GDPR Cookie Policy Generator
A cookie policy that satisfies ePrivacy + GDPR Art. 7 consent + EDPB dark-pattern guidance — not just a list of cookie names.
- Satisfies ePrivacy + GDPR Art. 7 + EDPB Guidelines 05/2020
- Names specific cookies and third parties (EDPB requires this)
- Describes the consent banner + re-open-preferences mechanism
A GDPR cookie policy has to satisfy three things at once: the ePrivacy Directive (consent for non-essential cookies), GDPR Art. 7 (the standard for what counts as consent — freely given, specific, informed, unambiguous, as easy to withdraw as to give), and EDPB Guidelines 05/2020 plus the post-2022 dark-pattern guidance from CNIL and ICO. Most templates handle one of these and skip the other two. This page generates a cookie policy that addresses all three plus describes the consent banner and re-open mechanism.
Disclosures grounded in the actual statutory text.
ePrivacy consent for non-essential cookies
ePrivacy Directive 2002/58/EC Art. 5(3) — storing or accessing information on a user's device requires consent for non-essential purposes. Strictly necessary cookies are exempt; analytics, marketing, and personalization cookies are not.
GDPR Art. 7 consent standard
Consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Pre-ticked boxes are invalid (CJEU C-673/17 Planet49). "Accept all" without an equally accessible "reject all" violates EDPB Guidelines 05/2020.
EDPB Guidelines 05/2020
Specific cookies must be disclosed individually, each with its duration and recipient. Generic categories without specific cookie names fall short. Withdrawing consent must be as easy as giving it.
CNIL / ICO dark-pattern guidance
Equal-prominence Accept vs. Reject buttons, no nag walls, no "Accept All" that's visually dominant over a hidden Reject. CNIL has fined Google €150m and Meta €60m for cookie violations.
Re-open consent mechanism
Once consent is given, the user has to be able to withdraw it just as easily. A persistent re-open link (footer or floating icon) is the de facto standard.
Cross-link to the privacy policy
The cookie policy explains what cookies you use. The privacy policy explains what personal data you process. Cross-link both so a regulator (or curious user) can navigate between them.
Where GDPR + ePrivacy templates usually go wrong.
Pre-ticked boxes for analytics
A direct violation per CJEU C-673/17. The most common critical finding in EU cookie audits.
"Accept All" without "Reject All"
Per EDPB Guidelines 05/2020, the reject option has to be equally accessible. CNIL has fined for missing this.
No persistent re-open mechanism
Once consent is given, the user has to be able to withdraw it just as easily. A cookie-settings link in the footer or a floating shield icon is standard.
Ready to generate your GDPR + ePrivacy cookie policy?
A 2-minute wizard with the GDPR + ePrivacy jurisdiction pre-selected. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.
Questions about GDPR + ePrivacy compliance.
Generate your GDPR + ePrivacy cookie policy now.
Free preview, no signup. Two minutes through the wizard. Only pay if you want to unlock the full document.
