites are required to inform users on how they collect, use, share, and protect their personal information. Cookies fall under the scope of privacy disclosures and should be included in the privacy policy.

Let’s take a look at how websites implement cookie policies. McKinsey avoids legalese and describes their use of cookies and the explanation of what cookies are in the first section.

Accenture details the categories of cookies they use and how and why they are used in this section.

Meanwhile, Mailchimp uses a tabular format to describe the different categories of cookies being used, and for what.

ViacomCBS details the different types of tracking technologies they use including cookies.

Vox Media details the choices users have regarding cookies and how users can manage or opt-out of the use of cookies.

What is a cookie policy? 

A cookie policy is a detailed declaration about the cookies used on a website, how these cookies are used, what data they track, for what purpose, and how users can control the usage of cookies by a website. The cookie policy should also document any other types of tracking technologies that are used by a website, such as web beacons and pixel tags.

In the past, cookie usage was either not mentioned or was vaguely referred to in the privacy policy. A cookie policy circumvents this and brings information about cookies used by a website to the users. Your website’s cookie policy can be a standalone document or can be part of your privacy policy. 

What are cookies?

Cookies are small text files placed on a user’s device when they visit a website. They are used primarily to enable sites to operate perfectly. Some cookies are used to collect data from users for personalized, targeted ads, tracking user behaviour, etc. 

Cookies can be first-party or third-party cookies. First-party cookies are owned and created by the website you’re browsing. Third-party cookies are owned and created by a third party, usually another business providing a service to the website owners such as Facebook, YouTube, Google Analytics, Hotjar etc. 

Why do websites show cookie policy?

Websites cookie policy, like privacy policy, is added on websites to make users aware of how a website collects their information and provide transparency regarding how their personal data is used. As almost all websites use cookies to collect data about their users, cookies and online identifiers are considered as part of personal data by privacy laws like the GDPR, CCPA, LGPD, CNIL, and so on. Hence a cookie policy is a legal requirement so that users can exercise their right to be informed about the processing of their personal data. 

What is a cookie policy generator?

A cookie policy generator is a tool that can help you create a cookie policy for your website. A cookie policy generator should be able to scan your website, identify and categorize cookies and generate a cookie audit table.

CookieYes cookie policy generator is a free tool that provides a cookie policy template with a detailed cookie audit table. You can customize the content as per your needs or use the default cookie policy template for a comprehensive cookie policy for your website.

Is it a legal requirement to have a cookie policy?

Yes, a cookie policy is a legal requirement if you process data of your website visitors who are from the EU/EEA and the UK, to comply with the GDPR and UK GDPR, respectively. Websites are required to have disclosures on what personal data they process and the purposes for processing. As cookies are part of personal data in the GDPR, websites should disclose their use on their website. You can include the disclosure about cookies within your privacy policy or publish it as a standalone cookie policy. 

What should my cookie policy say?

What should my cookie policy say?

Your cookie policy should tell your website visitors what cookies are, the cookies you use, their purposes and how they can change or set their cookie preferences. 

Here’s how to write your cookie policy:

• What are cookies – an explanation of what cookies are
• How do you use cookies – a disclosure of why your website uses cookies
• Types of cookies you use – a complete list of cookies classified based on cookie categories.
• How to manage cookie preferences – describe how users can change their cookie preferences or provide a ‘cookie settings’ button to display your cookie banner easily.

You can tailor your cookie policy and add more details specific to your website and It’s always a good idea to consult with legal professionals to ensure compliance and accuracy.

To easily create an effective cookie policy, you can use our free cookie policy generator which features an in-built cookie policy template.

Does GDPR require a cookie policy?

Yes, the General Data Protection Regulation (GDPR) requires websites that use cookies to have a cookie policy. To comply with the GDPR, websites must obtain informed and explicit consent from users before placing any non-essential cookies on their devices. 

A cookie policy is essential in providing clear and transparent information to users about the types of cookies used, their purpose, and how users can manage or disable them. 

What is the consent policy for cookies?

The consent policy for cookies refers to the process of obtaining user consent before placing cookies on their browser/devices. This is a key requirement to comply with privacy regulations such as the GDPR. 

Here’s how to implement a consent policy for cookies:

Deploy a cookie banner: Display a cookie banner or popup when a user visits your website. Provide clear and concise information about cookies and request their active consent before setting cookies on their browsers. 

Publish a cookie policy: Generate a cookie policy with a detailed disclosure about the types of cookies used, their purpose, and any third-party cookies involved. Link the policy page to your cookie banner so that users are informed about what data is collected, how it is used, and who has access to it.