If your website uses Google Analytics, displays ads, embeds YouTube videos, or runs a social share button, it sets cookies — and in most of the world, you are legally required to tell your users about it. Creating a cookie policy does not require a lawyer or weeks of work. This guide explains what a cookie policy is, which laws require it, exactly what it needs to contain, and how to generate a compliant one in minutes using a free online tool.
What is a cookie policy?
A cookie policy is a legal document published on your website that explains which cookies your site sets, why it sets them, who places them (your own server or third-party services), and how long they persist. It also tells users how to control or opt out of non-essential cookies. Think of it as the transparency disclosure for the invisible tracking layer of your website.
What counts as a cookie?
The legal definition of "cookie" in most privacy laws is broader than just HTTP cookies. It covers all technologies that store or access information on a user's device: traditional cookies, local storage, session storage, web beacons, tracking pixels, fingerprinting scripts, and browser-based identifiers. If a third-party analytics or advertising script you embed does any of these things — even passively — it needs to be disclosed in your cookie policy.
The four standard cookie categories
- Strictly necessary — session management, shopping carts, login authentication. No consent required; cannot be opted out.
- Functional — saved preferences, language settings, accessibility options. Consent required in most EU interpretations.
- Analytics — Google Analytics, Matomo, Hotjar, Microsoft Clarity. Consent required before setting under GDPR.
- Advertising — Google Ads, Facebook Pixel, programmatic ad networks, affiliate tracking pixels. Highest consent threshold.
Note
Do you legally need a cookie policy?
Whether you legally need a cookie policy depends on which cookies you use and where your users are located. Most websites serving a global audience need one under at least one jurisdiction. Understanding the key regulations helps you calibrate the level of detail your policy requires.
GDPR and the ePrivacy Directive (EU/EEA/UK)
The EU's General Data Protection Regulation (GDPR) and the ePrivacy Directive (often called the EU Cookie Law) together require websites to: disclose every cookie and tracking technology used, obtain explicit prior consent for non-essential cookies, allow users to withdraw consent as easily as they granted it, and document the legal basis for each processing activity. The UK's PECR (Privacy and Electronic Communications Regulations) mirrors the ePrivacy Directive post-Brexit. Non-compliance fines under GDPR can reach €20 million or 4% of global annual turnover.
CCPA (California, USA)
California's Consumer Privacy Act requires businesses that meet certain size or revenue thresholds to disclose what personal information they collect (including via cookies), to provide a "Do Not Sell My Personal Information" link if they sell data, and to honour opt-out requests. The CPRA (California Privacy Rights Act, 2023) expanded these requirements. Even smaller sites that do not meet the CCPA thresholds often adopt California-friendly language because many ad networks require it.
Storing or accessing information on a user's terminal equipment requires their prior informed consent — unless the storage or access is strictly necessary for a service the user has explicitly requested.
| Regulation | Region | Consent required? | Policy required? |
|---|---|---|---|
| GDPR + ePrivacy Directive | EU/EEA | ✓ Prior opt-in for non-essential | ✓ Yes |
| PECR | UK | ✓ Prior opt-in for non-essential | ✓ Yes |
| CCPA / CPRA | California, USA | ✗ Opt-out model | ✓ Yes (above thresholds) |
| LGPD | Brazil | ✓ Consent for sensitive data | ✓ Yes |
| PIPEDA | Canada | ✗ Implied consent acceptable | ✓ Recommended |
| No specific law | Other | ✗ Not required by law | ✓ Best practice |
Warning
What to include in a cookie policy
A legally adequate cookie policy contains several specific elements. Vague statements like "we use cookies to improve your experience" do not satisfy GDPR requirements. Regulators expect concrete, specific disclosures for each category of cookie your site uses.
Required elements under GDPR
- Cookie inventory — a list of each cookie name, its purpose, who sets it, and its expiry duration
- Cookie categories — clearly distinguish strictly necessary, functional, analytics, and advertising cookies
- Third-party names — explicitly name every third party whose scripts or pixels you load (Google Analytics, Facebook, YouTube, etc.)
