Companion guide
How to Write a Cookie Policy (2026)
The 4-category UK ICC taxonomy, TCF v2.3 deadline, how to run a DevTools cookie audit, and when a generator is enough.
Read the guide →
About the Cookie Policy Generator
A cookie policy is a disclosure document. It tells visitors what cookies your site sets, why, for how long, and how to control them. Under the EU ePrivacy Directive (transposed as national law in every EU member state) and the UK PECR, a cookie policy is not optional for sites that use non-essential cookies — and since most sites embed analytics, ads, or social widgets, that's virtually every site. In California and 19 other US states, a cookie policy is required when cookies collect personal information, and the disclosure must include opt-out mechanisms plus a "Do Not Sell or Share My Personal Information" link. Brazil (LGPD) requires a Portuguese-language banner. India (DPDP Act) requires a multilingual banner and, from November 2026, forces consent managers to register as India-incorporated entities.
This generator produces a template that covers all of these jurisdictions at once. You pick the regions where you have traffic, the services your site uses, and the consent mechanics you've configured. The generator produces a full cookie policy, plus banner copy you can drop into any consent management platform (Cookiebot, CookieYes, OneTrust, iubenda, or a DIY implementation), plus a compliance scorecard that flags gaps against the criteria regulators actually check in enforcement actions.
What makes this different
Most free cookie-policy generators give you a thin template with "we use cookies for analytics and marketing" and leave you to fill in the rest. Paid tools (Termly, CookieYes, Cookiebot, iubenda, OneTrust) charge $10–99/month and paywall the useful features — pre-populated cookie databases, TCF v2.3 support, GPC handling, regional variants. This generator is free forever, runs 100% in your browser with no signup, and ships with:
- 62 pre-populated services, 104 individual cookies — Google Analytics 4, Google Ads, Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, Pinterest Tag, X/Twitter Pixel, HubSpot, Mailchimp, Klaviyo, Stripe Checkout, PayPal, Shopify, Cloudflare, Hotjar, Mixpanel, Amplitude, Intercom, Drift, Zendesk, YouTube embeds, Vimeo, Spotify, Tidio, Crisp, Calendly, Firebase, AppsFlyer, and more. Each cookie comes with name, provider, purpose, duration, and UK ICC category pre-filled.
- 6 jurisdictions with the correct consent model — EU (opt-in), UK (opt-in with DUAA 2025 exemptions), California (opt-out with GPC), other US states (opt-out), Brazil (Portuguese opt-in), India (multilingual opt-in). Plus 19 US state laws individually referenced.
- TCF v2.3 compliance — the Disclosed Vendors segment became mandatory on February 28, 2026. Most competitor generators still haven't updated for this.
- Global Privacy Control handling — required by CCPA/CPRA. Sephora was fined $1.2M in 2022 for failing to honor GPC. Only a handful of free generators include this.
- Google Consent Mode v2 — required by Google for EEA advertisers since March 2024. The generator adds the required disclosure clause when you enable it.
- Compliance scorecard — 13 checks citing CNIL dark-pattern guidance, the SHEIN €150M fine, the Sephora GPC case, ICO layered-notice guidance, and the TCF v2.3 deadline.
- Consent banner copy generator — 6 regional variants ready to paste into any consent system, including a fully translated Portuguese variant for LGPD compliance.
- 7 export formats — styled HTML, Markdown, plain text, PDF (via browser print), JSON config for backup, iframe embed code, direct-to-clipboard.
- Browser-based, privacy-preserving — your configuration never leaves your device. No signup, no account, no tracking.
The 4-category UK ICC taxonomy (and why it matters)
Every cookie you set falls into one of four categories under the classification developed by the UK International Chamber of Commerce and adopted by the ICO, CNIL, EDPB, and most CMPs:
- Strictly Necessary — essential for the site to function (session authentication, shopping cart, CSRF tokens, load balancing, the consent cookie itself). Exempt from consent.
- Functional — remember user choices (language, region, UI preferences). Requires consent in the EU/UK; disclosure in the US.
- Analytics / Performance — measure how visitors use the site (pages, errors, load times). Requires consent in the EU/UK. The CNIL specifically rejects classifying Google Analytics as strictly necessary.
- Marketing / Advertising — deliver targeted ads, track campaigns, build profiles. Requires consent in the EU/UK; subject to "Do Not Sell or Share" and GPC in California.
The generator assigns the correct category to every pre-populated cookie based on its actual function, not on what the vendor claims. Google Analytics is categorized as analytics (requires consent), even though some competitor tools miscategorize it as "necessary" — a mistake that's triggered multiple CNIL enforcement actions.
The 2026 enforcement landscape
Cookie compliance stopped being a warning-letter topic in 2022 and has been a fines-and-consent-orders topic ever since. Relevant recent enforcement and regulatory changes the generator accounts for:
- CNIL €150M fine on SHEIN (2024) for cookie dark patterns — making Reject harder than Accept. The generator includes an equal-prominence check.
- Sephora $1.2M settlement (2022) for failing to honor Global Privacy Control signals. The generator includes a GPC clause and scorecard check.
- CNIL's €139M+ in combined fines across cookie-related cases between December 2022 and December 2024.
- IAB TCF v2.3 Disclosed Vendors segment mandatory since February 28, 2026. The generator produces the required disclosure.
- Google Consent Mode v2 mandatory for EEA advertisers since March 2024. 67% of implementations fail compliance checks, usually because consent defaults are not set to "denied".
- UK Data Use and Access Act 2025 added 5 narrow cookie exemptions to PECR, effective June 2025. The generator's UK clauses reflect these.
- India DPDP Act Consent Manager registration opens November 2026 — only India-incorporated entities qualify. The generator surfaces this in the India regional disclosure.
- Minnesota Consumer Data Privacy Act (2025) — $7,500 per violation with a cure period that expired January 31, 2026.
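The Consent Mode v2 failure noted in the list above (defaults not set to "denied") can be checked from a copy of the page's `dataLayer`. This is an added example, not part of the generator; it assumes each `gtag()` call has been copied as an array of its arguments, and the measurement ID is a placeholder.

```javascript
// Added example: verify Consent Mode v2 defaults are "denied" and are set first.
// Region-scoped defaults are not handled; only the first default call is checked.
const V2_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function checkConsentDefaults(dataLayer) {
  const problems = [];
  // Real entries are array-like Arguments objects; plain objects become [].
  const calls = dataLayer.map(e => Array.from(e));
  const idx = calls.findIndex(c => c[0] === 'consent' && c[1] === 'default');
  if (idx === -1) return ['no consent default call found'];
  const defaults = calls[idx][2] || {};
  for (const key of V2_KEYS) {
    if (!(key in defaults)) problems.push(`${key} missing from defaults`);
    else if (defaults[key] !== 'denied') problems.push(`${key} defaults to "${defaults[key]}"`);
  }
  // Tags sent before the default call run without any consent state.
  const early = calls.slice(0, idx).some(c => c[0] === 'config' || c[0] === 'event');
  if (early) problems.push('config/event sent before consent default');
  return problems;
}

// Constructed samples: a weak setup and a corrected one.
const weak = [
  ['config', 'G-PLACEHOLDER'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' }],
];
const corrected = [
  ['consent', 'default', {
    ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied',
  }],
  ['config', 'G-PLACEHOLDER'],
];

console.log(checkConsentDefaults(weak));
console.log(checkConsentDefaults(corrected));
```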
Cookie policy vs. consent banner vs. cookie declaration
These are three different things and you probably need all of them:
- Cookie policy — the full disclosure document. This generator produces it.
- Consent banner — the UI that captures user choices. This generator produces the copy but not the JS implementation — wire it into your CMP or a DIY solution.
- Cookie declaration — the cookie list itself (name/provider/purpose/duration/category). This generator produces it as part of the policy document and as a standalone table you can re-use.
For the actual cookie-blocking-until-consent mechanism, you need a technical implementation. Options range from DIY (a few hundred lines of JavaScript that blocks script tags with data-consent attributes) to full-featured CMPs. Your pick depends on your traffic, monetization model, and compliance posture.
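A sketch of the DIY approach described above, as an added example that is not the generator's code. The markup convention (`type="text/plain"` plus `data-consent` and `data-src`), the category names, and the choice to let a GPC signal override marketing consent are assumptions.

```javascript
// Added example: gate scripts on consent category and fail closed.
// Assumed markup (hypothetical convention, not tied to any CMP):
//   <script type="text/plain" data-consent="analytics" data-src="/js/a.js"></script>
const EXEMPT = 'necessary'; // strictly necessary scripts never wait for consent

// choices: banner result, e.g. { analytics: true }. gpc: true when the browser
// sends Global Privacy Control. Treating GPC as overriding a marketing opt-in
// is a conservative assumption.
function effectiveConsent(choices, gpc) {
  const c = { functional: false, analytics: false, marketing: false, ...choices };
  if (gpc) c.marketing = false;
  return c;
}

function isAllowed(category, consent) {
  if (category === EXEMPT) return true;
  // Unknown or misspelled categories are blocked rather than allowed.
  return Object.prototype.hasOwnProperty.call(consent, category) && consent[category] === true;
}

// tags: [{ category, src }]; returns the sources that may be loaded.
function scriptsToActivate(tags, consent) {
  return tags.filter(t => isAllowed(t.category, consent)).map(t => t.src);
}

// Browser wiring: swap each permitted inert placeholder for a real script.
function activate(doc, consent) {
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(el.dataset.consent, consent)) continue;
    const s = doc.createElement('script');
    s.src = el.dataset.src;
    el.replaceWith(s);
  }
}

if (typeof document !== 'undefined') {
  const gpc = navigator.globalPrivacyControl === true;
  activate(document, effectiveConsent({}, gpc)); // before a choice: necessary only
}
```

Call `activate(document, effectiveConsent(choices, gpc))` again from the banner's save handler once the visitor has made a choice.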
The cookie audit: the one step nobody does
Before you publish any cookie policy, you need to know what cookies your site actually sets. The generator pre-populates common services, but you might have embedded widgets, third-party scripts, or legacy integrations you forgot about. Real audit workflow:
- Open your site in a private/incognito browser window.
- Open DevTools (F12) → Application tab → Storage → Cookies → your domain.
- Reload the page. Screenshot everything that appears.
- Accept cookies in your banner. Reload. Screenshot everything.
- Visit 5–10 different pages (checkout, blog post, contact form). Screenshot.
- Cross-reference every cookie with the generator's pre-populated services. Add anything missing via the custom-cookie form in the Cookies step.
A policy that lists cookies you don't actually set is misleading. A policy that misses cookies you do set is the kind of thing regulators flag in sweep investigations. The companion article walks through this with screenshots.
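The cross-referencing step of the audit can be scripted once the cookie names from DevTools are typed into two lists. This is an added example, not part of the generator; the function names, the trailing `*` prefix convention, and all sample data are assumptions constructed for illustration.

```javascript
// Added example: diff DevTools cookie snapshots against the declared cookie list.
// declared: rows from the cookie declaration; a name ending in * is a prefix.
// preConsent / postConsent: cookie names seen before and after clicking Accept.
function matches(pattern, name) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : pattern === name;
}

function auditCookies(declared, preConsent, postConsent) {
  const find = name => declared.find(d => matches(d.name, name));
  const observed = [...new Set([...preConsent, ...postConsent])];
  return {
    // Set before any choice and not exempt: the consent gate is not working.
    setBeforeConsent: preConsent.filter(n => (find(n)?.category ?? 'unknown') !== 'necessary'),
    // Present in the browser but missing from the policy.
    undeclared: observed.filter(n => !find(n)),
    // Listed in the policy but never seen during the audit.
    declaredNotSeen: declared
      .filter(d => !observed.some(n => matches(d.name, n)))
      .map(d => d.name),
  };
}

// Constructed sample data (the GA container suffix is made up).
const declared = [
  { name: 'session_id', category: 'necessary' },
  { name: 'cookie_consent', category: 'necessary' },
  { name: '_ga', category: 'analytics' },
  { name: '_ga_*', category: 'analytics' },
  { name: '_fbp', category: 'marketing' },
  { name: 'lang', category: 'functional' },
];
const preConsent = ['session_id', '_ga', 'legacy_widget'];
const postConsent = ['session_id', 'cookie_consent', '_ga', '_ga_ABC123XYZ', '_fbp', 'legacy_widget'];

const report = auditCookies(declared, preConsent, postConsent);
console.log(report);
```

Merge the lists from every page visited in the audit before running the diff, so that a cookie set only on checkout or a contact form is not reported as never seen.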
When this generator is enough, and when it isn't
This generator is enough when: you run a content site, SaaS, e-commerce store, newsletter, agency site, or a mobile-app marketing site. You use a mainstream stack (Google Analytics, Meta Pixel, Stripe, HubSpot, Cloudflare, YouTube embeds). You operate in standard jurisdictions (EU, UK, US, Brazil, India). You've run a cookie audit and the policy reflects reality.
Get a lawyer involved when: you're in a regulated industry (health data, children's services, financial services); you run programmatic advertising with real-time bidding; you operate in jurisdictions not covered by the generator (China PIPL, Russia PDL, South Korea PIPA, etc.); you've had a prior DPA complaint or enforcement action; you're going through due diligence, fundraising, or M&A; you're a Consent Manager registering with the Indian DPB or an IAB-registered CMP. A 1–2 hour review from a privacy attorney ($300–1500) is cheap insurance at these scales.
Frequently Asked Questions
Is this cookie policy legally binding?
A cookie policy is a disclosure document, not a contract, so "binding" isn't quite the right word. What matters is whether it accurately describes the cookies your site sets and meets the disclosure requirements of the laws that apply to your visitors. The generator produces a template that covers the EU ePrivacy Directive, GDPR, UK PECR, CCPA/CPRA, LGPD, India DPDP, and other regional laws. It is not legal advice. For regulated industries or complex cross-border operations, have a qualified attorney review before publishing.
How is this different from Termly, CookieYes, or Cookiebot?
Three ways. First, all features are free with no paywalls. Competitors gate cookie databases, GPC handling, TCF v2.3 support, and regional variants behind $10–99/month subscriptions. Second, depth: 62 pre-populated services and 104 individual cookies, 15 jurisdictions, and the full UK ICC 4-category taxonomy. Third, it runs 100% in your browser with no signup, which means your site's configuration never leaves your device. The generator produces the cookie policy text; it does not include a consent banner tag for your site, which is a separate compliance tool.
Does it cover TCF v2.3?
Yes. The generator includes disclosure language for the IAB Transparency and Consent Framework v2.3 Disclosed Vendors segment, which became mandatory on February 28, 2026. If your site uses a TCF-certified consent management platform and serves EU users, this language is required for lawful operation.
What cookies are pre-populated?
62 services and 104 individual cookies from common services: Google Analytics 4, Google Ads, Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, Pinterest Tag, X/Twitter Pixel, HubSpot, Mailchimp, Klaviyo, Stripe Checkout, PayPal, Shopify, Cloudflare, Hotjar, Mixpanel, Amplitude, Intercom, Drift, Zendesk, YouTube embeds, Vimeo, Spotify, Tidio, Crisp, Calendly, and more. Each cookie comes with name, provider, purpose, duration, and UK ICC category pre-filled. You just check the services you use.
Does it handle GPC and Do Not Sell/Share?
Yes. California CCPA/CPRA requires honoring the Global Privacy Control browser signal as a valid opt-out request. The generator includes GPC disclosure language and a Do Not Sell or Share My Personal Information section with the required wording. For multi-state US compliance (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others), the generator adapts the language to each state's terminology.
What is the compliance scorecard?
A unique feature that rates your configuration against the criteria regulators actually check in enforcement actions. It verifies TCF v2.3 compliance, GPC signal honoring, Google Consent Mode v2 integration, EU opt-in consent model, US opt-out mechanism, layered notice structure, absence of dark patterns (equal prominence for Accept and Reject), and cookie category granularity. Each check cites the regulator or case law behind it (CNIL dark-pattern guidance, ICO layered notice guidance, SHEIN €150M fine, Sephora $1.2M GPC case).
Do I need a consent banner in addition to a cookie policy?
Yes, for most jurisdictions. The cookie policy is the detailed disclosure document; the consent banner is the mechanism users interact with to grant or withdraw consent. GDPR and ePrivacy require both: the banner captures consent, the policy explains the details. The generator produces consent banner copy as a separate output so you can wire it into whatever banner solution you use (a simple DIY implementation, a CMP like Cookiebot or CookieYes, or a framework-native solution like gdpr-cookie-consent for WordPress).
Can I save my progress?
Yes. Your configuration auto-saves in your browser's localStorage and persists across sessions on the same device. You can also export your full configuration as JSON to back up, transfer to another device, or share with a team or attorney. When new cookie laws take effect, load the JSON, re-run through the wizard, and re-export.