Do I need a cookie policy if I sell online?

If you have any EU / UK visitors, yes — ePrivacy + PECR + GDPR consent rules apply. US-only stores selling into California also need cookie disclosure under CCPA / CPRA for any marketing pixels. Almost every meaningful e-commerce store needs one.

What's the difference between a cookie policy and a privacy policy?

A privacy policy covers all personal data collection (forms, accounts, orders, etc.). A cookie policy is the specific subset about cookies and tracking technologies — what cookies, what they do, how to manage consent. Most regulators expect them as separate documents that cross-reference each other.

Do I need a cookie banner if I have a cookie policy?

For non-essential cookies on EU / UK visitors, yes — the policy explains the cookies; the banner gets consent before they load. Both are required. The banner can be a CMP product or a custom build, but consent has to be obtained before non-essential cookies are set.

Home / Cookie Policy / Cookie Policy for E-commerce

Cookie Policy for E-commerce

A cookie policy calibrated for an online store — checkout, abandoned-cart, marketing pixels, analytics — with the right consent framing per region.

Generate my e-commerce cookie policy → Free preview · No signup · 2 minutes

Calibrated for the e-commerce cookie footprint
Distinguishes essential from functional from marketing
Cross-jurisdiction: EU consent, UK PECR, US CCPA opt-out

An e-commerce site has a more aggressive cookie footprint than a content site — checkout session cookies, abandoned-cart tracking, retargeting pixels (Meta, Google, TikTok, Pinterest), email-platform tracking, and at least one analytics tool. Each one has its own consent / disclosure status. A generic cookie policy that lumps everything as "cookies for analytics and marketing" is not just thin — it contradicts the named integrations on the page. This generator produces a policy that names what an e-commerce store actually runs.

What your e-commerce cookie policy needs to cover

Disclosures that matter for e-commerce.

Checkout + session cookies

Strictly necessary — cart contents, session state, checkout step tracking. These are exempt from consent requirements but should still be disclosed.

Abandoned-cart tracking

Most email platforms (Klaviyo, Mailchimp, ActiveCampaign) set cookies to enable abandoned-cart sequences. These are marketing cookies requiring consent in EU / UK.

Retargeting pixels

Meta Pixel, Google Ads conversion, TikTok Pixel, Pinterest tag — all marketing cookies. EU / UK require consent; CCPA / CPRA require opt-out mechanism in the US.

Analytics (GA4 + alternatives)

Google Analytics 4 is the default; Plausible / Fathom are cookieless alternatives. Disclose what you use and the legal basis (consent in EU / UK, legitimate interest in US).

Review widgets + chat tools

Yotpo, Judge.me, Intercom, Tidio — each sets its own cookies. Small footprint but should be named individually per EDPB guidance.

Consent management

A real Consent Management Platform (CMP) — Cookiebot, Iubenda, Osano, etc. — or a custom banner. The policy references the CMP and explains how to re-open preferences.

Common mistakes

Where e-commerce policies usually go wrong.

Lumping all third parties as "analytics providers"

Per EDPB Guidelines 05/2020, third parties should be named individually. "Analytics providers" passes a quick read but fails a regulator complaint.
Pre-ticked consent for non-essential cookies

Direct violation of CJEU C-673/17 (Planet49). EU regulators have fined for this. Default-to-decline is the only safe pattern.
No CCPA opt-out

US stores running ad pixels are processing personal info under CCPA / CPRA "sharing" definition. Need a real "Do Not Sell or Share" mechanism or risk regulator action.