
How to Write a Cookie Policy: Step-by-Step Guide

A cookie policy is only as good as its accuracy and clarity. This guide walks you through the process of creating a cookie policy that meets legal requirements, serves your users, and stays accurate over time. Follow these nine steps to produce a policy that is comprehensive, transparent, and maintainable.

Step 1: Audit Your Cookies

Before you can write about your cookies, you need to know exactly which cookies your website sets. This is the foundation of your entire policy — and the step most organizations get wrong.

A thorough cookie audit involves:

  1. Scanning every page. Cookies can vary between pages. Your homepage may set different cookies than your checkout page, your blog, or your account pages. A complete audit must cover all page types.
  2. Capturing first-party and third-party cookies. First-party cookies are set by your own domain. Third-party cookies are set by external services — analytics platforms, advertising networks, social media widgets, embedded videos, chat widgets, payment processors, and more.
  3. Identifying non-cookie storage. Modern websites also use localStorage, sessionStorage, IndexedDB, and pixel tags. A comprehensive policy covers all client-side storage mechanisms, not just HTTP cookies.
  4. Testing with and without consent. Some cookies are set regardless of consent (strictly necessary cookies). Others should only appear after consent is granted. Your audit should verify that non-essential cookies are genuinely blocked until consent is given.

Manual audits are unreliable. Manually opening browser developer tools on a handful of pages will miss cookies set by third-party scripts that load asynchronously, cookies set only on specific user actions, and cookies that appear only on subsequent visits. Use automated scanning tools for a complete picture.

Passiro's automated cookie scanner crawls your entire website, identifies every cookie and storage mechanism, and provides a categorized report — the ideal starting point for your policy.
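To make the audit step concrete, the following is an added example (not Passiro's scanner or any vendor's code) that turns the raw Set-Cookie strings a crawler captures into the inventory rows that the later categorization and table steps need: provider, first-party or third-party classification, persistence, and the pages each cookie was seen on. It assumes a crawler that records, for every cookie written on every page, the page URL, the URL of the response or script that wrote it, and the raw Set-Cookie string; the site shop.example.com, the vendor host pixel.ads-vendor.example and the whole sample capture are constructed.

```python
"""Cookie inventory from captured Set-Cookie strings.

Added illustration, not Passiro's scanner or any vendor's code. It assumes a
crawler that records, for every cookie written on every page, the page URL,
the URL of the response or script that wrote it, and the raw Set-Cookie
string. The sample capture below is constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SITE_HOST = "shop.example.com"
# Fixed reference time so Expires-based durations are reproducible.
CAPTURED_AT = datetime(2024, 5, 5, 10, 0, 0, tzinfo=timezone.utc)

# Constructed capture: (page URL, URL of the setter, Set-Cookie string).
CAPTURE = [
    ("https://shop.example.com/", "https://shop.example.com/",
     "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example.com/", "https://shop.example.com/",
     "cookie_consent=none; Path=/; Max-Age=15552000; SameSite=Lax"),
    ("https://shop.example.com/", "https://www.googletagmanager.com/gtag/js",
     "_ga=GA1.1.111.222; Domain=.shop.example.com; Path=/; "
     "Expires=Tue, 05 May 2026 10:00:00 GMT"),
    ("https://shop.example.com/checkout", "https://shop.example.com/checkout",
     "csrftoken=xyz; Path=/; Secure; SameSite=Strict"),
    ("https://shop.example.com/checkout", "https://pixel.ads-vendor.example/px",
     "adid=77; Domain=.ads-vendor.example; Path=/; Max-Age=31536000"),
    ("https://shop.example.com/blog", "https://shop.example.com/blog",
     "sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie string into (name, attributes).

    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def registrable_domain(host):
    """Last two labels of a host. Assumption: no public-suffix list is used,
    so multi-part suffixes such as co.uk are not handled."""
    return ".".join(host.lower().split(".")[-2:])


def lifetime_seconds(attrs):
    """Persistence in seconds; None means a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return max(0, int((expires - CAPTURED_AT).total_seconds()))
    return None


def describe_lifetime(seconds):
    """Human-readable duration for the policy table."""
    if seconds is None:
        return "session"
    for unit, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            n = round(seconds / size)
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def build_inventory(capture, site_host=SITE_HOST):
    """One row per (cookie name, provider host); pages it was seen on are merged."""
    site_domain = registrable_domain(site_host)
    rows = {}
    for page, setter, header in capture:
        name, attrs = parse_set_cookie(header)
        provider = urlsplit(setter).hostname
        row = rows.setdefault((name, provider), {
            "name": name,
            "provider": provider,
            # Party follows who set the cookie, as the policy table attributes it.
            "party": ("first-party" if registrable_domain(provider) == site_domain
                      else "third-party"),
            "duration": describe_lifetime(lifetime_seconds(attrs)),
            "secure": attrs.get("secure") is True,
            "httponly": attrs.get("httponly") is True,
            "samesite": attrs.get("samesite", "unset"),
            "pages": set(),
        })
        row["pages"].add(urlsplit(page).path)
    return list(rows.values())


if __name__ == "__main__":
    for row in build_inventory(CAPTURE):
        print(f"{row['name']:<16}{row['provider']:<34}{row['party']:<13}"
              f"{row['duration']:<10}{sorted(row['pages'])}")
```

The two-label domain approximation is the weak point of this toy: a production scanner should use the public suffix list so that sites under suffixes like co.uk are classified correctly. Note also that a cookie such as _ga lands on your own domain even though a third-party script writes it; recording the setter's host is what lets the inventory attribute it to the analytics provider rather than to your site.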

Step 2: Categorize Each Cookie

Once you have a complete list of cookies, organize them into standard categories. The most widely accepted categorization, used by the IAB Transparency and Consent Framework and recommended by most data protection authorities, is:

Strictly Necessary

Cookies without which the website cannot function. Examples: session cookies for login state, shopping cart cookies, CSRF protection tokens, load balancer cookies, cookie consent preference cookies. These are exempt from the consent requirement under ePrivacy Directive Article 5(3), but you must still disclose them in your policy.

Preferences / Functional

Cookies that enable enhanced functionality and personalization. Examples: language selection, region/currency preference, font size settings, recently viewed items. These are not strictly necessary — the site would function without them — but they improve the user experience. They require consent.

Analytics / Statistics

Cookies used to collect data about how visitors interact with the website. Examples: Google Analytics cookies (_ga, _gid), Hotjar session cookies, Plausible Analytics. These require consent in most EU jurisdictions, though some DPAs (notably the French CNIL) have created limited exemptions for audience measurement tools that meet strict conditions.

Marketing / Advertising

Cookies used for targeted advertising, retargeting, and ad performance measurement. Examples: Google Ads (_gcl_*), Meta Pixel (_fbp), LinkedIn Insight Tag, advertising network cookies. These always require consent and are the most scrutinized category.

For each cookie, assign a category and verify that the categorization is accurate. A common error is categorizing analytics or marketing cookies as "functional" to avoid the consent requirement — this is non-compliant and easily detected by regulators.

Step 3: Write the Introduction

Your cookie policy should open with a brief introduction that covers:

  • Who you are. The legal entity operating the website (company name, registered address).
  • What this document covers. "This cookie policy explains how [Company Name] uses cookies and similar technologies on [website URL]."
  • When it was last updated. Include a prominent date.
  • How to contact you. Provide a contact email and, if applicable, your Data Protection Officer's details.

Keep the introduction to two or three sentences. Users are here for specific information, not a corporate preamble.

Step 4: Explain What Cookies Are

Include a brief, non-technical explanation of what cookies are. Many of your visitors will not know. A good explanation is:

Cookies are small text files that are stored on your device (computer, tablet, or phone) when you visit a website. They are widely used to make websites work, to improve efficiency, and to provide information to website owners. Cookies set by the website you are visiting are called "first-party cookies." Cookies set by other companies (for example, analytics or advertising services) are called "third-party cookies."

If your site uses technologies beyond HTTP cookies — such as localStorage, pixel tags, or fingerprinting — mention those as well. "In this policy, we use the term 'cookies' to refer to cookies and similar technologies unless otherwise stated."

Step 5: List Cookies in a Table Format

Present your cookies in a structured table, organized by category. For each cookie, include:

Field    | Description                                                 | Example
Name     | The cookie's technical name                                 | _ga
Provider | Who sets this cookie                                        | Google Analytics (google.com)
Purpose  | What the cookie does, in plain language                     | Generates a unique ID to record statistical data about how you use the website
Type     | First-party or third-party; HTTP cookie, localStorage, etc. | Third-party HTTP cookie
Duration | How long the cookie persists                                | 2 years

Here is an example of a well-structured cookie table for the analytics category:

Cookie Name | Provider         | Purpose                                                                     | Type        | Duration
_ga         | Google Analytics | Assigns a unique ID to distinguish visitors and compile statistical reports | Third-party | 2 years
_gid        | Google Analytics | Assigns a unique ID for each browsing session to compile statistical reports | Third-party | 24 hours
_gat_UA-*   | Google Analytics | Limits the rate of data collection on high-traffic sites                    | Third-party | 1 minute

Repeat this table for each category: Strictly Necessary, Preferences, Analytics, and Marketing.

Step 6: Describe Each Category

Before each cookie table, provide a brief description of the category:

  • What cookies in this category do — in general terms.
  • Whether consent is required — strictly necessary cookies do not require consent; all others do.
  • What happens if the user refuses — "If you decline analytics cookies, we will not collect data about your visits. The website will function normally."

This contextual information helps users make informed decisions and meets the GDPR's transparency requirements.

Step 7: Explain How Users Can Control Cookies

This section must cover two control mechanisms:

Through Your Consent Banner

Explain that users can manage their cookie preferences at any time by clicking your cookie settings link or icon. Describe where to find it (e.g., "Click the cookie icon in the bottom-left corner of any page" or "Click 'Cookie Settings' in the footer"). Be specific — do not just say "through our cookie banner."

Through Browser Settings

Provide links to cookie management instructions for major browsers:

Note the consequence: "Please be aware that disabling cookies through your browser settings may affect the functionality of this and other websites you visit."

Step 8: Add Contact Information and DPO Details

Provide clear contact information for privacy-related inquiries:

  • Data controller identity: Company name, registered address, registration number.
  • Privacy contact email: A monitored email address (e.g., [email protected]).
  • Data Protection Officer: If you have appointed a DPO (mandatory for certain organizations under GDPR Article 37), provide their name and contact details.
  • Supervisory authority: Identify the relevant data protection authority and provide a link to their complaint mechanism. For example: "You have the right to lodge a complaint with [Name of DPA] at [URL]."

Step 9: Date the Policy and Plan Updates

Include a clear "Last updated" date. Commit to reviewing and updating the policy at regular intervals and whenever your cookie usage changes.

Consider adding a statement such as: "We review this cookie policy regularly and will update it when necessary. Any significant changes will be communicated through a notice on our website."

As a practical matter, plan for at least a quarterly review. Third-party services change their cookies frequently, and even a minor integration update can introduce new cookies that must be declared.

Common Mistakes to Avoid

Even carefully written cookie policies often contain these errors:

  • Vague purpose descriptions. "This cookie improves your experience" tells the user nothing. Be specific: what data does the cookie collect, and what is it used for?
  • Outdated cookie lists. If your policy lists cookies from a tool you removed six months ago, or fails to list cookies from a tool you added last week, it is inaccurate. Inaccurate disclosure undermines transparency.
  • Missing third-party cookies. Many organizations list their own cookies but forget to document third-party cookies set by embedded content (YouTube videos, social media buttons, chat widgets, etc.). These are often the most privacy-invasive cookies on the site.
  • Categorization errors. Classifying marketing or analytics cookies as "functional" or "necessary" to avoid the consent requirement. Data protection authorities specifically look for this.
  • No mechanism to change preferences. Stating that users can manage their preferences but not providing a clearly described, always-available mechanism to do so.
  • Copying a template without customization. Generic cookie policy templates that do not reflect your actual cookies, your actual services, or your actual data processing. A template is a starting point, not a finished document.
  • Inaccessible language. Legal jargon, technical terminology, and unnecessarily complex sentence structures. The GDPR requires clear and plain language. Write for a non-specialist audience.

Keeping Your Policy in Sync with Actual Cookies

The hardest part of maintaining a cookie policy is not writing it — it is keeping it accurate. Websites are dynamic. Marketing teams add new tools, developers integrate new services, content management systems install plugins with tracking capabilities. Each change can introduce cookies that your policy does not mention.

The solution is automated, continuous monitoring. Rather than relying on manual audits (which are infrequent, incomplete, and error-prone), use a scanning tool that regularly crawls your website, identifies all active cookies, and compares them to your declared cookie list.

Passiro scans your website automatically, detects undeclared cookies, and alerts you when your policy needs updating. This ensures your cookie policy always reflects reality — not a snapshot from the last time someone remembered to check. Learn about Passiro's automated cookie compliance.
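As an added example of the comparison this section describes (it is not Passiro's product code), the script below reconciles a scan with the declared cookie list. It assumes a crawler that records the cookies present before any consent choice and again after every category is accepted, and a small vendor catalogue of which category known cookies really belong to; the declared list, both scan results and the catalogue are constructed. It reports undeclared cookies, stale entries, duration drift, non-essential cookies that fire before consent (the check from Step 1), and declared categories that contradict the catalogue (the relabelling error from Step 2).

```python
"""Reconcile a cookie scan against the declared cookie list.

Added example, not Passiro's product code. It assumes a crawler that
records the cookies present before any consent choice and after all
categories are accepted, plus the table the policy currently declares.
All data below is constructed.
"""

# The four standard categories, with alias labels policies commonly use.
CATEGORY_ALIASES = {"necessary": "strictly necessary", "functional": "preferences",
                    "statistics": "analytics", "advertising": "marketing"}

# Constructed: what the policy currently declares.
DECLARED = [
    {"name": "sessionid", "category": "strictly necessary", "duration": "session"},
    {"name": "cookie_consent", "category": "necessary", "duration": "1 year"},
    {"name": "_ga", "category": "analytics", "duration": "2 years"},
    {"name": "hjSession", "category": "statistics", "duration": "30 minutes"},
    {"name": "adid", "category": "functional", "duration": "1 year"},
]

# Constructed scan results: cookie name -> observed persistence.
OBSERVED_BEFORE_CONSENT = {
    "sessionid": "session",
    "cookie_consent": "180 days",
    "_ga": "2 years",          # analytics cookie set before the user chose anything
}
OBSERVED_AFTER_CONSENT = {
    "sessionid": "session",
    "cookie_consent": "180 days",
    "_ga": "2 years",
    "adid": "1 year",
    "_chat_uid": "1 year",     # set by a chat widget the policy never mentioned
}

# Constructed vendor catalogue: the category a known cookie really belongs to.
KNOWN_CATEGORY = {"_ga": "analytics", "adid": "marketing", "_chat_uid": "preferences"}


def normalize(category):
    """Map alias labels onto the four standard category names."""
    c = category.strip().lower()
    return CATEGORY_ALIASES.get(c, c)


def reconcile(declared, before, after, known=KNOWN_CATEGORY):
    """Return the discrepancies between the policy and the scan, by kind."""
    by_name = {d["name"]: d for d in declared}
    findings = {
        # Present on the site, absent from the policy.
        "undeclared": sorted(set(after) - set(by_name)),
        # Listed in the policy, no longer set anywhere.
        "stale": sorted(set(by_name) - set(before) - set(after)),
        "duration_mismatch": [],
        "set_before_consent": [],
        "suspect_category": [],
    }
    for name, seen in after.items():
        if name in by_name and by_name[name]["duration"] != seen:
            findings["duration_mismatch"].append((name, by_name[name]["duration"], seen))
    # Only strictly necessary cookies may exist before a consent choice.
    for name in sorted(before):
        category = normalize(by_name[name]["category"]) if name in by_name else "undeclared"
        if category != "strictly necessary":
            findings["set_before_consent"].append((name, category))
    # A declared category that contradicts the catalogue.
    for name, entry in by_name.items():
        declared_cat, expected = normalize(entry["category"]), known.get(name)
        if expected and expected != declared_cat:
            findings["suspect_category"].append((name, declared_cat, expected))
    return findings


def policy_needs_update(findings):
    """True when any finding would make the published policy inaccurate."""
    return any(findings.values())


if __name__ == "__main__":
    result = reconcile(DECLARED, OBSERVED_BEFORE_CONSENT, OBSERVED_AFTER_CONSENT)
    for kind, items in result.items():
        print(f"{kind:<20} {items}")
    print("policy needs update:", policy_needs_update(result))
```

Run on a schedule (the quarterly review from Step 9 is the minimum; a scan after each deployment is better), the set_before_consent finding is the one to treat as urgent, because it means the consent banner is not actually blocking anything.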

Does your website comply with cookie regulations?

Scan your website for free and find all of its cookies in minutes.

Scan your cookies for free