Do you need a cookie policy — and what must it contain?
Do you need a cookie policy? The law sets no formal requirement for a separate document with that exact name. But the consent requirement for cookies presupposes that consent is informed — the visitor must know what they are saying yes to — so the information has to live somewhere. In practice, a cookie policy, or a cookie section in the privacy policy, is the established way. What matters is not the document's name, but that its content matches what the website actually does.
What does the law say?
The consent requirement comes from the ePrivacy rules — in Sweden the Electronic Communications Act (chapter 9, section 28): non-essential cookies may not be set without consent, and consent is only valid if it is informed. That is the core of the information duty: the visitor must be able to understand which cookies are set and why, before making the choice.
When cookies also process personal data — which tracking and analytics cookies generally do — the GDPR's information requirements in article 13 apply on top: purposes, recipients and the rest of the mandatory information. The practice of the European Data Protection Board (EDPB) has furthermore made category, purpose and lifespan per cookie the established expectation of what the information should contain.
What the cookie policy must contain
Whether the information lives in its own document or in the privacy policy, the visitor should be able to find:
- Which cookies and trackers are used — not a selection, but the ones actually set on the website.
- What each one does and why — category and purpose, for example necessary, functional, analytics or marketing, preferably in a cookie table.
- How long they remain — lifespan per cookie or category, for example "session", "30 days" or "1 year". Not a hard statutory requirement, but an established expectation under the EDPB's guidelines.
- Who receives the data — which third parties and service providers the cookies send data to.
- How the visitor changes or withdraws their choice — a way back to the cookie settings, as easy to find as the banner was.
Common issues we see
- The policy lists five cookies — the website sets twenty-five. The table was written once and never kept up as new tools were added.
- The banner offers categories the policy never mentions — the visitor consents to "marketing" in the banner, but the policy doesn't explain what that category contains.
- The policy claims "we don't share data with third parties" — while the traffic goes to advertising platforms.
- "By continuing to browse you accept cookies" — a consent setup that is not valid; consent requires an active choice.
- Lifespans are missing entirely, so the visitor cannot tell whether the tracking lasts a session or two years.
How CompliantHQ tests this
What makes the cookie policy special is that it can be checked against reality. The scanner visits the website in a real browser and records which cookies and trackers are actually set — and at the same time reads the cookie policy as a document. Then we compare: does the policy mention the trackers we observed? Does it describe the categories the banner offers? Do claims like "we don't share data" match the measured traffic?
The gap between what is stated and what is measured is often the most valuable finding — a policy can look complete and still describe a different website than the one actually running. We measure a sample of the pages, so the list of observed trackers covers only the pages we actually visited; a tracker that loads solely on a page outside the sample will not appear in it. And assessments that require interpretation — for example whether the policy describes an invalid consent setup — are presented as assessments, never as established violations.
All of these checks already run during the trial.
How to fix it
- Start by taking inventory of what is actually set — through a scan or the browser's developer tools — instead of assuming you know what is in use. Use the developer tools' storage panel (Application in Chrome, Storage in Firefox) rather than `document.cookie` in the console: the console only shows cookies without the HttpOnly flag, and it shows nothing about which hosts the page sends traffic to, so check the network panel for third-party requests as well.
- Build a cookie table with category, purpose and lifespan per cookie or group, and state which third parties receive data.
- Keep the banner and the policy in sync: every category the banner offers should be described in the policy — what it contains and why.
- Remove or adjust absolute claims like "we never share data" if you use external services — describe which providers you rely on instead.
- Describe consent as an active choice in the banner — not as "continued browsing" — and link to the cookie settings so the choice can be changed.
- Update the table when you add or replace tools — a cookie policy has a shelf life.
What the check covers
- That cookie information exists — as its own document or a clear section.
- That the cookie information explains what each cookie does and why it's used — not just that cookies exist.
- That it's stated how long each cookie stays in the visitor's browser.
- That every tracker we actually measured on the site is also mentioned in the cookie information — measured is compared against what's stated.
- That the cookie banner and the cookie information say the same thing — the banner mustn't offer categories the information doesn't mention.
- That a policy claiming data isn't shared with others isn't contradicted by what we actually measured on the site.
- That a policy claiming no tracking cookies are used isn't contradicted by what the scan measured.
- That the policy doesn't describe an invalid consent setup — "by continuing to browse you accept cookies" is not valid consent.
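The comparison described in "How CompliantHQ tests this" and the checks listed above can be reduced to a small reconciliation routine: take the cookies a browser session recorded, parse the policy's cookie table, and report where they disagree. The Python below is an added example written for this page, not CompliantHQ's scanner or its code. The observed cookies, the policy text, the banner categories, the site host and the tracker list are constructed sample data, and the detection of claims and consent wording is plain pattern matching, a heuristic to flag text for review rather than a legal determination.

```python
"""Reconcile cookies observed in a browser session with a cookie policy.

Added example for this page (not CompliantHQ's scanner). All inputs below are
constructed sample data; a real scanner records the cookies and requests from
a headless browser and uses a curated tracker database.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    domain: str              # host the cookie was set for
    max_age: Optional[int]   # seconds until expiry; None = session cookie


SITE_HOST = "example.se"     # assumption: the scanned first-party host

# Constructed: what a browser visit recorded before any consent was given.
OBSERVED = [
    ObservedCookie("sessionid", "example.se", None),
    ObservedCookie("_ga", "example.se", 63_072_000),        # 2 years
    ObservedCookie("_fbp", "example.se", 7_776_000),        # 90 days
    ObservedCookie("IDE", "doubleclick.net", 33_696_000),   # 390 days
]

# Constructed tracker list: cookie name -> (provider, category). First-party
# cookies like _ga and _fbp still send data to a third party, so a domain
# check alone undercounts sharing; that is why this list exists.
KNOWN_TRACKERS = {
    "_ga": ("Google Analytics", "analytics"),
    "_fbp": ("Meta Pixel", "marketing"),
    "IDE": ("Google DoubleClick", "marketing"),
}

# Constructed policy text in the pipe-table form many sites publish.
POLICY_TEXT = """
We don't share data with third parties. This site uses no tracking cookies.
By continuing to browse you accept cookies.

| Cookie | Category | Purpose | Lifespan |
|---|---|---|---|
| sessionid | necessary | keeps you logged in | session |
| _ga | analytics | visitor statistics | 1 year |
| _fbp | marketing | Meta advertising pixel | |
"""

BANNER_CATEGORIES = {"necessary", "functional", "analytics", "marketing"}

SECONDS = {"day": 86_400, "week": 604_800, "month": 30 * 86_400, "year": 365 * 86_400}


def lifespan_to_seconds(text: str) -> Optional[int]:
    """'session' -> None; '30 days' -> 2592000; anything else raises ValueError."""
    t = text.strip().lower()
    if t == "session":
        return None
    m = re.fullmatch(r"(\d+)\s*(day|week|month|year)s?", t)
    if not m:
        raise ValueError(f"unparseable lifespan: {text!r}")
    return int(m.group(1)) * SECONDS[m.group(2)]


def parse_policy_table(policy_text: str) -> dict:
    """Parse a pipe-delimited cookie table into {cookie name: {column: value}}."""
    rows, header = {}, None
    for line in policy_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
        elif not all(set(c) <= set("-: ") for c in cells):   # skip separator row
            row = dict(zip(header, cells))
            rows[row["cookie"]] = row
    return rows


def check_policy(observed, policy_text, banner_categories, site_host) -> dict:
    """Compare measured cookies against the policy; returns findings per check."""
    table = parse_policy_table(policy_text)
    text = policy_text.lower().replace("\u2019", "'")
    f = {k: [] for k in ("missing_from_policy", "missing_lifespan", "lifespan_mismatch",
                         "banner_categories_not_described", "contradicted_claims",
                         "invalid_consent_wording")}
    for c in observed:
        row = table.get(c.name)
        if row is None:                       # measured but never stated
            f["missing_from_policy"].append(c.name)
            continue
        try:
            stated = lifespan_to_seconds(row.get("lifespan", ""))
        except ValueError:                    # empty or unreadable lifespan cell
            f["missing_lifespan"].append(c.name)
            continue
        # Session vs persistent must agree; persistent must be within 10 %.
        if (stated is None) != (c.max_age is None) or (
                stated is not None and abs(stated - c.max_age) > 0.1 * stated):
            f["lifespan_mismatch"].append(c.name)

    described = {r.get("category", "").lower() for r in table.values()}
    f["banner_categories_not_described"] = sorted(set(banner_categories) - described)

    def is_first_party(domain):
        return domain == site_host or domain.endswith("." + site_host)

    sharing = [c.name for c in observed
               if not is_first_party(c.domain) or c.name in KNOWN_TRACKERS]
    trackers = [c.name for c in observed if c.name in KNOWN_TRACKERS]
    if re.search(r"(do not|don't|never) share .*third part", text) and sharing:
        f["contradicted_claims"].append(f"'no sharing with third parties' vs {sharing}")
    if re.search(r"no tracking cookies", text) and trackers:
        f["contradicted_claims"].append(f"'no tracking cookies' vs {trackers}")
    if re.search(r"by continuing to (browse|use)", text):
        f["invalid_consent_wording"].append("consent by continued browsing is not an active choice")
    return f


if __name__ == "__main__":
    for check, hits in check_policy(OBSERVED, POLICY_TEXT, BANNER_CATEGORIES, SITE_HOST).items():
        print(f"{check}: {hits or 'ok'}")
```

Run against the constructed data, the routine reports IDE as missing from the policy, `_fbp` without a lifespan, `_ga` stated as one year but set for two, a "functional" category the banner offers but the table never describes, both absolute claims contradicted by measured cookies, and the "continuing to browse" wording flagged for review. The last three findings come from regular expressions over the policy text, so treat them as prompts for a human reading, which is also how the page describes the scanner's own interpretive assessments.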
Common questions
Do we need a separate cookie policy?
No, the law sets no formal requirement for a separate document — the information can live as a section in the privacy policy. But it must exist, be findable and match the cookies actually in use.
Is the cookie table our consent platform generates enough?
It is often a good base, but verify it against reality — auto-generated tables don't always keep up when new tools are added, and the categories in the banner must match what the policy describes.
Does every cookie need a stated lifespan?
It is not a hard statutory requirement, but the EDPB's guidelines have made lifespan per cookie an established expectation — the visitor should be able to understand how long the tracking lasts.
Is "by continuing to browse you accept cookies" valid?
No. Consent must be an active, unambiguous action — a choice in a banner with both accept and reject. Continued browsing does not count as consent.
What do we do if the policy lists fewer cookies than the site sets?
Two routes: add the missing trackers to the policy — category and purpose per provider — or make sure the trackers you don't want to stand behind don't load, at least not before consent.
Want to see what we find on your site?
Run a free scan — all four modules included for 30 days, no card required.