Cookie policy requirements
When a cookie policy is required and what to include.
A cookie policy is a separate document from the privacy policy that lists every cookie, tracker, or other access to terminal equipment on your site. The EU treats it as part of the transparency obligation under the ePrivacy Directive and GDPR Art. 13.
When required
Mandatory across the EU/EEA and the UK for any site that uses non-essential cookies, localStorage entries, or third-party trackers. Recommended in Canada, Australia, and Singapore. Not strictly mandatory in California (the privacy policy disclosures cover it) or in Virginia and Texas.
What it must contain
- Per-cookie inventory: name, domain, purpose, category (essential / analytics / advertising / personalization), retention period, third party (if any).
- Categories with definitions: explain what “strictly necessary” means in plain language. The CNIL and ICO publish templates.
- How to refuse, accept, or change preferences: link to your CMP’s preferences UI and to browser-level controls.
- Third-party opt-outs: link to the opt-out pages of Google Analytics, Facebook Pixel, and any other vendors you use.
- Last-updated date and changelog.
Where the inventory comes from
Most CMPs (Cookiebot, OneTrust, Iubenda, Usercentrics) auto-scan your site and produce a sortable cookie list that updates monthly. Self-built solutions need a manual scan: Chrome DevTools → Application → Cookies + Storage gives you the per-domain dump, but you must annotate each one.
Don’t trust GTM tag names or vendor docs alone — third-party cookies often have undocumented names that vary by tag version.
13-month rule and other duration limits
The CNIL position is that consent, and the cookies it justifies, are valid for at most 13 months. After that, the user must re-consent. The German DSK takes the same position. The Spanish AEPD recommends 24 months at most. The UK ICO doesn’t fix a hard limit but expects “reasonable” periods.
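The manual scan described under “Where the inventory comes from” and the 13-month limit above can be combined into a first pass over the captured Set-Cookie headers. The script below is an added example, not code from this page or from any CMP vendor: it turns each header into the per-cookie fields the policy needs, classifies first versus third party against an assumed page host, and flags session cookies and any retention beyond 13 months (approximated as 395 days). Purpose and category still have to be annotated by hand, and the sample headers are constructed.

```python
"""Cookie inventory skeleton from Set-Cookie headers (added example, not from
the page). Parses each header into the policy's per-cookie fields, classifies
first vs third party, and flags session cookies and retention over 13 months."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_RETENTION = timedelta(days=395)  # CNIL's 13 months, approximated in days


def parse_set_cookie(header, page_host, now):
    """One Set-Cookie header -> inventory row; purpose/category need hand annotation."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", page_host).lstrip(".").lower()
    # First-party if the cookie domain is the page host or one of its parents.
    first_party = page_host == domain or page_host.endswith("." + domain)
    # RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attrs:
        retention = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        retention = parsedate_to_datetime(attrs["expires"]) - now
    else:
        retention = None
    flags = []
    if retention is None:
        flags.append("session cookie: no fixed lifetime, ends with the browser session")
    elif retention > MAX_RETENTION:
        flags.append("retention exceeds 13 months")
    if not first_party:
        flags.append("third-party: name the vendor and link its opt-out")
    return {
        "name": name, "domain": domain, "third_party": not first_party,
        "retention_days": None if retention is None else retention.days,
        "purpose": "TODO", "category": "TODO", "flags": flags,
    }


def build_inventory(headers, page_host, now):
    return [parse_set_cookie(h, page_host, now) for h in headers]


# Constructed sample: headers a scan of www.example.com might record.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234; Domain=.example.com; Max-Age=63072000; Path=/",
    "IDE=xyz; Domain=.doubleclick.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure",
]
SCAN_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
```

Run `build_inventory(SAMPLE_HEADERS, "www.example.com", SCAN_TIME)` and review the `flags` column before filling in purpose and category.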
Common mistakes
- Listing only first-party cookies.
- Calling Google Analytics “essential”.
- Confusing session cookies (auto-deleted on tab close) with “session” durations of 12 hours.
- Promising “no cookies are set without consent” while the page sets a consent-id cookie.
See the templates for starting points and per-jurisdiction language requirements.