- Consent mechanism — how users can accept or reject non-essential cookies, and how to withdraw consent later
- Legal basis — the legal basis for each processing activity (consent, legitimate interest, etc.)
- Contact details — how users can submit privacy requests or questions about your cookie usage
- Last updated date — when the policy was last reviewed and updated
Additional elements for CCPA
California residents have the right to know what personal information is collected, sold, or disclosed. If your analytics or advertising cookies involve selling data to third parties, your cookie policy (or a linked privacy policy section) must include a "Do Not Sell or Share My Personal Information" link that is prominently accessible. The Cookie Policy Generator includes a CCPA-specific section when you indicate you serve California users.
Tip
How to create a cookie policy for free
Generating a cookie policy from scratch takes under three minutes with the right tool. The steps below use the Quasar Tools Cookie Policy Generator, which produces customised output based on your specific website details, cookie types, and jurisdictions — no signup required.
Open the Cookie Policy Generator
Navigate to the Cookie Policy Generator. The form asks for your website name, website URL, and a contact email address for privacy enquiries. These details are embedded in the generated policy so users know how to reach you about cookie-related requests.
Select your cookie categories and third-party services
Indicate which cookie categories your site uses: strictly necessary, functional, analytics, and advertising. Then select the specific third-party services you embed — Google Analytics 4, Google Tag Manager, YouTube embeds, Facebook Pixel, Google Ads, and others. Each service gets named explicitly in the generated policy, which is what GDPR requires rather than generic references to "analytics cookies."
Set your jurisdiction and consent settings
Select the jurisdictions applicable to your audience. Choosing EU/EEA adds GDPR-specific language about prior consent, legal bases, and user rights. Choosing California adds CCPA opt-out language. Choosing both generates a combined policy that satisfies the requirements of each. The generator tailors the consent mechanism language to the strictest applicable standard.
Copy, review, and publish the policy
Copy the generated policy text and publish it to a dedicated page on your website — typically at /cookie-policy. Review it to confirm every third-party service you actually use is named. Then link to the policy page from your cookie consent banner, your privacy policy, and your website footer. Regenerate the policy whenever you add or remove a tracking service.
Cookie Policy Generator
Generate a comprehensive, customised cookie policy covering GDPR, ePrivacy, and CCPA in under three minutes — free, no signup, runs in your browser.
Best free cookie policy generators compared
Several free cookie policy generators exist, ranging from basic templates to fully customised outputs. The right choice depends on how much customisation you need, whether you want browser-local processing (no data sent to a server), and whether you need to generate companion documents like a privacy policy or terms of service at the same time.
Quasar Tools Cookie Policy Generator
The Quasar Tools Cookie Policy Generator generates a fully customised policy based on your specific inputs — website name, cookie categories, named third-party services, and applicable jurisdictions. It runs entirely in the browser, so no data is sent to any server. There is no account, no email required, and no premium tier. The companion Privacy Policy Generator and Terms of Service Generator are available on the same platform for a complete legal document suite.
TermsFeed (third-party)
TermsFeed is a well-known legal document generator that offers a free cookie policy tier with limited customisation. The free version produces a basic template; advanced customisation and automatic policy updates (as laws change) require a paid subscription. It is a reasonable option for businesses that want automatic update notifications, though the free output requires manual review against your actual cookie inventory.
