Cookie policy website requirements
Most websites need a cookie policy. Requirements vary by country. EU and UK require opt-in consent. US laws require opt-out. This guide covers all key jurisdictions.
If your website uses analytics tools, advertising pixels, embedded third-party tools, or cookies that store user preferences, you likely need cookie disclosures and, in many jurisdictions, consent controls. The real question is not just whether your website uses cookies, but what those cookies do, where your visitors are located, and whether data is collected or shared.
This guide covers what a cookie policy is, how it differs from a privacy policy and a cookie banner, what the rules are by country, and what a complete cookie policy should include.
A cookie policy is a legal document that explains how your website uses cookies and similar tracking technologies.
It typically covers:
Cookie policies are usually linked from the website footer, the cookie consent banner, and within the privacy policy.
No. A cookie policy and a privacy policy are different documents, though they are often confused.
A privacy policy explains how your organisation collects, uses, stores, shares, and protects personal data across your business. It covers contact forms, payment processing, email marketing, and any other data collection activity. A cookie policy focuses specifically on the tracking technologies used on your website.
Some businesses combine cookie disclosures inside their privacy policy. Others maintain a standalone cookie policy page. Both approaches can work, as long as the information is clear and easy to find. A separate cookie policy is often easier for users to locate and simpler to link from your cookie banner.
In most cases, yes. If your website collects personal data beyond cookies, such as form submissions or account registrations, you need a privacy policy. If your website uses cookies or tracking technologies, you need cookie disclosures. Whether those live in one document or two depends on your setup, but both sets of information must be available.
A cookie policy and a cookie consent banner serve different purposes. Having one does not replace the other.
Your cookie policy is the full document explaining how tracking technologies are used on your site. Your cookie banner is the mechanism through which users accept, reject, or customize their cookie preferences on their first visit.
| | Cookie policy | Cookie banner |
|---|---|---|
| What it is | A legal document explaining cookie use | A visible notice for accepting, rejecting, or managing cookies |
| Purpose | Transparency and disclosure | Consent collection and preference management |
| Required by | Most jurisdictions with data privacy laws | Jurisdictions requiring prior consent (EU, UK, Brazil, China) |
| Contains | Full details: categories, durations, third parties, user rights | High-level summary plus a link to the full cookie policy |
| Linked from | Footer, banner, privacy policy | Appears on first visit; links to the cookie policy |
Many businesses assume that adding a banner handles their compliance obligations. It does not. The banner manages consent. The policy provides the transparency and disclosure that underpins it. In opt-in jurisdictions such as the EU, UK, and Brazil, businesses generally need both: clear disclosures and a working consent mechanism.
If your website relies on Google Analytics, Meta Pixel, or other advertising tools, you should also review Google Consent Mode V2 to ensure your analytics and advertising tags respect user consent choices correctly.
Requirements vary by jurisdiction. The table below summarises the position across major markets, followed by details on the five most relevant jurisdictions for most websites.
| Country/Region | Governing law | Consent model | Cookie disclosures needed? |
|---|---|---|---|
| EU/EEA | GDPR + ePrivacy Directive | Opt-in | Yes |
| United Kingdom | UK GDPR + PECR | Opt-in | Yes |
| United States | State laws (CCPA/CPRA etc.) | Mostly opt-out | Yes |
| Canada (federal) | PIPEDA | Implied/opt-out | Yes |
| Canada (Quebec) | Law 25 | Opt-in | Yes |
| Brazil | LGPD | Opt-in | Yes |
| Australia | Privacy Act 1988 | No specific model | Yes |
| India | DPDP Act 2023 | Opt-in (phased) | Yes |
| China | PIPL | Opt-in | Yes |
| Japan | APPI | Opt-out (some opt-in) | Yes |
| South Korea | PIPA | Opt-in | Yes |
| South Africa | POPIA | Opt-in | Yes |
Under the GDPR and the ePrivacy Directive, websites serving EU users must disclose what cookies they use, why, how long they remain active, and whether third parties receive any data.
This applies even to strictly necessary cookies that do not require consent.
The EU follows a strict opt-in model: analytics, advertising, and tracking cookies cannot load until the user actively accepts them. Pre-ticked boxes and banners that make rejecting cookies harder than accepting them do not meet the standard.
The UK follows an equivalent approach under the Privacy and Electronic Communications Regulations (PECR) and UK GDPR. The ICO expects websites to provide a genuine choice, with reject options as easy to use as accept options. A cookie policy is required, and a consent banner is needed for non-essential cookies.
The US has no single federal cookie law. Compliance is governed by state privacy laws, with California's CCPA/CPRA being the most comprehensive. Most US laws use an opt-out model, meaning tracking cookies can load by default, but users must have a clear way to opt out of data sharing and targeted advertising.
A 'Do Not Sell or Share My Personal Information' link is required for applicable businesses. For detail on California and other state requirements, see our CCPA and CPRA cookie compliance guide.
Under PIPEDA, implied consent may be acceptable for low-risk cookies where the purpose is clear. For behavioural advertising, users must be informed and given a straightforward opt-out. Quebec's Law 25 is stricter, requiring opt-in consent before non-necessary cookies are loaded for Quebec-based visitors.
Brazil's LGPD requires a legal basis for processing personal data. Non-necessary cookies, including analytics and advertising cookies, need opt-in consent before loading. Brazil's data protection authority, the ANPD, has published guidance specifically covering cookie and tracking practices.
Australia requires transparency disclosures but does not currently mandate prior consent for most cookies. India’s DPDP Act 2023 is being phased in, with an emphasis on informed, specific consent for data processing. China’s PIPL, South Korea’s PIPA, and South Africa’s POPIA generally require opt-in consent before placing tracking cookies.
Japan’s APPI generally uses an opt-out model, although some third-party data sharing may require opt-in. If these markets are relevant to your business, Clym’s regulations hub covers requirements by region in more detail.
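The opt-in and opt-out models described above differ mainly in what may run before the visitor has made a choice, and the Google Consent Mode V2 review mentioned earlier is about passing that choice to the tags. The following is an added example, not code from Clym or from this page, showing consent-gated tag loading: per-region defaults, the accept, reject and customise choices from a banner, a loader that runs only tags in granted categories, and the Consent Mode v2 signals (`analytics_storage`, `ad_storage`, `ad_user_data`, `ad_personalization`) derived from that state. The region codes, tag names and the category-to-signal mapping are this example's assumptions; in a real page the signals would be passed to `gtag('consent', 'default', ...)` before any tag script is inserted and to `gtag('consent', 'update', ...)` after a choice.

```javascript
// Added example (not Clym's or the page's code): consent-gated tag loading.
// Pure logic with no DOM so it runs under Node; the region codes, tag names and
// the category-to-signal mapping below are illustrative assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "necessary");

// Consent model per region, following the page's summary table.
const CONSENT_MODEL = {
  EU: "opt-in", UK: "opt-in", BR: "opt-in", "CA-QC": "opt-in",
  US: "opt-out", CA: "opt-out",
};

// State before the visitor has made any choice. Opt-in regions start with every
// non-essential category denied; opt-out regions start with them granted.
// An unknown region is treated as opt-in (the safer default; an assumption).
function defaultConsent(region) {
  const model = CONSENT_MODEL[region] || "opt-in";
  const state = { necessary: true };
  for (const c of NON_ESSENTIAL) state[c] = model === "opt-out";
  return state;
}

// Apply a banner choice. "rejectAll" is a single action, like "acceptAll".
// A pre-ticked box would be a choice the visitor never made, so a custom choice
// only changes the categories the object explicitly names.
function applyChoice(state, choice) {
  const next = { ...state, necessary: true };
  for (const c of NON_ESSENTIAL) {
    if (choice === "acceptAll") next[c] = true;
    else if (choice === "rejectAll") next[c] = false;
    else if (choice && c in choice) next[c] = Boolean(choice[c]);
  }
  return next;
}

// Tag registry: each tag declares the category it belongs to. Constructed sample.
const TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "ga4", category: "analytics" },
  { name: "meta-pixel", category: "marketing" },
  { name: "lang-pref", category: "functional" },
];

// Only tags whose category is granted may be loaded. In a browser this is where
// the <script> element would be appended; here the names to load are returned.
function tagsToLoad(state, tags = TAGS) {
  return tags.filter((t) => state[t.category] === true).map((t) => t.name);
}

// Google Consent Mode v2 signals derived from the category state. Mapping the
// four categories onto these signals is this example's assumption.
function consentModeSignals(state) {
  const g = (v) => (v ? "granted" : "denied");
  return {
    security_storage: "granted",
    functionality_storage: g(state.functional),
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
  };
}

// Usage: an EU visitor gets only the session cookie until they accept something.
const euVisitor = defaultConsent("EU");
console.log(tagsToLoad(euVisitor)); // ["session-cookie"]
console.log(tagsToLoad(applyChoice(euVisitor, { analytics: true }))); // ["session-cookie", "ga4"]
console.log(consentModeSignals(euVisitor).ad_user_data); // "denied"
```

The point to check in a real deployment is the same as in the example: the default state for an opt-in visitor must be all-denied, and the analytics and advertising scripts must not be in the page at all until `tagsToLoad` (or its equivalent) says so. Firing them and then sending a denied signal is what the CNIL decisions described below penalised.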
A well-structured cookie policy should cover the following:
Most cookie policies group cookies into four standard categories:
- Strictly necessary cookies: required for core website functions such as login sessions, shopping carts, and security. These do not require consent but must still be disclosed.
- Functional cookies: remember user settings and preferences, such as language or layout choices.
- Analytics cookies: track how users interact with your site, such as Google Analytics 4 or Hotjar. These generally require consent in opt-in jurisdictions.
- Marketing and advertising cookies: used for targeted ads, remarketing, and cross-site tracking, such as Meta Pixel or Google Ads. These almost always require prior consent.
In 2025, CNIL fines against Google and SHEIN alone reached €475 million for cookie and tracking-related violations, according to CNIL's 2025 enforcement report.
European data protection authorities issued over €1.2 billion in GDPR fines in 2025. In September 2025, France's CNIL fined SHEIN €150 million after finding that cookies were installed before users gave permission, and that the 'Reject all' option did not always work correctly. The CNIL fined Google €325 million for showing personalised ads in Gmail without adequate prior consent. Maximum GDPR penalties can reach €20 million or 4% of global annual turnover, whichever is higher.
California increased its fine thresholds on 1 January 2025 to $2,663 per unintentional violation and $7,988 per intentional violation. Recent enforcement actions have included Honda ($632,500) and Todd Snyder ($345,178) for broken opt-out mechanisms and vendor configuration issues.
Regulators can also issue enforcement orders requiring you to suspend data processing until issues are resolved. In healthcare, financial services, and other regulated sectors, non-compliance can affect contracts and licensing. For businesses that depend on advertising revenue, regulators have the authority to require immediate suspension of tracking activities.
Cookie inventories change over time. New plugins, embedded tools, analytics tags, and ad platforms can introduce new cookies without your team noticing. That means a policy that was accurate when published can become outdated within months. This usually happens because:
- New tools or plugins add cookies
- Regulations and guidance change
- Different jurisdictions require different disclosures
Regularly scanning your website for active cookies and tracking services is the most practical way to keep disclosures accurate.
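A scan is only useful if its result is reconciled against what the policy declares. The following is an added example, not Clym's scanner or any code from this page, that parses `Set-Cookie` headers captured during a crawl and compares them with the declared inventory, reporting cookies the policy does not mention, cookies whose declared lifetime does not match the observed `Max-Age`, and declared cookies the crawl never saw. The inventory and the captured headers are constructed samples; the `example.com` domain and cookie names are placeholders.

```javascript
// Added example (not Clym's code): reconcile a cookie policy's declared inventory
// with the cookies a crawl actually observed. All input below is constructed.

// Declared inventory, as it would appear in the cookie policy table.
const DECLARED_INVENTORY = [
  { name: "sessionid", category: "necessary", durationDays: 0, thirdParty: false },
  { name: "_ga", category: "analytics", durationDays: 365, thirdParty: true },
  { name: "lang", category: "functional", durationDays: 30, thirdParty: false },
];

// Set-Cookie headers captured during a crawl of the site (constructed sample).
const OBSERVED_SET_COOKIE = [
  "sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ga=GA1.1.123.456; Max-Age=63072000; Path=/; Domain=.example.com; SameSite=None; Secure",
  "_fbp=fb.1.17000.1; Max-Age=7776000; Path=/; Domain=.example.com",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Attributes are ';'-separated; an Expires date contains commas but never ';'.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // Lifetime in days: Max-Age takes precedence; Expires alone is persistent with a
  // lifetime that depends on capture time (null); neither means a session cookie (0).
  let durationDays;
  if (attrs["max-age"] !== undefined) durationDays = Math.round(Number(attrs["max-age"]) / 86400);
  else if (attrs.expires !== undefined) durationDays = null;
  else durationDays = 0;
  return { name, value, attrs, durationDays };
}

// Compare observed cookies with the declared inventory. A one-day tolerance
// absorbs rounding between seconds and days.
function auditInventory(declared, observedHeaders) {
  const declaredByName = new Map(declared.map((d) => [d.name, d]));
  const seen = new Set();
  const report = { undeclared: [], durationMismatch: [], notObserved: [] };
  for (const header of observedHeaders) {
    const cookie = parseSetCookie(header);
    seen.add(cookie.name);
    const decl = declaredByName.get(cookie.name);
    if (!decl) {
      report.undeclared.push(cookie.name);
      continue;
    }
    if (cookie.durationDays !== null && Math.abs(cookie.durationDays - decl.durationDays) > 1) {
      report.durationMismatch.push({
        name: cookie.name,
        declaredDays: decl.durationDays,
        observedDays: cookie.durationDays,
      });
    }
  }
  // Declared but never set during the crawl: may be stale, or set only after an action the crawl did not take.
  for (const decl of declared) if (!seen.has(decl.name)) report.notObserved.push(decl.name);
  return report;
}

// Usage: run the audit and print what the policy needs to change.
console.log(JSON.stringify(auditInventory(DECLARED_INVENTORY, OBSERVED_SET_COOKIE), null, 2));
// undeclared: ["_fbp"]; durationMismatch: _ga declared 365, observed 730; notObserved: ["lang"]
```

Undeclared cookies are the finding that matters most for disclosure, since a policy that omits them is inaccurate regardless of the consent model; a lifetime mismatch is also a disclosure error under the EU and UK duration requirements described above. A cookie in `notObserved` is not necessarily stale, because crawls often miss cookies set only after login or checkout, so that list is a prompt to check rather than a defect.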
Managing cookie disclosures manually becomes difficult once your website uses multiple plugins, ad platforms, analytics tools, and regional consent rules. The challenge is not writing the policy once. It is keeping it accurate as your website and legal obligations change.
Clym helps teams scan for active cookies and third-party services, generate and manage cookie policy content, maintain version history, and support different consent experiences by jurisdiction. Policies can be published to your Clym Widget or Governance Portal, with past versions archived for internal records.
Clym’s ReadyCompliance® feature applies pre-configured consent settings based on each visitor’s location, helping your team manage different regional consent models without separate manual setups.
For most websites, a cookie policy is not optional. If you use analytics, advertising tools, or any third-party tracking technology, you need to disclose this to your visitors. In jurisdictions such as the EU, UK, and Brazil, you also need a consent mechanism that works correctly.
The most common mistake is treating a cookie policy as a one-time legal document. Cookie inventories change, regulations evolve, and what was accurate last year may not reflect what is actually running on your website today. A clear cookie policy, a working consent banner, and a process for keeping both updated can help reduce risk and support your privacy compliance efforts as your technology stack and legal obligations change.
To assess your current position, scan your website with Clym's free tool and see what cookies and tracking services are currently active.
Yes, in most cases. Even strictly necessary cookies require transparency disclosures under GDPR and similar frameworks. Consent is not required for these cookies, but you must still explain that they exist and why.
You risk regulatory fines and enforcement orders. In the EU, cookie-related violations can result in fines up to €20 million or 4% of global annual turnover. In California, each unintentional CCPA violation now carries a fine of up to $2,663.
No. A cookie banner collects consent, but it does not replace a cookie policy. The GDPR and the ePrivacy Directive require both a consent mechanism and a document explaining your cookie use in detail.
Yes. Under PECR and the UK GDPR, websites targeting UK users need a cookie policy explaining what cookies the website uses, their purpose, duration, and whether third parties have access to the data.
Yes, in many jurisdictions, cookie disclosures can sit inside your privacy policy if they are easy to find and detailed enough. A standalone cookie policy is often clearer for visitors and simpler to link from your banner.
Yes, if your website has visitors from jurisdictions with data privacy laws. The GDPR, UK GDPR, and CCPA apply based on where your visitors are located, not where your business is registered. A small business serving EU visitors is subject to EU rules.
The terms are often used interchangeably. A cookie policy is the full document with detailed disclosures. A cookie notice or banner is the on-screen prompt that appears on first visit and links to the policy. In opt-in jurisdictions like the EU, both are typically required.