Cookie Policy Template

Cookies are small text files that websites place and store on the computers and mobile devices of their users. These files are generally used to improve the user experience, but may contain personal information about the user or their behavior on the website.

If your website uses cookies to track users, you need a dedicated cookie policy.

Download our free cookie policy template below and read our guide to create one for your own website.

Table of Contents

Cookie Policies Explained
Are You Legally Required to Have a Cookie Policy?
What's Inside a Cookie Policy?
Posting Your Cookie Policy
Getting User Consent for Your Cookies Policy
Examples of Cookie Policies
Generic Cookie Policy Template [Sample Text and Free Download]
FAQs About Cookie Policies
Summary

A cookie policy is a legal document created to inform site visitors that you’re using cookies — and how — on your website, web app, or mobile app.

Maintaining proper cookie compliance requires your cookie policy to include the type of cookies collected, the methods used to obtain the information, the reasons why cookies are being collected, and an explanation of how users can manage their cookie preferences.

Cookies Policy vs Privacy Policy

A cookies policy is used solely to discuss the use of cookies on your website or mobile application and to outline whether you share cookie data with third parties. While cookies were initially limited to the sites that users had visited, technology can now track user movements from site to site.

The collection of tracking information needs to be presented to users, along with the ability to opt out of having information tracked. If this is not an option, your users may choose not to continue on your site, and you may violate certain laws.

A privacy policy is used to disclose information about how your business collects, shares, and treats your consumers’ data. Mandated by data privacy laws worldwide, privacy policies should clearly and explicitly detail which personal information (PI) is collected, why it’s collected, with whom it may be shared, and how users can control their data.

Create a Cookie Policy Using Termly

Here’s how you can use Termly’s generator to create a comprehensive and compliant cookie policy.

Step 1: Go to Termly’s cookie policy generator and scan your website.

Step 2: Review the cookie scan report and add or edit cookie information as needed.

Step 3: Click “Generate Cookie Policy” in your scan report to create a customized policy with your scan information.

Step 4: Add your cookie policy to your website using one of our embed options.

Cookie policies are required in both the US and the EU.

Laws based in the EU apply to all businesses that target or have EU consumers. This means that US businesses with direct or potential EU customers need an informative cookie policy that also meets the transparency and consent requirements of the GDPR and the Cookie Law.

This added precaution regarding transparency and consent is an excellent way to stay ahead of impending changes in state, federal, and international laws.

US Requirements

If you have existing or potential consumers in California, you might need to comply with the California Consumer Privacy Act (CCPA). This broad state privacy law requires that you present a cookies policy that explains the cookies you collect and store and how you or third parties may use them.

The CCPA applies to businesses that operate in California that meet any of the following:

Have a gross annual revenue of over $25 million
Buy, receive, or sell the personal information of 50,000 or more California residents
Derive at least 50% of their annual revenue from selling personal information

In November 2020, an addendum to the CCPA was put in place. The California Privacy Rights Act (CPRA) is a state-wide data privacy law that amends and expands the CCPA, tightening business regulations and strengthening data privacy rights.

The CPRA applies to businesses that operate in California that meet any of the following:

Have a gross annual revenue of over $25 million in the preceding calendar year
Buy, sell, or share the personal information of 100,000 or more Californians
Derive at least 50% of their annual revenue from selling or sharing personal information

The significant addition in the CPRA is the increase in the volume of consumers and adding the sharing, rather than just the selling, of consumer personal information. While the number of threshold consumers has increased in the CPRA, the inclusion of “sharing” related to deriving 50% or more of annual revenue will likely increase the number of businesses that must comply with the CPRA.

The CPPA is authorized to enforce and penalize a business’s failure to:

Reasonably limit the collection of personal information, including sensitive data, to what is necessary for the purpose for which it was collected.
Limit the retention of personal information to the least amount of time necessary to fulfill the purpose for which it was collected.

With regard to consent, the CCPA doesn’t require prior consent. Therefore, you can collect, store, and use the cookie data right away without confirmation from the user.

However, while users in the US don’t need to give prior consent for cookies to be used, the relevant cookie policy must be prominent, clear, and accessible. Users must also have the option to adjust cookie collection preferences and opt out from further cookie processing.

Consent rules under the CPRA go further in safeguarding against the use of data from consumers under 16. Prior consent is required to sell or share a minor’s personal information.

EU Requirements

The rise in the number of cookie policy alerts was primarily the result of having to comply with two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the EU in 2018, and the European Cookie Directive, otherwise known as either the EU Cookie Law or the ePrivacy Directive — first passed in 2002 and updated in 2009.

If you have users in the EU, the GDPR requires you to present a privacy policy that includes a section on what personal information is being collected by cookies. However, as long as the information is presented to consumers in the privacy policy, you don’t need a separate cookie policy.

