A cookie policy is a disclosure document. It tells visitors what cookies your site sets, why, for how long, and how to control them. Under the EU ePrivacy Directive (transposed as national law in every EU member state) and the UK PECR, a cookie policy is not optional for sites that use non-essential cookies — and since most sites embed analytics, ads, or social widgets, that's virtually every site. In California and 19 other US states, a cookie policy is required when cookies collect personal information, and the disclosure must include opt-out mechanisms plus a "Do Not Sell or Share My Personal Information" link. Brazil (LGPD) requires a Portuguese-language banner. India (DPDP Act) requires a multilingual banner and, from November 2026, forces consent managers to register as India-incorporated entities.
This generator produces a template that covers all of these jurisdictions at once. You pick the regions where you have traffic, the services your site uses, and the consent mechanics you've configured. The generator produces a full cookie policy, plus banner copy you can drop into any consent management platform (Cookiebot, CookieYes, OneTrust, iubenda, or a DIY implementation), plus a compliance scorecard that flags gaps against the criteria regulators actually check in enforcement actions.
Most free cookie-policy generators give you a thin template with "we use cookies for analytics and marketing" and leave you to fill in the rest. Paid tools (Termly, CookieYes, Cookiebot, iubenda, OneTrust) charge $10–99/month and paywall the useful features — pre-populated cookie databases, TCF v2.3 support, GPC handling, regional variants. This generator is free forever, runs 100% in your browser with no signup, and ships with:
Every cookie you set falls into one of four categories under the classification developed by the UK International Chamber of Commerce and adopted by the ICO, CNIL, EDPB, and most CMPs:
The generator assigns the correct category to every pre-populated cookie based on its actual function, not on what the vendor claims. Google Analytics is categorized as analytics (requires consent), even though some competitor tools miscategorize it as "necessary" — a mistake that's triggered multiple CNIL enforcement actions.
Cookie compliance stopped being a warning-letter topic in 2022 and has been a fines-and-consent-orders topic ever since. Relevant recent enforcement and regulatory changes the generator accounts for:
These are three different things and you probably need all of them:
For the actual cookie-blocking-until-consent mechanism, you need a technical implementation. Options range from DIY (a few hundred lines of JavaScript that blocks script tags with data-consent attributes) to full-featured CMPs. Your pick depends on your traffic, monetization model, and compliance posture.
Before you publish any cookie policy, you need to know what cookies your site actually sets. The generator pre-populates common services, but you might have embedded widgets, third-party scripts, or legacy integrations you forgot about. Real audit workflow:
A policy that lists cookies you don't actually set is misleading. A policy that misses cookies you do set is the kind of thing regulators flag in sweep investigations. The companion article walks through this with screenshots.
This generator is enough when: you run a content site, SaaS, e-commerce store, newsletter, agency site, or a mobile-app marketing site. You use a mainstream stack (Google Analytics, Meta Pixel, Stripe, HubSpot, Cloudflare, YouTube embeds). You operate in standard jurisdictions (EU, UK, US, Brazil, India). You've run a cookie audit and the policy reflects reality.
Get a lawyer involved when: you're in a regulated industry (health data, children's services, financial services); you run programmatic advertising with real-time bidding; you operate in jurisdictions not covered by the generator (China PIPL, Russia PDL, South Korea PIPA, etc.); you've had a prior DPA complaint or enforcement action; you're going through due diligence, fundraising, or M&A; you're a Consent Manager registering with the Indian DPB or an IAB-registered CMP. A 1–2 hour review from a privacy attorney ($300–1500) is cheap insurance at these scales.
A cookie policy is a disclosure document, not a contract, so "binding" isn't quite the right word. What matters is whether it accurately describes the cookies your site sets and meets the disclosure requirements of the laws that apply to your visitors. The generator produces a template that covers the EU ePrivacy Directive, GDPR, UK PECR, CCPA/CPRA, LGPD, India DPDP, and other regional laws. It is not legal advice. For regulated industries or complex cross-border operations, have a qualified attorney review before publishing.
Three ways. First, all features are free with no paywalls. Competitors gate cookie databases, GPC handling, TCF v2.3 support, and regional variants behind $10–99/month subscriptions. Second, depth: 62 pre-populated services and 104 individual cookies, 15 jurisdictions, and the full UK ICC 4-category taxonomy. Third, it runs 100% in your browser with no signup, which means your site's configuration never leaves your device. The generator produces the cookie policy text; it does not include a consent banner tag for your site, which is a separate compliance tool.
Yes. The generator includes disclosure language for the IAB Transparency and Consent Framework v2.3 Disclosed Vendors segment, which became mandatory on February 28, 2026. If your site uses a TCF-certified consent management platform and serves EU users, this language is required for lawful operation.
62 services and 104 individual cookies from common services: Google Analytics 4, Google Ads, Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, Pinterest Tag, X/Twitter Pixel, HubSpot, Mailchimp, Klaviyo, Stripe Checkout, PayPal, Shopify, Cloudflare, Hotjar, Mixpanel, Amplitude, Intercom, Drift, Zendesk, YouTube embeds, Vimeo, Spotify, Tidio, Crisp, Calendly, and more. Each cookie comes with name, provider, purpose, duration, and UK ICC category pre-filled. You just check the services you use.
Yes. California CCPA/CPRA requires honoring the Global Privacy Control browser signal as a valid opt-out request. The generator includes GPC disclosure language and a Do Not Sell or Share My Personal Information section with the required wording. For multi-state US compliance (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others), the generator adapts the language to each state's terminology.
A unique feature that rates your configuration against the criteria regulators actually check in enforcement actions. It verifies TCF v2.3 compliance, GPC signal honoring, Google Consent Mode v2 integration, EU opt-in consent model, US opt-out mechanism, layered notice structure, absence of dark patterns (equal prominence for Accept and Reject), and cookie category granularity. Each check cites the regulator or case law behind it (CNIL dark-pattern guidance, ICO layered notice guidance, SHEIN €150M fine, Sephora $1.2M GPC case).
Yes, for most jurisdictions. The cookie policy is the detailed disclosure document; the consent banner is the mechanism users interact with to grant or withdraw consent. GDPR and ePrivacy require both: the banner captures consent, the policy explains the details. The generator produces consent banner copy as a separate output so you can wire it into whatever banner solution you use (a simple DIY implementation, a CMP like Cookiebot or CookieYes, or a framework-native solution like gdpr-cookie-consent for WordPress).
Yes. Your configuration auto-saves in your browser's localStorage and persists across sessions on the same device. You can also export your full configuration as JSON to back up, transfer to another device, or share with a team or attorney. When new cookie laws take effect, load the JSON, re-run through the wizard, and re-export.