How to Write a Cookie Policy: Step-by-Step Guide

Write a compliant cookie policy in an afternoon: audit cookies, categorize them, build the disclosure table, and publish. Free example clauses inside.


by Riad Us Salehin • 5 July 2026


Writing a cookie policy means listing every cookie your site sets, explaining why you use each one, and telling visitors how to withdraw consent. You can do it yourself in an afternoon if you start from your site's actual cookies, not a generic template.

This guide covers auditing your cookies, categorizing them, drafting each required clause, building the disclosure table, publishing it correctly, and keeping it current. This is guidance, not legal advice; consult a lawyer for jurisdiction-specific review.

What a Cookie Policy Must Include: The 7 Required Clauses

A compliant cookie policy needs seven clauses. These cover a definition of cookies, why and how you use them, and the categories in use. They also cover a per-cookie disclosure table, a consent and withdrawal clause, a contact clause, and a last-updated date. Most published guides describe the first five well. The two they skimp on, the per-cookie duration field and the last-updated clause, are exactly where policies fail an audit.

ClauseWhat it covers
What cookies areA plain-language definition, no legalese
Why and how you use cookiesThe purposes tied to each cookie category
Types of cookies usedStrictly necessary, functional, analytics, advertising
Cookie disclosure tableName, provider, purpose, category, duration, first or third party
Consent and withdrawalHow visitors gave consent and how to change it
Contact informationCompany name and an email for privacy questions
Last-updated dateWhen the policy was last revised

GDPR Article 13 requires the second and fourth clauses specifically. Visitors have the right to know what data is collected, the legal basis, and who it is shared with. The ePrivacy Directive adds the consent requirement on top. If you want the full definition and legal background before drafting, start with what a cookie policy actually is.

What You Need Before You Start

The one prerequisite most people skip is an accurate, current list of the cookies your site actually sets, not a guessed list from memory. Everything else in this guide depends on that inventory being right.

Roles: the site owner or a developer can do this alone. A privacy reviewer is optional for higher-risk sites (e-commerce, ad-supported publishers, health or finance).

Time: a focused afternoon covers a small site with under 20 cookies. Sites running multiple ad or analytics vendors take longer, mostly for the audit step, not the writing.

Inputs: access to your site and tag manager, your company's legal name and a contact email, and the regions your visitors come from. This last item determines whether you need opt-in or opt-out consent language.

Tools: a cookie scanner, a cookie policy generator, or your browser's developer tools all work. Pick based on how many cookies you expect and how often your site changes.

Step 1: Audit Every Cookie and Tracker on Your Site

Auditing means listing every cookie and tracker your site sets, first-party and third-party, before you write a single clause. Skip this step and your policy will list cookies you don't use and miss ones you do.

Open your browser's developer tools, go to the Application tab in Chrome (Storage in Firefox), and expand the Cookies entry under your domain. Clear your cache first, then reload the page and click through a few pages, including login and checkout if you have them. Some cookies only fire after a specific action. A single page load misses them.

Manual audits miss cookies that load behind the scenes. Third-party scripts, embedded widgets, and ad tags often set cookies your dev-tools pass never triggers. They fire on a delayed script or a specific interaction instead. Note whether each cookie is one of your first-party and third-party cookies, because they carry different disclosure expectations.

A cookie scanner crawls every page and reports the trackers a manual pass would miss. Consently's scanner runs an initial full-site scan, then repeats weekly and on demand. New trackers show up in your inventory without you remembering to re-check.

Done: you have a complete raw list of every cookie, its source domain, and which pages set it.

Step 2: Categorize Your Cookies

Categorizing means sorting every audited cookie into one of four working categories: strictly necessary, functional, performance and analytics, or advertising and marketing. Get this step right and the rest of the policy writes itself, because each category maps to a purpose statement and a consent rule.

  • Strictly necessary: required for the site to function (login sessions, shopping carts, security tokens).
  • Functional: not required, but improve the experience (remembered language, saved preferences).
  • Performance and analytics: measure how visitors use the site (page views, session duration).
  • Advertising and marketing: track visitors across sites for ad targeting or retargeting.

The load-bearing rule: strictly necessary cookies need no consent, but you must still disclose them in the policy. A Reddit thread on cookie compliance for SaaS apps makes the same point.

A session cookie can be seen as a Strictly Necessary Cookie, which does not (necessarily) require consent.

The same thread's follow-up notes the policy still has to list what each cookie does. Skipping essential cookies because they don't need consent is one of the most common compliance gaps.

Consently auto-categorizes each detected cookie during the scan. Categories include essential, analytics, advertising, and similar buckets, plus custom categories. You edit an assigned category instead of classifying every row from zero. Review the full breakdown of how cookie categories work and how session and persistent cookies expire differently before you finalize the table.

Done: every cookie from Step 1 has exactly one category assigned.

Step 3: Draft the Introduction and "What Are Cookies" Clause

The opening clause defines cookies in plain language and states that your site uses them. Write it in two to three sentences a non-technical visitor understands on the first read.

