If you search "cookie policy template" and copy the first result, you will probably end up with something that was last updated in 2019, covers zero of the platform-specific requirements your site actually has, and gets you fined anyway.

This guide is different. You will get a complete, copy-paste-ready GDPR cookie policy template for 2026 — with every section explained, common mistakes flagged, and a clear answer to the question everyone skips: which cookies on your site actually need to be in this policy?

Before you start: Your policy needs to list the specific cookies your site sets. Use the free CookieGuard scanner to get an inventory of every cookie your site actually sets — then paste the results into your policy. Writing a policy without knowing your cookies is like writing a menu without knowing what's in the kitchen.

What a GDPR Cookie Policy Must Include

The GDPR (and the ePrivacy Directive that runs alongside it) sets out specific disclosures required in any cookie policy. These are not optional add-ons — they are legal requirements. Regulators have issued fines for policies that omit them.

| Required Element | What It Means | Status |
|---|---|---|
| What cookies you use | Named list: cookie name, purpose, duration, and whether it's first- or third-party | Required |
| Legal basis for each category | Consent (Art. 6(1)(a)) for analytics/marketing; legitimate interest for functional cookies | Required |
| How to withdraw consent | User-facing mechanism to opt out at any time, not just "adjust browser settings" | Required |
| Third-party disclosure | Who third-party cookies belong to (Google, Meta, etc.) and links to their policies | Required |
| Data transfers outside EU | If any cookie data is processed outside the EU/EEA, you must disclose this and the legal basis | Required |
| Cookie categories | Strictly necessary, functional, analytics, marketing — clearly distinguished | Recommended |
| Last updated date | Regulators check whether your policy reflects your actual current cookie usage | Recommended |
| Contact / DPO details | Who users contact to exercise rights (access, erasure, portability) | Recommended |
| Link to full Privacy Policy | Cookie policy and privacy policy should cross-reference each other | Best Practice |

The enforcement trend in 2025-2026: DPAs (Data Protection Authorities) across France, Ireland, Italy, and Spain have shifted from warning letters to immediate fines for companies that can't demonstrate real-time accuracy of their cookie disclosures. A policy written 18 months ago that doesn't list your current analytics stack is non-compliant — even if it was perfect when you wrote it.

Free GDPR Cookie Policy Template (2026)

Copy each section below and fill in the placeholders, shown in square brackets, with your specific information.

Section 1: Introduction

📋 Copy-Paste Template

Cookie Policy

Last updated: [Date — update every time your cookie usage changes]


This Cookie Policy explains how [Your Company Name] ("[we / us / our]"), operating the website [yourdomain.com] (the "Site"), uses cookies and similar tracking technologies when you visit our Site.


By continuing to use our Site after being presented with our cookie consent notice, you consent to the use of cookies as described in this policy. You may withdraw your consent at any time using the methods described in the "How to Control Cookies" section below.


This Cookie Policy should be read alongside our Privacy Policy, which explains how we handle the personal data we collect.

Section 2: What Are Cookies?

📋 Copy-Paste Template

What Are Cookies?


Cookies are small text files placed on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognise your device on subsequent visits and remember certain information about your session.


We use both first-party cookies (set directly by [yourdomain.com]) and third-party cookies (set by external services we use, such as analytics providers or advertising networks). First-party cookies are within our direct control; third-party cookies are governed by the privacy policies of those external services.


Cookies may be:

  • Session cookies — deleted when you close your browser.
  • Persistent cookies — remain on your device for a set period or until you delete them.

Section 3: Cookie Categories & Detailed Inventory

This is the section regulators inspect most closely. You need to list every cookie your site actually sets — not a generic list, your actual cookies. Run the free cookie scanner first, then populate this table.

📋 Copy-Paste Template

1. Strictly Necessary Cookies

These cookies are essential for the Site to function and cannot be disabled. They do not require consent under GDPR. They are set in response to actions you take, such as logging in or filling in forms.


| Cookie Name | Provider | Purpose | Expiry |
|---|---|---|---|
| [e.g. __session] | [yourdomain.com] | [Maintains user login session] | [Session] |
| [e.g. csrf_token] | [yourdomain.com] | [Security: prevents cross-site request forgery] | [Session] |

2. Functional Cookies

These cookies enable enhanced functionality and personalisation. They may be set by us or by third-party providers. If you disable them, some functionality may not work as expected. Legal basis: Legitimate interests (where functionality is strictly required) or consent.


| Cookie Name | Provider | Purpose | Expiry |
|---|---|---|---|
| [e.g. locale] | [yourdomain.com] | [Remembers language preference] | [1 year] |

3. Analytics Cookies

These cookies collect information about how visitors use the Site — which pages are visited, how long visitors stay, and where they came from. This data is aggregated and anonymised where possible. Legal basis: Consent (required under ePrivacy Directive before firing analytics cookies).


| Cookie Name | Provider | Purpose | Expiry | Third-Party Policy |
|---|---|---|---|---|
| _ga, _ga_* | Google Analytics | Tracks unique visitors and session data for traffic analysis | 2 years / 2 years | Google Privacy Policy |
| [Add other analytics cookies found by scanner] | [Provider] | [Purpose] | [Duration] | [Link] |

4. Marketing / Targeting Cookies

These cookies track your browsing activity to deliver relevant advertising and measure ad campaign effectiveness. They are set by our advertising partners and are always governed by those partners' privacy policies. Legal basis: Consent (required; cannot rely on legitimate interest for advertising cookies per EDPB guidance).


| Cookie Name | Provider | Purpose | Expiry | Third-Party Policy |
|---|---|---|---|---|
| _fbp, _fbc | Meta (Facebook) | Tracks ad conversions and builds audience profiles for targeting | 3 months / session | Meta Privacy Policy |
| [Add other marketing cookies found by scanner] | [Provider] | [Purpose] | [Duration] | [Link] |

🔍 Not sure which cookies your site sets?

Paste your URL into the CookieGuard scanner and get a full inventory in 30 seconds — free, no account required. Use the results to fill in the cookie tables above.


Section 4: Legal Bases for Processing

📋 Copy-Paste Template

Legal Bases for Cookie Processing


We process cookie data on the following legal bases under GDPR Article 6:

  • Consent (Art. 6(1)(a)): For analytics and marketing cookies, we obtain your explicit consent before setting them. You may withdraw consent at any time.
  • Legitimate Interests (Art. 6(1)(f)): For strictly necessary and functional cookies where processing is required to deliver the service you have requested.

Where cookies involve the transfer of personal data outside the European Economic Area (EEA) — for example, to Google LLC (USA) or Meta Platforms Inc. (USA) — such transfers are covered by [Standard Contractual Clauses / adequacy decisions — specify which apply]. Copies of these safeguards are available on request.

Section 5: How to Control Cookies

📋 Copy-Paste Template

How to Control and Withdraw Consent


You have the right to withdraw your cookie consent at any time. You can do this through:

  • Our consent management tool: Click the cookie settings button [describe where — e.g., "in the footer of any page" or "via the 🍪 icon in the bottom-left corner"] to adjust your preferences at any time.
  • Browser settings: All major browsers allow you to block or delete cookies. Note that blocking strictly necessary cookies will affect site functionality.
  • Opt-out tools for third parties:

Withdrawing consent does not affect the lawfulness of processing based on consent before your withdrawal. We will not process non-essential cookies until you provide explicit consent.

Section 6: Updates to This Policy

📋 Copy-Paste Template

Changes to This Cookie Policy


We review and update this Cookie Policy whenever our cookie usage changes — for example, when we add a new analytics tool, install a new third-party widget, or change how we serve advertising. The "Last updated" date at the top of this policy reflects the most recent revision.


We recommend reviewing this policy periodically. For significant changes, we will re-present the consent notice to existing users.


Contact us: For questions about this Cookie Policy, contact our Data Protection Officer at [privacy@yourdomain.com] or write to [Your Company Name, Your Address].

Common Mistakes That Make Cookie Policies Non-Compliant

These are the patterns that have resulted in actual enforcement actions across the EU. Tick them off against your own policy.

Mistake 1: Generic cookie lists instead of your actual cookies. Listing "analytics cookies" without naming specific cookies (e.g., _ga, _ga_XXXXXX) fails the transparency requirement. CNIL (France) fined Google and Facebook for exactly this. Your policy must name the actual cookies your site sets — which means you need to audit first.

Mistake 2: Outdated policy that doesn't match your current stack. If you added Hotjar six months ago but your cookie policy still doesn't mention it, you're non-compliant. Regulators have issued fines where the policy was perfectly written for a prior version of the site. The only way to avoid this is to re-audit every time you add a new tool — or to automate it.

Mistake 3: No mechanism to withdraw consent. "To opt out, adjust your browser settings" is not sufficient. GDPR requires withdrawing consent to be as easy as giving it. You need an actual preference centre — a UI where users can toggle consent categories — not just a link to browser docs.

Mistake 4: Claiming legitimate interest for marketing cookies. The European Data Protection Board (EDPB) guidelines are clear: legitimate interest cannot be used as a legal basis for advertising/tracking cookies. Consent is required. Some sites still list "legitimate interests" for targeting cookies — that's a fine waiting to happen.

Mistake 5: Failing to disclose international data transfers. If Google Analytics processes your users' data in the US, your policy must say so and explain the transfer mechanism (Standard Contractual Clauses). This is not a technicality — it was the core of the Schrems II ruling that made EU-US data transfers a compliance flashpoint.

Mistake 6: Placing the cookie policy where users can't find it. Your cookie policy must be accessible from your consent banner and from every page (typically via a footer link). A policy buried three links deep, or only accessible from the consent banner (not the footer), has been flagged in several DPA audits.

Which Cookies Need to Be in Your Policy?

All cookies your site sets — including third-party cookies loaded by embedded scripts — must be disclosed. This is where most policies fail: they list only the cookies they knowingly set, while ignoring everything loaded by Google Tag Manager, third-party chat widgets, social sharing buttons, and CDN-served scripts.

The practical answer: run a headless browser scan against your site (simulating an incognito session with no prior consent) and capture every cookie set on page load and during navigation. That list is your disclosure obligation.

Common sources of undisclosed third-party cookies:

  • Google Tag Manager — fires GA4, Google Ads, and other tags that each set their own cookies. GTM itself is not the cookie — the tags it fires are.
  • Embedded YouTube videos — even in "privacy-enhanced mode," YouTube sets cookies on play. Disclose YSC, VISITOR_INFO1_LIVE.
  • Live chat tools — Intercom, Crisp, Drift all set persistent identification cookies.
  • Social proof widgets — Trustpilot, G2, and review widgets frequently set third-party tracking cookies.
  • A/B testing tools — Optimizely, VWO, and similar tools use cookies to maintain consistent variant assignments.
  • Affiliate tracking — even if you don't use them, your marketing team might have installed pixels that set cookies without telling engineering.
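The scan-to-inventory step described above, as an added example that is not CookieGuard's scanner or code from this page: the script takes cookie records in the shape a headless browser such as Playwright reports them (name, domain, path, expires as Unix seconds or -1 for a session cookie, secure, httpOnly; the same fields DevTools shows under Application > Cookies) and turns them into the rows the Section 3 tables ask for. The provider catalogue covers only the cookie names this guide mentions, the sample capture and the chat_uid cookie are constructed, yourdomain.com is the template's placeholder, and the first-party check is a plain suffix match with no Public Suffix List.

```python
"""Build the Section 3 inventory rows from a headless-browser cookie capture.

Added example for this guide, not CookieGuard's scanner. Input records use the
shape Playwright's context.cookies() returns: name, domain, path, expires
(Unix seconds, or -1 for a session cookie), secure, httpOnly. The provider
catalogue and the sample capture below are constructed.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

SITE_DOMAIN = "yourdomain.com"  # the template's placeholder domain

# Provider and category for the cookie names this guide mentions. A name that
# matches nothing is attributed to the domain it lives on and flagged for
# review: a scan proves a cookie exists, not why it exists.
KNOWN_COOKIES = [
    ("_ga", "Google Analytics", "Analytics"),
    ("_ga_*", "Google Analytics", "Analytics"),
    ("_fbp", "Meta (Facebook)", "Marketing"),
    ("_fbc", "Meta (Facebook)", "Marketing"),
    ("YSC", "YouTube", None),
    ("VISITOR_INFO1_LIVE", "YouTube", None),
]

def lookup_provider(name):
    """(provider, category) for a catalogued name, else (None, None)."""
    for pattern, provider, category in KNOWN_COOKIES:
        if fnmatch(name, pattern):
            return provider, category
    return None, None

def under_site(cookie_domain, site_domain):
    """True if the cookie's Domain is the site or a subdomain of it.
    Simplification: plain suffix match, no Public Suffix List."""
    d, s = cookie_domain.lstrip(".").lower(), site_domain.lower()
    return d == s or d.endswith("." + s)

def describe_expiry(expires, now):
    """Round a Unix expiry into the lifetime wording the template uses."""
    if expires is None or expires < 0:
        return "Session"
    days = round((datetime.fromtimestamp(expires, timezone.utc) - now).total_seconds() / 86400)
    if days < 1:
        return "Less than 1 day"
    if days >= 365:
        n, unit = round(days / 365), "year"
    elif days >= 30:
        n, unit = round(days / 30), "month"
    else:
        n, unit = days, "day"
    return f"{n} {unit}" + ("s" if n != 1 else "")

def classify(cookie, site_domain, now):
    """One inventory row for one captured cookie."""
    provider, category = lookup_provider(cookie["name"])
    on_site_domain = under_site(cookie["domain"], site_domain)
    if provider is None:
        provider = site_domain if on_site_domain else cookie["domain"].lstrip(".")
    # _ga and _fbp live on your own domain but are set by external scripts, so
    # they stay third-party for disclosure purposes: party follows the provider.
    party = "First-party" if on_site_domain and provider == site_domain else "Third-party"
    return {
        "name": cookie["name"], "provider": provider, "party": party,
        "category": category or "REVIEW: categorise manually",
        "expiry": describe_expiry(cookie.get("expires", -1), now),
    }

def build_inventory(capture, site_domain=SITE_DOMAIN, now=None):
    now = now or datetime.now(timezone.utc)
    return [classify(c, site_domain, now) for c in capture]

def render_table(rows):
    """Rows in the template's column order; Purpose stays a placeholder."""
    lines = ["Cookie Name | Provider | Purpose | Expiry | Party"]
    for r in rows:
        lines.append(f"{r['name']} | {r['provider']} | [{r['category']}: describe purpose] | {r['expiry']} | {r['party']}")
    return "\n".join(lines)

# Constructed sample capture from a fresh incognito session on 1 March 2026.
SCAN_TIME = datetime(2026, 3, 1, tzinfo=timezone.utc)

def _in(days):
    return int((SCAN_TIME + timedelta(days=days)).timestamp())

SAMPLE_CAPTURE = [
    {"name": "__session", "domain": "yourdomain.com", "expires": -1, "secure": True, "httpOnly": True},
    {"name": "locale", "domain": "yourdomain.com", "expires": _in(365), "secure": True, "httpOnly": False},
    {"name": "_ga", "domain": ".yourdomain.com", "expires": _in(730), "secure": False, "httpOnly": False},
    {"name": "_ga_ABC123", "domain": ".yourdomain.com", "expires": _in(730), "secure": False, "httpOnly": False},
    {"name": "_fbp", "domain": ".yourdomain.com", "expires": _in(90), "secure": False, "httpOnly": False},
    {"name": "YSC", "domain": ".youtube.com", "expires": -1, "secure": True, "httpOnly": True},
    {"name": "chat_uid", "domain": ".yourdomain.com", "expires": _in(270), "secure": False, "httpOnly": False},  # constructed unknown
]

if __name__ == "__main__":
    print(render_table(build_inventory(SAMPLE_CAPTURE, now=SCAN_TIME)))
```

Purpose is deliberately left as a placeholder: a scan proves that a cookie exists and how long it lives, but the purpose and category are statements you make, so anything outside the catalogue is flagged for manual review rather than guessed. Note that _ga and _fbp sit on your own domain yet are reported as third-party, because the template defines the party by who sets and controls the cookie, not by its Domain attribute.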

📋 Know exactly what you need to disclose

The CookieGuard scanner identifies every cookie your site sets — including third-party cookies from embedded scripts, marketing pixels, and CDN libraries — and categorises them by severity. Takes 30 seconds.


How to Keep Your Policy Updated Automatically

The fundamental problem with cookie policies is not writing them — it's maintaining them. Your site's cookie footprint changes every time:

  • You add a new analytics or marketing tool
  • You install a third-party widget or plugin
  • You update a CMS or e-commerce platform (Shopify and WooCommerce updates frequently change cookie behaviour)
  • Your marketing team adds a pixel via GTM without telling anyone

Manual auditing doesn't scale. The options for keeping a policy accurate over time are:

Option 1: Quarterly manual audits

Schedule a quarterly cookie audit using a combination of browser DevTools (open an incognito window, visit your site, check Application > Cookies) and a network analysis tool. Effective but time-consuming — a thorough audit takes 2–4 hours for a medium-complexity site. See our full cookie compliance audit guide for the step-by-step process.

Option 2: Automated monitoring with CookieGuard

CookieGuard scans your site continuously, alerts you when new cookies appear, and maintains an always-current cookie inventory you can export directly into your policy. When your marketing team fires a new GTM tag that drops a tracking cookie at 3am, you'll know by morning — not at the next quarterly review.

This matters because the gap between "a new cookie appeared" and "regulators notice your policy is outdated" can be as short as 30 days in active enforcement jurisdictions like France, Germany, and Italy.
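A scheduled drift check in the spirit of Option 2, as an added example that is not CookieGuard's product or code from this page: it compares the cookie table as published in the policy against the inventory a fresh scan produced and reports the three ways a policy goes stale that Mistake 2 and this section describe: cookies now set but never disclosed, entries still in the policy for cookies the site no longer sets, and lifetimes that no longer match. Both inputs are constructed; the declared table mirrors the Section 3 template and the observed list reuses cookie names from this guide.

```python
"""Policy-drift check: what the site sets versus what the policy declares.

Added example for this guide, not CookieGuard's monitoring. DECLARED is the
cookie table as written in the policy (names exactly as they appear there,
wildcards included); OBSERVED is the inventory from a fresh incognito scan.
Both are constructed. Run it on a schedule so a new tag fails a check the
next morning instead of surfacing at the quarterly audit.
"""
from fnmatch import fnmatch

# Constructed: the published policy, mirroring the template tables.
DECLARED = [
    {"name": "__session", "provider": "yourdomain.com", "expiry": "Session"},
    {"name": "csrf_token", "provider": "yourdomain.com", "expiry": "Session"},
    {"name": "locale", "provider": "yourdomain.com", "expiry": "1 year"},
    {"name": "_ga", "provider": "Google Analytics", "expiry": "2 years"},
    {"name": "_ga_*", "provider": "Google Analytics", "expiry": "2 years"},
]

# Constructed: what today's scan saw. _fbp was never disclosed, csrf_token is
# no longer set, and the _ga_ cookie's lifetime differs from the policy.
OBSERVED = [
    {"name": "__session", "domain": "yourdomain.com", "expiry": "Session"},
    {"name": "locale", "domain": "yourdomain.com", "expiry": "1 year"},
    {"name": "_ga", "domain": ".yourdomain.com", "expiry": "2 years"},
    {"name": "_ga_ABC123", "domain": ".yourdomain.com", "expiry": "1 year"},
    {"name": "_fbp", "domain": ".yourdomain.com", "expiry": "3 months"},
]

def find_declaration(name, declared):
    """Exact policy entries win; wildcard entries such as _ga_* match after."""
    for entry in declared:
        if entry["name"] == name:
            return entry
    for entry in declared:
        if any(ch in entry["name"] for ch in "*?") and fnmatch(name, entry["name"]):
            return entry
    return None

def check_drift(observed, declared):
    """Return the findings a policy review needs.

    undisclosed: set on the site, absent from the policy  (Mistake 2)
    stale:       in the policy, no longer set on the site
    mismatched:  (name, declared lifetime, observed lifetime)
    """
    undisclosed, mismatched, matched = [], [], set()
    for cookie in observed:
        entry = find_declaration(cookie["name"], declared)
        if entry is None:
            undisclosed.append(cookie)
            continue
        matched.add(entry["name"])
        if entry["expiry"] != cookie["expiry"]:
            mismatched.append((cookie["name"], entry["expiry"], cookie["expiry"]))
    stale = [e["name"] for e in declared if e["name"] not in matched]
    return {"undisclosed": undisclosed, "stale": stale, "mismatched": mismatched}

def policy_is_current(findings):
    """The policy is accurate only when all three finding lists are empty."""
    return not (findings["undisclosed"] or findings["stale"] or findings["mismatched"])

def report(findings):
    lines = []
    for c in findings["undisclosed"]:
        lines.append(f"UNDISCLOSED  {c['name']:<14} domain={c['domain']} expiry={c['expiry']} -> add to policy")
    for name in findings["stale"]:
        lines.append(f"STALE        {name:<14} in policy but not set -> remove or confirm")
    for name, declared_exp, seen_exp in findings["mismatched"]:
        lines.append(f"MISMATCH     {name:<14} policy says {declared_exp}, site sets {seen_exp}")
    return "\n".join(lines) if lines else "Policy matches current cookie usage."

if __name__ == "__main__":
    import sys
    findings = check_drift(OBSERVED, DECLARED)
    print(report(findings))
    # Non-zero exit so a scheduled job or CI pipeline fails when the policy drifts.
    sys.exit(0 if policy_is_current(findings) else 1)
```

Feed OBSERVED from whatever produces your scan (a headless-browser run or an export of DevTools' Application > Cookies) and keep DECLARED as the single source for the policy's table, so the two cannot silently diverge. The exit status is the useful part: wired into a nightly job, an undisclosed cookie becomes a failing check with the cookie name and domain in the output, which is the lead time the enforcement paragraph above is about.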
