Almost every website has one, but few business owners know what exactly belongs in it: the cookie policy. Often it is a generic three-paragraph text, copied from another website at some point. That does not cut it. A cookie policy must describe which cookies your website actually sets, and list a number of mandatory details for each cookie.
Why you need a cookie policy
The obligation comes from two directions at once.
The ePrivacy rules (implemented in national legislation across the EU) require consent before you set non-essential cookies. That consent must be informed: a visitor can only validly agree to something that has been clearly explained.
The GDPR adds a transparency duty on top for every processing of personal data. Many cookies collect identifiable data such as a unique visitor ID or IP address, so they fall under that duty.
The Court of Justice of the EU made this concrete in the Planet49 ruling (2019): visitors must know, among other things, how long cookies remain active and whether third parties have access to them. Exactly the information that belongs in a cookie policy.
What must be listed per cookie
A proper cookie policy contains a table with, for every cookie your website sets:
Name. The technical name of the cookie, such as _ga or PHPSESSID. This lets a visitor (or regulator) verify that your policy matches what the browser shows.
Provider. Who sets the cookie? You (first-party) or an external service such as Google, Meta or HubSpot (third-party)? For third-party cookies, readers also expect a reference to that party’s privacy policy.
Purpose. What is the cookie for? “Marketing” alone is too vague; better is, for example, “measures advertising effectiveness by recognising visitors across websites”.
Category. Necessary, functional, analytics or marketing. This classification must match the choices in your cookie banner: a visitor who declines analytics cookies must not receive any.
Retention period. How long does the cookie stay on the device? A session, 24 hours, 13 months, 2 years? This is the information the Court of Justice explicitly made mandatory.
Legal basis. For necessary cookies this is usually legitimate interest; for all other categories it is consent.
The policy should also cover: how visitors can withdraw or change their consent, whether data is transferred outside the EEA, and when the policy was last updated.
The real problem: do you know which cookies you set?
This is where most websites go wrong. Not because owners want to hide anything, but because modern websites set cookies the owner is unaware of.
A few examples from practice:
- A tag manager (such as Google Tag Manager) loads scripts that set cookies of their own. One marketing colleague adding a tag, and your cookie landscape has changed.
- A chat widget such as Intercom or Tawk.to sets cookies to link conversations to visitors.
- A YouTube embed can set Google tracking cookies, even if the visitor never plays the video.
- Social share buttons and pixels from Meta or LinkedIn set cookies that follow visitors across websites.
Writing a cookie policy based on what you think you use is therefore almost guaranteed to produce a policy that is wrong. And a wrong policy is not a detail: it means the consent you collect is not validly informed.
The only reliable approach is measuring instead of guessing: scan your website the way a real visitor experiences it, and build your cookie table from what actually happens. You can use our free cookie policy generator for that, or do it manually with our cookie audit template.
Cookie policy and cookie banner: two different things
The terms are often mixed up, but each solves a different part of the puzzle:
- The cookie banner asks for consent before non-essential cookies are set, and remembers the visitor’s choice.
- The cookie policy documents which cookies exist, with all mandatory details, so that the consent is informed.
A banner without a proper policy collects consent that is legally shaky. A policy without a banner means you are setting cookies without consent. You need both, and they must reference each other: your banner should link straight to your cookie policy.
A cookie policy is never finished
Perhaps the most important insight: a cookie policy is not a document you write once. Every change to your website can alter the cookie landscape. The new booking module, the replaced analytics tool, the campaign pixel that was added “temporarily”: all potential new cookies that belong in your policy.
So schedule a periodic check, or better: automate it. GDPRWise rescans your website periodically and updates your cookie policy automatically when new cookies appear. That way what you publish keeps matching what your website does, months after launch too.
Enter your domain and we detect every cookie on your website, including provider, purpose, retention period and classification. The scan is free; generate the policy with a free account.