Cookie Policy Template

Cookies are small text files that websites place and store on the computers and mobile devices of their users. These files are generally used to improve the user experience, but may contain personal information about the user or their behavior on the website.

If your website uses cookies to track users, you need a dedicated cookie policy.

Download our free cookie policy template below and read our guide to create one for your own website.

Table of Contents

1. Cookie Policies Explained
2. Are You Legally Required to Have a Cookies Policy?
3. What's Inside a Cookie Policy?
4. Posting Your Cookie Policy
5. Getting User Consent for Your Cookies Policy
6. Examples of Cookie Policies
7. Generic Cookie Policy Template [Sample Text and Free Download]
8. FAQs About Cookie Policies
9. Summary

Cookie Policies Explained

A cookie policy is a legal document created to inform site visitors that you’re using cookies — and how — on your website, web app, or mobile app.

Maintaining proper cookie compliance requires your cookie policy to include the type of cookies collected, the methods used to obtain the information, the reasons why cookies are being collected, and an explanation of how users can manage their cookie preferences.

Cookies Policy vs Privacy Policy

A cookies policy is used solely to discuss the use of cookies on your website or mobile application and to outline whether you share cookie data with third parties. While cookies were initially limited to the sites that users had visited, technology can now track user movements from site to site.

The collection of tracking information needs to be presented to users, along with the ability to opt out of having information tracked. If this is not an option, your users may choose not to continue on your site, and you may violate certain laws.

A privacy policy is used to disclose information about how your business collects, shares, and treats your consumers’ data. Mandated by data privacy laws worldwide, privacy policies should clearly and explicitly detail which personal information (PI) is collected, why it’s collected, with whom it may be shared, and how users can control their data.

Are You Legally Required to Have a Cookies Policy?

Cookie policies are required in both the US and the EU.

Laws based in the EU apply to all businesses that target or have EU consumers. This means that US businesses with direct or potential EU customers need an informative cookie policy that also meets the transparency and consent requirements of the GDPR and the Cookie Law.

This added precaution regarding transparency and consent is an excellent way to stay ahead of impending changes in state, federal, and international laws.

US Requirements

If you have existing or potential consumers in California, you might need to comply with the California Consumer Privacy Act (CCPA). This broad state privacy law requires that you present a cookies policy that explains the cookies you collect and store and how you or third parties may use them.

The CCPA applies to businesses that operate in California that meet any of the following:

• Have a gross annual revenue of over $25 million
• Buy, receive, or sell the personal information of 50,000 or more California residents
• Derive at least 50% of their annual revenue from selling personal information

In November 2020, an addendum to the CCPA was put in place. The California Privacy Rights Act (CPRA) is a state-wide data privacy law that amends and expands the CCPA, tightening business regulations and strengthening data privacy rights.

The CPRA applies to businesses that operate in California that meet any of the following:

• Have a gross annual revenue of over $25 million in the preceding calendar year
• Buy, sell, or share the personal information of 100,000 or more Californians
• Derive at least 50% of their annual revenue from selling or sharing personal information

The significant addition in the CPRA is the increase in the volume of consumers and adding the sharing, rather than just the selling, of consumer personal information. While the number of threshold consumers has increased in the CPRA, the inclusion of “sharing” related to deriving 50% or more of annual revenue will likely increase the number of businesses that must comply with the CPRA.

The CPPA is authorized to enforce and penalize a business’s failure to:

1. Reasonably limit the collection of personal information, including sensitive data, to what is necessary for the purpose for which it was collected.
2. Limit the retention of personal information to the least amount of time necessary to fulfill the purpose for which it was collected.

With regard to consent, the CCPA doesn’t require prior consent. Therefore, you can collect, store, and use the cookie data right away without confirmation from the user.

However, while users in the US don’t need to give prior consent for cookies to be used, the relevant cookie policy must be prominent, clear, and accessible. Users must also have the option to adjust cookie collection preferences and opt out from further cookie processing.

Consent rules under the CPRA go further in safeguarding against the use of data from consumers under 16. Prior consent is required to sell or share a minor’s personal information.

EU Requirements

The rise in the number of cookie policy alerts was primarily the result of having to comply with two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the EU in 2018, and the European Cookie Directive, otherwise known as either the EU Cookie Law or the ePrivacy Directive — first passed in 2002 and updated in 2009.

If you have users in the EU, the GDPR requires you to present a privacy policy that includes a section on what personal information is being collected by cookies. However, as long as the information is presented to consumers in the privacy policy, you don’t need a separate cookie policy.