Technically, cookies are mentioned only once under GDPR Recital 30. Despite that limited reference, the regulations regarding cookies affect any business that uses personal cookie identifiers to track browser activity. When cookies keep data that can identify an individual, it is considered personal data, and you must inform users of their rights regarding cookie collection.

If you use cookie identifiers, the GDPR requires that you:

Inform your users that your website or application uses cookies.
Identify any third-party services that may collect cookies.
Clearly explain what and how cookies work.
Explain why and how you use the cookies.
Provide information on adjusting or opting out of cookies.
Obtain informed consent before storing those cookies on the user’s device.

The GDPR requires consent from website users to use cookies. It defines consent as freely given, specific, informed, and unambiguous — and must be supplied through an explicit affirmative action.

Having pre-ticked boxes or accepting a user’s silence is insufficient to obtain consent.

All users in the European Economic Area (EEA) must consent to non-essential cookies before a site can use them. Websites risk enormous fines if they are subject to the requirements of the EEA or GDPR and do not get a user’s consent or permission before they collect cookies that can personally identify them.

In the EU, consent for cookies is also required by the European Cookie Directive (known as the EU Cookie Law or the ePrivacy Directive). The Cookie Law requires websites to get consent from visitors to store or retrieve any information on a smartphone, computer, or tablet. The Cookie Law was designed to protect online privacy by making consumers aware of how their information is collected and used online and giving them a choice whether or not to consent.

Every cookie policy needs to include the same basic information:

An explanation of what cookies are
The types of cookies in use by you or third parties
How you collect information (e.g., forms, sign-ups, subscriptions)
Why you or a third party is collecting the information
How a user can opt out of having cookies placed on a device
Detailed instructions on how users can set their cookie preferences or opt out from them

The purpose of using a cookie policy template is to create a comprehensive cookie policy that will notify users that your site is using cookies and provide transparency about that cookie activity. Therefore, the language in your cookies policy should be accessible, straightforward, and easy to understand.

If users have navigated to your cookies policy, they likely want to know specific information about the cookies you use and what rights they have as consumers.

When filling in your cookie policy template, consider what information the average user is trying to discover by visiting your cookie policy.

Inform Users What Cookies Are

It’s important to outline details in your cookie policy using clear writing that your users can readily understand.

Explaining what cookies are is an essential step in your cookie policy. For example, you can state that cookies are bits of information that typically contain a distinct ID for each user and a site name.

You should further explain that cookies enable websites to retrieve this information when users revisit them to tailor the page content for each user based on data related to prior browsing experiences, habits, and preferences.

Be sure to use your cookie policy to remind your users that cookies can only retrieve the particular data they have previously been allowed to store on your hard drive or mobile browser. Cookies cannot access any other information about you from your device.

Inform Users That You Use Cookies

Inform users if your website uses cookies or other types of tracking technologies, including tracking users from site to site for the purposes of targeted advertising.

If your business shares or discloses personal information to third parties for cross-context behavioral advertising, the CPRA requires that you inform your users by posting a “Do Not Share My Personal Information” link and provide consumers the ability to opt out.

Under CPRA, consumers also have a new right to limit the use and disclosure of sensitive personal information, like race or sexual orientation. They can direct you to use the data only to perform a necessary service.

In terms of informing users, businesses have to provide a clear and conspicuous link on their website homepage titled “Limit the Use of My Sensitive Personal Information.”

Inform Users What Kind of Cookies You Use

You need to inform your users exactly what type of cookies are being used on your website. Some examples of the various types of internet cookies include:

Session cookies
Persistent cookies
Tracking cookies
Advertising Cookies
Analytics Cookies
Personalization Cookies
Security/Authentication Cookies

Inform Users How You Use Cookies

By legal mandate in the GDPR, CCPA, and CPRA, you must inform users how you use cookies. You can place that information in your privacy policy under the GDPR or explain in a cookies policy as required by the CCPA and CPRA.

Your cookie policy should indicate that some cookies are inherently necessary. For example, authentication cookies are used to ascertain who you are when logging into an account.

Inform Users How They Can Opt Out of Cookies or Adjust Cookie Settings

Your cookie template must inform a user how they can opt out and control the use of the data collected by a particular site. You can also inform users that it’s possible to opt out of some third-party cookies through the Network Advertising Initiative’s Opt-Out Tool.

Privacy laws strive to give users as much control as possible over their data and how it is being used. For example, the recent CPRA law allows California consumers to opt out of both the sale and the sharing of their data.

