How to Use This Checklist
Use this checklist to verify every requirement before, during, and after creating your Cookie Policy.
✅ Preparing Your Cookie Policy
1. Before starting: Gather all relevant documentation and information
2. While completing: Verify every section against all 48 compliance points
3. Before signing: Review all sections for completeness before finalising
⚠️ Key Cookie Policy Requirements
📋 Key Purpose: A Cookie Policy explains what cookies and similar technologies your website uses, why they are used, and how users can manage their preferences. Required by UK law for most websites.
⚖️ Legal Framework: Governed by the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. The ICO requires informed consent for non-essential cookies before they are set.
🚫 Critical Requirements: Must list all cookies used, explain their purpose, obtain consent before setting non-essential cookies, and provide a mechanism for users to manage preferences.
📝 Best Practice: Conduct regular cookie audits, implement a compliant cookie consent banner, categorise cookies clearly (essential, analytics, marketing), and keep the policy updated when new cookies are added.
🔵 Understanding Importance Levels
🔴 Critical: Must have — legally required or essential for enforceability
🟡 Important: Should have — protects your position and prevents disputes
🔵 Recommended: Nice to have — best practice for comprehensive coverage
Website URL Identified
Must clearly state which website the cookie policy applies to. Users need to know the exact domain covered. Required by UK GDPR transparency obligations.
🔴 Critical
Company Name & Details
Clear identification of the organization operating the website: company name, registered address, company number. Required for data controller transparency under UK GDPR Article 13.
🔴 Critical
Last Updated Date
Date showing when the policy was last revised. Demonstrates ongoing compliance review. Helps users know if changes have been made since their last visit.
🔴 Critical
Contact Email Address
Provide an email address for cookie-related inquiries. Required for users to exercise their rights and ask questions about cookie usage under UK GDPR.
🔴 Critical
Privacy Policy Cross-Reference
Statement that cookie policy should be read alongside privacy policy. Cookies collect personal data, so both policies must work together for full transparency.
🟡 Important
⚠️ UK PECR Cookie Disclosure Requirement
The Privacy and Electronic Communications Regulations (PECR) require clear explanation of what cookies are and how they work. You cannot simply assume users understand cookies - you must explain in plain English what cookies do, why you use them, and how users can control them.
Plain English Definition of Cookies
Clear explanation that cookies are small text files stored on the user's device when they visit the website. Must be understandable to non-technical users. Required by PECR transparency obligations.
🔴 Critical
First-Party vs Third-Party Cookies Explained
Distinguish between cookies set by your website (first-party) and cookies set by external services like analytics or advertising (third-party). Critical for informed consent under PECR.
🔴 Critical
Purpose of Using Cookies
General explanation of why websites use cookies: making sites work, improving user experience, understanding behavior, providing personalized content. Sets context for detailed disclosures that follow.
🟡 Important
Consent Statement for Cookie Use
Clear statement that by using the website, users consent to cookies in accordance with the policy (subject to consent mechanism for non-essential cookies). Required by PECR Regulation 6.
🔴 Critical
⚠️ Mandatory Cookie Categorization
UK PECR requires you to clearly categorize and explain each type of cookie you use. Generic statements like "we use cookies to improve your experience" are insufficient. You must specify: strictly necessary cookies, performance cookies, functionality cookies, targeting cookies - with examples and purposes for each category.
Strictly Necessary Cookies Disclosed
Essential cookies required for the website to function: session management, security, load balancing. These are exempt from consent under PECR Regulation 6(4) but must still be disclosed.
🔴 Critical
Performance/Analytics Cookies Disclosed
Cookies that collect anonymous information about website usage: Google Analytics, page views, bounce rates, traffic sources. Require consent under PECR unless truly anonymous.
🔴 Critical
Functionality Cookies Disclosed
Cookies that remember user preferences: language settings, font size, region selection, saved preferences. Enhance user experience. Require consent under PECR.
🟡 Important
Targeting/Advertising Cookies Disclosed
Cookies used to deliver personalized advertising: tracking browsing behavior, building profiles, targeting ads, measuring campaign effectiveness. Require explicit consent under PECR.
🔴 Critical
Session vs Persistent Cookies Explained
Distinguish between temporary session cookies (deleted when browser closes) and persistent cookies (stored for longer periods). Duration impacts privacy considerations.
🟡 Important
Purpose Explained for Each Cookie Type
Specific explanation of what each cookie category does: "Performance cookies help us understand which pages are most popular", not just generic descriptions. Required for informed consent.