Technically, cookies are mentioned only once under GDPR Recital 30. Despite that limited reference, the regulations regarding cookies affect any business that uses personal cookie identifiers to track browser activity. When cookies keep data that can identify an individual, it is considered personal data, and you must inform users of their rights regarding cookie collection.

If you use cookie identifiers, the GDPR requires that you:

• Inform your users that your website or application uses cookies.
• Identify any third-party services that may collect cookies.
• Clearly explain what and how cookies work.
• Explain why and how you use the cookies.
• Provide information on adjusting or opting out of cookies.
• Obtain informed consent before storing those cookies on the user’s device.

The GDPR requires consent from website users to use cookies. It defines consent as freely given, specific, informed, and unambiguous — and must be supplied through an explicit affirmative action.

Having pre-ticked boxes or accepting a user’s silence is insufficient to obtain consent.

All users in the European Economic Area (EEA) must consent to non-essential cookies before a site can use them. Websites risk enormous fines if they are subject to the requirements of the EEA or GDPR and do not get a user’s consent or permission before they collect cookies that can personally identify them.

In the EU, consent for cookies is also required by the European Cookie Directive (known as the EU Cookie Law or the ePrivacy Directive). The Cookie Law requires websites to get consent from visitors to store or retrieve any information on a smartphone, computer, or tablet. The Cookie Law was designed to protect online privacy by making consumers aware of how their information is collected and used online and giving them a choice whether or not to consent.

What’s Inside a Cookie Policy?

Every cookie policy needs to include the same basic information:

The purpose of using a cookie policy template is to create a comprehensive cookie policy that will notify users that your site is using cookies and provide transparency about that cookie activity. Therefore, the language in your cookies policy should be accessible, straightforward, and easy to understand.

If users have navigated to your cookies policy, they likely want to know specific information about the cookies you use and what rights they have as consumers.

When filling in your cookie policy template, consider what information the average user is trying to discover by visiting your cookie policy.

Inform Users What Cookies Are

It’s important to outline details in your cookie policy using clear writing that your users can readily understand.

Explaining what cookies are is an essential step in your cookie policy. For example, you can state that cookies are bits of information that typically contain a distinct ID for each user and a site name.

You should further explain that cookies enable websites to retrieve this information when users revisit them to tailor the page content for each user based on data related to prior browsing experiences, habits, and preferences.

Be sure to use your cookie policy to remind your users that cookies can only retrieve the particular data they have previously been allowed to store on your hard drive or mobile browser. Cookies cannot access any other information about you from your device.

Inform Users That You Use Cookies

Inform users if your website uses cookies or other types of tracking technologies, including tracking users from site to site for the purposes of targeted advertising.

If your business shares or discloses personal information to third parties for cross-context behavioral advertising, the CPRA requires that you inform your users by posting a “Do Not Share My Personal Information” link and provide consumers the ability to opt out.

Under CPRA, consumers also have a new right to limit the use and disclosure of sensitive personal information, like race or sexual orientation. They can direct you to use the data only to perform a necessary service.

In terms of informing users, businesses have to provide a clear and conspicuous link on their website homepage titled “Limit the Use of My Sensitive Personal Information.”

Inform Users What Kind of Cookies You Use

You need to inform your users exactly what type of cookies are being used on your website. Some examples of the various types of internet cookies include:

Inform Users How You Use Cookies

By legal mandate in the GDPR, CCPA, and CPRA, you must inform users how you use cookies. You can place that information in your privacy policy under the GDPR or explain in a cookies policy as required by the CCPA and CPRA.

Your cookie policy should indicate that some cookies are inherently necessary. For example, authentication cookies are used to ascertain who you are when logging into an account.

Inform Users How They Can Opt Out of Cookies or Adjust Cookie Settings

Your cookie template must inform a user how they can opt out and control the use of the data collected by a particular site. You can also inform users that it’s possible to opt out of some third-party cookies through the Network Advertising Initiative’s Opt-Out Tool.

Privacy laws strive to give users as much control as possible over their data and how it is being used. For example, the recent CPRA law allows California consumers to opt out of both the sale and the sharing of their data.

Consumers can take further steps by adjusting cookie settings to select which cookies are acceptable to the consumer. These steps include:

• Unsubscribing to the particular website that is collecting cookies
• Deleting the application requesting cookie collection
• Unchecking a marked box
• Directly withdrawing consent by contacting the website owner
• Choosing not to proceed with that particular online activity

Posting Your Cookie Policy

You should post your cookies policy in a prominent and clearly marked place on your site or app. There are multiple locations where you can post your cookie policy, as long as the policy is clear, accessible, and easy to understand.

