Privacy & GDPR Updated 2026-04-06 · England and Wales

Free Cookies Policy Template

Free UK cookies policy template compliant with the UK GDPR, PECR 2003, and DPA 2018. Covers cookie types, third-party cookies, consent mechanisms, and browser management instructions for Chrome, Firefox, Safari, and Edge.

What is this document?

A cookies policy is a legal document that explains how your website uses cookies and similar tracking technologies. It tells visitors what cookies you set, why you set them, how long they last, and how visitors can control or delete them. Under UK law, you must provide clear and comprehensive information about your use of cookies and obtain consent before placing non-essential cookies on a user's device.

Who needs it?

Any person or organisation that operates a website accessible to users in the United Kingdom and uses cookies or similar technologies. This includes businesses of all sizes, sole traders, charities, and public sector bodies. If your website sets any cookies — including analytics cookies, advertising cookies, or session cookies — you need a cookies policy.

Why is it important?

The Privacy and Electronic Communications Regulations 2003 (PECR) require you to tell visitors about cookies on your website and obtain their consent before setting non-essential cookies. The UK GDPR and the Data Protection Act 2018 apply where cookies collect or process personal data. The Information Commissioner's Office (ICO) actively enforces these rules and has issued clear guidance that implied consent (such as a banner saying 'by continuing to browse you accept cookies') is not sufficient. Fines for non-compliance can reach up to £17.5 million or 4% of annual global turnover under the UK GDPR.

Key UK legislation

UK General Data Protection Regulation (UK GDPR)

Privacy and Electronic Communications Regulations 2003 (PECR)

Data Protection Act 2018

Template document

Cookies Policy

This cookies policy explains how [your organisation name] ("we", "us", or "our") uses cookies and similar technologies when you visit our website at [your website URL] (the "Website"). It explains what these technologies are, why we use them, and your rights to control their use.

This policy should be read alongside our privacy policy, which sets out how we collect and process personal data more generally.

This policy was last updated on [date].

1. About cookies

1.1 Cookies are small text files that are placed on your computer, tablet, smartphone, or other device when you visit a website. They are widely used to make websites work efficiently, to improve the user experience, and to provide information to the website operator.

1.2 Cookies may be set by the website you are visiting (known as first-party cookies) or by third parties, such as analytics providers or advertising networks (known as third-party cookies).

1.3 Cookies can be classified by how long they remain on your device:

(a) Session cookies — these are temporary cookies that expire when you close your browser. They are used to keep track of your activity during a single browsing session.

(b) Persistent cookies — these remain on your device for a set period of time or until you delete them manually. They are used to remember your preferences and actions across multiple visits.

1.4 We may also use other similar technologies, such as web beacons, pixel tags, and local storage, which function in a comparable manner to cookies. References to "cookies" in this policy include these similar technologies unless the context requires otherwise.

2. Consent for cookies

2.1 In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR), we will ask for your consent before placing any non-essential cookies on your device. Note: The Data (Use and Access) Act 2025, commenced on 5 February 2026, introduces new exceptions to the PECR consent requirement for certain low-risk cookies used for web analytics and statistical purposes. You should review whether any of your analytics cookies qualify for these exceptions.

2.2 When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or reject different categories of cookies. You can change your cookie preferences at any time using the method described in Section 7 below.

2.3 Strictly necessary cookies do not require your consent, as they are essential for the Website to function properly. These cookies are set automatically when you access the Website.

2.4 If you do not consent to non-essential cookies, or if you later withdraw your consent, the Website will continue to function, although some features that rely on those cookies may not be available or may not work as intended.

3. Cookies we use

3.1 We use the following categories of cookies on our Website:

3A. Strictly necessary cookies

3.2 These cookies are essential for the operation of our Website. They enable core functionality such as security, session management, and accessibility. Without these cookies, the Website cannot function properly and they cannot be switched off in our systems.

3.3 Strictly necessary cookies we use include:

(a) [Cookie name] — [purpose, e.g., session management]. Duration: [session / specific period]. Type: first-party.

(b) [Cookie name] — [purpose, e.g., cookie consent preferences]. Duration: [specific period, e.g., 12 months]. Type: first-party.

(c) [Cookie name] — [purpose, e.g., security and fraud prevention]. Duration: [session / specific period]. Type: first-party.

