Cookies are one of the most regulated aspects of modern websites. If your website uses analytics, advertising, or any third-party embedded content, you almost certainly use cookies — and the law requires you to tell your visitors about them and, in most cases, obtain their consent before setting them. This guide explains what your cookie policy must include and how to display it correctly.
Cookie Policy vs Privacy Policy
A cookie policy specifically covers cookies and tracking technologies used on your website. A privacy policy covers all personal data you process — including but not limited to cookies. You can:
- Include cookie information within your privacy policy (combining the two into one document)
- Create a standalone cookie policy that is separate from your privacy policy
Either approach is acceptable to regulators. A standalone cookie policy is cleaner and easier to update when you add or remove tracking services. Whichever you choose, it must be easily accessible from every page of your website — typically via a footer link.
Types of Cookies and Consent Requirements
GDPR (UK/EU) divides cookies into categories based on whether consent is required:
- Strictly necessary cookies: Essential for the website to function (session cookies, security cookies, shopping cart). No consent required.
- Functional/preference cookies: Remember user preferences like language or region. Consent required unless strictly necessary for a requested service.
- Analytics cookies: Track user behaviour, page views, and traffic sources (Google Analytics, Hotjar). Consent required.
- Advertising/targeting cookies: Used to display personalised adverts (Google AdSense, Facebook Pixel). Consent required — and most strictly enforced by regulators.
- Social media cookies: Set by embedded social media content (YouTube videos, Twitter feeds). Consent required.
What Your Cookie Policy Must Include
A compliant cookie policy should cover:
- What cookies are: A brief, plain-English explanation of what cookies are and how they work
- Which cookies you use: List each cookie or category of cookie, what it does, who sets it (you or a third party), and how long it lasts
- Why you use them: The purpose of each cookie category
- Who has access to cookie data: Third parties (Google, advertising networks) who receive data from your cookies
- How to control or delete cookies: Links to browser cookie settings and third-party opt-out tools
- How to withdraw consent: Explain how users can withdraw consent they've already given
- Last updated date
Cookie Table: A Practical Format
The clearest format for listing cookies is a table with columns for: Cookie name, Provider, Purpose, Duration, and Category. For example:
| Cookie name | Provider | Purpose | Duration | Category |
| --- | --- | --- | --- | --- |
| _ga | Google Analytics | Track unique visitors | 2 years | Analytics |
| _gid | Google Analytics | Distinguish users | 24 hours | Analytics |
| IDE | Google DoubleClick | Advertising targeting | 1 year | Advertising |
| CONSENT | Google | Store consent choices | 2 years | Strictly Necessary |
You can find the names of all cookies set by your website by opening your browser's developer tools (F12), navigating to Application → Cookies, and listing all entries. Third-party services also publish their own cookie lists.
Google AdSense and Cookie Disclosure
If you use Google AdSense, you must specifically disclose in your cookie policy that:
- Google uses cookies to serve ads based on users' visits to your site and other sites on the internet
- Users can opt out of personalized advertising by visiting Google's Ads Settings
- Your site participates in the Google EU User Consent Policy (if you have EU/UK visitors)
Without these disclosures, your AdSense application may be rejected or your account suspended.
First-Party vs Third-Party Cookies
Your cookie policy must distinguish between cookies set by your own domain (first-party) and cookies set by external services embedded in your site (third-party). Third-party cookies are particularly important to disclose because users typically don't expect to be tracked by companies they haven't interacted with.
Keeping Your Cookie Policy Up to Date
Your cookie policy must accurately reflect the cookies present on your website at any given time. Update it whenever you:
- Add a new analytics or tracking service
- Install a new advertising network
- Embed social media or video content from new providers
- Remove services that previously set cookies
An outdated cookie policy — one that lists cookies you no longer use or fails to disclose cookies that are present — is a compliance risk.
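The check described above (inventory the cookies in developer tools, then compare them with the policy's table) can be scripted. The following is an added example, not part of the original guide: the site domain, the first/third-party column, and every observed row are constructed for illustration.

```javascript
// Added example: compare the cookie table in a policy with cookies seen in the browser.
// SITE, the "party" field and all OBSERVED rows are constructed for illustration.
const SITE = "example.com";

const DECLARED = [ // rows from the guide's sample table, plus an assumed party column
  { name: "_ga", duration: "2 years", party: "first" },
  { name: "_gid", duration: "24 hours", party: "first" },
  { name: "IDE", duration: "1 year", party: "third" },
  { name: "CONSENT", duration: "2 years", party: "third" },
];

const OBSERVED = [ // shaped like rows copied from DevTools > Application > Cookies
  { name: "_ga", domain: ".example.com", maxAgeDays: 730 },
  { name: "_gid", domain: ".example.com", maxAgeDays: 1 },
  { name: "IDE", domain: ".doubleclick.net", maxAgeDays: 390 },
  { name: "_fbp", domain: ".example.com", maxAgeDays: 90 },
];

const UNIT_HOURS = { hour: 1, day: 24, month: 720, year: 8760 };

// "2 years" -> 730, "24 hours" -> 1; returns NaN for text it cannot parse.
function durationToDays(text) {
  const m = /^(\d+)\s*(hour|day|month|year)s?$/i.exec(text.trim());
  return m ? (Number(m[1]) * UNIT_HOURS[m[2].toLowerCase()]) / 24 : NaN;
}

// A cookie is first-party when its domain is the site or one of its subdomains.
function partyOf(domain, site = SITE) {
  const host = domain.replace(/^\./, "").toLowerCase();
  return host === site || host.endsWith("." + site) ? "first" : "third";
}

function auditCookies(declared, observed, site = SITE) {
  const byName = new Map(declared.map((d) => [d.name, d]));
  const seen = new Set(observed.map((o) => o.name));
  const report = { undeclared: [], stale: [], wrongParty: [], longerThanDeclared: [] };
  for (const o of observed) {
    const d = byName.get(o.name);
    const party = partyOf(o.domain, site);
    if (!d) { report.undeclared.push({ name: o.name, party }); continue; }
    if (d.party !== party) report.wrongParty.push(o.name);
    if (o.maxAgeDays > durationToDays(d.duration)) report.longerThanDeclared.push(o.name);
  }
  report.stale = declared.filter((d) => !seen.has(d.name)).map((d) => d.name);
  return report;
}

console.log(JSON.stringify(auditCookies(DECLARED, OBSERVED), null, 2));
```

Each non-empty list in the report is a gap between the published policy and the site: `undeclared` cookies need a table row, `stale` rows should be removed, and `longerThanDeclared` means the stated duration understates the real lifetime.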
Frequently Asked Questions
Do I need a separate cookie policy or can I include it in my privacy policy?
You can include cookie information in your privacy policy or create a separate document. Both approaches are acceptable to regulators. A separate cookie policy is cleaner and easier to update. Both must be accessible from every page via a footer link.
What types of cookies require user consent under GDPR?
All cookies except strictly necessary cookies require prior consent under GDPR. This includes analytics cookies (Google Analytics), advertising cookies (Google AdSense), functional cookies, and social media cookies. Strictly necessary cookies — essential for the website to function — do not require consent.
Does Google Analytics require cookie consent?
Yes. Google Analytics uses cookies to track user behaviour, which requires prior consent under GDPR for UK and EU visitors. Obtain consent before the Analytics script loads, or use Google Analytics in consent mode, which sends anonymised signals without setting cookies for non-consenting users.
What is the difference between first-party and third-party cookies?
First-party cookies are set by your own domain. Third-party cookies are set by external services (Google, Facebook) embedded in your website. Third-party cookies are of particular regulatory concern because users are being tracked by companies they haven't directly interacted with.
How often should I update my cookie policy?
Update your cookie policy whenever you add or remove a service that uses cookies — analytics tools, advertising networks, embedded content. Your policy must accurately reflect the cookies actually present on your website at all times.