You can choose to post your policy in just one prominent spot or place it in your header or footer. Additional locations include the main menu of your website or application. Many businesses choose to create a privacy policy center, but that is not required.

Inside Current Legal Policies

Many website or application owners choose to place their cookie policy alongside other relevant policies, like terms of use or privacy policies. This method is especially useful for obtaining informed consent to place cookies on a user’s device. Users can generally not move forward on your site unless they affirmatively check a box agreeing to the cookie collection.

Informational Menus or Sections

You may use informational menus or dedicated sections to guide an interested user to more information on your cookies policy. However, the location of the menu or section must still be prominent to allow users to navigate to the various parts they wish to learn more about.

Website Footer

Website footers that appear along the bottom of your site can provide links to areas of user interest. For example, your website footer can list items like company contact information or a link to your website’s cookies policy.

Banners and Pop-Ups

Banners and pop-ups have gained popularity as a method of maintaining privacy compliance. Website owners are required to obtain the prior consent (GDPR) from users to legally process their personal data, or they need to create opt-out mechanisms so users can be removed from cookie placement (CCPA).

Cookie notification messages, as well as pop-ups, can be seen on many websites today. Below is a typical cookie banner that alerts users to cookie usage and provides options to customize cookie settings:

Pop-ups are also a convenient method of informing users and ensuring that users are moving forward with both knowledge and consent.

For example, the global furniture company, Ikea, uses a pop-up feature on their UK website where users are directly provided with a choice to accept all cookies or customize settings.

Getting User Consent for Your Cookies Policy

Consent for your cookies policy requires that a user affirmatively check a box, provide information to proceed onto the website, or click on cookie settings to acknowledge they have read, understood, and wish to proceed with the accompanying policy. You can check out some consent banner examples for inspiration on how to display your cookie notice.

 

Examples of Cookie Policies

An effective cookies policy is designed to alert users of the existence of cookies and the fact that your website collects data in this manner. In addition, the best cookie policies describe how a user can manage their preferences and require affirmative consent.

Here are some good cookie policy examples to draw inspiration from.

1. Ikea Cookie Policy (Bullet Point Format)

Ikea’s cookie policy uses bullet points to describe the different reasons they collect cookies. It is clear, straightforward, and written in a manner that is easily understood.

2. Termly’s Cookie Policy (Question and Answer Format)

Termly’s cookie policy is a great example for you to draw from. We include a question-and-answer format and inform our users what cookies are, how they are used, and how users can control them.

Our cookie policy follows up with a table listing specific notations regarding each type of cookie that is collected, the purposes for the collection, and when they expire:

3. BBC Cookie Policy (FAQ Format)

In the BBC’s cookie policy, they approach gaining your knowledge and consent through the use of a Frequently Asked Questions format. By formatting the cookies policy in an FAQ format, you can anticipate what users are there to find out — and make finding the answers to those questions easy.

Generic Cookie Policy Template [Sample Text and Free Download]

You can download our free cookie policy template below in Word Doc, PDF, or Google Doc format. You can also just copy & paste the HTML directly to your website.

Before using it, read through the entire cookie policy template – fill in all of the [brackets], remove any sections that do not apply to your app, and tweak any language as needed.

Cookie Policy Template [Text Format]

Last updated [Date]

This Cookie Policy explains how [Company Name] (“Company,” “we,” “us,” or “our”) uses cookies and similar technologies to recognize you when you visit our websites at [Website URL] (“Websites“). It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases we may use cookies to collect personal information, or that becomes personal information if we combine it with other information.

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.

I Cookies set by the website owner (in this case, [Company Name]) are called “first-party cookies.” Cookies set by parties other than the website owner are called “third-party cookies.” Third-party cookies enable third-party features or functionality to be provided on or through the website (e.g., advertising, interactive content, and analytics). The parties that set these third-party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.

Why do we use cookies?

We use first- and third-party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites to operate, and we refer to these as “essential” or “strictly necessary” cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our Online Properties. Third parties serve cookies through our Websites for advertising, analytics, and other purposes. This is described in more detail below.

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by setting your preferences in the Cookie Consent Manager. The Cookie Consent Manager allows you to select which categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services.

The Cookie Consent Manager can be found in the notification banner and on our website. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. You may also set or amend your web browser controls to accept or refuse cookies.

