Cookie Policy Template: What to Include and How to Stay Compliant
A practical guide to cookie policy requirements in 2026 — what cookies are, what the law says, and exactly what your policy needs to cover.
If your website uses cookies — and it almost certainly does — you are legally required to tell your visitors about them. That means you need a cookie policy. Not a vague banner that says “we use cookies,” but a proper document that explains what cookies you set, why you set them, and how users can control them.
The rules around cookies have tightened significantly in recent years, and enforcement in 2026 is no longer theoretical. Getting your cookie policy right is not optional — it is a legal requirement with real financial consequences.
Why You Need a Cookie Policy
Two major pieces of legislation govern how websites use cookies in Europe, and their influence extends well beyond EU borders.
The ePrivacy Directive
Often called the “Cookie Law,” the EU’s ePrivacy Directive (Directive 2002/58/EC, amended by Directive 2009/136/EC) requires, in Article 5(3), that a website obtain informed consent before storing information on a user’s device or reading information already stored there, unless doing so is strictly necessary to deliver a service the user has explicitly requested. In practice that means consent before any non-essential cookie is set, and the same rule covers local storage, tracking pixels and device fingerprinting. It also requires clear information about what each cookie does. Unlike the GDPR, which deals with personal data broadly, the ePrivacy Directive targets cookies and similar tracking technologies directly, and because it is a directive it is enforced through national transpositions (PECR in the UK, for example) by national regulators such as CNIL.
The GDPR
The General Data Protection Regulation reinforces the consent requirement because most cookies involve processing personal data: a cookie identifier tied to a browser or device is personal data under the GDPR. Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent (such as “by continuing to browse, you accept cookies”) do not meet that standard; the Court of Justice confirmed in Planet49 (C-673/17, 2019) that a pre-ticked box is not valid consent. EU visitors must actively opt in to non-essential cookies before those cookies are set.
Enforcement Is Real
Regulators are actively fining companies for cookie violations. In September 2025, CNIL (France’s data protection authority) issued a €150 million fine against SHEIN for placing advertising cookies without valid consent and for continuing to set them after visitors had refused. This followed CNIL’s earlier landmark fines, announced in January 2022, against Google (€150M) and Facebook (€60M) for making it harder to refuse cookies than to accept them. These are not just penalties for large corporations: smaller businesses across Europe have also faced enforcement actions, with fines typically ranging from €10,000 to €100,000 depending on the severity and the regulator involved.
What Are Cookies, Exactly?
Cookies are small pieces of data, each a name, a value and a handful of attributes (Domain, Path, expiry, Secure, HttpOnly, SameSite), that a website asks the browser to store and to send back with every later request to the matching domain. A server sets them with a Set-Cookie response header; scripts running on the page can also set them through document.cookie, which is how most analytics and marketing tags work. They serve a variety of purposes, from remembering login sessions to tracking user behaviour across multiple sites. Your cookie policy needs to account for every cookie your site sets, whichever route sets it.
Essential Cookies
These are necessary for your website to function: the session cookie that keeps a user logged in, shopping cart contents, load-balancer affinity cookies, and security tokens such as CSRF tokens. Essential cookies do not require consent under the ePrivacy Directive because they are strictly necessary for a service the user has asked for. The exemption is narrow, though: it covers only the necessary function, so a session cookie that is also read by an analytics tag to recognise returning visitors is no longer exempt. And you must still disclose essential cookies in your policy.
Analytics Cookies
Tools like Google Analytics, Matomo, and Hotjar place cookies to measure how visitors use your site — which pages they visit, how long they stay, and where they click. These are non-essential and require explicit opt-in consent in the EU. Many businesses mistakenly assume analytics cookies are essential. They are not. Some regulators, CNIL among them, exempt audience measurement from consent under strict conditions (no cross-site tracking, no reuse of the data by the vendor for its own purposes); Google Analytics in its default configuration does not qualify.
Marketing and Advertising Cookies
These track visitors across websites to build a profile for targeted advertising. Facebook Pixel, Google Ads remarketing tags, and LinkedIn Insight tags all fall into this category. Marketing cookies require opt-in consent under the ePrivacy Directive in every EU member state, are at least opt-out in most other jurisdictions with a privacy law, and are the category regulators scrutinise most closely.
Functional Cookies
These remember user preferences such as language selection, theme choice, or regional settings. They enhance the user experience but are not strictly necessary, so whether they need consent depends on how closely they are tied to something the user explicitly asked for: a language cookie written when the visitor picks a language from a menu is exempt, while one set on every visit to personalise content the visitor never requested is not. When in doubt, treat the cookie as consent-based.
What to Include in Your Cookie Policy
A compliant cookie policy should cover the following sections. Whether you write it yourself or use a generator like LegalForge, make sure none of these are missing.
1. What Cookies You Use
List every cookie your site sets. For each one, provide the cookie name, its purpose, who sets it (first-party or third-party), and how long it lasts (session or persistent, with a specific expiry period). A table format works well for this section.
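As an added example (not LegalForge’s code, and not any cookie scanner’s), here is a small script that turns the Set-Cookie headers recorded during a crawl of your site into the rows such a table needs, and doubles as the audit in Step 1 of the implementation section further down. The site host www.example.com, the sample headers and the purpose catalogue are all constructed for the example; cookies the catalogue does not know are flagged for manual review rather than guessed.

```javascript
// Added example, not LegalForge's code: turn Set-Cookie headers into the rows a
// cookie-policy table needs (name, category, purpose, party, lifetime, flags).
// The site host, the sample headers and the purpose catalogue are constructed.

const SITE_HOST = "www.example.com"; // assumed: the host being audited

// Constructed sample. `from` is the host whose HTTP response (or whose script,
// writing document.cookie) set the cookie, as seen in DevTools or a HAR file.
const SAMPLE_RESPONSES = [
  { from: "www.example.com", header: "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { from: "www.example.com", header: "csrftoken=9b2e1d; Path=/; Max-Age=31536000; Secure; SameSite=Strict" },
  { from: "www.example.com", header: "lang=en-GB; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure" },
  { from: "www.example.com", header: "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000" },
  { from: "ad.doubleclick.net", header: "IDE=AHWqTUk; Domain=.doubleclick.net; Path=/; Max-Age=34214400; Secure; HttpOnly; SameSite=None" },
];

// Assumed catalogue: the purpose text is what the policy will show. Anything
// not listed is flagged for review instead of being guessed.
const KNOWN_PURPOSES = {
  sessionid: ["essential", "Keeps you signed in for the duration of your visit"],
  csrftoken: ["essential", "Protects forms against cross-site request forgery"],
  lang: ["functional", "Remembers the language you selected"],
  _ga: ["analytics", "Google Analytics: distinguishes visitors to measure site usage"],
  IDE: ["marketing", "Google Ads (DoubleClick): tracks you across sites for ad targeting"],
};

// Parse one Set-Cookie header into name, value and attributes (RFC 6265 syntax).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Session cookie if neither Max-Age nor Expires is present; Max-Age wins when both are.
function lifetimeDays(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (maxAge !== undefined) return Math.round(Number(maxAge) / 86400);
  if (expires !== undefined) return Math.round((Date.parse(expires) - now.getTime()) / 86400000);
  return null;
}

// First-party if the cookie's domain is the site host or a parent of it.
// (Public-suffix handling is out of scope for this example.)
function classifyParty(cookie, fromHost, siteHost) {
  const domain = String(cookie.attrs.domain || fromHost).replace(/^\./, "").toLowerCase();
  return siteHost === domain || siteHost.endsWith("." + domain) ? "first-party" : "third-party";
}

function auditCookies(responses, siteHost, now) {
  return responses.map(({ from, header }) => {
    const cookie = parseSetCookie(header);
    const days = lifetimeDays(cookie, now);
    const [category, purpose] = KNOWN_PURPOSES[cookie.name] ||
      ["uncategorised", "REVIEW: purpose unknown, check the vendor's documentation"];
    return {
      name: cookie.name,
      category,
      purpose,
      party: classifyParty(cookie, from, siteHost),
      setBy: from,
      lifetime: days === null ? "session" : `${days} days`,
      secure: cookie.attrs.secure === true,
      httpOnly: cookie.attrs.httponly === true,
      sameSite: cookie.attrs.samesite || "(not set)",
    };
  });
}

// Render the inventory as the table the "What cookies we use" section needs.
function renderTable(rows) {
  const head = "| Cookie | Category | Purpose | Set by | Lifetime | Secure | HttpOnly | SameSite |\n|---|---|---|---|---|---|---|---|";
  const body = rows.map(r =>
    `| ${r.name} | ${r.category} | ${r.purpose} | ${r.party} (${r.setBy}) | ${r.lifetime} | ${r.secure ? "yes" : "no"} | ${r.httpOnly ? "yes" : "no"} | ${r.sameSite} |`);
  return [head, ...body].join("\n");
}

console.log(renderTable(auditCookies(SAMPLE_RESPONSES, SITE_HOST, new Date("2026-03-01T00:00:00Z"))));
```

Run it against headers captured from a clean browser profile (before consent, and again after consenting to each category) rather than from memory: the “uncategorised” rows are exactly the cookies a third-party script added without you noticing, and the Secure/HttpOnly/SameSite columns show at a glance whether your essential session and CSRF cookies carry the attributes they should.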
2. Why You Use Them
Group your cookies by purpose — essential, analytics, marketing, functional — and explain what each category does in plain language. Avoid jargon. “This cookie tracks your browsing behaviour to show you personalised advertisements across other websites” is far better than “used for ad targeting purposes.”
3. The Legal Basis for Each Category
Essential cookies are exempt from the ePrivacy consent requirement because they are strictly necessary for the service the user requested; any personal data they process then rests on a GDPR basis such as performance of a contract or legitimate interest. For every other category the basis is consent. State this explicitly so users understand which cookies are optional and which are required.
4. How Users Can Control Cookies
Explain how visitors can accept or reject non-essential cookies. This should cover your cookie consent banner or preference centre, how to change their mind after consenting, and how to delete cookies through browser settings. Provide specific instructions for major browsers (Chrome, Firefox, Safari, Edge).
5. Third Parties
Identify every third party that sets cookies through your site. For each one, link to their own cookie or privacy policy. Common examples include Google (Analytics, Ads), Meta (Facebook Pixel), Stripe (payment processing), and HubSpot (marketing).
6. Updates and Contact
State when the policy was last updated and how users will be notified of changes. Provide an email address or contact form for cookie-related questions.
GDPR Cookie Consent: Getting It Right
The consent mechanism is where most websites fall short. Under GDPR cookie consent rules, you must follow these principles:
- Prior consent. Non-essential cookies must not be set until the user actively clicks “Accept” or selects specific categories. In practice the tag script itself must not load before consent, because the script writes its cookie the moment it runs; showing a banner while loading analytics or marketing scripts underneath it is the violation regulators find most often.
- Genuine choice. The “Reject” or “Manage preferences” option must be as easy to find and use as the “Accept all” button. Dark patterns — such as making “Accept” prominent while hiding “Reject” behind multiple clicks — are called out in the EDPB’s guidelines on consent (05/2020) and were the basis of CNIL’s fines against Google and Facebook.
- Granular control. Users should be able to accept some categories (e.g., analytics) while rejecting others (e.g., marketing). An all-or-nothing approach does not meet the “specific” requirement of GDPR consent.
- Easy withdrawal. It must be as easy to withdraw consent as it is to give it. A persistent link to your cookie preferences (often in the footer) satisfies this requirement.
- Record keeping. You must be able to demonstrate that consent was obtained (Article 7(1) GDPR puts the burden of proof on you): when, how (accept all, reject all, or a specific selection), which version of the policy the user saw, and what they agreed to. Most consent management platforms store this automatically; if you build your own banner, log it yourself.
Common Cookie Policy Mistakes
- Setting cookies before consent. This is the most common violation. If your analytics or marketing scripts load on page load regardless of consent, you are non-compliant.
- Using a notice-only banner. A banner that says “This site uses cookies” with only an “OK” button is not valid consent. Users must have a real choice.
- Not listing all cookies. Audit your site regularly, in a clean browser profile with no consent given and again after consenting to each category. Third-party scripts can load further scripts and set cookies you never chose, and you are responsible for disclosing them.
- Treating cookie walls as consent. Blocking access to your site unless users accept all cookies is considered coercive and has been ruled invalid by several EU data protection authorities.
- Ignoring non-EU requirements. While the EU has the strictest cookie rules, other jurisdictions are catching up. Brazil’s LGPD, South Africa’s POPIA, and several US state laws now have requirements around tracking technologies.
How to Implement Your Cookie Policy
Getting compliant involves two things: the policy document itself and the technical implementation of consent.
Step 1: Audit your cookies. Use a scanner such as Cookiebot or CookieYes, or your browser’s developer tools (Application > Storage > Cookies in Chrome and Edge, the Storage tab in Firefox), in a fresh private window: record what is set before you touch the banner, then after rejecting, then after accepting each category. Anything set before consent, or after a rejection, is a finding. Categorise each cookie as essential, analytics, marketing, or functional.
Step 2: Write your cookie policy. Document every cookie you found, grouped by category, with the details outlined above. If you want a tailored policy without the cost of a lawyer, LegalForge generates a Cookie Policy as part of its £19 legal documents bundle — you answer a questionnaire about your site, and it produces a policy that matches your actual cookie usage.
Step 3: Implement a consent mechanism. Add a cookie consent banner that blocks non-essential scripts, not just their cookies, until consent is given. Free options include Cookiebot (limited free tier), Osano, and CookieYes. If you use Google tags, Consent Mode passes the consent state to them: set the default to denied with gtag('consent', 'default', …) before any tag loads, then send gtag('consent', 'update', …) once the visitor has chosen. Consent Mode does not by itself stop non-Google scripts from running, so those still need to be gated by your banner or by Google Tag Manager’s consent-based triggers.
Step 4: Link your policy. Your cookie policy should be accessible from your consent banner, your website footer, and ideally from your main privacy policy as well.
Step 5: Review regularly. Every time you add a new tool, script, or integration, check whether it sets cookies and update your policy accordingly. A quarterly audit is good practice.
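The consent principles above (prior consent, granular choice, withdrawal, record keeping) and Steps 3 and 4 of this procedure, as one added example in browser JavaScript. This is not LegalForge’s code, nor any consent platform’s: the category names, the storage key, POLICY_VERSION, the element ids and the placeholder tag ID are this example’s own assumptions. The Google Consent Mode signal names (analytics_storage, ad_storage and the rest) are real; the mapping from these categories to them is the example’s. Storage and script injection are passed in, so the same logic can be exercised outside a browser.

```javascript
// Added example, not LegalForge's code and not any vendor's CMP: a consent
// gate that (1) loads no non-essential script until the visitor decides,
// (2) lets them choose per category, (3) lets them withdraw later, and
// (4) records when, how and what they agreed to. Storage and script
// injection are injected so the logic also runs in Node for testing.
// Category names, STORAGE_KEY and POLICY_VERSION are this example's own.

const CATEGORIES = ["essential", "analytics", "marketing", "functional"];
const STORAGE_KEY = "cookie-consent";
const POLICY_VERSION = "2026-03"; // assumed: bump it whenever the policy text changes

// Google Consent Mode signal names are real; mapping them to our categories is an assumption.
function gtagState(allowed) {
  const v = c => (allowed(c) ? "granted" : "denied");
  return {
    analytics_storage: v("analytics"),
    ad_storage: v("marketing"),
    ad_user_data: v("marketing"),
    ad_personalization: v("marketing"),
    functionality_storage: v("functional"),
    security_storage: "granted", // essential: always allowed
  };
}

class ConsentManager {
  constructor({ storage, loadScript, gtag = null, now = () => new Date() }) {
    this.storage = storage;       // anything with getItem/setItem, e.g. window.localStorage
    this.loadScript = loadScript; // (src, category) => void, e.g. inject a <script> tag
    this.gtag = gtag;             // optional window.gtag for Consent Mode
    this.now = now;
    this.pending = new Map(CATEGORIES.map(c => [c, []]));
    this.loaded = new Set();
    const raw = this.storage.getItem(STORAGE_KEY);
    this.record = raw ? JSON.parse(raw) : null; // null = visitor has not decided yet
    // The Consent Mode default must be sent before any Google tag runs.
    if (this.gtag) this.gtag("consent", "default", gtagState(c => this.isAllowed(c)));
  }

  isAllowed(category) {
    if (category === "essential") return true;
    return Boolean(this.record && this.record.granted.includes(category));
  }

  // Tags register here instead of being written straight into the page.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.isAllowed(category)) this.run(category, src);
    else this.pending.get(category).push(src);
  }

  run(category, src) {
    if (this.loaded.has(src)) return;
    this.loaded.add(src);
    this.loadScript(src, category);
  }

  // Single entry point for accept-all, reject-all, preferences and withdrawal,
  // so every decision is recorded the same way and previous ones are kept.
  decide(granted, method) {
    const previous = this.record
      ? [...this.record.history, { at: this.record.at, granted: this.record.granted, method: this.record.method }]
      : [];
    this.record = {
      version: POLICY_VERSION,
      granted: CATEGORIES.filter(c => c !== "essential" && granted.includes(c)),
      method, // "accept_all" | "reject_all" | "preferences" | "withdraw"
      at: this.now().toISOString(),
      history: previous,
    };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.record));
    if (this.gtag) this.gtag("consent", "update", gtagState(c => this.isAllowed(c)));
    for (const [category, queue] of this.pending) {
      if (this.isAllowed(category)) for (const src of queue.splice(0)) this.run(category, src);
    }
    return this.record;
  }

  acceptAll() { return this.decide(CATEGORIES, "accept_all"); }
  rejectAll() { return this.decide([], "reject_all"); }
  setPreferences(categories) { return this.decide(categories, "preferences"); }

  // Withdrawal is recorded and stops future loads, but a script that already
  // ran on this page keeps running: reload the page (or call the vendor's own
  // opt-out) afterwards. HttpOnly and third-party cookies it set cannot be
  // deleted from page JavaScript at all.
  withdraw(category) {
    const keep = (this.record ? this.record.granted : []).filter(c => c !== category);
    return this.decide(keep, "withdraw");
  }
}

// Browser wiring (element ids assumed). The banner itself must give "Reject all"
// the same prominence as "Accept all"; the gate cannot enforce that for you.
if (typeof document !== "undefined") {
  const injectScript = src => { const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s); };
  const cm = new ConsentManager({ storage: window.localStorage, loadScript: injectScript, gtag: window.gtag || null });
  cm.register("analytics", "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"); // placeholder tag ID
  cm.register("marketing", "https://connect.facebook.net/en_US/fbevents.js");
  document.getElementById("consent-accept").onclick = () => cm.acceptAll();
  document.getElementById("consent-reject").onclick = () => cm.rejectAll();
}
```

The design choice worth copying is that tags never appear as plain script elements in the HTML; they are registered against a category and only ever loaded through the gate, so “set cookies before consent” cannot happen by accident when someone pastes a new snippet. The stored record, with its version and history, is what you would hand a regulator who asks when and how a given visitor consented. For the footer preference link, reopen the banner and call setPreferences or withdraw.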
The Bottom Line
A cookie policy is not just a compliance checkbox — it is an enforceable legal requirement with significant penalties for getting it wrong. The good news is that creating a proper cookie policy is straightforward once you understand what cookies your site uses and what the law requires you to disclose.
If you are building or updating your website’s legal documents, LegalForge can generate a Cookie Policy, Privacy Policy, and Terms of Service tailored to your business in 60 seconds. Answer a short questionnaire, and receive all three documents for a one-time £19 payment — no subscription, no recurring fees.