3B. Analytics cookies

3.4 These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our Website. They help us understand which pages are the most and least popular and how visitors move around the site. All information these cookies collect is aggregated and is therefore anonymous for the purposes of identifying individual users.

3.5 Analytics cookies we use include:

(a) [Cookie name, e.g., _ga] — [purpose, e.g., Google Analytics — distinguishes unique users by assigning a randomly generated number]. Duration: [e.g., 2 years]. Type: third-party ([provider name]).

(b) [Cookie name, e.g., _ga_*] — [purpose, e.g., Google Analytics — used to persist session state]. Duration: [e.g., 2 years]. Type: third-party ([provider name]).

(c) [Cookie name] — [purpose]. Duration: [period]. Type: [first-party / third-party ([provider name])].

3.6 If you do not consent to analytics cookies, we will not be able to include your visit in our statistics, but this will not affect your experience of the Website.

3C. Functional cookies

3.7 These cookies enable enhanced functionality and personalisation, such as remembering your preferences (for example, your preferred language or the region you are in), remembering your login details, and providing enhanced features. They may be set by us or by third-party providers whose services we have added to our pages.

3.8 Functional cookies we use include:

(a) [Cookie name] — [purpose, e.g., remembers user language preferences]. Duration: [period]. Type: [first-party / third-party ([provider name])].

(b) [Cookie name] — [purpose, e.g., stores live chat session information]. Duration: [period]. Type: third-party ([provider name]).

3.9 If you do not consent to functional cookies, some features of the Website may not function correctly or may not remember your preferences.

3D. Advertising and targeting cookies

3.10 These cookies are used to deliver advertisements that are more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of advertising campaigns. They are usually placed by advertising networks with our permission and remember that you have visited our Website. This information may be shared with other organisations, such as advertisers.

3.11 Advertising cookies we use include:

(a) [Cookie name] — [purpose, e.g., tracks conversions from advertising campaigns]. Duration: [period]. Type: third-party ([provider name, e.g., Google Ads / Meta / LinkedIn]).

(b) [Cookie name] — [purpose, e.g., builds a profile of visitor interests for targeted advertising]. Duration: [period]. Type: third-party ([provider name]).

3.12 If you do not consent to advertising cookies, you will still see advertisements, but they will not be tailored to your interests.

3.13 [If you do not use advertising cookies, you may delete Section 3D and replace it with the following statement: "We do not currently use advertising or targeting cookies on our Website."]

4. Cookies used by third-party service providers

4.1 Some cookies on our Website are set by third-party services that appear on our pages. We do not control the setting of these cookies. You should check the relevant third party's website for more information about their cookies and how to manage them.

4.2 Third-party services that may set cookies through our Website include:

(a) [Service provider name, e.g., Google Analytics] — used for [purpose, e.g., website analytics]. Privacy policy: [URL of the provider's privacy policy].

(b) [Service provider name, e.g., YouTube / Vimeo] — used for [purpose, e.g., embedded video content]. Privacy policy: [URL].

(c) [Service provider name, e.g., Stripe / PayPal] — used for [purpose, e.g., payment processing]. Privacy policy: [URL].

(d) [Service provider name] — used for [purpose]. Privacy policy: [URL].

4.3 We encourage you to review the privacy policies and cookie policies of these third-party providers to understand how they collect and use your data.

5. Managing cookies in your browser

5.1 In addition to the controls provided through our cookie consent mechanism, you can manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete cookies, or be notified when a cookie is set. Please note that if you disable or delete cookies, some features of our Website may not function correctly.

5.2 Instructions for managing cookies in commonly used browsers are set out below. For other browsers, please consult the browser's help documentation.

5.3 Google Chrome: Open the menu (three dots in the top right corner), click "Settings", then "Privacy and security", then "Cookies and other site data" (or navigate to chrome://settings/cookies). From here you can block third-party cookies, block all cookies, or clear cookies when you close the browser. You can also delete individual cookies by clicking "See all site data and permissions".

5.4 Mozilla Firefox: Open the menu (three lines in the top right corner), click "Settings", then "Privacy & Security". Under "Cookies and Site Data", you can manage and delete cookies. Under "Enhanced Tracking Protection", you can choose Standard, Strict, or Custom protection levels to control which cookies are blocked automatically.

5.5 Apple Safari: On macOS, open Safari, click "Safari" in the menu bar, then "Settings" (or "Preferences"), then "Privacy". Here you can block all cookies, prevent cross-site tracking, and manage website data. On iOS, go to "Settings", then "Safari", then "Privacy & Security" to manage cookie settings.

