How to write a cookie policy for your website


Monique Holtman

18th July 2019

Every time you visit a website, a cookie file is saved to your device. This stores the website’s name and gives you a unique ID so it knows you’ve been there before.

Cookies can also be used to store other information including:

  • How long you spend on the website
  • The links you’re clicking on
  • The options, preferences or settings you’ve chosen
  • Accounts you log into
  • The pages you’ve visited
  • Which items you’ve placed in a shopping basket

All your previous browsing behaviours allow the server to deliver a page tailored to you.

What is a cookie policy?

A cookie policy tells your users which cookies are active on your website, what data you’re tracking, what you’re using this information for and where their data is being sent.

It should also tell people how they can opt out or change their settings. Because the cookies used on a website tend to change, it’s important to update your policy on a regular basis to ensure it’s still accurate.

Why do I need a cookie policy?

Although cookies are generally used to improve user experience, they’ve generated a lot of controversy in recent years as users have become increasingly conscious about their online privacy and security.

Cookies are a potential privacy risk because they have the ability to track, store and share what an individual is doing when they’re on a website. For this reason, it’s now a legal requirement that websites have to get clear consent from visitors in order to store or retrieve information based on their browsing habits.

You need to notify your site’s visitors that you’re using cookies and get their consent for this. Consumers also need to be made aware of how they can opt out if they wish. This applies to any business based in the EU or to those who are targeting their services to EU citizens.

When GDPR came into force last year, it became even more important that website owners have a cookie policy.

GDPR gives consumers the right to receive specific, up-to-date information which details the data that’s registered about them, what it’s being used for, where it’s being sent and what options a user has with regard to accepting or rejecting cookies.

As long as you do this the first time you set cookies, you don’t have to repeat the process every time the same person visits your website. However, bear in mind that devices may be used by different people so you may want to consider repeating this process at suitable intervals.

How to write a cookie policy for your website

Below is a step-by-step guide which details everything you need to know about writing a cookie policy.

Find out what cookies are being used on your website

The first step is to find out exactly which cookies are being used on your website. This is fundamental for creating a specific and accurate policy because every website uses them differently.

Keep in mind that you have to take into account both your own use of cookies and the ones that are set by any third parties present on your website. Read your third party services’ cookie policies to find out what they may be using on your site.

If you’re unsure how to find this information, you can use Cookiebot to complete an audit. This tool analyses your website and sends you a report with a complete overview of all the cookies in use, including their purpose and provenance.
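As an added illustration of this audit step (not part of the original article, and not how Cookiebot works), the script below turns `Set-Cookie` headers captured from a site's responses into the inventory a policy needs: cookie name, setting domain, first or third party, and how long the cookie stays. The host name `shop.example` and the sample headers are constructed, and first-party matching is a simple suffix check that assumes `SITE_HOST` is the site's registrable domain.

```javascript
// Added example: cookie inventory from captured Set-Cookie headers.
// Assumption: SITE_HOST is the site's registrable domain (no Public Suffix List lookup).
const SITE_HOST = "shop.example";

// Constructed sample data: [host that sent the response, raw Set-Cookie value].
const CAPTURED = [
  ["shop.example", "session_id=abc123; Path=/; HttpOnly; Secure"],
  ["shop.example", "basket=3; Max-Age=604800; Path=/"],
  ["ads.tracker.example", "uid=u-42; Domain=tracker.example; Max-Age=31536000; Secure; SameSite=None"],
  ["cdn.shop.example", "prefs=dark; Expires=Wed, 01 Jan 2020 00:00:00 GMT"],
];

// Split one Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(raw) {
  const [pair, ...rest] = raw.split(";").map((s) => s.trim());
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf("=");
    const key = (i === -1 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

// Lifetime in days; Max-Age wins over Expires, neither means a session cookie.
function lifetimeDays(attrs, now) {
  if (typeof attrs["max-age"] === "string") return Number(attrs["max-age"]) / 86400;
  if (typeof attrs.expires === "string") return (Date.parse(attrs.expires) - now) / 86400000;
  return null;
}

// One inventory row per cookie: who sets it and how long it persists.
function inventory(captured, siteHost, now = Date.now()) {
  return captured.map(([host, raw]) => {
    const { name, attrs } = parseSetCookie(raw);
    const scope = typeof attrs.domain === "string" ? attrs.domain : host;
    const domain = scope.replace(/^\./, "").toLowerCase();
    const firstParty = domain === siteHost || domain.endsWith("." + siteHost);
    const days = lifetimeDays(attrs, now);
    return {
      name, domain,
      party: firstParty ? "first" : "third",
      duration: days === null ? "session" : `${Math.round(days)} days`,
    };
  });
}

// Fixed "now" (the article's date) keeps the Expires-based row reproducible.
console.table(inventory(CAPTURED, SITE_HOST, Date.parse("2019-07-18T00:00:00Z")));
```

Each row maps onto the policy content: the type of cookie, how long it stays in the browser, and which domain receives it.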

Design a pop-up

Most websites display a pop-up or a notification at the bottom of the screen when a visitor first lands on the site. This is typically a brief notification which lets users know that the site uses cookies. They can then click through for more information, which takes them to the page your full cookie policy sits on.

Below is a perfect example of the type of information you typically see in a pop-up. It lets people know the site uses cookies, what it uses them for and then gives them the option to consent or not.

[Image: privacy popup]

Plan the content for your policy

Your cookie policy can be part of your privacy policy or be published as an independent page on your website.

As laid out in GDPR compliance regulations, your language needs to be plain and intelligible and should include the following information:

  • The type of cookies you’re using
  • The data you’re tracking
  • How long cookies stay on a user’s browser
  • Why you’re using cookies (for marketing purposes for example)
  • Where the data is sent and with whom it’s shared
  • How to reject cookies and how to change cookie settings

It’s unlikely that you have the time or the knowledge to write a cookie policy from scratch. Fortunately, there are plenty of free templates available to download online. All you need to do is fill in the relevant sections to make the template applicable to your business.

Some great resources for free cookie templates include:

Cookie policy generators are also great because you simply select the information that’s relevant to your business and the generator puts it all together for you. They’re ideal for SMEs who don’t have the time or the legal knowledge to put together a policy themselves.

Some great resources for cookie policy generators include:

Your final option is to ask your website provider (if you have one) to put together a policy for you. If you’re using an agency, they will have multiple clients and should therefore already have a template they can send you. Alternatively, they can put together the whole document from scratch although this will probably cost more than simply receiving a template.

What if a user rejects cookies?

If someone declines your cookie policy, it means that you can’t track their activity on your website.

There are strict rules on gaining consent and in order for it to be valid, it must be freely given, specific and informed. Consent must involve some form of unambiguous positive action – for example, ticking a box or clicking a link. The person must also fully understand that they’re giving consent.

Simply providing information about cookies as part of a privacy policy which is hard to find, difficult to understand or rarely read does not count as consent.

Your cookie policy should be very easy for first-time visitors to see. Because people might land on a page that’s not the homepage, it’s a good idea to display the notification on all pages on your website.

Don’t forget to provide an easy-to-find link to your policy and simple instructions for opting out of your cookie use. For further information about complying with the UK cookie law and the penalties for failing to do so, please head over to