Cookie policy: what to include, obligations and GDPR template
10 March 2026 · FlowConsent
TL;DR
A cookie policy is a standalone document, separate from your privacy policy. It details the trackers used on your website, their purpose, their lifespan and the options available to visitors to refuse or delete them. Data protection authorities such as the CNIL in France consider this policy as the "level 2" information layer, complementing the consent banner which serves as level 1. Without an accessible and complete cookie policy, your consent banner alone is not enough to demonstrate compliance.
What is a cookie policy?
A cookie policy is a dedicated page on your website that informs visitors about all the cookies and trackers your site sets or reads on their device. It complements the consent banner by providing detailed information that the banner, by its concise nature, cannot contain.
Data protection frameworks distinguish two levels of mandatory information. Level 1 is the consent banner displayed when the visitor arrives. It briefly presents the main categories of purposes. Level 2 is the cookie policy itself: a comprehensive document, accessible at all times, that details each tracker, each purpose, each data controller and the rights of the user.
This document is not optional. Any website that sets cookies, including cookies exempt from consent, must inform visitors of their existence and how they work.
What is the difference between a cookie policy and a privacy policy?
Both documents deal with personal data protection, but they do not cover the same scope.
The privacy policy (or data protection policy) covers all personal data processing carried out by your organisation: contact forms, user accounts, newsletters, HR data, subcontractors, transfers outside the EU, etc. It primarily derives from Articles 13 and 14 of the GDPR.
The cookie policy focuses exclusively on trackers set or read on the user's device during browsing. It derives from both the GDPR and the ePrivacy Directive (transposed in France into Article 82 of the Data Protection Act).
Some websites merge the two documents. While not explicitly prohibited, it is recommended to keep them separate for easier access and comprehension. A visitor looking to understand which cookies are set on their device should not have to scroll through ten paragraphs about your HR data processing to find the information.
Is a cookie policy mandatory?
Yes. As soon as a website uses cookies or trackers, it must inform visitors of their existence, their purpose and the means to refuse them. This obligation applies even for cookies exempt from consent (strictly necessary cookies, audience measurement under certain conditions).
The obligation stems from two complementary legal texts. The ePrivacy Directive requires information and prior consent for any access to or storage of information on the user's device. The GDPR (Articles 12, 13 and 14) requires transparent, clear and accessible information about any personal data processing, which includes data collected via cookies.
In practice, a website without an accessible cookie policy cannot demonstrate compliance with its information obligation, even if its consent banner is correctly configured.
What should a compliant cookie policy contain?
A compliant cookie policy must cover seven essential elements.
The identity of the data controller
Visitors must know who is responsible for the cookies set on the site. Include the company name, address and DPO (Data Protection Officer) contact details if you have appointed one. If third parties set cookies on your site (ad networks, social media, third-party analytics tools), they must also be identified.
The list of cookies used and their purposes
Each cookie or category of cookies must be described with its specific purpose. Include at minimum the cookie name, the provider (first-party or third-party), the purpose (analytics, advertising, personalisation, functional) and the retention period. The CNIL recommends that cookie lifespan should not exceed 13 months.
To organise this information, a table structured by category is the most readable approach.
The distinction between exempt cookies and cookies requiring consent
Clearly explain which cookies are set without consent (strictly necessary cookies) and which require prior agreement (analytics, advertising, social media). This distinction is fundamental because it determines the behaviour of your consent banner.
Cookies exempt from consent include, according to regulatory guidelines: consent choice trackers, authentication trackers, shopping cart trackers, interface personalisation trackers (language, layout) and audience measurement trackers under strict conditions.
Consent and refusal mechanisms
Describe how visitors can accept or refuse cookies and how they can change their choice at any time. Indicate that refusing is as easy as accepting (a regulatory requirement). Mention the cookie management mechanism permanently accessible on your site (footer link, settings button).
User rights
Remind visitors of the rights provided by the GDPR: right of access, right to rectification, right to erasure, right to object, right to data portability. Indicate how to exercise them (DPO email address, contact form) and mention the right to lodge a complaint with the relevant supervisory authority.
The legal basis for processing
For exempt cookies: legitimate interest or technical necessity. For cookies requiring consent: consent itself, as defined in Articles 4(11) and 7 of the GDPR.
How to delete cookies via browser settings
Briefly explain that users can also manage cookies directly from their browser settings, and provide links to the help pages of the main browsers (Chrome, Firefox, Safari, Edge).
How to structure your cookie policy?
The most effective structure combines short explanatory paragraphs with a summary table of cookies.
Start with a 2 to 3 sentence introduction explaining what cookies are and why your site uses them. Follow with a section distinguishing cookie categories (strictly necessary, analytics, advertising, social media). Then include a detailed table.
The table should contain at minimum four columns: cookie name, provider, purpose and lifespan. This format allows visitors to quickly scan the information, and it is well interpreted by search engines and AI crawlers.
This table must be kept up to date. Each time you add or remove a third-party service on your site, the cookie policy must be updated. A regular scan of your site detects the cookies actually set and verifies that your policy reflects reality.
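As an added illustration of that reconciliation step (example code written for this article, not FlowConsent's scanner), the block below parses the Set-Cookie headers a crawl captured, derives each cookie's lifespan from Max-Age or Expires, and compares the result with the published policy table: cookies set but undocumented, cookies documented but no longer set, lifespans above the 13-month CNIL guidance, and lifespans that disagree with what the policy states. The sample headers, the policy table, the crawl time and the 396-day approximation of 13 months are all constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MAX_LIFESPAN_DAYS = 396  # CNIL guidance: 13 months, approximated here as 396 days (assumption)
SCAN_TIME = datetime(2024, 10, 3, tzinfo=timezone.utc)  # assumed time of the crawl
# Constructed sample: Set-Cookie headers a scanner captured, with the host that sent each one.
SCANNED = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "_ga=GA1.2.111; Max-Age=63072000; Path=/"),
    ("www.example.com", "cookie_consent=granted; Max-Age=15552000; Path=/"),
    ("chat.vendor.example", "chat_uid=42; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
# Constructed sample: the table published in the cookie policy (lifespan None = session cookie).
POLICY_TABLE = {
    "sessionid": {"provider": "first-party", "purpose": "strictly necessary", "lifespan_days": None},
    "cookie_consent": {"provider": "first-party", "purpose": "consent choice", "lifespan_days": 180},
    "_ga": {"provider": "Google Analytics", "purpose": "analytics", "lifespan_days": 396},
    "_fbp": {"provider": "Meta", "purpose": "advertising", "lifespan_days": 90},
}

def parse_set_cookie(header, now):
    """Return (name, lifespan in days); days is None for a session cookie. Max-Age wins over Expires."""
    jar = SimpleCookie()
    jar.load(header)
    (morsel,) = jar.values()
    if morsel["max-age"]:
        return morsel.key, int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        return morsel.key, (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
    return morsel.key, None

def audit(scanned, policy, now):
    """Compare what the crawl observed with the policy table and group the discrepancies by type."""
    seen = {}
    for host, header in scanned:
        name, days = parse_set_cookie(header, now)
        seen[name] = (host, days)
    f = {"undocumented": [], "over_cap": [], "lifespan_mismatch": [], "not_seen": sorted(set(policy) - set(seen))}
    for name, (host, days) in seen.items():
        if name not in policy:  # set on the visitor's device but absent from the policy
            f["undocumented"].append((name, host))
            continue
        if days is not None and days > MAX_LIFESPAN_DAYS:  # longer than the 13-month guidance
            f["over_cap"].append((name, round(days)))
        doc = policy[name]["lifespan_days"]
        if (days is None) != (doc is None) or (days is not None and abs(days - doc) > 1):
            f["lifespan_mismatch"].append((name, None if days is None else round(days), doc))
    return f
```

Each non-empty list in the result is a reason to update the policy table, or to question why a tracker is set at all.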
Where to place the cookie policy on your site?
The cookie policy must be accessible from at least two places: the consent banner (a "Learn more" or "Cookie policy" link) and the footer of your site (a permanent link visible on all pages).
Regulators insist that users must be able to find this information at any time, not only when the banner is first displayed. A footer link is the market standard, but you can also integrate it into a preference centre accessible via a floating button or a cookie management link.
Do not confuse the cookie policy page with the cookie preference centre. The preference centre is the interactive interface that allows visitors to change their choices (enable/disable categories). The cookie policy is an informational document. Both are complementary.
Common mistakes in cookie policies
Merging the cookie policy and privacy policy without clear distinction. Visitors cannot find information about trackers. Separate the two documents, or at minimum create a clearly identifiable dedicated section.
Not listing third-party cookies. Many sites only mention their own cookies and forget trackers set by Google Analytics, Facebook Pixel, chat widgets or embedded video players. You share responsibility for informing visitors about these trackers.
Copy-pasting a generic template without customising it. A template can serve as a starting point, but it must reflect the cookies actually present on your site. A document that lists cookies you do not use, or omits others, does not demonstrate compliance.
Not updating the policy after adding a new service. Adding a chat tool, a conversion pixel or an embedded YouTube video changes the cookies set. The policy must be updated accordingly.
Omitting cookie retention periods. The CNIL recommends a maximum lifespan of 13 months for cookies. This information must appear in your policy, cookie by cookie or by category.
Not mentioning the right to withdraw consent. The GDPR requires that withdrawing consent is as easy as giving it. Your policy must explain how visitors can change their mind.
The role of a CMP in managing your cookie policy
A CMP (consent management platform) makes it easier to keep your cookie policy compliant in several ways.
Automatic cookie scanning identifies the trackers actually present on your site, including those set by third-party scripts you may not have manually identified. This scan produces an inventory you can use directly in your policy.
The CMP manages consent dynamically: it blocks non-consented scripts, records visitor choices and stores proof of consent. It complements your cookie policy by ensuring that the rules described in the document are actually enforced.
Some CMPs, including FlowConsent, can automatically generate and maintain the cookie table to include in your policy. This avoids discrepancies between the cookies actually present and those documented.
If your site uses Google Consent Mode v2, your CMP must also handle the transmission of consent signals to Google tags, a point that can be mentioned in your policy for more technically minded visitors.
Checklist: writing your cookie policy
- Create a dedicated page, separate from the privacy policy.
- Identify the data controller and DPO contact details.
- Run a scan of your site to inventory all cookies actually set.
- Classify cookies by category: strictly necessary, analytics, advertising, social media.
- For each cookie, document the name, provider, purpose and lifespan.
- Clearly distinguish cookies exempt from consent and those requiring it.
- Explain the mechanisms for consent, refusal and withdrawal.
- List user rights (access, rectification, erasure, objection, portability).
- Indicate the legal basis for each cookie category.
- Add links to the cookie management pages of the main browsers.
- Make the policy accessible from the consent banner and the footer.
- Schedule a policy review each time third-party services on the site are modified.
Conclusion
The cookie policy is a mandatory document, separate from the privacy policy, that details the trackers present on your site and the rights of your visitors. Writing it is straightforward if you have a complete inventory of your cookies, a clear structure and a regular update process.
The most effective starting point is to scan your site to identify all trackers actually set, then structure the information in a table by category. A CMP like FlowConsent automates part of this work by keeping the inventory up to date and ensuring that the rules described in your policy are actually enforced.
Run a free scan of your site to get a complete inventory of your cookies and start writing your policy.
Frequently asked questions
Is a cookie policy mandatory even if my site only uses strictly necessary cookies?
Yes. Strictly necessary cookies are exempt from consent, but not from information. The GDPR requires transparent communication about any personal data processing. Even a site that only sets session or authentication cookies must inform visitors of their existence, purpose and lifespan.
What is the difference between a cookie policy and a privacy policy?
The privacy policy covers all personal data processing carried out by an organisation (forms, user accounts, HR data, etc.). The cookie policy focuses exclusively on trackers set or read on the visitor's device during browsing. Both documents address distinct obligations and it is recommended to keep them separate for easier access to information.
How long can cookies remain on a visitor's device?
The CNIL recommends a maximum lifespan of 13 months for cookies. Beyond this period, consent must be collected again. Session cookies are automatically deleted when the browser is closed. Each cookie listed in your policy should mention its actual lifespan.
Do I need to list every individual cookie in my policy?
The ePrivacy Directive does not require a cookie-by-cookie list, but mandates describing the types of trackers, their usage and purpose. In practice, regulators recommend sufficient detail for visitors to understand precisely which trackers are set and by whom. A table by category with the name, provider, purpose and lifespan of each cookie is the recommended approach.
How do I find out which cookies my site actually sets?
A cookie scanner analyses your site's pages and identifies all trackers set during browsing, including those injected by third-party scripts. This scan often reveals undocumented cookies from widgets, video players or advertising pixels. FlowConsent offers a free scanner to perform this audit.
Does my CMP replace the cookie policy?
No. The CMP and the cookie policy are complementary. The CMP manages consent (banner display, script blocking, proof of consent storage). The cookie policy provides the detailed information. The CMP can feed the content of your policy (cookie inventory, categorisation), but the informational document remains necessary.