5.6 Microsoft Edge: Open the menu (three dots in the top right corner), click "Settings", then "Cookies and site permissions", then "Manage and delete cookies and site data" (or navigate to edge://settings/content/cookies). You can block third-party cookies, block all cookies, and clear cookies when you close the browser.

5.7 Please be aware that blocking all cookies may affect the functionality of many websites, not just ours. If you block all cookies, you may not be able to use all the features on our Website.

5.8 You can also opt out of certain third-party cookies using the following platforms:

(a) Your Online Choices (www.youronlinechoices.com) — a service run by the European Interactive Digital Advertising Alliance that allows you to opt out of behavioural advertising from participating companies.

(b) Google Ads Settings (adssettings.google.com) — allows you to manage the information Google uses to show you ads.

(c) Network Advertising Initiative (optout.networkadvertising.org) — allows you to opt out of interest-based advertising from participating ad networks.

6. Do Not Track signals

6.1 Some browsers include a "Do Not Track" (DNT) feature that signals to websites that the user does not wish to be tracked. There is currently no universally accepted standard for how websites should respond to DNT signals.

6.2 [Our Website does / does not] respond to DNT signals. Regardless of your DNT setting, we will not place non-essential cookies on your device without your consent as described in this policy.

7. Cookie preferences

7.1 You can review and change your cookie preferences at any time by [describe how users can access cookie preferences, e.g., "clicking the 'Cookie Settings' link in the footer of our Website" / "clicking the cookie icon displayed in the bottom [left/right] corner of our Website" / "visiting [URL of cookie preferences page]"].

7.2 When you change your preferences, any non-essential cookies that you have previously accepted but no longer consent to will be deleted from your device, although this may take a short time to take effect.

7.3 If you clear your browser's cookies, your cookie preferences will be reset and you will be asked to consent again on your next visit.

8. Changes to this cookies policy

8.1 We may update this cookies policy from time to time to reflect changes in the cookies we use, changes in legislation, or updates to ICO guidance.

8.2 Any changes will be posted on this page and the "last updated" date at the top of this policy will be revised accordingly.

8.3 If we make material changes to the types of cookies we use or the purposes for which we use them, we will seek your consent again where required by law.

8.4 We encourage you to check this page periodically to stay informed about our use of cookies.

9. Our details

9.1 This Website is owned and operated by [your full legal company name], a company registered in [England / England and Wales / Scotland / Northern Ireland] under company number [company registration number], whose registered office is at [registered office address].

9.2 You can contact us:

(a) By post: [your postal address]

(b) By email: [your email address]

(c) By telephone: [your telephone number]

(d) Through our website: [your contact page URL]

9.3 For detailed information about how we collect and process personal data, please see our privacy policy.

9.4 If you have any questions about this cookies policy or our use of cookies, please contact us using the details set out above.

9.5 If you wish to raise a complaint about our use of cookies, you may also contact the Information Commissioner's Office (ICO):

(a) Website: www.ico.org.uk

(b) Telephone: 0303 123 1113

(c) Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This document was created using a template from website-contracts.co.uk.

Clause-by-clause guide

Plain English explanations of the key sections.

This is arguably the most important section of your cookies policy from a compliance perspective. The ICO has made clear that consent for non-essential cookies must be freely given, specific, informed, and unambiguous — meaning you must use a consent mechanism (such as a cookie banner) that gives users a genuine choice before non-essential cookies are set. Pre-ticked boxes, 'cookie walls' that force acceptance, and 'by continuing to browse you accept cookies' banners do not meet the PECR consent standard as interpreted under the UK GDPR. You must ensure your cookie consent tool does not load any non-essential cookies until the user has given positive, affirmative consent. Strictly necessary cookies are exempt from the consent requirement under Regulation 6(4) of PECR, but you must still inform users about them.

You must provide specific, accurate information about every cookie your Website sets. For each cookie, state its name, purpose, duration (session or persistent, and if persistent, how long), whether it is a first-party or third-party cookie, and which provider sets it. Vague descriptions such as 'we use cookies to improve your experience' are not sufficient. Audit your website regularly to identify all cookies in use — tools such as browser developer consoles, cookie scanning services, and your cookie consent platform's built-in audit tool can help. Categorise each cookie correctly: strictly necessary cookies must genuinely be essential for the website to function; do not classify analytics or advertising cookies as strictly necessary, as this is a common compliance error.

