Which cookies need consent?

Under GDPR and ePrivacy rules, all cookies except strictly necessary ones require the user's prior consent. That means preference, analytics, and marketing cookies must be off until the visitor accepts them through a consent banner.

What is the difference between a cookie policy and a privacy policy?

A cookie policy specifically lists the cookies and tracking technologies you use and how to control them. A privacy policy covers all personal data processing more broadly. Many sites link the two together.

How long can cookies last?

Session cookies expire when the browser closes. Persistent cookies have a set lifespan; common practice is up to 12 months for analytics and preferences and around 13 months for advertising, after which consent should be refreshed.

Do I need a consent banner as well as a policy?

Yes. The policy explains your cookies; the banner is how you obtain and record consent for non-essential ones. Visitors must be able to reject as easily as accept and to change their choice later.

Is this template legally binding?

No, it is a starting point, not legal advice. Have a data-protection professional review it and make sure it matches a cookie scan of your actual site before publishing.

Cookie Policy Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

List your cookies clearly and lawfully

Cookie laws require you to tell visitors which cookies you use, what they do, and how to control them — and to obtain consent before setting any that aren’t strictly necessary. A cookie policy is the document that does the explaining; this builder assembles one from the categories you actually use.

How it works

Cookies are grouped into four standard categories, each with a different consent status:

Strictly necessary — always on, no consent required, because the site cannot function without them.
Preferences / functional — remember settings; require consent.
Analytics / performance — measure usage; require consent.
Marketing / advertising — cross-site tracking; require consent.

The generator writes sections on what cookies are, the categories you selected, third-party cookies, retention, your consent mechanism, changes, and contact. If you select any consent-required category, it describes a banner with accept and reject options and a way to change choices later.

Tips and notes

Run an actual cookie scan of your site so the policy matches reality — undeclared trackers are the most common compliance gap. Make rejecting non-essential cookies as easy as accepting them, and store the user’s choice so you don’t re-prompt every visit. Keep the third-party list current as you add or remove tools. This is a template, not legal advice.