
Privacy Policy vs Cookie Policy: They Are Not the Same Thing


Most websites confuse or combine these two documents — and pay the price in regulatory fines. Here is exactly what each document must contain, why they are legally distinct, and what happens when you get it wrong.


The Most Common Compliance Mistake on the Internet


Walk through almost any website and you will find one of two problems: either the privacy policy and cookie policy are merged into one confusing document, or there is a privacy policy but no cookie policy at all.


Both are GDPR violations. Both carry fine risk. And both are completely preventable.


Understanding exactly what each document is, what it must contain, and why they are legally separate will save your business from a regulatory headache.


What Is a Privacy Policy?


A Privacy Policy (also called a Privacy Notice under GDPR) is a comprehensive legal document that explains everything your organisation does with personal data.


It covers the full picture of how you collect, use, store, share, and delete personal information — from the moment a user visits your website to how you handle their data years later.


What a Privacy Policy Must Contain (Under GDPR Articles 13–14)


Who you are:

  • Full legal name and contact details of your organisation (the data controller)
  • Contact details of your Data Protection Officer (if you have one)

What data you collect and why:

  • Categories of personal data collected (name, email, payment data, IP address, etc.)
  • The specific purposes for processing each type of data
  • The legal basis for each processing activity (consent, contract, legitimate interest, legal obligation)

Who you share data with:

  • Third parties who receive personal data (email platforms, payment processors, analytics tools, advertising networks)
  • Whether data is transferred outside the EU/EEA or UK (and what safeguards apply)

How long you keep data:

  • Retention periods for each category of personal data
  • How you decide when to delete or anonymise data

Data subjects' rights:

  • The right to access, correct, delete, restrict, and port personal data
  • The right to withdraw consent at any time
  • The right to object to processing based on legitimate interests
  • The right to lodge a complaint with a supervisory authority (e.g. your national DPA)

How to contact you:

  • A clear mechanism for data subjects to exercise their rights

A Privacy Policy is the foundation of your entire data protection compliance. Without one — or with one that doesn't accurately reflect your actual data practices — you are non-compliant from day one.


What Is a Cookie Policy?


A Cookie Policy is a focused legal document that explains specifically how your website uses cookies and similar tracking technologies (pixels, local storage, session tokens, fingerprinting scripts, etc.).


It is required under the EU ePrivacy Directive (often called the Cookie Law) and the UK PECR (Privacy and Electronic Communications Regulations) — separate legislation from GDPR, but closely linked.


What a Cookie Policy Must Contain


A complete list of all cookies used:

  • Cookie name
  • Provider (first-party or third-party)
  • Purpose (strictly necessary, functional, analytics, marketing)
  • Duration (session vs persistent; exact expiry period)

Categories of cookies:

  • Strictly necessary — essential for the website to function (login, shopping cart, security). No consent required, but they must still be disclosed.
  • Functional/preference — remember user choices (language, region). Consent required.
  • Analytics — track behaviour and performance (Google Analytics, Hotjar). Consent required.
  • Marketing/advertising — track users across sites for targeted ads (Meta Pixel, Google Ads). Consent required.

How users can manage consent:

  • How to accept or reject each category of cookie
  • How to change preferences after initial consent
  • Instructions for deleting cookies through browser settings

Cookie banner requirements:

  • Must appear before any non-essential cookies are set
  • Must offer a genuine "Reject" option as prominent as "Accept"
  • Pre-ticked boxes are not valid consent
  • Hiding the reject button or making it hard to find is a violation
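The banner requirements above are ultimately a loading-order problem: no non-essential script may run until its category is opted in, nothing may be pre-ticked, and rejecting must cost the user no more clicks than accepting. The following is an added example of that gating, not code from the original article; the tag ids, script URLs and the localStorage key are placeholders I made up, and the banner UI itself is not shown.

```javascript
// Added example (not code from the original article): a consent-gated tag
// loader. Non-essential scripts are injected only after the user opts in to
// their category, and "reject all" is one call, exactly like "accept all".
// Tag ids, script URLs and the storage key are constructed placeholders.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Tags per category. Only "necessary" may run before consent, and even
// that category must still be listed in the Cookie Policy.
const TAG_REGISTRY = {
  necessary:  [{ id: "session",   src: "/js/session.js" }],
  functional: [{ id: "lang-pref", src: "/js/lang-pref.js" }],
  analytics:  [{ id: "analytics", src: "https://example.invalid/analytics.js" }],
  marketing:  [{ id: "ads-pixel", src: "https://example.invalid/pixel.js" }],
};
// Default state: nothing non-essential opted in. A category defaulting to
// true would be the "pre-ticked box" that is not valid consent.
function rejectAll() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}
// Symmetric opposite of rejectAll(): every category opted in, in one step.
function acceptAll() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, true]));
}
// Sanitise consent read back from storage: unknown keys are dropped, anything
// not literally true means "not consented", and "necessary" cannot be turned off.
function normalizeConsent(raw) {
  const consent = rejectAll();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && raw && raw[c] === true) consent[c] = true;
  }
  return consent;
}
// Inject each tag whose category is consented, via the supplied injector
// (a <script> element in the browser, a stub in tests). Returns loaded ids.
function applyConsent(rawConsent, inject) {
  const consent = normalizeConsent(rawConsent);
  const loaded = [];
  for (const c of CATEGORIES) {
    if (!consent[c]) continue;
    for (const tag of TAG_REGISTRY[c]) { inject(tag.src); loaded.push(tag.id); }
  }
  return loaded;
}
// Browser wiring (skipped under Node): replay the stored choice, if any.
if (typeof document !== "undefined") {
  let stored = null;
  try { stored = JSON.parse(localStorage.getItem("cookie-consent-v1")); } catch (e) {}
  applyConsent(stored, (src) => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); });
}
```

With no stored choice, only the necessary tag is injected; the banner's Accept, Reject and per-category buttons each end in one applyConsent() call, so the reject path is never more work than the accept path.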

The 4 Critical Differences


| | Privacy Policy | Cookie Policy |
|--|---------------|--------------|
| Legal basis | GDPR Articles 13–14 | ePrivacy Directive / PECR |
| Covers | All personal data processing | Cookies and tracking technologies only |
| Trigger | Any processing of personal data | Any use of cookies or trackers |
| Linked to | All data practices site-wide | Cookie consent banner specifically |


Can You Combine Them Into One Document?


Technically, you can include a cookie section within your Privacy Policy. However, regulators and privacy lawyers strongly advise against this for three reasons:


  • Length and readability — combining them creates an impractically long document that users won't read
  • Consent management — the cookie consent banner must link directly to cookie information; a combined document makes this harder to implement cleanly
  • Update frequency — cookie lists change frequently (every time you add a new tool or pixel); updating a standalone Cookie Policy is faster and less risky than amending your entire Privacy Policy

Best practice: separate documents, both linked from your footer and from your cookie consent banner.


What Happens When You Get It Wrong


Missing Cookie Policy:

  • The French DPA (CNIL) fined Google €150 million and Facebook €60 million in 2022 specifically for making it difficult for users to reject cookies
  • The Irish DPC issued a €310 million fine to LinkedIn in 2024 related to consent failures
  • The Cyprus DPA (Commissioner for Personal Data Protection) has issued warnings and fines to local businesses for non-compliant cookie banners

Inaccurate Privacy Policy:

  • If your Privacy Policy doesn't reflect what you actually do with data, it can be used as evidence against you in an investigation
  • Regulators consider the gap between stated policy and actual practice an aggravating factor in fine calculations

No documents at all:

  • Maximum fines under GDPR: €20 million or 4% of global annual turnover
  • Even small businesses have received fines in the €5,000–€50,000 range from national DPAs for having no privacy documentation

The Practical Checklist


For your Privacy Policy:

  • ✅ Reflects your actual current data practices (not copy-pasted from another site)
  • ✅ Lists all third-party tools you use that process personal data
  • ✅ States retention periods for each data type
  • ✅ Explains the legal basis for each processing activity
  • ✅ Explains international transfer safeguards if applicable
  • ✅ Updated every time you add a new tool, change processes, or expand to new markets

For your Cookie Policy:

  • ✅ Lists every cookie by name, provider, purpose, and duration
  • ✅ Separates cookies into clear categories
  • ✅ Linked directly from your cookie consent banner
  • ✅ Cookie banner blocks non-essential cookies until consent is given
  • ✅ Reject option is as easy to use as Accept
  • ✅ Updated every time you add or remove a tracking tool

Two Documents. Both Mandatory. Both Different.


A Privacy Policy without a Cookie Policy leaves you exposed to ePrivacy enforcement. A Cookie Policy without a proper Privacy Policy leaves you exposed to GDPR enforcement. You need both, and they need to be accurate.


Need both documents drafted correctly? Our Website Compliance Bundle includes a GDPR-compliant Privacy Policy, Cookie Policy, cookie consent banner, and Terms of Service — all customised to your actual website and business practices. Delivered in 24–72 hours.
