
A cookie policy is essential for all law-abiding websites

Updated July 13, 2020.

What is a cookie policy? Do you need one for your website? What are the requirements? And how can you get a cookie policy?

In this article, we explain what the cookie policy is, what the requirements are and how you can become compliant with Cookiebot consent management platform (CMP).

What is a cookie policy?

A cookie policy is a declaration to your users on what cookies are active on your website, what user data they track, for what purpose, and where in the world this data is sent.

Also, a cookie policy should contain information on how your users may opt out of the cookies or change their settings in regard to the cookies on your website.

Many website owners choose to incorporate the cookie policy as a section of their privacy policy. You can also leave your website cookie policy as a stand-alone section.

Regardless, you are legally required by the European GDPR and the Californian CCPA to have one available to your users on your website.

The privacy policy is a document, usually a page on the website, in which all of the methods and purposes of the data processing activities on the site are outlined, including contact forms, mailing lists etc.

Cookies are a potential privacy risk, because they are able to track, store and share user behavior.

Whereas most of the rest of a privacy policy may be static, the cookies used on a website are dynamic and might change often.

Therefore, an adequate cookie policy should be regularly updated to make sure that the information is accurate.

How does the GDPR affect my cookie policy?

The EU law on personal data, the General Data Protection Regulation (GDPR), gives website visitors the right to receive specific, up-to-date information on what data is registered about them at all times, for what purpose, and where in the world it is sent (along with the possibility to prevent it from happening).

These rules affect your cookie policy as well as your cookie notification, your cookie consent and your documentation of consents.

Learn more about the GDPR

Learn more about the ePrivacy Directive (EU cookie law or cookie directive)

Test to see if your website is GDPR compliant with a free compliance test.

How does the CCPA affect my cookie policy?

The California Consumer Privacy Act (CCPA) gives California residents the right to know what personal information companies and websites collect and sell about them, plus the rights to have it deleted and to opt out of having their data sold to third parties.

The CCPA states that businesses must inform their visitors at or before the point of collection of what categories of personal information they collect and process, including to which third parties they sell/share/disclose this data.

The CCPA empowers California residents with the following:

A CCPA compliant cookie policy must include the categories of personal information collected on the website, information about the third parties this information is shared with, types of cookies and other tracking technology and a description of the consumer rights and how to exercise these rights.

Last but not least, websites must feature a Do Not Sell My Personal Information link, through which users can opt out of third party data sales.

Learn more about the CCPA

Try Cookiebot CMP free for 30 days... or forever if you have a small website.

Requirements for my cookie policy

In order to be CCPA and GDPR compliant, your cookie policy should state:

Cookie policy generator - how to get a cookie policy on your website

“Do I need a cookie policy on my website?”, you might be wondering.

The answer is yes, you do.

A cookie policy is legally required by both the GDPR and the CCPA. So, the more pressing question is probably: “how do I get a cookie policy on my website?”

The first thing to do is to discover what cookies are in use on your website. This is fundamental for creating a specific and accurate policy, as required, because every website is different.

In other words, you need to know exactly what cookies and other forms of tracking technology are present and operating on your website.

Keep in mind that you have to take into account both your own use of cookies, and the ones that are set by third parties present on your website. Read your third party services’ cookie policies to find out what cookies they may be using on your site.

This is done by using a cookie policy generator like Cookiebot CMP.

Cookiebot CMP scans and reveals all cookies, both first and third party, on your website. It does so by simulating real-life user interaction with your website. It basically crawls your website and all of its subpages and shows you what hides under the surface. It does this automatically once a month.

CCPA compliant cookie policy

Figure: the result of our cookie policy generator, a detailed CCPA compliant cookie declaration by Cookiebot CMP.

Our cookie policy generator assembles a cookie declaration – a report on all cookies and tracking present, their technical specification, provenance and purpose. This information forms the main part of your cookie policy. It is a requirement in the GDPR that your cookie policy is always up to date.

Cookiebot CMP's comprehensive scanning and its automatic, consent-based cookie control make it an ideal cookie policy generator, since you can be sure that no stone is left unturned and that the information you give your users about your website is always up to date.

The cookie policy may be part of your privacy policy or be published as an independent page on your website. Keep the language of the cookie policy plain and intelligible: this is a specific requirement of the GDPR.

A GDPR and CCPA compliant cookie policy is one that informs the users of all cookies and tracking, how user data is being handled, with whom it is shared, informs users on their rights and how to exercise them, and states the technical specifications and purpose of each tracker.

Check out Cookiebot CMP's cookie policy and see how it’s done.

You can find many examples and templates for your cookie policy on the internet. Keep in mind, however, that your policy should be revised and updated regularly, to make sure that it informs about the actual cookies in use on your site. The GDPR demands that it is correct, specific and up to date.

What is the difference between a privacy policy and cookie policy?

The cookie policy deals specifically with the use of cookies on your site, whereas the privacy policy is a general document regarding all of the data processes on a website, including contact forms, mailing lists, etc.

Often, the cookie policy is integrated as a part of the privacy policy of a website or an app. Arguably, it is the most challenging part. At the heart of this is the nature of cookies:

Read more about cookie and website tracking here.

The easiest way to ensure full control over your cookies, and to be sure that you have an accurate and updated cookie policy for your website, is to get a GDPR/ePR and CCPA compliant cookie solution, where the cookie policy is integrated with the actual monitoring of cookies on your website.

With Cookiebot CMP, the monthly report from the cookie scan can be integrated, with a few lines of JavaScript, as an automatically updated part of your privacy policy or cookie policy, guaranteeing that they are always up to date and accurate.

Cookiebot CMP is a solution that enables full GDPR/ePR and CCPA compliance for your website.

We empower you to take care of all that is cookie-related on your website, so that you can have peace of mind, knowing that your website complies with the regulations.

Does the GDPR affect websites in the US?

The short and simple answer is 'yes'.

First and foremost, the GDPR is a universal law for the European Union.

This means that the GDPR applies not only to all websites operating within the EU, but also to all websites that deal with users from the EU.

So, since its enforcement in May 2018, all sites outside the EU, except strictly local ones, are affected.

In a PwC survey of American multinational organizations, 92 percent said GDPR compliance was a top priority, and 71 percent had already started preparations (in January 2017). These included privacy policies, IT security and discovery of all the data they currently had.

In the US, the laws on the protection of data are more fragmented, because they are a patchwork of sector-specific laws, regarding for example healthcare companies or financial institutions, or restricted to specific states, like California.

However, the GDPR being the most thorough and far-reaching data protection regulation ever passed, it is likely to go global, or at least to serve as a model for future regulations on the protection of data.

Therefore, it is in any case relevant to take measures to comply.

The regulations might here and now seem like an annoying obstacle for companies, but in the long run they are helping to restore the trust and equity between companies and consumers in a data-driven world.

Does the CCPA affect websites outside the US?

A short and simple yes here too.

The California Consumer Privacy Act (CCPA) has extraterritorial jurisdiction. This means that it applies to any business that collects or processes the personal information of California residents, regardless of where in the world that business is located.

However, to be regarded as a business under the CCPA rules, a company has to meet one of the three following attributes:

This means that if a company is based in, say, Singapore or Italy, but buys or sells the personal information of at least 50,000 California residents, that company is liable for CCPA compliance.


What is a cookie policy?

A cookie policy is your website’s way of telling its users what cookies and trackers it uses, what data these collect, for what purposes, for how long they are active and with whom it shares this data. Users must also be informed via your cookie policy of how they can revoke consent to or opt out of having their personal data collected, processed and shared.

Test for free to see what cookies your website uses

What cookies does my website use?

Your website uses first-party cookies that are strictly necessary for its basic function, but it’s very likely that it also uses third-party cookies for analytical or marketing purposes, e.g. through analytics tools, marketing software or social media plugins. To be sure what cookies your website uses, use a consent management platform to perform deep-scans of your domain.
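To make the first-party versus third-party distinction, and the scanning idea described above, concrete, here is an added example that is not Cookiebot's code and does not come from this article. It takes the Set-Cookie headers a crawl of a site would observe (a constructed sample from fictional hosts such as www.example-shop.test and analytics.thirdparty.test), classifies each cookie as first- or third-party relative to the site, records whether it is a session or persistent cookie and which security attributes it carries, and lists the third-party hosts a cookie declaration would have to name. The function names (`inventory`, `registrable_domain`, `declaration_rows`) and the naive last-two-labels domain rule are assumptions made for the example; a real scanner would use the Public Suffix List and would also capture cookies set by JavaScript, which this header-only view cannot see.

```python
"""Cookie inventory for a cookie declaration (added example, not Cookiebot code).

Given the Set-Cookie headers observed while crawling a site, classify each
cookie as first- or third-party, session or persistent, and record its
security attributes. The input below is constructed; a real scanner collects
it from live responses (and from script-set cookies) during a crawl.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed observations: (URL of the response, Set-Cookie header value).
SITE_URL = "https://www.example-shop.test/"
SAMPLE_OBSERVATIONS: List[Tuple[str, str]] = [
    ("https://www.example-shop.test/",
     "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example-shop.test/cart",
     "cart=3items; Domain=.example-shop.test; Path=/; Max-Age=604800; Secure; SameSite=Lax"),
    ("https://cdn.example-shop.test/app.js",
     "cdn_pref=v2; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://analytics.thirdparty.test/collect",
     "_tid=xyz; Domain=thirdparty.test; Path=/; Max-Age=63072000; Secure; SameSite=None"),
]
# Fixed reference time (the article's date) so lifetimes are deterministic.
NOW = datetime(2020, 7, 13, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    name: str
    set_by: str                   # host whose response carried the header
    domain: str                   # effective cookie domain (host-only if no Domain attribute)
    party: str                    # "first" or "third"
    lifetime_days: Optional[int]  # None means a session cookie
    secure: bool
    http_only: bool
    same_site: str                # SameSite value, or "unset"


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption made for this example;
    a production scanner must use the Public Suffix List, otherwise
    'shop.example.co.uk' and 'other.example.co.uk' would both collapse to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lifetime_in_days(attrs: dict, now: datetime) -> Optional[int]:
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    else:
        return None
    return max(seconds, 0) // 86400


def parse_set_cookie(site_host: str, response_url: str, header: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header and classify the cookie relative to site_host."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, _value = name_value.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    set_by = urlsplit(response_url).hostname or ""
    # No Domain attribute: host-only cookie. With one, browsers ignore a leading dot.
    domain = attrs.get("domain", "").lstrip(".").lower() or set_by
    party = "first" if registrable_domain(domain) == registrable_domain(site_host) else "third"
    return CookieRecord(
        name=name.strip(), set_by=set_by, domain=domain, party=party,
        lifetime_days=lifetime_in_days(attrs, now),
        secure="secure" in attrs, http_only="httponly" in attrs,
        same_site=attrs.get("samesite") or "unset",
    )


def inventory(site_url: str, observations, now: datetime) -> List[CookieRecord]:
    site_host = urlsplit(site_url).hostname or ""
    return [parse_set_cookie(site_host, url, header, now) for url, header in observations]


def third_party_hosts(records: List[CookieRecord]) -> List[str]:
    """Hosts a cookie declaration must name as third parties receiving data."""
    return sorted({r.set_by for r in records if r.party == "third"})


def declaration_rows(records: List[CookieRecord]) -> List[str]:
    """Plain-text rows of the kind a cookie declaration table is built from."""
    rows = []
    for r in records:
        lifetime = "session" if r.lifetime_days is None else f"{r.lifetime_days} days"
        flags = [f for f, on in (("Secure", r.secure), ("HttpOnly", r.http_only)) if on]
        flags.append(f"SameSite={r.same_site}")
        rows.append(f"{r.name} | {r.domain} | {r.party} party | {lifetime} | {', '.join(flags)}")
    return rows


if __name__ == "__main__":
    records = inventory(SITE_URL, SAMPLE_OBSERVATIONS, NOW)
    print("\n".join(declaration_rows(records)))
    print("third parties:", third_party_hosts(records))
```

Running the script prints one row per cookie and the list of third-party hosts. In the sample, the cookie from cdn.example-shop.test counts as first-party because it shares the site's registrable domain, while the analytics cookie, set with SameSite=None and a two-year Max-Age so that it is sent cross-site, is the one a CCPA declaration must attribute to a third party. Persistent cookies surface their lifetime in days, which is the "how long they are active" information the GDPR section above asks for.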

Scan your website for free to find all cookies and trackers

How does my cookie policy become GDPR compliant?

The EU’s General Data Protection Regulation (GDPR) requires your website to have an up-to-date cookie policy that informs users what type of cookies it sets, how long they are active on users’ browsers, what kind of data they collect, what purpose they collect it for, where the data is sent to and with whom it’s shared, and how users can reject cookies or revoke already given consent.

Learn more about GDPR and cookie consent

How does my cookie policy become CCPA compliant?

The California Consumer Privacy Act (CCPA) requires your website to inform California residents at or before the point of data collection about the categories of personal information it collects, to which third parties this is sold or disclosed, what types of cookies and trackers are in operation and a description of consumer rights and how to exercise them.

Learn more about CCPA and cookies


Try Cookiebot CMP and our cookie policy generator for free today.

General Data Protection Regulation (GDPR)

California Consumer Privacy Act (CCPA)

Article in Forbes on the GDPR in the US

General Data Protection Regulation

Infographic: What does the GDPR mean for Global Data Protection

Data Protection in the US vs EU

California Online Privacy Protection Act (CalOPPA)

BBC on Brexit

PwC survey on GDPR preparations in US Companies

Google Privacy Policy

Cookie Policy of LinkedIn

Cookie Policy of Facebook