Cookiebot CMP (managed compliance)
Cookiebot is a Cookie Management Platform that automatically scans your site for cookies, generates a compliant banner, and maintains an up-to-date cookie declaration on a hosted page. It is the most comprehensive option for GDPR compliance but operates on a subscription model and injects its own scripts into your site. It is overkill for simple sites; the right choice for high-traffic sites in regulated industries.
| Generator | Customised output | Browser-local | Free tier | Companion docs |
|---|---|---|---|---|
| Quasar Tools | ✓ Full customisation | ✓ Yes — no upload | ✓ Fully free | ✓ Privacy + ToS |
| TermsFeed | ✓ Basic customisation | ✗ Server-side | ✓ Limited | ✓ Privacy + ToS |
| Cookiebot CMP | ✓ Auto-scan | ✗ Hosted service | ✓ Up to 50 pages | ✗ Banner only |
| GetTerms.io | ✓ Good customisation | ✗ Server-side | ✓ Limited | ✓ Privacy |
| PrivacyPolicies.com | ✓ Moderate | ✗ Server-side | ✓ Watermarked | ✓ Privacy |
Cookie policy vs privacy policy
Many website owners confuse cookie policies and privacy policies, or assume one document covers both requirements. They are distinct documents with different scope, different legal triggers, and different audiences.
What each document covers
A privacy policy covers all personal data your business collects, processes, stores, and shares — account information, contact form submissions, IP addresses, transaction data, email marketing lists, and cookie data. It is required by virtually every privacy law globally and by most third-party services' terms of use. A cookie policy is a focused document specifically about cookies and similar tracking technologies: what they are, who sets them, and how to control them. GDPR and the ePrivacy Directive treat the cookie disclosure as a distinct requirement from the general privacy policy.
Can they be combined?
Yes. Many sites publish a single page called "Privacy and Cookie Policy" or a privacy policy with a dedicated "Cookies" section. This is acceptable under GDPR provided the cookie-specific information is clearly labelled and complete. The advantage of separate documents is that the cookie policy URL can be linked directly from the consent banner — keeping it focused makes it more readable for users who just want cookie information without reading the full privacy policy. The Privacy Policy Generator on Quasar Tools generates the companion document if you prefer to publish both.
Note
Keeping your cookie policy up to date
A cookie policy published once and never updated is a compliance risk. The cookie and tracking landscape changes constantly — new analytics tools get added, advertising partners change, and regulations evolve. A policy that no longer reflects your actual practices is potentially worse than no policy at all, because it actively misrepresents your data processing to users and regulators.
Triggers for an update
- Adding a new analytics or marketing tool — any new script that sets cookies or uses fingerprinting needs to be added to the policy
- Removing a tool — tools you no longer use should be removed from the cookie list to avoid overclaiming
- A third-party changes its cookie names or duration — e.g. Google Analytics 4 replaced Universal Analytics with different cookie names
- Entering a new market — launching in the EU, UK, or California for the first time triggers new compliance obligations
- Regulatory guidance changes — national data protection authorities regularly issue new interpretations of existing rules
How to manage updates efficiently
The simplest approach is to keep the generator inputs (which services you use, which jurisdictions you serve) in a document and regenerate the policy whenever a trigger event occurs. Re-run the Cookie Policy Generator, paste the updated output, and increment the "last updated" date on the policy page. Notify users of material changes via a banner or email if the change significantly affects how you use their data.
Warning
Privacy Policy Generator
Generate a full privacy policy covering data collection, user rights, GDPR and CCPA compliance, and third-party service disclosures — free, browser-local, no signup.
Key takeaways
- A cookie policy is a legal requirement in the EU, UK, and for many US sites — it must disclose every cookie category, name each third-party service, and explain how users can opt out.
- GDPR and the ePrivacy Directive require prior consent for non-essential cookies from EU users — disclosure alone is not sufficient.
- The Cookie Policy Generator creates a customised, jurisdiction-specific policy in under three minutes with no signup required.
- Strictly necessary cookies do not require consent; analytics, functional, and advertising cookies all require explicit opt-in under GDPR.
- A cookie policy and a privacy policy are distinct documents with different scope — both are typically required for GDPR compliance.
- Update your cookie policy every time you add, remove, or change a third-party tracking service — a stale policy misrepresents your actual data practices.
- Link your cookie policy directly from your consent banner, your privacy policy, and your website footer for full GDPR layered-notice compliance.