🔴 Critical
Similar Technologies Disclosed (if applicable)
If you use web beacons, pixels, local storage, or other tracking technologies beyond cookies, these must be disclosed and explained. PECR applies to all tracking technologies.
🟡 Important
⚡
Instant Download
You've Done the Research. Now Finish It.
Complete cookie policy template – all clauses included, professionally drafted.
Fill in your details in minutes and you're done.
£20 – Own It Forever
Create Your Cookie Policy Now
→
✅ 30-day money-back guarantee*
Preview before you buy • Lifetime updates • No subscription
Complete List of Third-Party Services
Name all third-party services that set cookies through your website: Google Analytics, Facebook Pixel, Hotjar, advertising networks, etc. Required by PECR - users must know who is tracking them.
🔴 Critical
Google Analytics Disclosed (if used)
If using Google Analytics, explicitly state this with explanation of data collected: page views, session duration, traffic sources, device information. Most common third-party cookie service.
🔴 Critical
Social Media Cookies Disclosed (if applicable)
If you have Facebook Like buttons, Twitter feeds, LinkedIn share buttons, etc., disclose the cookies these set. Social plugins are prolific cookie setters requiring explicit disclosure.
🔴 Critical
Advertising Networks Disclosed (if applicable)
If you use Google Ads, Facebook Ads, or other advertising platforms that track users across sites, disclose these. Advertising cookies require explicit consent and detailed disclosure under PECR.
🔴 Critical
Purpose Explained for Each Third-Party Service
For each third-party service listed, explain specifically why you use it: "Google Analytics to understand website traffic patterns", "Hotjar to improve user experience through session recordings".
🔴 Critical
Cookie Duration/Expiry Stated
For key cookies, state how long they remain on the user's device: "Google Analytics cookies expire after 2 years", "Session cookies deleted when browser closes". Duration impacts privacy risk assessment.
🟡 Important
Data Collected by Each Service Explained
Specify what data each third-party service collects: IP addresses, device identifiers, browsing behavior, timestamps. Shows comprehensive transparency about third-party tracking.
🟡 Important
Links to Third-Party Privacy Policies
Provide links to privacy policies of major third-party services (Google, Facebook, etc.) so users can understand how these companies use their data. Demonstrates comprehensive transparency.
🔵 Recommended
⚠️ PECR Consent Requirements
UK PECR Regulation 6 requires prior consent before setting non-essential cookies. Consent must be informed, specific, freely given, and obtained through clear affirmative action. Pre-ticked boxes, cookie walls, and implied consent do NOT meet PECR standards. The ICO can impose penalties up to £17.5M for non-compliant cookie consent.
Cookie Consent Mechanism Described
Clear explanation of how you obtain cookie consent: cookie banner, consent management platform, settings page. Must explain how users give consent before non-essential cookies are set. Required by PECR Regulation 6.
🔴 Critical
Consent Timing Explained
State that non-essential cookies will not be set until user provides consent. Critical for PECR compliance - you cannot set tracking cookies before consent is obtained through clear affirmative action.
🔴 Critical
Consent Management Platform Disclosed (if applicable)
If using OneTrust, Cookiebot, Termly, or similar consent platform, name the service and explain how it manages cookie preferences. Shows robust consent infrastructure.
🟡 Important
Granular Consent Options Explained
Explain that users can accept/reject different cookie categories (essential, analytics, advertising) separately. PECR requires granular control - users must be able to accept some categories while rejecting others.
🔴 Critical
Compliance with UK PECR Stated
Explicit statement that cookie consent practices comply with Privacy and Electronic Communications Regulations (PECR) and UK GDPR. Demonstrates awareness of legal obligations and commitment to compliance.
🟡 Important
Strictly Necessary Cookie Exemption Explained
State that strictly necessary cookies (essential for website function) do not require consent under PECR Regulation 6(4) but must still be disclosed. Clarifies why some cookies are set immediately.
🟡 Important
Browser Cookie Controls Explained
Explain how users can control cookies through browser settings: blocking all cookies, blocking third-party cookies, deleting existing cookies. Required transparency about technical controls available to users.
🔴 Critical
Instructions for Major Browsers Provided
Provide guidance or links for managing cookies in Chrome, Firefox, Safari, Edge. Practical information helps users exercise control. Best practice for user empowerment.