Consumers can take further steps by adjusting cookie settings to select which cookies are acceptable to the consumer. These steps include:

Unsubscribing to the particular website that is collecting cookies
Deleting the application requesting cookie collection
Unchecking a marked box
Directly withdrawing consent by contacting the website owner
Choosing not to proceed with that particular online activity

You should post your cookies policy in a prominent and clearly marked place on your site or app. There are multiple locations where you can post your cookie policy, as long as the policy is clear, accessible, and easy to understand.

You can choose to post your policy in just one prominent spot or place it in your header or footer. Additional locations include the main menu of your website or application. Many businesses choose to create a privacy policy center, but that is not required.

Inside Current Legal Policies

Many website or application owners choose to place their cookie policy alongside other relevant policies, like terms of use or privacy policies. This method is especially useful for obtaining informed consent to place cookies on a user’s device. Users can generally not move forward on your site unless they affirmatively check a box agreeing to the cookie collection.

Informational Menus or Sections

You may use informational menus or dedicated sections to guide an interested user to more information on your cookies policy. However, the location of the menu or section must still be prominent to allow users to navigate to the various parts they wish to learn more about.

Website Footer

Website footers that appear along the bottom of your site can provide links to areas of user interest. For example, your website footer can list items like company contact information or a link to your website’s cookies policy.

Banners and Pop-Ups

Banners and pop-ups have gained popularity as a method of maintaining privacy compliance. Website owners are required to obtain the prior consent (GDPR) from users to legally process their personal data, or they need to create opt-out mechanisms so users can be removed from cookie placement (CCPA).

Cookie notification messages, as well as pop-ups, can be seen on many websites today. Below is a typical banner that alerts users to cookie usage and provides options to customize cookie settings:

Pop-ups are also a convenient method of informing users and ensuring that users are moving forward with both knowledge and consent.

For example, the global furniture company, Ikea, uses a pop-up feature on their UK website where users are directly provided with a choice to accept all cookies or customize settings.

Consent for your cookies policy requires that a user affirmatively check a box, provide information to proceed onto the website, or click on cookie settings to acknowledge they have read, understood, and wish to proceed with the accompanying policy. You can check out some consent banner examples for inspiration on how to display your cookie notice.

An effective cookies policy is designed to alert users of the existence of cookies and the fact that your website collects data in this manner. In addition, the best cookie policies describe how a user can manage their preferences and require affirmative consent.

Here are some good cookie policy examples to draw inspiration from.

1. Ikea Cookie Policy (Bullet Point Format)

Ikea’s cookie policy uses bullet points to describe the different reasons they collect cookies. It is clear, straightforward, and written in a manner that is easily understood.

2. Termly’s Cookie Policy (Question and Answer Format)

Termly’s cookie policy is a great example for you to draw from. We include a question-and-answer format and inform our users what cookies are, how they are used, and how users can control them.

Our cookie policy follows up with a table listing specific notations regarding each type of cookie that is collected, the purposes for the collection, and when they expire:

3. BBC Cookie Policy (FAQ Format)

In the BBC’s cookie policy, they approach gaining your knowledge and consent through the use of a Frequently Asked Questions format. By formatting the cookies policy in an FAQ format, you can anticipate what users are there to find out — and make finding the answers to those questions easy.

Simply click the box below to see an example of a generic cookies policy, or click the button beneath it to download the document in Microsoft Word and PDF file formats.

Cookie Policy Template [Text Format]

Last updated [Date]

This Cookie Policy explains how [Company Name], doing business as [Company Short Name] (“Company,” “we,” “us,” and “our“) uses cookies and similar technologies to recognize you when you visit our websites at [Website URLs] (“Websites“). It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases we may use cookies to collect personal information, or that becomes personal information if we combine it with other information.

This cookie policy template was created by Termly’s Cookie Consent Manager.

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.

Cookies set by the website owner (in this case, [Company Name]) are called “first party cookies”. Cookies set by parties other than the website owner are called “third party cookies”. Third party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). The parties that set these third party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.

Why do we use cookies?

We use first and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites to operate, and we refer to these as “essential” or “strictly necessary” cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our Online Properties. Third parties serve cookies through our Websites for advertising, analytics and other purposes. This is described in more detail below.

The specific types of first and third party cookies served through our Websites and the purposes they perform are described below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by setting your preferences in the Cookie Consent Manager. The Cookie Consent Manager allows you to select which categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services.

The Cookie Consent Manager can be found in the notification banner and on our website. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. You may also set or amend your web browser controls to accept or refuse cookies. As the means by which you can refuse cookies through your web browser controls vary from browser-to-browser, you should visit your browser’s help menu for more information.

In addition, most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit https://optout.aboutads.info/ or https://www.youronlinechoices.com/.

The specific types of first and third party cookies served through our Websites and the purposes they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):

Essential website cookies:

These cookies are strictly necessary to provide you with services available through our Websites and to use some of its features, such as access to secure areas.