Example you can adapt:

Cookies are small text files that our website stores on your device when you visit. We use them to keep the site working correctly, remember your preferences, and understand how visitors use our pages.

Keep this section functional, not a methodology treatise. Write in your site's own language and avoid legal jargon. A Reddit comment on cookie disclosures for a SaaS app makes this point well.

There is no real legalese language you need here, just providing transparency.

Save the technical detail (categories, third parties, GDPR basis) for the clauses that follow.

Done: a two- to three-sentence opening clause any visitor can read without a legal background.

Step 4: Explain Why You Use Cookies and What Data They Collect

This clause names the actual reason behind each cookie category, not a generic "to improve your experience" line. Map each category from Step 2 to a real purpose. Strictly necessary cookies keep visitors logged in and secure. Analytics cookies measure how people use the site. Advertising cookies personalize the ads visitors see.

GDPR Article 13 requires you to say what data is collected and the legal basis for collecting it. It also requires you to say how the data is used and who it is shared with. A verified Reddit answer from a policy-generator company representative confirms this duty.

They also must be presented with a cookie policy. They have the right to know what data is collected about them, the legal bases for collecting the data, how the data is used, and who it's shared with.

Write one sentence per category naming the real purpose and the third parties involved, if any. "Google Analytics cookies measure page views and session length to help us improve site navigation" is specific enough. "We use cookies to enhance your experience" is not.

Done: every cookie category has a named purpose and, where relevant, a named third party.

Step 5: Build Your Cookie Disclosure Table

The disclosure table is the centerpiece of a compliant policy: one row per cookie. It has six columns covering name, provider, purpose, category, duration, and whether it is first- or third-party.

Cookie nameProvider / domainPurposeCategoryDurationFirst or third party
session_idyourdomain.comKeeps the visitor logged in during a sessionStrictly necessarySession (expires on browser close)First-party
_gagoogle-analytics.comDistinguishes unique visitors for traffic reportingPerformance / analytics2 yearsThird-party
pref_langyourdomain.comRemembers the visitor's selected languageFunctional1 yearFirst-party
_fbpfacebook.comTracks visits for ad retargetingAdvertising / marketing90 daysThird-party

Find each column's value from the source you already have. Get name and expiry from the dev-tools cookie list in Step 1. Get provider from the domain that set the cookie. Get purpose and category from Step 2's classification. First-party cookies come from your own domain. Third-party cookies come from any other domain, most often analytics, ad, or embed vendors.

A hand-built table goes stale fast. A developer describing a cookie-policy generator on Reddit noted that the scan step works well. The output still needed a manual check afterward.

It scans your cookies, asks what services you use, etc.

Independent scans of live sites back the underlying problem. Most cookies load behind the scenes through third-party scripts, and roughly half of those change on repeat visits. A table built once in January is often wrong by March.

If you would rather start from a pre-built document, grab our free cookie policy template and fill in the table yourself. A cookie policy generator fills the disclosure table from your scan. New and changed cookies land in the table without you re-auditing by hand.

Done: a complete table with all six fields, populated for every cookie from your audit.

Step 6: Add the Consent, Withdrawal, and Contact Clauses

This step covers three closing clauses. It covers how visitors gave consent and how to withdraw it. It also covers the regional consent wording your law requires and how to contact you with privacy questions.

The withdrawal clause must point to a real control, not just a promise. State how visitors gave consent (a banner action) and how to change it (a link back to your preference settings). Make the second step as easy as the first. Whether your site needs one at all depends on region, but once you publish a policy, the withdrawal mechanism is mandatory everywhere it applies.

The wording differs by law. GDPR and UK law require opt-in consent, so the clause should state that non-essential cookies only load after a visitor accepts. CCPA and other US state laws use opt-out consent instead. A US-facing site needs a "Do Not Sell or Share My Personal Information" link alongside the cookie disclosure. Opt-in versus opt-out consent changes what this clause has to say, so confirm which model applies to your visitor base first.

Close with your company's legal name, a contact email for privacy questions, and (if relevant) a link to a data protection contact.

A preference center gives the withdrawal clause something real to point to. Consently's revisit button reopens the same choices a visitor made at first consent. That makes "withdraw as easily as you consented" an actual feature, not a promise the policy makes on its own.

Done: the policy states how consent was given, links to a working withdrawal control, and lists contact details.

Step 7: Publish Your Cookie Policy and Link It Correctly

Publishing means putting the policy on its own reachable page. Link it from both the cookie banner and the site footer, one click from anywhere on the site.

  • Publish the policy as a standalone page, not buried inside your terms and conditions.
  • Link it from the cookie banner itself, so visitors can read it before or after choosing.
  • Link it from the site footer, so it stays reachable from every page.
  • If the policy lives inside your privacy policy as a section, link the banner to that specific section, not the top of the document.

Your cookie policy sits alongside the other website legal pages your site needs. Publish it standalone or as a section inside your privacy policy.

