See how Apple, Google, BBC, Shopify, and 11 other top companies write their cookie policies. Each example includes the actual language they use and analysis of why it works — so you can build a compliant cookie policy for your own website.
A cookie policy is a legal document that explains what cookies and similar tracking technologies (such as pixels, web beacons, and local storage) your website uses, why it uses them, and how visitors can manage or disable them. It serves as a transparency mechanism required by laws like the EU ePrivacy Directive, GDPR, and UK PECR.
Cookies are small text files stored on a user's device when they visit a website. They serve many purposes: keeping users logged in, remembering shopping cart contents, analyzing traffic patterns, and delivering targeted advertising. Because cookies can identify individuals and track behavior across websites, they are classified as personal data under the GDPR.
The best cookie policies go beyond legal compliance. As you'll see in the examples below, companies like BBC, Google, and the ICO use their cookie policies to build user trust, demonstrate respect for user choice, and set a standard for transparent data practices. A well-written cookie policy paired with a compliant consent banner shows your users you take their privacy seriously.
The EU ePrivacy Directive (the 'Cookie Law') and GDPR require websites to inform users about cookies and obtain consent before setting non-essential cookies. The UK PECR has similar requirements. Non-compliance carries fines up to 4% of annual global turnover under GDPR, and regulators like the CNIL have issued fines specifically for cookie violations.
82% of internet users say they are concerned about online tracking. A clear cookie policy with genuine consent choices shows users you respect their autonomy. Companies like Apple and the BBC have turned cookie transparency into a competitive advantage that builds brand loyalty.
Google Ads, Facebook Ads, and other advertising platforms require publishers and advertisers to have a cookie policy that discloses the use of their tracking technologies. Google's EU User Consent Policy specifically mandates cookie consent for sites using AdSense, Google Analytics, or Google Tag Manager.
Websites without proper cookie consent can face ranking penalties as search engines factor in user trust signals. Beyond SEO, cookie policy violations have resulted in significant fines: Amazon was fined EUR 746 million by Luxembourg's CNPD, and Google received a EUR 150 million fine from France's CNIL, both related to cookie consent failures.
We analyzed the cookie policies of 15 industry-leading companies across media, e-commerce, social media, developer tools, and more. For each example, we highlight what they do exceptionally well with cookie consent and disclosure — so you can apply the same principles to your own cookie policy.
Technology · Minimal, purpose-driven cookie usage
"Apple uses cookies and similar technologies in our websites, online services, and email messages for a number of purposes, including to make our websites and online services easier to use, to improve our recommendations, and to deliver relevant advertising. We explain these uses below and describe the choices available to you."
Why it works:
Apple's cookie policy is distinctly lean, reflecting their privacy-first brand. They categorize cookies by purpose rather than by technology, making it easy for non-technical users to understand. Their policy explicitly calls out that most Apple cookies are first-party, reinforcing their minimal third-party data sharing philosophy.
Technology · Comprehensive cookie controls and dashboard
"Google uses cookies, pixel tags, local storage, and similar technologies to run and improve our services, serve and measure ads, and improve user experience. Some cookies are needed to make our services work, for example to verify your identity and keep you signed in. Other cookies are used to remember your preferences and tailor content and ads."
Why it works:
Google offers an unmatched level of cookie transparency through their dedicated cookie management dashboard. Users can view every cookie set, its purpose, and its expiration in real time. Their policy also bridges the gap between cookies and similar technologies like local storage and pixel tags, giving a holistic view of tracking.
Media · Gold standard media cookie consent
"We use cookies and similar tracking technologies to provide the BBC services, to understand how people use the BBC, and to make our content and advertising more relevant to you. Cookies are small text files placed on your device by websites you visit. We also use web beacons, local storage, and similar technologies."
Why it works:
The BBC's cookie policy is often cited by regulators as a best-practice example for media publishers. Their layered cookie banner gives users genuine granular choice rather than a dark-pattern 'accept all' button. Their policy covers a huge range of content types, from news to iPlayer streaming, with specific cookie disclosures for each.
Music Streaming · Music streaming session and preference cookies
"Spotify and our partners use cookies and similar technologies to provide the Spotify Service, understand how people use the Spotify Service, and personalize content and ads. When you visit the Spotify Service, your browser or device automatically sends certain information including cookies. We use these technologies for authentication, security, preferences, and analytics."
Why it works:
Spotify's cookie policy effectively explains how cookies power the music experience, from remembering your playback position to personalizing Discover Weekly. They separate session cookies that maintain playback state from longer-lived preference cookies, making the connection between cookies and user experience tangible.
E-commerce · E-commerce merchant and storefront cookies
"Shopify uses cookies to provide, secure, and improve our services. Cookies help us identify your account and the devices you use to access our services, keep you logged in, and remember your preferences. Some cookies are necessary for our platform to work, while others help us understand how merchants and shoppers interact with our platform."
Why it works:
Shopify addresses the unique challenge of a platform that sets cookies on both its own domain and thousands of merchant storefronts. Their policy clearly distinguishes between cookies Shopify sets for platform functionality and cookies that merchants may configure via their stores, preventing confusion about who is responsible for what.
E-commerce · Complex ecosystem cookie management
"Amazon.com uses cookies, pixels, and similar technologies to improve your shopping experience, provide our services, understand how customers use our services so we can make improvements, and display relevant advertising across our properties. Amazon approved third parties also use these technologies in connection with our services."
Why it works:
Amazon manages an extraordinarily complex cookie ecosystem spanning retail, Prime Video, Alexa, Kindle, AWS, and advertising services. Their policy organizes this complexity by mapping cookies to specific services and use cases rather than listing hundreds of individual cookies, making a massive footprint digestible.
Financial Technology · Financial services and security cookies
"Stripe uses cookies and similar technologies to recognize your browser or device, learn more about your interests, provide essential features and services, and for additional purposes including fraud prevention, security, and measuring advertising effectiveness. We use strictly necessary cookies to make our Services work."
Why it works:
Stripe's cookie policy is a masterclass in security-focused cookie disclosure. As a payments processor handling billions in transactions, they clearly explain how cookies contribute to fraud detection and transaction security. Their policy gives developers integrating Stripe.js precise information about what cookies will appear on their customers' browsers.
Social Platform · Session management and analytics cookies
"Discord uses cookies and similar technologies such as local storage to operate our services, help us understand how our services are used, and to personalize your experience. We use necessary cookies to authenticate users, prevent fraud, and keep our service secure. We also use cookies for preferences, analytics, and advertising."
Why it works:
Discord effectively explains how cookies maintain persistent sessions across desktop, web, and mobile clients. Their policy acknowledges the real-time nature of their platform, where session cookies keep you connected to voice channels and message streams. The distinction between cookies in the web app versus the desktop app is clearly drawn.
Professional Network · Professional targeting and advertising cookies
"LinkedIn uses cookies, web beacons, pixels, ad tags, and similar technologies. These technologies are used for authentication, security, preferences, and analytics on our platform. We also use these technologies for advertising, including measuring the performance of ads and delivering relevant ads to you on and off LinkedIn."
Why it works:
LinkedIn's cookie policy stands out for its transparency around professional advertising cookies. They clearly explain how cookies power their advertising platform, including Matched Audiences and the LinkedIn Insight Tag. Their policy gives both individual users and enterprise advertisers clear information about how cookie-based targeting works.
Productivity · Productivity SaaS minimal cookie usage
"Notion uses cookies and similar technologies on our website and services. We use cookies to authenticate users, remember user preferences, and understand how our services are being used. Some cookies are strictly necessary for the operation of our site, while others help us improve your experience."
Why it works:
Notion demonstrates that SaaS products can maintain a minimal cookie footprint. Their cookie policy is refreshingly short because they genuinely use fewer cookies than most platforms. This brevity itself is a trust signal, and their policy clearly explains which cookies support workspace functionality versus which are used for marketing.
Media Publishing · Media publisher with sophisticated consent
"The New York Times and our advertising partners set cookies and similar technologies on our sites and apps to collect information about your browsing activities, which is used to provide more relevant advertising and measure the effectiveness of advertising campaigns. We use strictly necessary cookies, performance cookies, functional cookies, and targeting cookies."
Why it works:
The New York Times operates one of the most sophisticated cookie consent mechanisms in digital media. Their policy balances the needs of a subscription-funded newsroom with advertising-funded free content, clearly explaining how cookies differ for subscribers versus ad-supported readers. Their consent management platform is often cited as a GDPR compliance benchmark.
Travel Marketplace · Travel marketplace search and booking cookies
"Airbnb uses cookies, mobile identifiers, tracking URLs, log data, and similar technologies to help provide, protect, and improve the Airbnb Platform. Cookies help us with things like remembering your search preferences, recognizing you when you return, and keeping your account secure during the booking process."
Why it works:
Airbnb's cookie policy addresses the unique needs of a travel marketplace where search, booking, and post-stay cookies serve different purposes. They explain how cookies remember search filters, save wishlists, maintain booking sessions, and personalize travel recommendations. Their two-sided marketplace context means cookies serve both guests and hosts.
Developer Platform · Developer platform session and security cookies
"GitHub uses cookies to provide, secure, and improve our Service. Cookies help us keep you logged in, remember your preferences, provide information for future development, and serve relevant advertising. We use essential cookies for authentication and security, and non-essential cookies for analytics and personalization."
Why it works:
GitHub's cookie policy is developer-friendly by design, including technical details that their audience appreciates. They explain session tokens, CSRF protection cookies, and how cookies interact with API authentication. Their policy also addresses cookies in the context of GitHub Pages, Actions, and Codespaces, covering the full developer workflow.
Streaming · Streaming recommendation and preference cookies
"Netflix uses cookies, pixel tags, and other similar technologies to collect and store information about how you interact with the Netflix service. These technologies help us understand viewing behavior, remember your preferences, customize your experience, and deliver and measure advertising for our ad-supported plan."
Why it works:
Netflix's cookie policy effectively connects cookie usage to the viewing experience users value. They explain how cookies power the recommendation engine, maintain viewing history across devices, and enable features like 'Continue Watching.' Their recent addition of ad-supported tiers added a new layer of advertising cookie disclosure that they handle with clarity.
Regulatory Authority · The regulator's own cookie policy as gold standard
"The ICO website uses cookies to make the site work and to collect information about how you use our site. We use necessary cookies to make our website work. We would like to use analytics and advertising cookies to understand how you use the site and improve it. You can choose to accept or reject these cookies."
Why it works:
The UK Information Commissioner's Office practices what it preaches. Their cookie policy is the definitive reference implementation of PECR and UK GDPR cookie compliance. Their consent banner gives truly equal prominence to accept and reject options, they provide a complete cookie inventory table, and they update it whenever they add new cookies. If you want to know what the regulator expects, look at what they do themselves.
Based on the patterns we see in the best cookie policy examples above, here are six essential steps to writing a cookie policy that is both legally compliant and user-friendly.
Before writing anything, scan your website to identify every cookie it sets. Use a cookie scanning tool or browser developer tools to catalogue all first-party and third-party cookies. Document each cookie's name, domain, purpose, duration, and whether it is first-party or third-party. Pay special attention to cookies set by third-party scripts like Google Analytics, Facebook Pixel, and advertising networks, as these often set cookies you may not be aware of.
Group your cookies into the four standard categories: strictly necessary, functional, analytics, and marketing/advertising. This categorization is required by most consent management platforms and aligns with the IAB Transparency & Consent Framework. As shown in the BBC and ICO examples, clear categorization helps users make informed choices and demonstrates compliance with the ePrivacy Directive's requirement for specific consent.
For each cookie category, explain in plain language what the cookies do and why they are used. Avoid technical jargon. Follow Apple's approach of purpose-driven language: instead of saying 'this cookie stores a unique identifier,' say 'this cookie keeps you logged in so you don't have to sign in every time you visit.' Include a cookie table listing each cookie's name, provider, purpose, and expiration period.
Clearly describe how users can manage, disable, or delete cookies. This includes your own consent mechanism (cookie banner), browser settings for blocking cookies, and any opt-out links for third-party cookies (like Google's Ad Settings or the Network Advertising Initiative opt-out page). As Google and LinkedIn demonstrate, linking directly to control mechanisms from your policy gives users immediate actionable power.
Your cookie policy works hand-in-hand with your consent banner. Ensure your banner: appears before non-essential cookies are set, provides granular category-level choices, gives equal prominence to accept and reject options, does not use dark patterns or pre-checked boxes, and records consent for compliance evidence. The ICO's own implementation is the gold standard reference for what regulators expect.
Link your cookie policy from your website footer, your cookie consent banner, and your main privacy policy. Set a quarterly reminder to re-scan your website for new cookies, especially after adding new tools or integrations. Include a 'last updated' date and maintain a change log. As The New York Times and Netflix demonstrate, cookie policies for complex sites need regular maintenance as advertising partners and analytics tools evolve.
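The six steps above, carried through as an added example that is not part of the original page or any listed company's code: a scanned inventory (step 1) classified into the four categories and into first- versus third-party by domain (step 2), the rows for a cookie table (step 3), and a consent record that gates every non-essential cookie, defaults unticked categories to "off", goes stale when the policy version changes, and can be withdrawn as easily as it was given (steps 4 to 6). The site host, policy version and inventory are constructed sample values.

```javascript
// Added example: consent-gated cookie inventory. SITE_HOST, POLICY_VERSION
// and COOKIE_INVENTORY are constructed assumptions, not a real site's data.
const SITE_HOST = 'www.example-shop.test';   // assumption: our own host
const POLICY_VERSION = '2024-06-01';         // assumption: current policy revision

// Step 1/2 output: what the scan found, already categorised (constructed).
const COOKIE_INVENTORY = [
  { name: 'session_id', domain: 'www.example-shop.test', category: 'strictly_necessary', purpose: 'keeps you logged in',            duration: 'session'  },
  { name: 'csrf_token', domain: 'www.example-shop.test', category: 'strictly_necessary', purpose: 'protects forms against CSRF',    duration: 'session'  },
  { name: 'lang',       domain: '.example-shop.test',    category: 'functional',         purpose: 'remembers your language',        duration: '1 year'   },
  { name: '_ga',        domain: '.example-shop.test',    category: 'analytics',          purpose: 'analytics visitor identifier',   duration: '2 years'  },
  { name: 'fr',         domain: '.facebook.com',         category: 'marketing',          purpose: 'ad measurement (third party)',   duration: '3 months' },
];
const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'marketing'];

// First-party when the cookie domain equals our host or is a parent of it.
// Simplified: ignores multi-label public suffixes such as .co.uk.
function isThirdParty(cookieDomain, siteHost = SITE_HOST) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = siteHost.toLowerCase();
  return !(h === d || h.endsWith('.' + d));
}

// Build a record only from explicit per-category choices: anything not
// affirmatively true is false (no pre-ticked boxes); necessary is always on.
function createConsentRecord(choices, now = new Date()) {
  const record = { version: POLICY_VERSION, timestamp: now.toISOString(), choices: {} };
  for (const c of CATEGORIES) {
    record.choices[c] = c === 'strictly_necessary' ? true : choices[c] === true;
  }
  return record;
}

// A record made under an older policy version counts as no consent, so the
// banner is shown again after a material change to the policy.
function consentIsCurrent(record) {
  return !!record && record.version === POLICY_VERSION;
}

// The gate every cookie-setting script must pass: necessary cookies never
// wait; everything else needs a current record with its category opted in.
function mayBeSet(cookie, record) {
  if (cookie.category === 'strictly_necessary') return true;
  return consentIsCurrent(record) && record.choices[cookie.category] === true;
}

function allowedCookies(record, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => mayBeSet(c, record)).map(c => c.name);
}

// Withdrawal: a fresh all-off record plus the cookies that must now be deleted.
function withdrawConsent(record, inventory = COOKIE_INVENTORY) {
  const cleared = createConsentRecord({});
  const toDelete = inventory
    .filter(c => mayBeSet(c, record) && !mayBeSet(c, cleared))
    .map(c => c.name);
  return { record: cleared, toDelete };
}

// Step 3: rows for the cookie table in the policy (name, provider, purpose, expiry).
function cookieTable(inventory = COOKIE_INVENTORY) {
  return inventory.map(c => ({
    name: c.name,
    provider: isThirdParty(c.domain) ? 'third-party' : 'first-party',
    category: c.category,
    purpose: c.purpose,
    expires: c.duration,
  }));
}
```

In a real deployment the record returned by createConsentRecord is what you persist as consent evidence, and every tag or script that sets a non-essential cookie runs only after mayBeSet returns true for it.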
A cookie policy is a specific document that explains what cookies and similar tracking technologies your website uses, why it uses them, and how users can control them. While a privacy policy covers all personal data collection broadly, a cookie policy focuses exclusively on cookies, pixels, local storage, and similar technologies. Under the EU ePrivacy Directive and GDPR, many websites need both documents. Some businesses include cookie information within their privacy policy, but having a dedicated cookie policy makes it easier to maintain and demonstrates greater transparency.
Yes, in many jurisdictions. The EU ePrivacy Directive (often called the 'Cookie Law') requires that websites inform users about cookies and obtain consent before setting non-essential cookies. The GDPR reinforces this by treating cookie identifiers as personal data. The UK PECR (Privacy and Electronic Communications Regulations) has similar requirements. In California, the CCPA requires disclosure of cookies used for tracking and advertising. Even outside these jurisdictions, major platforms like Google Ads and Facebook Ads require cookie disclosures from advertisers.
Under the ePrivacy Directive and GDPR, you need prior consent for all cookies except 'strictly necessary' ones. Strictly necessary cookies are those essential for the website to function, such as session cookies for login, shopping cart cookies, and security cookies like CSRF tokens. All other cookies, including analytics cookies (e.g., Google Analytics), advertising cookies, social media cookies, and functional preference cookies (like language selection) require explicit, informed consent before they are set. The user must take a clear affirmative action to consent.
A compliant cookie consent banner should: (1) appear before any non-essential cookies are set, (2) clearly explain what cookies you use and why, (3) give users the ability to accept or reject cookies with equal prominence (no dark patterns), (4) allow granular choices by cookie category, (5) not use pre-checked boxes, (6) make it as easy to reject cookies as to accept them, and (7) remember the user's choice so the banner does not reappear on every page. The ICO and CNIL have both issued guidance stating that 'cookie walls' that force consent to access a site are generally not compliant.
Under the GDPR, cookie consent must be freely given, specific, informed, and unambiguous. This means you must tell users exactly what cookies you use and for what purpose before setting them. Users must actively opt in (no pre-ticked boxes), and you must provide a genuine choice without penalizing users who decline. Consent must be recorded and demonstrable, meaning you need to log when and how consent was given. Users must also be able to withdraw consent as easily as they gave it. The GDPR applies to any website processing data of EU residents, regardless of where the website owner is based.
You should update your cookie policy whenever you add or remove cookies from your website, integrate new third-party services (like a new analytics tool or ad network), change how existing cookies are used, or when relevant privacy laws change. Best practice is to audit your cookies at least quarterly using a cookie scanning tool, as third-party scripts can introduce new cookies without your knowledge. Always update the 'last modified' date and notify users of material changes to your cookie practices.
First-party cookies are set by the website you are visiting directly. They are used for essential functions like keeping you logged in, remembering your shopping cart, and saving your preferences. Third-party cookies are set by domains other than the one you are visiting, typically by advertising networks, social media platforms, or analytics services embedded on the page. Third-party cookies can track users across multiple websites, which is why they face stricter regulation. Major browsers like Safari and Firefox already block third-party cookies by default, and Chrome is phasing them out in favor of the Privacy Sandbox APIs.
If your website genuinely only uses strictly necessary cookies, you do not need a consent banner in most jurisdictions. However, you still need a cookie policy that explains what those essential cookies do. In practice, very few websites use only essential cookies. If you use Google Analytics, social media share buttons, embedded YouTube videos, or any advertising tools, those set non-essential cookies that require consent. It is important to audit your website thoroughly, as third-party scripts often set cookies you may not be aware of.