Every privacy regulation that touches cookies - the ePrivacy Directive, the GDPR, the CCPA, the UK's PECR - expects one thing from your website: tell visitors what cookies you set, why you set them, and what choices they have. That document is your cookie policy. Get it wrong, and the consent your cookie banner collects becomes legally questionable regardless of how well the banner is designed.
In 2025, the French CNIL imposed a combined total of nearly 487 million euros in sanctions, with cookie violations making up the largest category. The ICO launched a systematic review of the top 1,000 UK websites, issuing warnings to 134 of the first 200 it inspected. Incomplete or inaccurate cookie policies featured in both enforcement programmes. The document you publish matters.
What a Cookie Policy Is (and How It Differs from a Privacy Policy)
A cookie policy is a standalone document - or a clearly marked section within a broader privacy policy - that explains how your website uses cookies and similar tracking technologies. It covers cookie names, purposes, durations, categories, and third-party providers.
A privacy policy, by contrast, addresses all personal data processing across your organisation: customer databases, email lists, employee records, and everything else. Cookies are one slice of that picture. Some sites combine both into a single page, but splitting them makes it easier for visitors to find cookie-specific information quickly - and easier for regulators to audit.
Legal Requirements That Shape Your Cookie Policy
Three overlapping legal frameworks determine what your cookie policy must contain. Article 5(3) of the ePrivacy Directive requires that users receive clear information before any non-essential cookie is stored on their device. The GDPR, specifically Articles 13 and 14, mandates transparency about what personal data is collected, who processes it, and on what legal basis. In California, the CCPA requires disclosure of the categories of personal information collected, including data gathered through cookies.
The practical effect is a minimum information set that every cookie policy needs. Skip any element, and you risk the same kind of finding that led the CNIL to fine Shein 150 million euros in September 2025 - in part because its cookie information banners were incomplete.
Step 1: Run a Cookie Scan
Before writing a single word, you need a complete inventory of every cookie your site actually sets. Open your browser's developer tools, clear all storage, visit your site, and check the Application tab. Better yet, use a cookie scanning tool that crawls multiple pages and captures cookies set by embedded iframes, third-party scripts, and delayed-load tags.
Record four things for each cookie: its name (for example _ga, _fbp, or PHPSESSID), its purpose, its duration, and whether it is first-party or third-party. This inventory becomes the backbone of your policy.
A one-time scan is not enough. Plugins get updated, marketing teams add tracking pixels, and platform providers change their cookie behaviour. The CNIL's 2025 enforcement actions specifically targeted sites whose declared cookies did not match what was actually being set. Schedule recurring scans - monthly at minimum, weekly if your site changes frequently.
Step 2: Categorise Your Cookies
Group each cookie into one of the standard cookie categories. Regulators and consent platforms alike use these groupings to structure banner choices and policy disclosures.
| Category | Purpose | Consent required? | Examples |
|---|---|---|---|
| Strictly necessary | Core site functionality: sessions, authentication, security, load balancing | No (but must be disclosed) | PHPSESSID, csrftoken |
| Functional | User preferences: language, region, display settings | Yes, in most EU jurisdictions | pll_language, wp_lang |
| Analytics | Usage measurement and performance tracking | Yes | _ga, _gid, _hjSession |
| Marketing | Ad targeting, retargeting, cross-site tracking | Yes | _fbp, IDE, NID |
Be honest about categorisation. Regulators in 2025 and 2026 have begun scrutinising sites that classify marketing cookies as "functional" to avoid collecting consent. Misclassification is treated as a dark pattern.
Step 3: Write Each Section of the Policy
A compliant cookie policy follows a predictable structure. Here is a section-by-section breakdown with guidance on what to include.
Introduction
State what the document is, who publishes it (your company name and contact details), and when it was last updated. One paragraph is enough. Avoid jargon - the ICO guidance recommends language a general audience can understand.
What Cookies Are
Briefly explain that cookies are small text files stored on a visitor's device. Mention related technologies too - local storage, session storage, and pixels - since the ePrivacy Directive covers any technology that stores or accesses information on terminal equipment, not just HTTP cookies.
Cookie Table
This is the core of the policy. List every cookie with its name, provider, purpose, category, duration, and whether it is first-party or third-party. A table format works best. If you have dozens of cookies, group them by category and make the table sortable or collapsible.
How Consent Is Collected
Explain your consent mechanism. If you use a consent management platform, say so. Describe which cookie categories are blocked by default and only activated after opt-in consent. Note that strictly necessary cookies are set without consent but are disclosed in the policy.
How to Manage or Withdraw Consent
Tell visitors how to change their preferences - through your banner's preference centre, through browser settings, or both. The GDPR requires that withdrawing consent be as easy as giving it. Include practical instructions or link to browser-specific guides.
Third-Party Cookies and Data Recipients
Name every third party whose cookies appear on your site: Google, Meta, LinkedIn, Hotjar, and so on. Link to each provider's own privacy policy. This is where many cookie policies fall short. The CNIL requires that the cookie consent banner link to a page listing all data controllers and processors involved in cookie-based data collection.
Data Retention and Cookie Duration
State how long each cookie persists. The ePrivacy Directive recommends persistent cookies should not exceed 12 months, though in practice many analytics cookies default to longer periods. Cookie duration information belongs both in the cookie table and in a summary section so visitors can see the overall picture.
Contact Details and Updates
Provide an email address or contact form for cookie-related queries. State how often the policy is reviewed and how visitors will be notified of changes. If you have a Data Protection Officer, list their contact information here.
Step 4: Connect the Policy to Your Cookie Banner
A cookie policy sitting on a page nobody visits is useless. Link it from three places: your cookie banner (at the point where visitors make a consent choice), your website footer, and your privacy policy. The CNIL and ICO guidance both require that the policy be accessible at the moment consent is requested and at any point afterwards.
Your banner text should reference the policy directly. Something like "Read the full cookie policy" with a hyperlink works. Avoid burying the link behind multiple clicks - regulators treat inaccessibility as insufficient transparency.
Step 5: Keep the Policy Accurate Over Time
Cookie policies go stale faster than most legal documents. Every time you install a new WordPress plugin, add a Meta Pixel, embed a YouTube video, or switch analytics providers, your cookie inventory changes. If the policy does not reflect those changes, it is non-compliant.
Build a review trigger into your deployment process. Before any new script goes live, check whether it sets cookies, and if so, update the policy. Pair this with regular cookie audits to catch cookies introduced by third-party updates you did not initiate.
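A reconciliation check for the scan-versus-policy mismatch described in Step 1 and for the pre-release trigger above, as an added example that is not the article's own code or any tool it mentions; the scan output and policy table are constructed samples, and the category map reuses the cookie names from the table in Step 2.

```python
"""Reconcile a cookie scan against the policy's cookie table (added illustration,
not the article's or any product's code; every data set below is constructed)."""

# Constructed scan result: cookie name -> observed lifetime in days (0 = session cookie)
SCANNED = {
    "PHPSESSID": 0,    # session cookie, expires when the browser closes
    "_ga": 730,        # analytics cookie observed with a 2-year lifetime
    "_fbp": 90,        # set by an embedded Meta Pixel
    "IDE": 390,        # third-party ad cookie set by an embedded tag
}

# Constructed copy of the published cookie table: name -> declared category and lifetime
DECLARED = {
    "PHPSESSID": {"category": "strictly necessary", "days": 0},
    "_ga": {"category": "analytics", "days": 365},
    "_fbp": {"category": "functional", "days": 90},   # a marketing cookie filed as functional
    "wp_lang": {"category": "functional", "days": 365},
}

# Categories the article's own table assigns to these well-known cookie names
KNOWN_CATEGORY = {"_ga": "analytics", "_gid": "analytics",
                  "_fbp": "marketing", "IDE": "marketing", "NID": "marketing"}

BLOCKING = {"undeclared", "misclassified", "duration_understated"}  # fail the release on these

def audit(scanned, declared):
    """Return sorted (finding, cookie) pairs where the policy and the scan disagree."""
    findings = set()
    for name, days in scanned.items():
        entry = declared.get(name)
        if entry is None:
            findings.add(("undeclared", name))        # set on the site, missing from the policy
            continue
        if entry["days"] < days:
            findings.add(("duration_understated", name))
        if days > 365:
            findings.add(("over_12_months", name))    # exceeds the 12-month guidance quoted above
        if KNOWN_CATEGORY.get(name, entry["category"]) != entry["category"]:
            findings.add(("misclassified", name))     # e.g. marketing filed as functional
    for name in declared.keys() - scanned.keys():
        findings.add(("stale", name))                 # declared but no longer set
    return sorted(findings)

def release_gate(scanned, declared):
    """Deployment check: True only when no blocking mismatch remains."""
    return not any(kind in BLOCKING for kind, _ in audit(scanned, declared))

if __name__ == "__main__":
    print(*audit(SCANNED, DECLARED), sep="\n")
    print("release allowed:", release_gate(SCANNED, DECLARED))
```

Feed it the export of your scanning tool and the rows of your published table; a failing gate before a script goes live is exactly the review trigger the step above describes.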
Common Mistakes to Avoid
Vague purpose descriptions are the most frequent problem. "This cookie improves your experience" tells a visitor nothing. Be specific: "This cookie stores your selected language preference so the site displays content in that language on return visits."
Generic copy-paste policies rank second. If your policy lists cookies that your site does not actually set, or omits cookies that it does, the document is worse than useless - it actively misleads visitors and gives regulators evidence of negligence.
Third is forgetting about social media embeds. A Facebook Like button, a Twitter feed widget, or an embedded Instagram post each sets its own cookies. These third-party cookies must appear in your policy even though you did not write the code that creates them.
Frequently Asked Questions
Is a cookie policy the same as a privacy policy?
No. A privacy policy covers all personal data processing across your organisation. A cookie policy focuses specifically on cookies and similar tracking technologies used on your website, including their names, purposes, durations, and categories. Many sites publish them as separate documents and link between the two.
Do I need a cookie policy if my site only uses strictly necessary cookies?
Yes. The ePrivacy Directive and GDPR still require you to inform visitors about all cookies, including strictly necessary ones. You do not need consent for them, but you must explain what they do and why they are necessary. A short cookie policy fulfils that transparency obligation.
How often should I update my cookie policy?
Review it every time you add a new third-party script, plugin, or analytics tool. At minimum, run a cookie scan quarterly. The CNIL's 2025 enforcement actions specifically penalised sites whose cookie policies did not reflect the actual cookies being set.
Can I use a cookie policy generator instead of writing one manually?
Generators can create a starting template, but they rarely capture every cookie accurately. Pair a generator with a proper cookie scan to identify all first-party and third-party cookies. Then review the output for accuracy before publishing.
Where should the cookie policy be accessible on my website?
Link it from your cookie banner, your website footer, and your privacy policy. Regulatory guidance from the ICO and the CNIL requires that the policy be easy to find both at the moment consent is requested and at any later point.
Get Your Cookie Compliance in Order
Writing a cookie policy is one part of a larger compliance picture that includes scanning, categorising, and blocking cookies before consent. Kukie.io detects all cookies on your site, groups them by category, and generates the disclosure data your policy needs.