CompliKit › Cookie Policy Generator
Cookie Policy Generator — GDPR Compliant

A cookie policy that lists your actual cookies, not placeholders

Free cookie policy templates list every cookie category imaginable. CompliKit asks which analytics, advertising, and functional tools you actually use and generates a disclosure that's accurate — which is what GDPR actually requires.

Generate My Cookie Policy Includes 6 legal documents — $19 launch special

What is a cookie policy and why do you need one?

A cookie policy discloses the cookies your website sets on visitors' devices, why each cookie is used, who controls it (you or a third party), and how users can manage or opt out. Under the EU ePrivacy Directive and GDPR, this disclosure is legally required if your site uses any cookies beyond those strictly necessary for the site to function.

Most websites use at least three cookie categories without realizing it: session cookies from their backend, analytics cookies from Google Analytics, and advertising pixels from Meta or Google. Each of these requires disclosure in your cookie policy and — for non-essential cookies — prior consent from EU visitors.

The cost of getting this wrong is real. In 2022 and 2023, regulators issued millions in fines specifically over cookie consent. Google, Meta, and TikTok have all been targeted. The standard has moved: "we use cookies" in your footer is not sufficient disclosure. A policy that lists your actual cookies with accurate descriptions is.

EU ePrivacy Directive

Requires consent before setting non-essential cookies. Applies to any website with EU visitors — regardless of where you're based.

GDPR — Cookie Data as Personal Data

Tracking cookies that identify individual users are personal data under GDPR. Full disclosure and consent requirements apply.

CCPA — California

Advertising cookies used for cross-context behavioral advertising require opt-out options for California residents.

UK GDPR post-Brexit

The UK maintains its own version of GDPR with the same cookie consent requirements as the EU. UK visitors are covered separately.

The four types of cookies your policy must address

GDPR classifies cookies by function. Your policy needs to cover each category you use, accurately and specifically.

Strictly Necessary Cookies

No consent needed

Cookies essential for the website to function: session management, login state, shopping cart contents, security tokens. These don't require consent but must still be disclosed in your policy.

Examples: session_id, csrf_token, auth_cookie

Analytics & Performance Cookies

Consent required

Cookies that track how users interact with your site to improve performance and user experience. Must be disclosed with the specific provider and opt-out mechanism.

Examples: Google Analytics (_ga, _gid), Hotjar, Mixpanel

Functional / Preference Cookies

Consent required

Cookies that remember user preferences: language selection, dark/light mode, previously viewed items. Enhance experience but aren't strictly necessary.

Examples: locale, theme_preference, recently_viewed

Advertising & Targeting Cookies

Consent required

Cookies used for ad targeting, retargeting, and conversion tracking. The highest scrutiny category under GDPR — requires explicit consent, clear disclosure of each advertiser.

Examples: Meta Pixel (_fbp), Google Ads (gclid), LinkedIn Insight

What your generated cookie policy covers

CompliKit generates a policy based on the specific tools and cookies you actually use on your site.

Cookie inventory by category

A structured disclosure of every cookie type you use, organized by necessary vs. consent-required categories.

Third-party cookie disclosure

Named disclosure of each third-party platform: Google Analytics, Meta Pixel, Stripe, Intercom — with accurate descriptions of what each collects.

Cookie duration and expiry

Session vs. persistent cookie distinction, with retention periods for each major cookie category.

User opt-out and control instructions

How users can reject or manage cookies through browser settings, Google's opt-out tools, and your consent management approach.

Cross-border data transfer disclosure

For cookies that transfer data outside the EU (most US-based services), disclosure of the transfer mechanism under GDPR.

Policy update and contact information

When the policy was last updated and how to contact you with cookie-related privacy requests.

Cookie policy included in the complete compliance bundle

A cookie policy handles cookie disclosure. But GDPR compliance also requires a full privacy policy explaining your broader data practices, and terms of service establishing your user agreements. CompliKit generates all six legal documents in one session — each one customized to your business.

  • 🔒 Privacy Policy
  • 📄 Terms of Service
  • 🍪 Cookie Policy
  • ↩️ Refund Policy
  • ⚠️ Disclaimer
  • ✅ Acceptable Use Policy
Launch Special
$19
Regular $39
Get All 6 Documents

Cookie policy questions, answered

What you need to know about GDPR cookie compliance before you generate yours.

Yes. If your website uses cookies — including analytics cookies from Google Analytics, advertising pixels from Facebook/Meta, or even session cookies — you need a cookie policy under the EU ePrivacy Directive and GDPR. This applies to any website with EU visitors, regardless of where your business is based. If you run Google Analytics, you have analytics cookies and need a policy.
GDPR cookie consent means obtaining explicit, informed agreement from users before placing non-essential cookies on their device. Non-essential cookies include analytics (Google Analytics), advertising (Meta Pixel, Google Ads), and social media tracking. Strictly necessary cookies — like session cookies that keep users logged in — don't require consent but must still be disclosed. Consent must be freely given, specific, and as easy to withdraw as it was to give.
A privacy policy covers all personal data collection and processing. A cookie policy specifically addresses cookies and tracking technologies: what cookies you use, why, which third parties set them, and how users can manage or reject them. GDPR requires both. Many businesses include a cookie section within their privacy policy, but a standalone cookie policy provides clearer disclosure and is easier to link from cookie consent banners.
Without a cookie policy, you're in violation of the EU ePrivacy Directive and GDPR. Regulators have issued significant fines over cookie consent — the Italian DPA fined Google over cookie practices, and France's CNIL has fined multiple companies for inadequate cookie consent. Beyond regulatory risk, ad platforms including Google Ads and Meta Ads increasingly require cookie consent verification to run campaigns in the EU.
Yes. A cookie policy tells users what cookies you use. A cookie consent banner (or CMP — Consent Management Platform) collects and records their consent before non-essential cookies are set. You need both: the policy for disclosure, the banner for consent collection. Note that "by continuing to use this site, you agree to our use of cookies" does not meet GDPR's standard — consent must be an affirmative action.

Your cookie policy should list your cookies. Not hypothetical ones.

Answer 10 questions about your business and the tools you use. Get a cookie policy — and 5 other legal documents — that accurately reflects your actual setup.

Generate My Cookie Policy — $19