Cookie Policy / Website Notice template
A cookie policy is the page on your website that tells visitors which cookies and similar technologies the site uses, what each one does, how long it lasts, and how visitors can accept, refuse, or change their choices. It works together with your consent banner: the banner collects the choice, the policy explains it.
The rules here come mainly from PECR rather than UK GDPR alone, and they catch tools most site owners never consciously chose — analytics scripts, embedded videos and maps, and marketing pixels all set cookies. If your site uses any of them, you need to say so and, for the non-essential ones, ask first.
This template gives you a complete policy: plain-language explanations, a cookie table by category to complete from a scan of your own site, how consent is collected and withdrawn, and third-party cookie disclosures.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
Cookie Policy / Website Notice
Policy · Data & Privacy
1. Purpose and scope
This policy explains how [website address], operated by {{org.name}}, uses cookies and similar technologies, and the choices you have. It should be read alongside our privacy policy, which explains how we handle personal data more broadly.
2. What cookies are
Cookies are small text files placed on your device when you visit a website. Some are set by us (first-party cookies) and some by other companies whose tools appear on our site (third-party cookies). Some last only for your visit (session cookies); others remain for a set period (persistent cookies). This policy covers similar technologies too, such as pixels and local storage.
3. The cookies we use
- Strictly necessary: cookies the site cannot work without — [session management, security, shopping basket, remembering your cookie choices]. These do not require consent.
- Functional: cookies that remember your preferences, such as [language or region settings]. [Delete if unused.]
- Analytics: cookies from [analytics tool] that show us how the site is used — pages visited, time on page — so we can improve it. Set only with your consent.
- Marketing: cookies and pixels from [advertising platforms] that measure our advertising or show you relevant ads elsewhere. Set only with your consent. [Delete if unused.]
- For each cookie: name, who sets it, purpose, and how long it lasts — [complete this table from a scan of your own site].
4. How we ask for your consent
When you first visit, a banner asks whether you accept non-essential cookies, with a genuine choice per category — accepting and refusing are equally easy. Non-essential cookies are not set until you choose to accept them. Your choice is remembered for [period], after which we ask again.
5. Managing and withdrawing your consent
- Change your choices at any time via [cookie settings link, e.g. the "Cookie settings" link in the site footer].
- Withdrawing consent stops new non-essential cookies; you can also delete existing ones through your browser settings.
- Your browser can block or delete cookies for all sites — check its help pages.
- Blocking strictly necessary cookies may stop parts of the site working, such as [login or checkout].
6. Third-party cookies
Some content on our site is provided by other companies — [embedded videos, maps, social media widgets, payment forms] — and those companies may set their own cookies, governed by their own policies: [list providers and link their policies]. Where such cookies are non-essential, we load the content only after you consent.
7. Changes, contact, and review
We update this policy whenever the cookies on the site change — typically when we add or remove a tool — and show the last-updated date at the top. Questions go to [email address].
This policy is reviewed [frequency, e.g. annually] against a fresh scan of the site. Owner: [name/role]. Last updated: [date].
How to adapt this template.
Scan your own site first — use your browser's developer tools or a cookie scanner — and build the cookie table from what is actually set, not what you think is set.
Classify honestly: if a cookie is not essential to what the visitor asked for, it needs consent, however useful it is to you.
Check your consent banner blocks non-essential cookies until the visitor accepts — many default configurations do not.
Add a permanent "Cookie settings" link to the site footer so consent can be changed at any time.
Link this policy from the banner and from your privacy policy.
Re-scan and update the table whenever you add a plugin, pixel, or embedded tool.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
Cookie Policy / Website Notice template FAQs
Is a cookie banner a legal requirement in the UK?
If your site sets any non-essential cookies — analytics, marketing, most embedded content — PECR requires consent before they are set, and a banner or similar control is the practical way to collect it. If you genuinely use only strictly necessary cookies, you do not need consent, but you must still tell visitors what you use.
Do analytics cookies need consent?
Yes, under the ICO's guidance. Analytics cookies are useful to you but not strictly necessary to deliver the service the visitor asked for, so PECR's consent requirement applies to them. Check current ICO guidance before treating any analytics setup as exempt.
What is the difference between a cookie policy and a privacy policy?
The privacy policy covers everything you do with personal data across the business; the cookie policy covers one specific channel — cookies and similar technologies on your website — in the detail PECR expects. Small sites sometimes fold the cookie content into the privacy policy as a section, which is fine if it is easy to find.
Is it enough to say "by continuing to use this site you accept cookies"?
No. Consent has to be a clear positive action with a real choice — the UK GDPR standard, which PECR uses. Implied consent from scrolling, pre-ticked boxes, and banners with no reject option do not meet it.
How do we find out what cookies our site actually sets?
Open the site in a private browsing window and inspect cookies via your browser's developer tools, or run a cookie scanning tool — plugins, themes, and embedded content often set cookies the owner never knew about. Re-scan whenever you add a tool and at every review of this policy.
Related templates
Privacy Policy
Free UK privacy policy template: the data you collect, lawful bases, sharing, retention, individuals' rights, and ICO complaint details. Ready to edit.
Data Protection Policy
Free UK GDPR data protection policy template: the principles in practice, staff handling rules, responsibilities, rights requests, and breach routing.
IT & Acceptable Use Policy
Free IT and acceptable use policy template for UK teams: security rules, email and internet use, monitoring, and incident reporting. Ready to edit.
Data Breach Response Procedure
Free data breach response procedure template for UK organisations: containment steps, risk assessment, the 72-hour ICO decision, and the breach log.