A baseline cookie policy without the lawyer fees
Under the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy Directive, any site that sets non-essential cookies must tell visitors what those cookies do and obtain consent before setting them. This generator produces a structured, transparent cookie policy from a short questionnaire about the cookies you actually use, so a small business or indie developer can ship a compliant page quickly without commissioning a document from scratch. It does not replace a consent banner — it is the document the banner links to.
What a cookie policy must cover
Regulators expect a cookie policy to address several distinct points:
- What cookies are — a plain-language explanation for users who may not be technical.
- Categories in use — each category with its purpose. The standard categories are strictly necessary, preferences/functional, analytics/performance, and marketing/advertising.
- Specific third parties — naming Google Analytics, Meta Pixel, Hotjar, or other tools is expected, not just a vague mention of “third-party services.” Users have a right to know who receives their data.
- Retention periods — how long each cookie stays on the device. Session cookies expire when the browser closes; persistent cookies have a fixed expiry, which should be stated.
- User controls — how visitors can withdraw consent, change preferences, or delete cookies manually in their browser.
- Contact details — an email address for cookie-related questions.
How it works
The tool maps your answers directly onto those sections, including only the categories you tick, so the policy reflects your actual setup rather than a generic template. You name specific third-party tools and the generator surfaces them in the relevant section. It assembles the complete document as HTML or Markdown entirely in your browser.
Before you use this: audit your actual cookies
The most common compliance gap is not the policy wording — it is that the policy does not match the site’s real cookies. Before generating, open your browser dev tools, load your site, and note every cookie: its name, purpose, which third party set it, and how long it lasts. Then tick only the categories that actually apply. A policy that claims you only use strictly necessary cookies while you also load Google Analytics is worse than no policy at all from an enforcement standpoint.
Tips for keeping it current
- Update when you add a tool. If you add a new analytics or marketing tag, update the policy and your banner. Regulators have taken action on stale policies.
- List cookie names and durations explicitly if you have the information. Concrete entries like
_ga | Google Analytics | 2 yearsare more auditable than category descriptions alone. - Link from your banner. The banner must link to this policy so users can read the detail before deciding to accept or reject.
This generator produces a solid starting document suitable for most small sites. For a high-risk or regulated business, review the output with a legal adviser familiar with data protection law in your jurisdiction.