The confusion that's everywhere
Ask most founders "do you have a cookie policy?" and they'll point to a page buried in their footer. Ask if they have cookie consent and they'll say "yeah, the banner." Many use "cookie policy" and "cookie consent" interchangeably. They're not the same thing — and confusing them means you're probably violating GDPR even if you have both.
Cookie policy: what it is
A cookie policy is a disclosure document. It tells users:
- What cookies your site sets
- What category each cookie belongs to (necessary, analytics, marketing, etc.)
- The purpose of each cookie
- Who sets it (you, or a third party like Google Analytics)
- How long it persists (session vs. persistent; expiry date)
- How users can opt out or delete cookies
A cookie policy is a legal requirement under GDPR Art. 13/14 (transparency) and the ePrivacy Directive. You must have one. But having one doesn't give you permission to set cookies.
Cookie consent: what it is
Cookie consent is the mechanism by which users grant permission for you to set non-necessary cookies. Under GDPR Art. 6(1)(a) and the ePrivacy Directive, you need valid consent before setting any cookie that isn't strictly necessary for the service to function.
Valid consent means:
- Freely given — not bundled with acceptance of terms; no "pay or consent" walls unless they meet strict criteria
- Specific — for each category or purpose (analytics ≠ marketing)
- Informed — users know what they're consenting to
- Unambiguous — an active action (clicking "Accept"), not pre-ticked boxes
- Withdrawable — as easy to withdraw as to give
A cookie banner that says "By using this site, you accept our cookie policy" does not constitute valid consent. This is one of the most common violations data protection authorities (DPAs) see.
What cookies are "strictly necessary"?
Strictly necessary cookies don't require consent. These are cookies that are essential for the service to function as requested by the user. Examples:
- Session cookies (keeping you logged in)
- Load balancing cookies
- Security cookies (CSRF tokens)
- Shopping cart cookies
- User preference cookies for accessibility (if user-requested)
What's not strictly necessary:
- Google Analytics (even with IP anonymization)
- Facebook Pixel / Meta Pixel
- Hotjar, Mixpanel, Amplitude
- Google Ads / remarketing pixels
- LinkedIn Insight Tag
- Intercom/Crisp/LiveChat (for tracking purposes)
The test is not "does this help our business" — it's "would the service fail to work as requested by the user without this cookie?" Analytics fail this test. They help you, not the user.
The legal framework: GDPR + ePrivacy Directive
Cookie compliance is governed by two overlapping regulations:
GDPR (General Data Protection Regulation)
Applies when cookies process personal data. This includes most analytics cookies, because the analytics service that reads them receives the user's IP address (personal data under GDPR). GDPR requires a legal basis for processing — for non-necessary cookies, that legal basis is consent.
ePrivacy Directive (the "Cookie Law")
Older EU law that specifically governs storing or accessing information on a user's device. Requires consent for any non-essential cookie. It has been transposed into national law and is enforced by national regulators (the ICO in the UK, CNIL in France, etc.), so the details differ between member states.
The forthcoming ePrivacy Regulation (long delayed) will replace the Directive and harmonize rules across the EU. Until then, national implementations vary slightly.
What does a valid cookie consent mechanism look like?
Required elements
- Granular controls: Users must be able to accept/reject by category (necessary / analytics / marketing / preferences) — not just "accept all" or "reject all"
- No pre-ticked boxes: Analytics and marketing categories must start unchecked
- Equal prominence: "Accept all" and "Reject all" buttons must be equally visible — you can't hide the reject button or make it grey while "accept" is bright green
- Easy withdrawal: Users must be able to change their consent at any time (a "Cookie settings" link in the footer)
- Consent records: You must be able to prove consent was obtained (timestamp, what version of the banner, what was accepted)
What's not valid
- "Implied consent" (continuing to browse = acceptance)
- Pre-ticked analytics/marketing categories
- No "reject all" button, or making it much harder to find than "accept all"
- Loading third-party scripts before consent is obtained
- Blanket "accept cookies to use this site" with no granularity
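The required elements above and the invalid patterns just listed come down to a few mechanical rules a consent layer has to enforce: nothing outside "necessary" loads until an explicit choice exists, the default state has every non-necessary category unchecked, withdrawal reuses the same path as giving consent, and every decision leaves a record (timestamp, banner version, categories). The following is an added example of such a gate, not code from the original article or from ComplyKit. It assumes third-party tags are authored as inert `<script type="text/plain" data-cookie-category="..." data-src="...">` elements (an assumed convention), and the banner version string, category names and sample tag list are constructed for illustration.

```javascript
// Added example (not from the article or ComplyKit): a minimal consent gate.
// Tags are registered with a cookie category; nothing outside "necessary" runs
// until an explicit, current consent record allows it.

const BANNER_VERSION = "2024-06-v1"; // assumed: bump whenever banner text or categories change
const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];
const EXPLICIT_ACTIONS = ["accept_all", "reject_all", "custom"]; // "implied" is never a valid action

// Default state: every non-necessary category starts unchecked (no pre-ticked boxes).
function defaultChoices() {
  return { necessary: true, analytics: false, marketing: false, preferences: false };
}

// Build the record that later proves consent: when, which banner version,
// what was chosen, and the explicit user action that produced it.
function buildConsentRecord(choices, action, now = new Date()) {
  if (!EXPLICIT_ACTIONS.includes(action)) {
    throw new Error(`consent must come from an explicit action, got: ${action}`);
  }
  for (const k of Object.keys(choices)) {
    if (!CATEGORIES.includes(k)) throw new Error(`unknown cookie category: ${k}`);
  }
  // "necessary" cannot be refused; everything else defaults to false unless chosen.
  const merged = { ...defaultChoices(), ...choices, necessary: true };
  return { version: BANNER_VERSION, timestamp: now.toISOString(), action, choices: merged };
}

// A stored record is only usable if it is well-formed and matches the current
// banner version; anything else means the banner must be shown again.
function isCurrentRecord(record) {
  return Boolean(record)
    && record.version === BANNER_VERSION
    && typeof record.timestamp === "string"
    && EXPLICIT_ACTIONS.includes(record.action)
    && Boolean(record.choices) && record.choices.necessary === true;
}

// Pure decision: given registered tags [{name, category, src}] and a record,
// return the subset that may load. With no current record, only "necessary" loads.
function scriptsToLoad(tags, record) {
  const choices = isCurrentRecord(record) ? record.choices : defaultChoices();
  return tags.filter((t) => choices[t.category] === true);
}

// Withdrawal is the same operation as giving consent: the user submits new choices.
function rejectAll(now) {
  return buildConsentRecord({}, "reject_all", now);
}
function acceptAll(now) {
  return buildConsentRecord({ analytics: true, marketing: true, preferences: true }, "accept_all", now);
}

// Browser adapter (runs only where a DOM exists). Tags are authored as
//   <script type="text/plain" data-cookie-category="analytics" data-src="https://..."></script>
// so the browser never executes them; allowed ones are swapped for real script elements.
function activateAllowedTags(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const tags = nodes.map((n, i) => ({
    name: n.dataset.cookieName || `tag${i}`,
    category: n.dataset.cookieCategory,
    src: n.dataset.src,
    node: n,
  }));
  const allowed = scriptsToLoad(tags, record);
  for (const t of allowed) {
    const s = doc.createElement("script");
    s.src = t.src;
    t.node.replaceWith(s);
  }
  return allowed.map((t) => t.name);
}

// Constructed sample tags mirroring the article's categories (not a real site's inventory).
const SAMPLE_TAGS = [
  { name: "csrf-helper", category: "necessary", src: "/static/csrf.js" },
  { name: "google-analytics", category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { name: "meta-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Usage: before any choice exists, only the necessary tag loads.
scriptsToLoad(SAMPLE_TAGS, null).map((t) => t.name); // ["csrf-helper"]
```

The decision logic is kept pure (`scriptsToLoad`, `isCurrentRecord`) so it can be unit-tested without a browser; the DOM adapter is the only part that touches the page. Persisting the record (a first-party cookie or server-side store keyed to the user) is left to the site, but whatever is stored should be exactly the object `buildConsentRecord` returns, since that is what an auditor will ask for.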
Cookie Management Platforms (CMPs)
Building a compliant consent system from scratch is complex — you need to block scripts until consent is given, store each user's choices, and keep auditable consent records. This is why most sites use a CMP:
Free / low-cost options
- Cookiebot — free up to 100 pages, then €9/month
- Osano — free tier available
- Cookie Information — freemium
- Klaro — open source, self-hosted
What to look for in a CMP
- IAB TCF 2.2 compatibility (important if you run ads)
- Consent storage and audit logs
- Script blocking integration
- Geo-targeting (show banner to EU/UK users only, if applicable)
- Regular cookie scanning (cookies change as you add tools)
Summary: cookie policy vs cookie consent
| Aspect | Cookie Policy | Cookie Consent |
|---|---|---|
| What it is | A disclosure document | A permission mechanism |
| Legal basis | GDPR Art. 13/14 (transparency) | GDPR Art. 6(1)(a) + ePrivacy Directive |
| Required? | Yes, always | Yes, for non-necessary cookies |
| What it achieves | Informs users about cookies | Gives you legal permission to set them |
| Where it lives | Static page (linked in footer) | Banner + preference centre (UI component) |
Quick action checklist
- Audit every cookie and script on your site (browser DevTools → Application → Cookies)
- Categorize each: necessary / analytics / marketing / preferences
- Generate a cookie policy listing all of them
- Install a CMP that blocks non-necessary scripts until consent is given
- Ensure your banner has granular controls and equal prominence for accept/reject
- Add a "Cookie settings" link in your footer for consent withdrawal
- Set a reminder to re-audit every time you add a new tool
Generate your cookie policy free
ComplyKit's cookie policy generator creates a complete, GDPR-compliant cookie policy in minutes. Select your cookie categories and tools — we handle the legal language.
Free, no signup required. Generated in under 5 minutes.