How to Draft a Cookie Policy in the UK

If you run a UK website that uses cookies, you need a cookie policy — and getting it wrong can land you in trouble with the ICO. This guide walks you through exactly how to draft a cookie policy in the UK, covering what the UK GDPR and PECR require, what categories of cookies you must disclose, and how to write something that actually makes sense to your users. Most cookie policies fail because they're copied from a US template or buried in a privacy policy with no real structure. UK law is specific: you need to tell users what cookies you use, why you use them, how long they last, and how users can control or withdraw consent. This guide is written for founders and small business owners who want a compliant, readable cookie policy without paying a solicitor £300 to draft one from scratch. We'll cover the legal requirements, the practical structure, and where Atornee can help you generate a solid first draft in minutes.


Why this matters

Most UK founders either skip the cookie policy entirely, paste in a generic template they found online, or bury a few lines inside their privacy policy and hope for the best. None of those approaches hold up under UK GDPR or PECR. The ICO has been increasingly active on cookie compliance, and a vague or missing policy is a real liability — especially if you're running paid ads, using analytics tools, or collecting any kind of user data. The pain here is practical: you know you need one, you're not sure what it has to say, and you don't want to spend hours researching data protection law just to publish a policy page.

The Atornee approach

Atornee isn't a cookie policy generator that spits out the same boilerplate every other site uses. When you use Atornee, you answer questions specific to your business — what cookies you actually run, whether you use third-party tools like Google Analytics or Meta Pixel, and what consent mechanism you have in place. The output is a structured UK-compliant cookie policy drafted around your actual setup, not a generic placeholder. You still own the document and can edit it. If your situation is complex — say, you're processing sensitive data or operating across multiple jurisdictions — Atornee will flag that and tell you when it's worth getting a solicitor involved. No upselling, just honest guidance.

What you get

A clear breakdown of every section a UK-compliant cookie policy must include under UK GDPR and PECR
Plain-English explanations of cookie categories — strictly necessary, functional, analytics, marketing — so you can accurately describe what your site uses
Guidance on how to handle third-party cookies from tools like Google Analytics, Meta Pixel, and Hotjar
A practical checklist to audit your existing cookies before drafting or updating your policy
Honest advice on when your cookie policy alone isn't enough and you need a full consent management setup

Before you sign checklist

1. Run a cookie audit on your website using a tool like CookieMetrix or your browser's developer tools to list every cookie currently set
2. Categorise each cookie as strictly necessary, functional, analytics, or marketing — you cannot lump them all together
3. Identify every third-party service setting cookies on your site and check their own documentation for cookie names and durations
4. Confirm whether you have a consent mechanism in place — a cookie banner that records opt-in before non-essential cookies fire
5. Draft your cookie policy using the categories above, including cookie name, purpose, duration, and whether it is first or third party
6. Link your cookie policy clearly from your website footer and from your cookie consent banner
7. Set a review date — cookie policies should be updated whenever you add or remove tools that set cookies
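As an added example (not Atornee's code or anything from the page), the script below reconciles the audit from step 1 against the policy table from step 5, flagging cookies that are set but undeclared, entries that are declared but no longer set, and rows missing a category, purpose or duration; it also shows the consent gate from step 4, where only strictly necessary cookies may fire without a recorded opt-in. All cookie names, domains, purposes and durations are constructed for illustration.

```javascript
// Added example (not Atornee's code): reconcile a cookie audit against the
// policy table, so the draft neither omits live cookies nor lists stale ones.
// Cookie names, purposes, domains and durations below are constructed.

const CATEGORIES = new Set(["strictly necessary", "functional", "analytics", "marketing"]);
const SITE_DOMAIN = "example.co.uk"; // assumed site domain

// What the draft policy declares (checklist step 5).
const declaredPolicy = [
  { name: "session_id", category: "strictly necessary", purpose: "Keeps you logged in", duration: "Session" },
  { name: "_ga", category: "analytics", purpose: "Distinguishes visitors for analytics", duration: "2 years" },
  { name: "chat_widget_uid", category: "functional", purpose: "Chat tool since removed", duration: "1 year" },
];

// What the audit actually found (checklist step 1), as copied from developer tools.
const observedCookies = [
  { name: "session_id", domain: "example.co.uk" },
  { name: "_ga", domain: ".example.co.uk" },
  { name: "_pixel_uid", domain: "example.co.uk" },   // set by an ad pixel, never declared
  { name: "ad_id", domain: ".ads-vendor.example" },  // third-party cookie, never declared
];

// First party means the cookie domain is the site domain or a subdomain of it.
function isFirstParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, "");
  return d === siteDomain || d.endsWith("." + siteDomain);
}

// Only strictly necessary cookies may be set without a recorded opt-in (step 4).
function allowedUnderConsent(category, consent) {
  return category === "strictly necessary" || consent[category] === true;
}

// Compares policy and audit; returns the gaps a reviewer would flag.
function reconcile(policy, observed, siteDomain) {
  const declared = new Set(policy.map((p) => p.name));
  const seen = new Set(observed.map((c) => c.name));
  const undeclared = observed
    .filter((c) => !declared.has(c.name))
    .map((c) => ({ name: c.name, party: isFirstParty(c.domain, siteDomain) ? "first" : "third" }));
  const stale = policy.filter((p) => !seen.has(p.name)).map((p) => p.name);
  const incomplete = policy
    .filter((p) => !CATEGORIES.has(p.category) || !p.purpose || !p.duration)
    .map((p) => p.name);
  const compliant = undeclared.length === 0 && stale.length === 0 && incomplete.length === 0;
  return { undeclared, stale, incomplete, compliant };
}

console.log(JSON.stringify(reconcile(declaredPolicy, observedCookies, SITE_DOMAIN), null, 2));
```

Re-run the reconciliation whenever a tool is added or removed (step 7); a non-empty `stale` or `undeclared` list means the policy text needs updating before it is republished.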

FAQ

Is a cookie policy a legal requirement in the UK?

Yes. Under PECR (Privacy and Electronic Communications Regulations) and UK GDPR, if your website sets any non-essential cookies, you must inform users about them and obtain their consent before those cookies are placed. A cookie policy is the document that fulfils the transparency requirement. Strictly necessary cookies are exempt from consent, but you still need to disclose them.

Can I just include my cookie information inside my privacy policy?

Technically you can reference cookies within a privacy policy, but the ICO recommends a separate, clearly accessible cookie policy. In practice, combining them often makes the information harder to find and harder to update. A standalone cookie policy page linked from your footer and consent banner is the cleaner, safer approach.

What happens if I don't have a cookie policy in the UK?

The ICO can issue warnings, enforcement notices, and fines for non-compliance with PECR and UK GDPR. While large fines tend to target bigger organisations, the ICO has investigated smaller businesses and charities. Beyond regulatory risk, missing or inadequate cookie disclosures can also undermine user trust and create issues if you're ever audited by an advertising platform or enterprise client.

Do I need a cookie policy if I only use Google Analytics?

Yes. Google Analytics sets cookies that are not strictly necessary — they are analytics cookies that require user consent under UK law. You need to disclose them in your cookie policy, categorise them correctly, and ensure your consent banner blocks them until the user opts in. Simply having a banner that says 'we use cookies' is not sufficient.

How often should I update my cookie policy?

Every time you add, remove, or change a tool that sets cookies on your site. That includes adding a new analytics platform, switching chat tools, or integrating a new ad pixel. A cookie policy that lists cookies you no longer use, or omits ones you do, is non-compliant. Build a review into your process whenever you update your tech stack.

Does a cookie policy generated by AI need a solicitor to review it?

For most straightforward UK websites — a SaaS product, an e-commerce store, a service business — a well-structured AI-generated cookie policy is a solid starting point and may be sufficient. You should escalate to a solicitor if you're processing sensitive personal data, operating in regulated sectors like finance or healthcare, or if you have complex cross-border data flows. Atornee will flag these scenarios when they arise.

Authored By

Atornee Editorial Team

UK Data Protection and Compliance Content

Reviewed By

Compliance Review Desk

UK Business Legal Content QA

Last reviewed on 3/4/2026

"This content is based on analysis of ICO enforcement guidance, PECR statutory requirements, and common compliance gaps observed across UK small business websites. It reflects practical drafting considerations for founders without in-house legal resource."