Tags: GDPR, legal, privacy policy

Privacy Policy vs Cookie Policy: What's the Difference Under GDPR?

ConsentScope Team
April 28, 2026 · 8 min read

If you run a website that collects any data from EU visitors, you need both a privacy policy and a cookie policy. These documents are related but distinct. Many site owners conflate them, copy one into the other, or worse, omit one entirely. This article explains the precise legal and practical differences between a privacy policy and a cookie policy under GDPR, what each must contain, and how they work together.

The legal foundation

The privacy policy is rooted in GDPR Articles 13 and 14, which require controllers to provide information about how they process personal data. The cookie policy is rooted in the ePrivacy Directive (soon to be the ePrivacy Regulation), which specifically governs storage of information on, and access to information already stored on, user devices. While GDPR applies to all personal data processing, the ePrivacy Directive focuses specifically on cookies, trackers and similar technologies.

| Aspect | Privacy Policy | Cookie Policy |
| --- | --- | --- |
| Legal basis | GDPR Articles 13-14 | ePrivacy Directive + GDPR Article 7 |
| Scope | All personal data processing | Cookies, storage, device fingerprinting |
| When required | Always, if you process personal data | Always, if you use non-essential cookies |
| Consent mechanism | May use various legal bases (contract, legitimate interest, consent) | Almost always requires explicit consent |
| Updates needed | When processing changes | When cookies or vendors change |
| Placement | Footer, checkout, forms | Consent banner link, footer |

What a privacy policy must include

A GDPR-compliant privacy policy is a comprehensive document. It must cover every aspect of how your organization collects, uses, stores and shares personal data. Here are the mandatory elements.

  • Identity and contact details of the controller: Your company name, address and DPO contact if applicable.
  • Purposes of processing: Why you collect data (service provision, marketing, analytics, legal obligation).
  • Legal basis: Which GDPR Article 6 basis applies to each purpose.
  • Recipients or categories of recipients: Who else gets the data (vendors, partners, authorities).
  • Transfers to third countries: If data leaves the EEA, specify the safeguards (SCCs, adequacy decisions).
  • Retention periods: How long you keep each category of data.
  • Data subject rights: How users can access, correct, delete or port their data.
  • Right to complain: How to lodge a complaint with a supervisory authority.
  • Automated decision-making: Whether profiling or algorithmic decisions occur.

What a cookie policy must include

A cookie policy is narrower and more technical. Its job is to inform users about the specific technologies used on the website and to justify their presence.

  • What cookies are: A brief explanation for non-technical users.
  • Which cookies you use: A complete list, ideally in a table format.
  • Purpose of each cookie: Necessary, functional, analytics, marketing.
  • Who sets the cookie: First-party or third-party, and if third-party, which vendor.
  • Duration: Session or persistent, with specific expiration times.
  • How to manage cookies: Browser settings, your consent tool, or opt-out links.

Why you cannot just merge them

Some site owners try to save time by putting cookie information inside the privacy policy. While this is better than omitting cookie information entirely, it creates practical problems. Users looking for cookie-specific information must scroll through pages of general privacy text. Regulators reviewing cookie compliance want a focused, easily accessible cookie disclosure. And your consent banner typically links directly to the cookie policy, not the full privacy policy.

The best practice is to maintain two separate documents, cross-linked from each other. The cookie policy should link to the privacy policy for broader data protection questions. The privacy policy should link to the cookie policy for detailed cookie information.

How to keep both documents accurate

The biggest practical challenge is keeping these documents up to date. Every new analytics tool, advertising partnership or CMS plugin can introduce cookies that are not yet documented. Our recommendation is to tie documentation updates to your deployment process: before any code goes live, the developer or marketer responsible must update the cookie policy. Quarterly audits catch anything that slips through.

FAQ

Do I need a cookie policy if I only use necessary cookies?

Technically, the ePrivacy Directive requires information about all storage and access, including strictly necessary cookies. However, because necessary cookies do not require consent, the information requirement is lighter. Most sites still include them in the cookie policy for transparency.

Can I use a cookie policy generator?

Generators are a good starting point, but they are only as accurate as the information you feed them. If you miss a cookie during the input phase, the generated policy will be incomplete. Always verify generated policies against a real cookie scan.
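The deployment-time check and the cookie-scan verification described above can be turned into one automated drift check. The script below is an added example, not ConsentScope's tooling: it parses Set-Cookie headers the way a scan would capture them (the headers, the site domain `example.com`, the documented cookie table and the capture time are all constructed for the example) and reports what a policy reviewer would flag: cookies that are set but not documented, documented cookies that are no longer observed, lifetimes that disagree with the policy, and cookies set on a third-party domain whose policy entry names no vendor.

```python
"""Cookie inventory drift check (added example, not the page's or ConsentScope's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

SITE_DOMAIN = "example.com"  # assumed first-party domain (constructed)
CAPTURED_AT = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)  # constructed scan time

# Constructed cookie-policy table: who sets the cookie (None = first party,
# otherwise the vendor name) and lifetime in days (None = session cookie).
DOCUMENTED = {
    "session_id":    {"category": "necessary",  "vendor": None,               "days": None},
    "consent_prefs": {"category": "necessary",  "vendor": None,               "days": 180},
    "_ga":           {"category": "analytics",  "vendor": "Google Analytics", "days": 730},
    "uid":           {"category": "marketing",  "vendor": None,               "days": 365},
    "old_ab_test":   {"category": "functional", "vendor": None,               "days": 30},
}

# Constructed Set-Cookie headers as a scan would record them: (responding host, header).
OBSERVED_HEADERS = [
    ("example.com", "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("example.com", "consent_prefs=v2; Max-Age=31536000; Path=/; Secure"),
    ("example.com", "_ga=GA1.2.111; Max-Age=63072000; Domain=.example.com; Path=/"),
    ("ads.tracker-vendor.example",
     "uid=xyz; Expires=Wed, 28 Apr 2027 12:00:00 GMT; Domain=.tracker-vendor.example; "
     "Path=/; SameSite=None; Secure"),
    ("example.com", "ab_variant=B; Max-Age=2592000; Path=/"),
]


@dataclass
class ObservedCookie:
    name: str
    domain: str
    days: Optional[float]  # None = session cookie


def parse_set_cookie(host: str, header: str, captured_at: datetime) -> ObservedCookie:
    """Extract name, effective domain and lifetime from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, max_age, expires = host.lower(), None, None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain":
            domain = value.lstrip(".").lower()
        elif key == "max-age":
            max_age = int(value)
        elif key == "expires":
            expires = parsedate_to_datetime(value)
            if expires.tzinfo is None:  # "-0000" dates come back naive
                expires = expires.replace(tzinfo=timezone.utc)
    # RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
    if max_age is not None:
        seconds = max_age
    elif expires is not None:
        seconds = (expires - captured_at).total_seconds()
    else:
        return ObservedCookie(name, domain, None)
    return ObservedCookie(name, domain, seconds / 86400)


def is_first_party(domain: str, site_domain: str = SITE_DOMAIN) -> bool:
    return domain == site_domain or domain.endswith("." + site_domain)


def audit(observed, documented, site_domain=SITE_DOMAIN):
    """Diff observed cookies against the policy table; returns findings by kind."""
    findings = {"undocumented": [], "stale": [], "duration_mismatch": [], "vendor_missing": []}
    seen = set()
    for c in observed:
        seen.add(c.name)
        doc = documented.get(c.name)
        if doc is None:
            findings["undocumented"].append(c.name)
            continue
        # Session vs persistent must agree; persistent lifetimes get 10% (min 1 day) slack.
        if (doc["days"] is None) != (c.days is None):
            findings["duration_mismatch"].append(c.name)
        elif c.days is not None and abs(c.days - doc["days"]) > max(1, 0.1 * doc["days"]):
            findings["duration_mismatch"].append(c.name)
        # A cookie on a foreign domain is set by a third party; the policy must name it.
        if not is_first_party(c.domain, site_domain) and doc["vendor"] is None:
            findings["vendor_missing"].append(c.name)
    findings["stale"] = sorted(set(documented) - seen)
    return findings


def run_audit():
    observed = [parse_set_cookie(h, v, CAPTURED_AT) for h, v in OBSERVED_HEADERS]
    return audit(observed, DOCUMENTED)


if __name__ == "__main__":
    for kind, names in run_audit().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run as a CI step that fails the build when any finding list is non-empty, and feed it the headers from a real scan rather than the constructed ones. Cookies written by JavaScript on the first-party domain (as `_ga` is) do not carry a foreign `Domain` attribute, so the vendor check above only catches third-party-domain cookies; for script-set cookies the scan needs to record which script wrote them.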

ConsentScope Team

Verified author

Privacy Engineers & Chrome Extension Developers

We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.

Published: April 28, 2026 · Updated: April 28, 2026