Many cookies on your website will be set by third-party services such as Google Analytics, YouTube, social media widgets, payment processors, and advertising networks. You do not directly control these cookies, but you are responsible for informing users about them and obtaining consent before they are loaded. List all third-party services that set cookies through your site, describe their purpose, and link to their privacy and cookie policies. Under the UK GDPR, if a third party processes personal data collected through cookies on your site, you may need a data processing agreement with that provider. Review your third-party services regularly, as they may change the cookies they set without notifying you.

While your primary consent mechanism should be a cookie banner or consent management platform, it is good practice (and expected by the ICO) to also explain how users can manage cookies through their browser settings. Provide clear, up-to-date instructions for the most popular browsers. Browser settings allow users to block or delete cookies, but they are a blunt tool — blocking all cookies will break many websites. For this reason, a granular consent mechanism on your website is a better and more user-friendly approach. You should also mention opt-out platforms such as Your Online Choices, which allow users to opt out of behavioural advertising from participating companies.

The ICO requires that it must be as easy to withdraw consent as it was to give it. Your cookies policy must clearly explain how users can change their cookie preferences after their initial choice. Common approaches include a 'Cookie Settings' link in the website footer, a persistent cookie icon, or a dedicated cookie preferences page. Your consent management platform should support this functionality. When a user changes their preferences, non-essential cookies they no longer consent to should be deleted promptly. Be aware that if a user clears their browser cookies, your consent record is lost and you must seek consent again on their next visit.

Frequently asked questions

There is no strict legal requirement under UK law to have a separate cookies policy — you could include the relevant information within your privacy policy. However, the ICO recommends providing clear, accessible, and prominent information about cookies, and a separate cookies policy is generally the best way to achieve this. Privacy policies are often long and detailed, and burying your cookie information within one makes it harder for users to find. A separate, clearly linked cookies policy allows users to quickly understand what cookies you use, why you use them, and how to manage them. It also makes it easier for you to keep the information up to date, particularly if you change your analytics or advertising tools frequently.

The Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR work together but cover different aspects of cookies. PECR specifically regulates the storage of, and access to, information on a user's device — this is the regulation that requires consent before setting non-essential cookies, regardless of whether they process personal data. The UK GDPR applies where cookies collect or are used to process personal data (such as IP addresses, unique identifiers, or browsing behaviour linked to an individual). In practice, most non-essential cookies will involve personal data, so both PECR and the UK GDPR will apply simultaneously. The consent standard under PECR is interpreted in line with the UK GDPR definition of consent, meaning it must be freely given, specific, informed, and unambiguous.

Yes, if your website uses any non-essential cookies. Under PECR, you must obtain the user's consent before storing or accessing information on their device, except for strictly necessary cookies. The most practical and widely accepted way to do this is through a cookie consent banner or consent management platform that is displayed when a user first visits your website. The banner must give the user a genuine choice to accept or reject different categories of cookies, and non-essential cookies must not be loaded until the user has given affirmative consent. A banner that only says 'This site uses cookies — OK' or 'By continuing to browse, you accept cookies' does not meet the legal standard. The ICO has published detailed guidance on cookies and similar technologies confirming these requirements.

Strictly necessary cookies are cookies that are essential for the website to perform a basic function requested by the user. Examples include cookies that manage your shopping basket, maintain your login session, remember your cookie consent preferences, and provide security features such as CSRF token validation. These cookies are exempt from the consent requirement under Regulation 6(4) of PECR because the website cannot function properly without them. However, you must still inform users about strictly necessary cookies in your cookies policy. It is important not to abuse this exemption — analytics cookies, advertising cookies, and social media tracking cookies are not strictly necessary, even if they are useful for your business. The ICO applies a narrow interpretation of this exemption.

You should audit your cookies regularly — at a minimum every six months, and whenever you make significant changes to your website, such as adding new third-party services, plugins, or functionality. Cookies can be added to your site without your knowledge, for example when you embed a YouTube video, add a social media sharing button, or install a new WordPress plugin. An audit involves scanning your website to identify every cookie that is set, verifying that your cookies policy accurately lists all cookies, checking that your consent mechanism correctly categorises them, and confirming that non-essential cookies are not loaded before consent is obtained. Several tools can automate this process, including built-in features in consent management platforms such as Cookiebot, CookieYes, and OneTrust.