A CMP publishes the policy and wires the banner-to-policy link automatically. Consently embeds the generated policy directly on your domain and points the banner's policy link at it during setup. The reachability rule is handled without a separate publishing step.

Done: the policy is live on its own page, and both the banner and footer link to it.

Step 8: Keep Your Cookie Policy Up to Date

Cookies change constantly as you add scripts, swap vendors, or launch new features, so the policy needs a repeatable update process, not a one-time document.

Re-audit on a fixed schedule (monthly or quarterly) and every time you add a new tracker or vendor. Update the disclosure table with any new or changed cookies, and refresh the last-updated date each time. Re-request consent whenever you add a new non-essential cookie category the visitor has not already agreed to.

Consently re-scans your site weekly and updates the generated policy automatically. The hardest part of this step, remembering to re-check, runs on its own instead of depending on a calendar reminder.

Done: a re-audit schedule exists, the table reflects your current cookies, and the last-updated date matches your most recent change.

Cookie Policy Example (Filled-In Sections You Can Adapt)

A finished policy stitches the seven clauses into one document. Here is a compact skeleton showing how the pieces fit together; adapt it, don't copy it verbatim, since your actual cookies will differ.

Cookies are small text files that our website stores on your device when you visit. We use them to keep the site working correctly, remember your preferences, and measure site traffic.

Analytics cookies, such as _ga, help us understand which pages visitors find useful. Strictly necessary cookies, such as session_id, keep you logged in and are not optional.

Cookie nameProviderPurposeCategoryDurationParty
session_idyourdomain.comKeeps visitors logged inStrictly necessarySessionFirst-party
_gagoogle-analytics.comMeasures page viewsAnalytics2 yearsThird-party

You can withdraw consent at any time using the preference link in our cookie banner. Contact us at privacy@yourdomain.com with any questions.

Last updated: [date]

For real, published examples from live sites rather than a skeleton, browse cookie policy examples from real sites. If you need the companion document too, use our privacy policy template.

Common Cookie Policy Mistakes to Avoid

The single most damaging mistake is copying another site's cookie policy. It lists cookies you don't use and omits the ones you do, which makes the published document inaccurate on day one.

  1. Copying another site's policy verbatim: the copied document lists cookies you never set and misses ones you do, so it is inaccurate the moment it goes live. Audit your own site first (Step 1) instead of adapting someone else's list.
  2. Omitting essential cookies because they don't need consent: every cookie belongs in the table regardless of whether it needs consent. Include strictly necessary cookies alongside the rest (Step 5).
  3. Forgetting the duration and provider columns: a table without expiry and provider falls short of the per-cookie disclosure detail regulators expect. Use the full six-field table from Step 5.
  4. No working withdrawal mechanism: a policy that promises "withdraw as easily as you consented" but has no real control to point to fails that promise the moment a visitor tries it. Point the clause at a real preference center (Step 6).
  5. Writing it once and never re-scanning: the table drifts out of date as your site adds new scripts and vendors. Schedule re-scans and refresh the last-updated date on every change (Step 8).

FAQs

Can I write my own cookie policy or do I need a lawyer?

Yes, you can write your own cookie policy for a standard site. A lawyer is optional review, not a requirement, for most small and mid-sized sites. This guide is not legal advice, so consult one if your site handles sensitive data or operates in a high-risk category.

Can I use ChatGPT to write my cookie policy?

ChatGPT can draft the wording for a clause, but it cannot scan your actual cookies. It also cannot determine which privacy laws apply to your specific site and audience. Use it only to polish clauses you have already sourced from a real cookie audit, never as the source of the facts themselves.

Is it "cookie policy" or "cookies policy"?

Both terms mean the same thing and both appear across live sites. "Cookie policy" is the more common form in US-facing content.

Can I put my cookie policy inside my privacy policy?

Yes, as a dedicated section, and your cookie banner should link directly to that section rather than the top of the privacy policy. Some jurisdictions and reviewers prefer two separate linked documents instead of one combined page.

Do I need a cookie policy if I only use essential cookies?

If your site sets any cookies at all, disclose them, even if none require consent. Strictly necessary cookies need no opt-in, but they still belong in the policy.

Where should I put my cookie policy on my website?

Publish it on its own reachable page, linked from both the cookie banner and the site footer, one click away from any page. Do not bury it inside your terms and conditions.

How long does a cookie policy need to be?

As long as it takes to disclose every cookie your site actually sets. Length follows your cookie count, not a fixed target. A small site with ten cookies needs one short page.

How often do I have to update my cookie policy?

Update it whenever your cookies change and on a regular re-scan schedule, at minimum monthly for an active site. Refresh the last-updated date every time you make a change. See how to comply with cookie laws for the full banner and blocking picture beyond the document itself.

Writing a cookie policy by hand is doable. Keeping the table accurate every time a new tracker sneaks onto your site is the part that breaks. Consently's cookie policy generator scans your site, sorts every cookie into the right category, and builds the disclosure table. It publishes a policy that updates itself as your cookies change, across every domain on your plan. Generate your cookie policy and let the scan keep the table current.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.