Cookie Policy: How to Create One to Comply With GDPR

In the year 2020, as a website owner, you must be aware of what cookies are, what they do, and what a cookie policy is.

A cookie policy is a statement in the privacy policy or a separate page on a website that informs its visitors about the cookies the site uses, their purpose, and how to control them. 

Users can refer to the cookie policy to inform themselves about the type of data that the website or third parties will collect. By being transparent about which cookies the site uses, you avoid damaging the trust users place in your site.

The impact of the EU regulation, the GDPR (if you have not heard of it, read our guide), on the use of cookies is not something to ignore. It mandated several standards for how a website must use cookies, thus changing the way you should present the cookie policy.

What Does GDPR Say About Cookies?

To be honest, not much! In fact, the word “cookie” is only mentioned once in the 88-page Regulation. 

Then, how does the GDPR affect the use of cookies?

GDPR states that one can identify a natural person using the data collected by online identifiers such as cookie identifiers, with or without any additional data. 

Cookies collect information that may be considered as personal data. Under GDPR, collecting personal data is subject to certain restrictions. 

This is precisely the reason GDPR affects how you use internet cookies, despite most of them being harmless.

The law mandates that data controllers (in this case, the website owner) must be transparent about their data collection and processing and must obtain prior consent from data subjects (site visitors) for it.

GDPR makes it clear that data subjects have every right to know about the identifiers that collect their personal data and that they can object to this processing if they want to.

Your website’s cookie policy, therefore, must comply with all the GDPR requirements to avoid any legal trouble.

Creating a GDPR Compliant Cookie Policy

At the outset, one thing to keep in mind while creating the cookie policy for your website is that you have to present it in concise, clear, and plain language. The people reading it may not be comfortable with legal jargon or complicated terms. The idea is to make them aware of how you handle cookies.

The simpler the explanation, the better they will understand and trust you.

To create a cookie policy that complies with the GDPR, it should include the following three main parts:

What are cookies?

Many people visiting your website may have little or no knowledge of internet cookies. This part will be useful to them.

You can start with a general description of cookies and then describe the types of cookies and their purpose.

The aim of this part is to give visitors some idea of what cookies do before you explain how and why your site uses them.

[Screenshot: "What are cookies" section of Spotify's cookie policy]

How do you use cookies?

Now, this is the part where you have to list all the cookies that your website uses.

You have to explain how you use each type of cookie listed in the "what are cookies" part.

You should mention the site's purpose for using each type of cookie. If they have a storage duration, that too needs to be mentioned.

You can also discuss if your site, or any third party on your behalf, stores third-party cookies on the visitor’s device, and why. This information can be added as a separate part as well. 

You have to explicitly mention if these cookies store the visitor’s personal data. And, if they do, then be clear about what kind of personal data the cookies collect and why.

[Screenshot: "How do you use cookies" section of Zara India's cookie policy]
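One way to assemble the raw material for this part, as an added example that is not from the original article: a small Python script that turns the Set-Cookie headers your site's responses send into one inventory row per cookie (first- or third-party, storage duration, the flags the server set, and a purpose you have to supply). The site domain, the purpose register, the reference date and the sample headers are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.com"  # assumed first-party site (constructed)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date for lifetimes

# Purpose register keyed by cookie name; a real site maintains this itself (constructed).
PURPOSES = {
    "session_id": "strictly necessary: keeps you logged in",
    "consent_prefs": "functional: remembers your cookie choices",
    "analytics_uid": "analytics: distinguishes visitors for traffic statistics",
    "ad_tracker": "advertising: third-party ad measurement",
}

def _lifetime(attrs, now):
    # Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie.
    if "max-age" in attrs:
        secs = int(attrs["max-age"])
    elif "expires" in attrs:
        secs = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    else:
        return "session"
    if secs <= 0:
        return "deleted"  # Max-Age=0 or a past Expires removes the cookie
    return f"{secs // 86400} days" if secs >= 86400 else f"{secs} seconds"

def parse_set_cookie(host, header, now=NOW):
    """Turn one Set-Cookie header into a cookie-policy row (name, party, duration, flags, purpose)."""
    first, *rest = (p.strip() for p in header.split(";"))
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    domain = attrs.get("domain", host).lstrip(".")
    party = "first-party" if domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN) else "third-party"
    flags = [f for f in ("Secure", "HttpOnly") if f.lower() in attrs]
    if "samesite" in attrs:
        flags.append(f"SameSite={attrs['samesite']}")
    name = first.split("=", 1)[0]
    return {"name": name, "party": party, "duration": _lifetime(attrs, now),
            "flags": ", ".join(flags),
            "purpose": PURPOSES.get(name, "UNDOCUMENTED: describe before publishing the policy")}

def build_inventory(responses, now=NOW):
    return [parse_set_cookie(host, header, now) for host, header in responses]

# Constructed sample responses: (responding host, Set-Cookie header value)
SAMPLE = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "consent_prefs=all; Max-Age=31536000; Path=/; Secure"),
    ("www.example.com", "analytics_uid=u-42; Domain=.example.com; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("ads.tracker-example.net", "ad_tracker=xyz; Max-Age=7776000; Secure; SameSite=None"),
]
```

Calling `build_inventory(SAMPLE)` yields the four rows; any row whose purpose is still marked UNDOCUMENTED is a cookie you cannot yet describe in the policy.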

How to manage cookies?

Your visitors may not want to share their personal data with you or third parties. Or they may not want you to monitor their online behavior. You are required to provide them with options to opt out of such cookies.

In this part, you should mention the various settings for managing or deleting these cookies. The methods include browser settings, site settings, or a link to allaboutcookies, which explains in detail how to control cookies.

For cookies set by third parties, you can link to those parties' settings pages or websites.

Make sure your visitors are aware of their right to withdraw the consent they gave to use cookies at any time. Read this article to find out how you can change consent using CookieYes.

[Screenshot: "How to manage cookies" section of Facebook's cookie policy]

Additionally, you can add the date of the last update to the cookie policy and the contact information of the DPO or the site's administrator.

The cookie policy should be easily accessible on your website. The link should be available on the homepage itself, preferably in the header or footer.

You can also provide the link in the privacy policy (if the cookie policy is not part of it).

The following are some good examples of GDPR-compliant cookie policies:

Zara India
Creating a GDPR-compliant cookie policy is not a hassle. However, you should be very careful when deciding what information goes into it. Do not go overboard with technical details that may distract your visitors from the necessary information.

Disclaimer: This article does not represent legal advice. The purpose of this article is to provide general information only. Hence, for any legal advice, please contact a lawyer specialized in the area.