🔵 Recommended
Cookie Preference Management Explained
Explain how users can change their cookie preferences: revisiting cookie banner, accessing preference center, adjusting settings. Must provide easy way to withdraw consent previously given.
🔴 Critical
Opt-Out Links Provided (if applicable)
For key services like Google Analytics, provide opt-out links: Google Analytics Opt-Out Browser Add-on. Demonstrates commitment to user choice and control over tracking.
🔵 Recommended
Impact of Disabling Cookies Explained
Honest explanation that blocking cookies may affect website functionality: unable to stay logged in, preferences not saved, some features may not work. Sets realistic expectations for users exercising cookie controls.
🟡 Important
Strictly Necessary Cookies Cannot Be Disabled
Clarify that essential cookies required for the website to function cannot be disabled through consent settings (but can be blocked via browser). Explains why some cookies persist despite user preferences.
🟡 Important
Cookie Data Storage Location Disclosed
State where cookie data is stored: UK, EEA, or international locations. Many third-party services (Google, Facebook) transfer data to USA. Required disclosure under UK GDPR Chapter V.
🔴 Critical
International Transfer Safeguards Explained
If data is transferred outside the UK/EEA, explain the safeguards: adequacy decisions, Standard Contractual Clauses, International Data Transfer Agreements. Required by UK GDPR for lawful international transfers.
🔴 Critical
Third-Party Service Data Transfers Disclosed
For services like Google Analytics or Facebook Pixel that transfer data internationally, explicitly state this and explain how third parties protect data. Comprehensive international transfer transparency.
🟡 Important
Policy Update Process Explained
State that cookie policy may be updated to reflect changes in cookie usage, legal requirements, or operational needs. Explain how users will be notified: updated date, website notice, email.
🟡 Important
Material Changes Notification Commitment
Confirm you'll notify users of material changes to cookie policy and may require fresh consent for significant changes to cookie usage. Demonstrates respect for user expectations.
🟡 Important
Contact Information for Cookie Queries
Provide an email address and website URL for users to ask questions about the cookie policy or cookie usage. Required for the user's right to information under UK GDPR.
🔴 Critical
External Cookie Resources Provided
Links to independent cookie information resources: ICO cookie guidance, AboutCookies.org, AllAboutCookies.org. Helps users learn more about cookies beyond your specific policy.
🔵 Recommended
ICO Website Link Provided
Include a link to the Information Commissioner's Office cookie guidance: https://ico.org.uk/for-the-public/online/cookies/. Directs users to authoritative UK regulatory guidance on cookies and privacy.
🔵 Recommended
Cookie Table/Detailed List Included
Comprehensive table listing all cookies: cookie name, provider, purpose, type, duration. Provides maximum transparency about every cookie set on your website. ICO best practice recommendation.
🔵 Recommended
Plain Language Throughout Policy
Entire policy written in clear, plain English avoiding excessive technical jargon. PECR and UK GDPR require information to be accessible and easily understood by average users, not just legal experts.
🔴 Critical
Regular Policy Review Commitment
Statement encouraging users to review policy periodically to stay informed about cookie usage changes. Shows ongoing commitment to transparency and keeping users informed.
🔵 Recommended
Additional Clauses/Custom Requirements
Space for any additional cookie-related clauses specific to your business: industry-specific requirements, additional tracking technologies, special consent mechanisms. Customization for unique business needs.
🔵 Recommended
Next Steps
Now that you've reviewed the compliance checklist, you have three options:
✅ Use Our Ready-Made Template
Save hours of research and drafting. Our professionally-crafted Cookie Policy template covers all 48 compliance points with comprehensive cookie categorisation, PECR-compliant consent mechanisms, cookie audit frameworks, and user preference management. Structured following ICO cookie guidance. Available in both Smart Interview (guided) and Classic Editor (direct editing) modes for just £20.
✔ UK Law Only | ✔ Instant Download | ✔ Lifetime Updates | ✔ No Subscriptions
✅ 30-day money-back guarantee*
📝 Draft Your Own Cookie Policy
Use this checklist as your guide, but remember: non-compliant cookie practices can result in ICO enforcement action. The most common mistakes are: setting cookies before consent, incomplete cookie lists, and missing consent management tools.
Disclaimer: This checklist is for general informational purposes only and does not constitute legal advice. While we strive to keep information accurate and up to date, the law is complex and subject to change. Every situation is unique. This checklist applies to cookie policies in England and Wales. Last updated: May 2026.