Cookie Policy Guide
A cookie policy is a document that tells visitors what cookies your website uses, why, and how they can control them. Privacy laws require you to inform visitors about cookies and similar tracking technologies. A cookie policy is the standard way to do this.
Cookie policy vs. privacy policy
A privacy policy covers all personal data processing on your website (forms, accounts, newsletters, etc.). A cookie policy focuses specifically on cookies and similar tracking technologies: pixels, web beacons, localStorage, and device fingerprinting.
They can be combined into a single document or kept separate. A separate cookie policy has practical advantages: it's easier for visitors to find cookie-specific information, easier for your consent banner to link to, and easier to keep up to date when your cookie usage changes, since you don't have to rewrite the entire privacy policy each time.
What a cookie policy should contain
To meet the transparency requirements of GDPR and other privacy regulations, your cookie policy should include:
What cookies and tracking technologies you use
A list of all cookies set by your website, including their names, the domain that sets them, and what type they are (necessary, analytics, marketing, etc.). This should also cover similar technologies like tracking pixels and localStorage if used.
Purpose of each cookie
A clear explanation of what each cookie does and why it's used. "This cookie is used for analytics" is a minimum; more specific descriptions are better.
Legal basis
Under GDPR, you must state the legal basis for processing data through each cookie category. For non-essential cookies this is typically consent. For strictly necessary cookies, it's legitimate interest or contractual necessity. This is one of the most commonly missing elements in cookie policies.
Duration
How long each cookie is stored on the visitor's device. Session cookies are intended to expire when the browser closes, though some browsers that restore sessions may retain them. Persistent cookies should list their specific expiry period.
Third parties
If cookies are set by third-party services (Google, Meta, etc.), identify them and explain what data they receive. Link to their privacy policies where possible.
How to manage cookies
Instructions on how visitors can change their cookie preferences, withdraw consent, or delete cookies through your consent banner and through their browser settings.
Contact information
How to reach your privacy contact or, if applicable, your data protection officer for questions about cookies or data processing.
Example cookie entry
Here's what a well-documented cookie record looks like:
| Field | Value |
|---|---|
| Name | _ga |
| Provider | Google Analytics |
| Category | Analytics |
| Purpose | Distinguishes unique visitors by assigning a randomly generated number as a client identifier. Used to calculate visitor, session, and campaign data for site analytics reports. |
| Duration | 2 years |
| Type | First-party, persistent |
| Legal basis | Consent |
Every cookie in your policy should have this level of detail. LiteConsent generates these records automatically when you scan your site.
How often to update
Your cookie policy should be reviewed and updated whenever:
- You add or remove third-party services (analytics, ads, chat widgets, payment processors)
- You change how you use existing cookies (different purposes, longer retention)
- Privacy laws change or new regulations take effect
- You expand to new markets or jurisdictions
- A scan reveals cookies you didn't know about (third-party scripts often set additional cookies when they update)
Rather than relying on a fixed calendar, the best approach is to re-run the Setup Assistant periodically to catch new cookies. If your site changes frequently (new features, new integrations), check quarterly. For stable sites, twice a year is reasonable.
Common mistakes
Using a generic template without customizing
Cookie policies must accurately reflect the cookies on your specific website. A generic template will list cookies you don't use and miss cookies you do. The information must match reality to be compliant.
Vague descriptions
"We use cookies to improve your experience" tells the visitor nothing useful. Each cookie should have a specific, honest description of its purpose.
Outdated information
A cookie policy that hasn't been updated since the site launched will likely be inaccurate. Third-party scripts change, new tools get added, and cookie names evolve.
Missing cookies
Only listing cookies you know about isn't enough. Third-party scripts often set additional cookies that aren't documented. A thorough cookie scan is the only way to ensure completeness.
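As an added example (not LiteConsent's scanner or any code from this page), the Python script below builds inventory records of the kind shown in the Example cookie entry section from Set-Cookie response headers, then compares the observed cookie names against the ones a policy already declares, which is the completeness check behind the "Missing cookies" point. The hostnames, headers, scan date and declared list are constructed sample data; the first-party classification uses a plain suffix match on the site host rather than a public-suffix list, which is a simplification, and the script does not look at localStorage or tracking pixels.

```python
"""Build cookie-inventory records from Set-Cookie headers and flag undocumented cookies.

Added illustration, not LiteConsent code. All hostnames, headers and the declared
cookie list are constructed sample data; the scan date is fixed so results are stable.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieRecord:
    name: str
    domain: str                   # domain the cookie is scoped to
    party: str                    # "First-party" or "Third-party" relative to the site
    type: str                     # "Session" or "Persistent"
    duration_days: Optional[int]  # None for session cookies


def _is_first_party(cookie_domain: str, site_host: str) -> bool:
    # A Domain attribute may carry a leading dot. Assumption: a cookie is first-party
    # when its domain equals the site host or is a parent of it (simple suffix match,
    # no public-suffix list).
    d = cookie_domain.lower().lstrip(".")
    h = site_host.lower()
    return h == d or h.endswith("." + d)


def parse_set_cookie(header: str, response_host: str, site_host: str,
                     now: datetime) -> CookieRecord:
    """Turn one Set-Cookie header value into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain") or response_host

    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    duration = None
    if "max-age" in attrs:
        try:
            duration = max(int(attrs["max-age"]), 0) / 86400
        except ValueError:
            duration = None
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            duration = max((expires - now).total_seconds(), 0) / 86400
        except (TypeError, ValueError):
            duration = None

    return CookieRecord(
        name=name,
        domain=domain,
        party="First-party" if _is_first_party(domain, site_host) else "Third-party",
        type="Persistent" if duration is not None else "Session",
        duration_days=None if duration is None else round(duration),
    )


# Constructed sample data: (host that sent the response, Set-Cookie header value).
SCAN_TIME = datetime(2024, 10, 3, tzinfo=timezone.utc)
SITE_HOST = "www.example.com"
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=9f2c1e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.1234567890; Max-Age=63072000; Domain=.example.com; Path=/"),
    ("ads.tracker.example",
     "fr=AbCdEf; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.tracker.example; Secure; SameSite=None"),
]
# Cookies the (constructed) policy already documents.
DECLARED = {"sessionid", "_ga"}


def scan_cookies() -> list:
    """Parse every sample response into a CookieRecord."""
    return [parse_set_cookie(h, host, SITE_HOST, SCAN_TIME) for host, h in SAMPLE_RESPONSES]


def find_undocumented(records: list, declared: set) -> list:
    """Names observed in the scan that the policy does not declare."""
    return sorted({r.name for r in records} - declared)


if __name__ == "__main__":
    records = scan_cookies()
    for r in records:
        days = "session" if r.duration_days is None else f"{r.duration_days} days"
        print(f"{r.name:<10} {r.domain:<18} {r.party:<12} {r.type:<11} {days}")
    print("Undocumented:", find_undocumented(records, DECLARED))
```

Run as-is, the script lists three records (`sessionid` as a first-party session cookie, `_ga` as a first-party persistent cookie with a 730-day lifetime, `fr` as a third-party cookie expiring in 90 days from the fixed scan date) and reports `fr` as undocumented. Replacing the sample list with headers captured from your own site's responses turns this into the completeness check the section describes.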
No legal basis stated
Under GDPR, each cookie category should have a stated legal basis (consent for non-essential, legitimate interest for strictly necessary). Many cookie policies skip this entirely.
How LiteConsent helps
LiteConsent auto-generates a hosted cookie policy page that stays in sync with your banner configuration. When you add or remove cookies in the Categories tab, the cookie policy updates automatically. Each cookie is listed with its name, category, provider, description, and duration.
The generated content is fully editable. You can customize cookie descriptions, adjust category names, and add your own text. The policy page is accessible at a public URL (/p/YOUR_SITE_ID) and can be linked from your consent banner and privacy policy. It supports all languages you've configured for your banner.
For setup details, see Cookie Policy Page.