
Cookie Policy: What It Is and What It Must Contain

A cookie policy is a document that explains to your website visitors which cookies and similar tracking technologies your site uses, why it uses them, and how users can control them. It is a legal requirement under both the ePrivacy Directive and the GDPR, and it is a cornerstone of transparent data processing.

This guide covers what a cookie policy is, how it differs from a privacy policy, what it must contain under current regulations, and how to keep it accurate over time.

What Is a Cookie Policy?

A cookie policy is a dedicated document — either a standalone page or a clearly identifiable section within your privacy policy — that provides comprehensive information about your website's use of cookies and similar technologies (local storage, session storage, pixel tags, web beacons, fingerprinting, and similar).

The legal basis for requiring a cookie policy comes from two intersecting regulations:

  • ePrivacy Directive (2002/58/EC), Article 5(3) — requires that users are provided with "clear and comprehensive information" about the purposes of cookies before consent is obtained.
  • GDPR, Articles 12-14 — require transparency about data processing, including what data is collected, for what purposes, with whom it is shared, and for how long it is retained.

Together, these regulations require you to tell your users exactly what tracking technologies you use and give them meaningful control over those technologies.

Cookie Policy vs Privacy Policy

A cookie policy and a privacy policy are complementary but distinct documents. Understanding the difference is important:

Aspect           | Cookie Policy                                                              | Privacy Policy
-----------------|----------------------------------------------------------------------------|----------------------------------------------------------------
Scope            | Cookies and tracking technologies specifically                             | All personal data processing (forms, accounts, purchases, etc.)
Legal basis      | ePrivacy Directive + GDPR transparency requirements                        | GDPR Articles 12-14
Content focus    | Cookie names, purposes, durations, types, categories, control mechanisms   | Data categories, legal bases, rights, transfers, DPO, retention
Format           | Standalone page or section within privacy policy                           | Standalone page (required)
Update frequency | Whenever cookies change (add/remove tools, vendors)                        | Whenever data processing practices change

You may include your cookie policy as a section within your privacy policy, but it must be clearly identifiable and easy to navigate to. Many organizations maintain a separate cookie policy page for clarity and because cookie information can be quite detailed.

Your cookie banner should link to your cookie policy. If your cookie information is a section within your privacy policy, the link should anchor directly to that section — do not force users to scroll through pages of unrelated privacy information to find cookie details.

Legal Requirement for a Cookie Policy

The ePrivacy Directive requires "clear and comprehensive information" as a precondition for valid consent. The GDPR's transparency principle (Article 5(1)(a)) and information requirements (Articles 13-14) further require that this information be:

  • Concise, transparent, and intelligible (Article 12(1))
  • Provided in clear and plain language (Article 12(1))
  • Easily accessible (Article 12(1))
  • Provided free of charge (Article 12(5))

In practical terms: your cookie policy must be written in language that a non-technical person can understand, it must be linked from your cookie banner and your website footer, and it must contain specific information about each cookie your site uses.

What a Cookie Policy Must Contain

Based on the combined requirements of the ePrivacy Directive, the GDPR, and guidance from data protection authorities including the ICO (UK), CNIL (France), and the Article 29 Working Party (since succeeded by the European Data Protection Board), your cookie policy must include the following information:

1. What Cookies You Use

Provide a complete list of all cookies and similar technologies active on your website. This includes cookies set by your own code (first-party) as well as cookies set by third-party services you use (analytics platforms, advertising networks, social media widgets, embedded content, chatbots, etc.).

Each cookie should be identified by name. "We use analytics cookies" is not sufficient — you must list the specific cookies: _ga, _gid, _gat for Google Analytics, for example.

2. Purpose of Each Cookie

For each cookie or group of related cookies, explain what it does in plain language. Avoid technical jargon. Effective purpose descriptions:

  • "Stores your cookie consent preferences so we don't ask again on every visit."
  • "Helps us count how many people visit our website and which pages are most popular."
  • "Allows us to show you advertisements relevant to your interests on other websites."

3. First-Party vs Third-Party

Indicate whether each cookie is set by your website directly (first-party) or by an external service (third-party). For third-party cookies, identify the provider and link to their privacy policy. Users have a right to know not only that their data is being collected, but by whom.

4. Duration / Expiry

State how long each cookie persists. There are two types:

  • Session cookies — deleted when the user closes their browser. State this clearly: "Session (deleted when you close your browser)."
  • Persistent cookies — remain on the user's device for a set period. State the specific duration: "2 years," "30 days," "13 months." Do not use vague terms like "long-term."

Data protection authorities have scrutinized cookie durations. The CNIL, for example, recommends that consent cookies (the cookies that store the user's consent choice) should not exceed 13 months.

5. How to Manage and Delete Cookies

Explain how users can control cookies through two mechanisms:

  • Your consent banner. Explain that users can change their cookie preferences at any time through your cookie settings (provide the location of the settings link/icon).
  • Browser settings. Provide general instructions for managing cookies in common browsers (Chrome, Firefox, Safari, Edge). You do not need to provide step-by-step instructions, but you should explain that browser settings exist and link to the relevant support pages for each browser.

6. How to Withdraw Consent

GDPR Article 7(3) requires that withdrawing consent must be as easy as giving it, and that users are informed of this right before giving consent. Your cookie policy must explain:

  • That the user has the right to withdraw consent at any time.
  • How to do so (typically: click the cookie settings icon/link visible on every page, or clear cookies through browser settings).
  • That withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Cookie Categories

Organize cookies into the standard categories used by your consent banner. The most widely adopted categorization is:

  • Strictly Necessary — cookies required for the website to function (login sessions, shopping carts, security tokens). These do not require consent under the ePrivacy Directive.
  • Preferences / Functional — cookies that remember user choices (language, region, display settings). These enhance the experience but are not essential.
  • Analytics / Statistics — cookies used to measure site usage (page views, traffic sources, user behaviour patterns). The data is pseudonymous rather than anonymous: these cookies typically hold a persistent visitor identifier, which is personal data under the GDPR, so data protection authorities generally treat them as requiring consent unless a specific exemption applies.
  • Marketing / Advertising — cookies used for targeted advertising, retargeting, and ad measurement.

Your cookie policy's categories should match the categories in your consent banner. Inconsistency between the two documents undermines transparency.

8. Contact Information

Provide contact details for questions about your cookie practices. This typically includes:

  • The identity of the data controller (your company name and registered address)
  • Email address for privacy inquiries
  • Data Protection Officer (DPO) contact details, if you have appointed one
  • Your supervisory authority (the relevant data protection authority)

Where to Display Your Cookie Policy

Your cookie policy must be easily accessible from multiple locations:

  • Website footer. A "Cookie Policy" link in your footer, visible on every page. This is the standard location that users expect.
  • Cookie banner. A direct link from your cookie banner to the full cookie policy. This is a legal requirement — users must be able to access detailed information from the consent interface.
  • Cookie settings/preferences panel. The second layer of your consent interface should link to the cookie policy for users who want more information.
  • Privacy policy. If your cookie policy is a separate document, cross-reference it from your privacy policy and vice versa.

Presenting Cookie Information

The most effective and transparent format for presenting individual cookies is a table. Data protection authorities, including the ICO, recommend this format:

Cookie Name    | Provider         | Purpose                                                              | Type                   | Duration
---------------|------------------|----------------------------------------------------------------------|------------------------|----------
_ga            | Google Analytics | Distinguishes unique visitors by assigning a randomly generated number | Third-party, analytics | 2 years
_gid           | Google Analytics | Distinguishes unique visitors for the current day                    | Third-party, analytics | 24 hours
cookie_consent | This website     | Stores your cookie consent preferences                               | First-party, necessary | 12 months

This format is clear, scannable, and provides all required information at a glance.

How Often to Update

Your cookie policy must be accurate at all times. Update it whenever:

  • You add a new third-party service that sets cookies (a new analytics tool, a new marketing platform, a new chatbot).
  • You remove a service that previously set cookies.
  • A third-party service changes its cookies (new names, new durations, new purposes).
  • You change the categories in your consent banner.
  • Regulatory guidance changes (new requirements, new best practices).

Include a "Last updated" date at the top or bottom of your cookie policy. This demonstrates that the policy is actively maintained and helps users assess its currency.

The challenge, of course, is knowing when your cookies change. Third-party services update their tracking frequently, and a cookie that existed three months ago may have been replaced or renamed. Manual audits are unreliable because they depend on someone remembering to check.

Keeping Your Policy Accurate with Automated Scanning

The most common compliance failure in cookie policies is not the absence of information — it is inaccurate information. A policy that lists cookies you no longer use, or that fails to mention cookies added by a recent marketing tool integration, is not compliant.

Automated cookie scanning solves this problem. A scanner visits your website at regular intervals, identifies all cookies being set, compares them to your declared cookies, and alerts you to discrepancies.
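The comparison a scanner performs, as an added example that is not code from this page or from Passiro: it parses Set-Cookie headers the way a crawler captures them from page loads, derives for each cookie the fields the policy table above requires (name, setting domain, first- or third-party status, session vs. persistent duration as described in section 4), and reports undeclared cookies, stale policy rows and duration mismatches. The site domain, the captured headers, the declared policy table and the observation time are all constructed for the example.

```python
"""Check observed cookies against a declared cookie-policy table.

Added example, not code from the page or from Passiro. It parses Set-Cookie
headers the way a crawler would capture them from page loads, derives each
cookie's name, setting domain, first-/third-party status and duration, and
reports undeclared cookies, stale policy rows and duration mismatches.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

SITE_DOMAIN = "example.com"  # assumption: the site whose policy is being audited
# Fixed observation time so durations derived from Expires= are reproducible.
OBSERVED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample crawl: (host that sent the response, raw Set-Cookie value).
OBSERVED = [
    ("www.example.com", "cookie_consent=eyJhbmFseXRpY3MiOnRydWV9; Max-Age=63072000; Path=/; SameSite=Lax; Secure"),
    ("www.example.com", "PHPSESSID=6f1c2a9e3b; Path=/; HttpOnly; Secure"),
    ("www.example.com", "_ga=GA1.1.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.com"),
    ("www.example.com", "_gid=GA1.1.987654321.1700000000; Max-Age=86400; Path=/; Domain=.example.com"),
    ("www.example.com", "old_tracker=; Max-Age=0; Path=/"),
    ("ads.tracker.example", "uid=abc123; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; SameSite=None; Secure"),
]

# Constructed declared-policy table: the page's three example rows plus two more.
# max_days is the duration the policy states; None means declared as a session cookie.
DECLARED = {
    "_ga":            {"provider": "Google Analytics", "category": "analytics", "max_days": 730},
    "_gid":           {"provider": "Google Analytics", "category": "analytics", "max_days": 1},
    "_gat":           {"provider": "Google Analytics", "category": "analytics", "max_days": 1 / 1440},
    "cookie_consent": {"provider": "This website",     "category": "necessary", "max_days": 365},
    "PHPSESSID":      {"provider": "This website",     "category": "necessary", "max_days": None},
}


@dataclass
class ObservedCookie:
    name: str
    set_by_host: str
    domain: str                     # effective Domain attribute (response host when absent)
    party: str                      # "first" if domain is the site or a subdomain of it, else "third"
    duration_days: Optional[float]  # None means a session cookie (no Max-Age or Expires)


def _same_site(domain: str, site: str) -> bool:
    d = domain.lstrip(".").lower()
    return d == site or d.endswith("." + site)


def parse_set_cookie(host: str, header: str, now: datetime = OBSERVED_AT) -> ObservedCookie:
    """Parse one Set-Cookie header value (RFC 6265 rules: the first pair is
    name=value, attribute names are case-insensitive, Max-Age beats Expires)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain") or host
    duration = None
    if "max-age" in attrs:
        duration = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        duration = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    party = "first" if _same_site(domain, SITE_DOMAIN) else "third"
    return ObservedCookie(name, host, domain, party, duration)


def _duration_mismatch(declared_days: Optional[float], observed_days: Optional[float]) -> bool:
    if declared_days is None or observed_days is None:
        return not (declared_days is None and observed_days is None)  # session vs persistent
    return abs(observed_days - declared_days) > 0.01 * declared_days     # 1% slack for rounding


def audit(observed_headers, declared, now: datetime = OBSERVED_AT) -> dict:
    """Compare what the site actually sets with what the policy declares."""
    observed = {}
    for host, header in observed_headers:
        c = parse_set_cookie(host, header, now)
        if c.duration_days is not None and c.duration_days <= 0:
            continue  # Max-Age<=0 or a past Expires is a deletion; nothing is stored
        observed[c.name] = c
    findings = {"undeclared": [], "stale": [], "duration_mismatch": []}
    for name, c in observed.items():
        if name not in declared:
            findings["undeclared"].append((name, c.domain, c.party, c.duration_days))
        elif _duration_mismatch(declared[name]["max_days"], c.duration_days):
            findings["duration_mismatch"].append((name, declared[name]["max_days"], c.duration_days))
    findings["stale"] = [name for name in declared if name not in observed]
    return findings


if __name__ == "__main__":
    for kind, items in audit(OBSERVED, DECLARED).items():
        print(f"{kind}: {items}")
```

On the constructed input the audit reports `uid` as an undeclared third-party cookie lasting 366 days, `_gat` as a stale policy row, and a duration mismatch for `cookie_consent`, which the policy declares at 12 months while the banner sets it for two years. Two caveats for a real scanner: many cookies (the Google Analytics ones included) are written by JavaScript through `document.cookie` rather than by a Set-Cookie header, so a crawler has to read the browser's cookie jar after each page has fully loaded; and the "party" derived from the Domain attribute says which site the cookie belongs to, not who reads the data, so the provider column in the policy still has to be filled in by hand.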

Passiro automatically scans your website for cookies, categorizes them, and highlights any undeclared cookies that are not yet reflected in your policy. This means your cookie policy stays accurate without manual audits. Learn more about Passiro's automated cookie scanning.