The specific types of first- and third-party cookies served through our Websites and the purposes they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):

Essential website cookies:

These cookies are strictly necessary to provide you with services available through our Websites and to use some of its features, such as access to secure areas.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

Performance and functionality cookies:

These cookies are used to enhance the performance and functionality of our Websites but are non-essential to their use. However, without these cookies, certain functionality (like videos) may become unavailable.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

Analytics and customization cookies:

These cookies collect information that is used either in aggregate form to help us understand how our Websites are being used or how effective our marketing campaigns are, or to help us customize our Websites for you.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

Advertising cookies:

These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

Social networking cookies:

These cookies are used to enable you to share pages and content that you find interesting on our Websites through third-party social networking and other websites. These cookies may also be used for advertising purposes.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

Unclassified cookies:

These are cookies that have not yet been categorized. We are in the process of classifying these cookies with the help of their providers.

Name:	[Cookie Name]
Purpose:	[Purpose]
Provider:	[Domain]
Service:	[Service] [Service’s Privacy Policy URL]
Country:	[Country]
Type:	[Tracker Type]
Expires in:	[Expiry]

How can I control cookies on my browser?

As the means by which you can refuse cookies through your web browser controls vary from browser to browser, you should visit your browser’s help menu for more information. The following is information about how to manage cookies on the most popular browsers:

• Chrome
• Internet Explorer
• Firefox
• Safari
• Edge
• Opera

In addition, most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit:

• Digital Advertising Alliance
• Digital Advertising Alliance of Canada
• European Interactive Digital Advertising Alliance

What about other tracking technologies, like web beacons?

Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called “tracking pixels” or “clear gifs”). These are tiny graphics files that contain a unique identifier that enables us to recognize when someone has visited our Websites or opened an email including them. This allows us, for example, to monitor the traffic patterns of users from one page within a website to another, to deliver or communicate with cookies, to understand whether you have come to the website from an online advertisement displayed on a third-party website, to improve site performance, and to measure the success of email marketing campaigns. In many instances, these technologies are reliant on cookies to function properly, and so declining cookies will impair their functioning.

Do you use Flash cookies or Local Shared Objects?

Websites may also use so-called “Flash Cookies” (also known as Local Shared Objects or “LSOs”) to, among other things, collect and store information about your use of our services, fraud prevention, and for other site operations.

If you do not want Flash Cookies stored on your computer, you can adjust the settings of your Flash player to block Flash Cookies storage using the tools contained in the Website Storage Settings Panel. You can also control Flash Cookies by going to the Global Storage Settings Panel and following the instructions (which may include instructions that explain, for example, how to delete existing Flash Cookies (referred to “information” on the Macromedia site), how to prevent Flash LSOs from being placed on your computer without your being asked, and (for Flash Player 8 and later) how to block Flash Cookies that are not being delivered by the operator of the page you are on at the time).

Please note that setting the Flash Player to restrict or limit acceptance of Flash Cookies may reduce or impede the functionality of some Flash applications, including, potentially, Flash applications used in connection with our services or online content.

Do you serve targeted advertising?

Third parties may serve cookies on your computer or mobile device to serve advertising through our Websites. These companies may use information about your visits to this and other websites in order to provide relevant advertisements about goods and services that you may be interested in. They may also employ technology that is used to measure the effectiveness of advertisements. They can accomplish this by using cookies or web beacons to collect information about your visits to this and other sites in order to provide relevant advertisements about goods and services of potential interest to you. The information collected through this process does not enable us or them to identify your name, contact details, or other details that directly identify you unless you choose to provide these.

How often will you update this Cookie Policy?

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal, or regulatory reasons. Please therefore revisit this Cookie Policy regularly to stay informed about our use of cookies and related technologies.

The date at the top of this Cookie Policy indicates when it was last updated.

Where can I get further information?

If you have any questions about our use of cookies or other technologies, please email us at [Email Address] or by post to:

[Company Name]

[Street Address]

[City, State ZIP Code]

[Country]

Phone: [Phone Number]

FAQs About Cookie Policies

Summary

The best way to stay compliant with state, federal, and international privacy laws is to be transparent with your users. For example, instead of just inserting a cookies section in your privacy policy, create a dedicated and comprehensive cookie policy that requests informed consent from your users.

Be sure to link to your cookie policy from other relevant places, like your header, footer, or main menu. Furthermore, make your cookie policy clear and conspicuous, and users will appreciate your straightforward handling of their most private and personal data.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author