Privacy Policy vs Cookie Policy — What's the Difference?
Many website owners confuse privacy policies and cookie policies, or assume one document covers both. Under European law (GDPR + ePrivacy Directive), these are two distinct legal requirements with different scopes. Here's what you need to know.
The Short Answer
- Privacy Policy — covers all personal data processing on your website or app (required by GDPR Art. 13, and Art. 14 where the data did not come from the user directly)
- Cookie Policy — specifically covers cookie usage and similar tracking technologies (required by Art. 5(3) of the ePrivacy Directive)
You need both. They can be separate documents or combined, but the cookie-specific requirements must be met regardless.
What Is a Privacy Policy?
A privacy policy (also called a data protection notice or privacy notice) is required by GDPR Art. 13 whenever you collect personal data directly from individuals, and by Art. 14 when you obtain it from somewhere else (a data broker, a partner, a public source).
It covers all your data processing activities, including but not limited to:
- Account registration data (names, emails, passwords)
- Payment data (billing information)
- Customer support communications
- Analytics and behavioral tracking
- Marketing and email campaigns
- Data from third-party sources
The privacy policy answers: who you are (controller identity and contact details), what data you collect, why, on what legal basis, who receives it, whether it leaves the EEA, for how long you keep it, and what rights users have, including the right to complain to a supervisory authority.
What Is a Cookie Policy?
A cookie policy is specifically about cookies and similar tracking technologies (pixels, fingerprinting, local storage, session storage). It's required by Art. 5(3) of the ePrivacy Directive (Directive 2002/58/EC, the "Cookie Law"), a separate instrument from the GDPR. Note that it is a directive, not a regulation: it applies through each country's transposing law (PECR in the UK, for example), so the exact wording varies by jurisdiction while the core rule does not.
It must cover:
- What cookies your site uses (by name or category)
- What each cookie does (functionality, analytics, marketing)
- Who set the cookie (first-party vs third-party)
- How long each cookie lasts
- How users can opt out of each category
The cookie policy answers: exactly which tracking technologies you use and how to control them.
Can I Combine Them?
Yes — many websites have a single page titled "Privacy & Cookie Policy" that covers both. This is acceptable as long as the content is complete for both legal requirements.
However, there are practical reasons to keep them separate:
- Discoverability — users looking for cookie information often search specifically for a "Cookie Policy" link
- Updates — cookies change frequently (new analytics tools, marketing pixels). A separate cookie policy is easier to update without re-publishing the full privacy policy.
- Cookie banner linkage — your cookie consent banner should link directly to your cookie policy
The Cookie Consent Requirement
The most important difference: cookies require active consent before most of them are set.
Under Art. 5(3) of the ePrivacy Directive, storing information on or reading information from the user's device is allowed only with consent, and that consent has to meet the GDPR standard (Art. 4(11) and Art. 7: freely given, specific, informed, unambiguous, by a clear affirmative act). The only exemptions are cookies needed solely to carry out a transmission, and cookies strictly necessary for a service the user explicitly asked for. In practice:
- Strictly necessary cookies: no consent required (login sessions, shopping cart, security, load balancing)
- Functional cookies: exempt only when the user explicitly requested the feature the cookie supports (a language they just picked); otherwise consent is required
- Analytics cookies (Google Analytics, Hotjar): consent required
- Marketing cookies (Meta Pixel, Google Ads): consent required
The privacy policy alone is not sufficient. You need:
- A cookie consent banner shown before non-essential cookies are set
- A cookie policy explaining what's being used
- A mechanism for users to change their consent at any time
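The three requirements above (a banner before any non-essential cookie is set, a record of the decision, a way to change it later) are a small piece of client code. The following is an added example written for this article, not code from any consent management platform: it stores the decision in a first-party consent cookie (the cookie name `cookie_consent`, the six-month lifetime and the policy version number are this example's own assumptions), treats an absent or out-of-date decision as "no consent", and runs each tag loader only once its category has been granted. The cookie jar is modelled as a plain string so the code runs under Node as well as in a browser.

```javascript
// Added example (not from the original article): a minimal consent gate for a cookie banner.
// CONSENT_COOKIE, CONSENT_VERSION, CONSENT_MAX_AGE and the loader names are assumptions.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name; this cookie is itself strictly necessary
const CONSENT_VERSION = 2;                  // bump whenever the cookie policy changes
const CONSENT_MAX_AGE = 180 * 24 * 3600;    // 6 months in seconds (assumed retention for the decision)
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Parse a Cookie header / document.cookie string into { name: value }.
function parseCookies(str) {
  const out = {};
  for (const part of str.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Read a stored decision. Returns null when it is absent, unparseable or made under an older
// policy version; in every one of those cases the banner must be shown again and nothing
// non-essential may load in the meantime.
function readConsent(cookieStr) {
  const raw = parseCookies(cookieStr)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.v !== CONSENT_VERSION || typeof c.granted !== 'object' || c.granted === null) return null;
    return c;
  } catch {
    return null;
  }
}

// Serialize a decision as a Set-Cookie value. "necessary" is always true and is not a choice.
// Anything not explicitly true is false, so a missing category can never read as granted.
function writeConsent(granted, now = Date.now()) {
  const decision = { v: CONSENT_VERSION, ts: now, granted: { necessary: true } };
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary') decision.granted[cat] = granted[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(decision));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Set-Cookie value that deletes a first-party cookie after consent is withdrawn. Cookies set by
// a third-party domain cannot be removed this way; the vendor's own opt-out has to be used.
function expireCookie(name, path = '/', domain) {
  return `${name}=; Max-Age=0; Path=${path}` + (domain ? `; Domain=${domain}` : '');
}

// Gate tag loaders by category. loaders = { category: [fn, ...] }. Each loader runs at most
// once, and only after its category is granted; withdrawing a category blocks future loads.
class ConsentGate {
  constructor(loaders) {
    this.loaders = loaders;
    this.loaded = new Set();
    this.granted = { necessary: true };
  }
  apply(consent) {
    this.granted = consent ? { ...consent.granted, necessary: true } : { necessary: true };
    for (const cat of CATEGORIES) {
      if (!this.granted[cat]) continue;
      for (const fn of this.loaders[cat] || []) {
        if (this.loaded.has(fn)) continue;
        this.loaded.add(fn);
        fn();
      }
    }
    return this.granted;
  }
  withdraw(category) {
    if (category !== 'necessary') this.granted[category] = false;
    return this.granted;
  }
}

// Walk through a first visit, an "analytics only" decision and a stale decision.
function demo() {
  const calls = [];
  const gate = new ConsentGate({
    necessary: [() => calls.push('session')],
    analytics: [() => calls.push('ga4')],
    marketing: [() => calls.push('meta-pixel')],
  });
  gate.apply(readConsent('sessionid=abc'));          // first visit: no decision stored yet
  const beforeConsent = [...calls];
  const setCookie = writeConsent({ analytics: true, marketing: false });
  gate.apply(readConsent(setCookie.split(';')[0]));   // the browser sends the cookie back
  const afterConsent = [...calls];
  const stale = `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify({ v: 1, granted: { analytics: true, marketing: true } }))}`;
  return { beforeConsent, afterConsent, staleConsent: readConsent(stale), setCookie };
}
```

The one design point worth copying is that the decision cookie carries a policy version: when you add a new tool and republish the cookie policy, bumping `CONSENT_VERSION` invalidates every stored decision, so nobody keeps running analytics under consent they gave for a different cookie set. Withdrawal only prevents further loads; to honour it fully you also have to expire the cookies that category already set (`expireCookie('_ga', '/', '.example.com')`, for instance), which is only possible for first-party cookies.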
What Cookie Categories Should You Disclose?
Best practice is to categorize cookies as:
Strictly Necessary
Cookies required for the site to function. Cannot be disabled. Examples: session cookies, CSRF tokens, cookie consent preference cookie
Functional / Preferences
Cookies that remember user preferences but aren't strictly necessary. Examples: language preference, dark mode setting, remembered username
Analytics / Statistics
Cookies that track how visitors use the site to improve it.
Examples: Google Analytics (_ga, _gid), Hotjar (_hjSessionUser_*), Mixpanel
Marketing / Targeting
Cookies used for advertising and tracking across websites.
Examples: Meta (Facebook) Pixel (_fbp), Google Ads (_gcl_au), LinkedIn Insight Tag
Common Cookie Policy Mistakes
Listing "Google Analytics" without the specific cookie names — regulators want cookie names, duration, and purpose.
Setting analytics cookies before consent — the CJEU held in Planet49 (C-673/17, 2019) that a pre-ticked checkbox is not valid consent, and Orange Romania (C-61/19, 2020) reaffirmed that the controller must be able to prove the user actively and knowingly agreed. The EDPB's Guidelines 05/2020 on consent add that scrolling or continued browsing is not consent either.
A cookie banner that only has "Accept" — there must be an easy way to decline non-essential cookies. Regulators (the CNIL and the EDPB cookie banner taskforce among them) expect a reject option on the same layer as "Accept all", with equal prominence, not buried behind a "Settings" link.
Not updating the cookie policy when you add new tools — added HubSpot tracking? That's a new cookie. Update your policy.
Ignoring "local storage" and "session storage" — Art. 5(3) covers any storing of information on, or access to information already stored in, the user's device, so these are caught by the ePrivacy Directive even though they are not technically cookies.
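Most of these mistakes are caught by the same check: compare what the cookie policy declares against what a page actually sets when visited without giving consent. The following is an added example, not code from the article or from any audit tool. The declared inventory and the observed crawl data are constructed for illustration (the site name, the `_ga_ABC123` container suffix and the Mixpanel local-storage key are made up); the declared lifetimes for the named cookies are the vendors' documented defaults. The check reports cookies and storage keys the policy does not list, anything non-essential present before consent, lifetimes longer than declared, and declared entries that were never seen.

```javascript
// Added example (not from the original article): reconcile a declared cookie inventory with
// what a no-consent crawl observed. Inventory and observations below are constructed.

const DECLARED = [
  // kind defaults to 'cookie'; '*' in a name is a wildcard for per-site suffixes
  { name: '_ga',              category: 'analytics',  provider: 'Google Analytics', maxAgeDays: 730 },
  { name: '_gid',             category: 'analytics',  provider: 'Google Analytics', maxAgeDays: 1 },
  { name: '_hjSessionUser_*', category: 'analytics',  provider: 'Hotjar',           maxAgeDays: 365 },
  { name: '_fbp',             category: 'marketing',  provider: 'Meta Pixel',       maxAgeDays: 90 },
  { name: 'sessionid',        category: 'necessary',  provider: 'site',             maxAgeDays: 0 }, // session cookie
  { name: 'cookie_consent',   category: 'necessary',  provider: 'site',             maxAgeDays: 180 },
  { name: 'theme',            category: 'functional', provider: 'site', kind: 'localStorage' },
];

// Constructed sample: what a crawler saw on www.example.com before answering the banner.
const OBSERVED = {
  cookies: [
    { name: 'sessionid',              domain: 'www.example.com', maxAgeDays: 30 },  // declared as session-only
    { name: '_ga',                    domain: 'www.example.com', maxAgeDays: 730 }, // set before consent
    { name: '_ga_ABC123',             domain: 'www.example.com', maxAgeDays: 730 }, // GA4 per-property cookie, not listed
    { name: '_gcl_au',                domain: 'www.example.com', maxAgeDays: 90 },  // Google Ads, not listed
    { name: '_hjSessionUser_123456',  domain: 'www.example.com', maxAgeDays: 365 }, // matches the wildcard
    { name: 'IDE',                    domain: 'doubleclick.net', maxAgeDays: 390 }, // third party, not listed
  ],
  localStorage: ['mp_1234_mixpanel', 'theme'],
  sessionStorage: [],
};

// Turn a declared name with '*' wildcards into an anchored RegExp; everything else is literal.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\\\*/g, '.*') + '$');
}

// Compare observations with the declared inventory. consentGiven=false models the first visit,
// where only 'necessary' entries may legitimately be present.
function audit(declared, observed, consentGiven) {
  const findDecl = (kind, name) =>
    declared.find((d) => (d.kind || 'cookie') === kind && globToRegExp(d.name).test(name));
  const report = { undeclared: [], setBeforeConsent: [], lifetimeMismatch: [], declaredNotSeen: [] };
  const seen = new Set();

  for (const c of observed.cookies) {
    const d = findDecl('cookie', c.name);
    if (!d) { report.undeclared.push(`cookie:${c.name}@${c.domain}`); continue; }
    seen.add(d.name);
    if (!consentGiven && d.category !== 'necessary') report.setBeforeConsent.push(c.name);
    if (c.maxAgeDays > d.maxAgeDays) {
      report.lifetimeMismatch.push(`${c.name}: declared ${d.maxAgeDays}d, observed ${c.maxAgeDays}d`);
    }
  }
  // Web Storage keys are covered by Art. 5(3) just like cookies, so they go through the same check.
  for (const kind of ['localStorage', 'sessionStorage']) {
    for (const key of observed[kind]) {
      const d = findDecl(kind, key);
      if (!d) { report.undeclared.push(`${kind}:${key}`); continue; }
      seen.add(d.name);
      if (!consentGiven && d.category !== 'necessary') report.setBeforeConsent.push(key);
    }
  }
  for (const d of declared) if (!seen.has(d.name)) report.declaredNotSeen.push(d.name);
  return report;
}

function runAudit() {
  return audit(DECLARED, OBSERVED, false);
}
```

Two of the findings are worth calling out because they are common in real audits: Google Analytics 4 sets a per-property `_ga_<MEASUREMENT-ID>` cookie in addition to `_ga`, so a policy that lists only `_ga` is incomplete, and a cookie declared as session-only but observed with a 30-day lifetime is a policy statement that is simply false. Entries in `declaredNotSeen` are not necessarily errors on a no-consent crawl (the marketing cookie should indeed be absent); repeat the run with consent granted to see whether they appear then.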
Summary
| | Privacy Policy | Cookie Policy |
|---|---|---|
| Required by | GDPR Art. 13 (and Art. 14 for data not obtained from the user) | ePrivacy Directive Art. 5(3), as transposed into national law |
| Covers | All personal data processing | Cookies and any other storage on or access to the user's device |
| Consent required | No; the document is a transparency duty, and the processing it describes may rest on any Art. 6 legal basis | Yes, before any non-essential cookie is set or read |
| Must be linked from | Website footer | Cookie consent banner and footer |
| Update frequency | When data practices change | When cookies or tracking tools change |
Both documents are required for any website that processes personal data of, or sets cookies on the devices of, users in the EU/EEA, whether or not the operator is established there (GDPR Art. 3(2)). They complement each other: the cookie policy covers the technical details of tracking, while the privacy policy covers the broader legal framework for all personal data.
Generate both documents — privacy policy and cookie policy — in 3 minutes →