Do You Need a Cookie Policy on Your Website?

TL;DR Summary: Cookie Policies
- If your site has contact forms, analytics tools, social media buttons, or an email signup, you almost certainly need a cookie policy
- A cookie policy explains what tracking technologies your site uses, why, and how visitors can control them
- In many jurisdictions (including the EU), you also need a consent banner that gives visitors a real choice before non-essential cookies load
- Termageddon is my favorite solution for cookie policies and consent banners, and I can install/embed all your legal pages and consent banner at any time
Disclaimer: This post provides general information and is not legal advice. Requirements vary by country and business type. Consult a legal professional for guidance specific to your situation.
This post may contain affiliate links, which means I may receive a commission, at no extra cost to you, if you make a purchase through a link. Please see my full affiliate disclosure for further information.
About Those Cookie Pop-Ups…
Ever landed on a website and been greeted by one of those pop-ups about cookies? I find them a bit annoying, too, if I’m being honest. But I also appreciate being informed when a site is tracking my activity, and that’s exactly the point.
Most online business owners know they’re supposed to have a cookie policy. What’s less clear is why, what it actually needs to say, and whether a consent banner is also required. This post answers all three, without the legal jargon.
You can also check out this blog post for a full overview of the legal pages most online businesses need.

What Your Website Needs Right Now
Cookies 101: What You Actually Need to Know
Cookies are small files that websites save on a visitor’s device. They’re not harmful—they help websites work better by remembering useful information, like whether someone is logged in, what’s in their cart, or which language they prefer.
Some cookies are essential for your website to function at all. Others are optional: analytics tools that track page visits, advertising pixels that follow visitors across the web, or social media buttons that report back to their platforms. The distinction between essential and non-essential cookies matters legally, because most privacy laws only require consent for the optional kind.
People care more about their online privacy than they used to. Being transparent about what your site tracks and why builds trust with visitors and demonstrates that you take their privacy seriously.
Do You Need a Cookie Policy? (In Most Cases, Yes)
If your website has any of the following, you almost certainly need a cookie policy:
- A contact form
- Google Analytics or any other analytics tool that uses cookies
- Social media sharing buttons
- A newsletter signup form
- Online store features
- Facebook Pixel or other advertising tools
- Embedded video players (YouTube, Vimeo)
Essentially: if your site collects any information about visitors, even indirectly through third-party tools, a cookie policy is needed.
When you absolutely need one
You have no real wiggle room on a cookie policy if any of these apply:
- You have visitors from the EU (GDPR applies)
- You have visitors from California (CCPA applies)
- You collect any personal information through your site
- You use tools that track visitor behavior
- You run an online store or membership site

A note about privacy-focused analytics
Most analytics tools use cookies to track visitors, but not all of them do. Fathom Analytics is the alternative to Google Analytics I recommend. Instead of tracking visitors with cookies, Fathom uses a privacy-first approach that collects the meaningful data you actually need (pages visited, referral sources, visit duration) without compromising visitor privacy.
If you use Fathom as your only analytics tool, you may not need a cookie consent banner specifically for analytics. That said, other tools on your site may still require one, so it’s worth auditing everything that’s running. My affiliate link includes $10 off your first Fathom invoice after a free trial if you’d like to try it.
What a Cookie Policy Needs to Cover
Your cookie policy doesn’t need to be complicated, but it does need to be clear. Here’s what to include:
- What types of cookies your site uses (essential, analytics, advertising, etc.)
- Why you use them and what purpose each serves
- How long they stay on visitors’ devices
- Who else has access to cookie data (analytics providers, payment processors, social platforms)
- How visitors can control or opt out of non-essential cookies
Write it the way you’d explain it to a friend. Plain language that a real person can understand is both more trustworthy and more likely to satisfy regulators than walls of legal jargon.
Cookie Consent Banners: What They Are and When You Need One
A cookie policy page tells visitors what cookies you use. A consent banner gives them a choice about whether to accept non-essential cookies before they load. In many places, particularly the EU under GDPR, the banner is legally required alongside the policy.
What makes a consent banner compliant
- Clear explanation of what visitors are consenting to
- A genuine choice: accept or decline non-essential cookies
- No pre-checked boxes (this is explicitly prohibited under GDPR)
- Easy to dismiss or decline without being buried in fine print
- A link to your full cookie policy for visitors who want more detail
Common mistakes to avoid
- Making the ‘decline’ option harder to find than ‘accept.’ Regulators are actively looking for this.
- Using pre-checked boxes. Consent must be actively given, not assumed.
- Having the banner but not the policy page. You need both.
- Setting it up once and never updating it. As you add or remove tools from your site, your cookie use changes and your policy should too.

How to Get Your Cookie Policy Set Up Properly
The solution I use and recommend for cookie policies (and all website legal policies) is Termageddon. Here’s why it’s the option I point clients toward:
- Policies update automatically. Privacy laws change regularly. Termageddon embeds your policies as code, so when laws change, the published version on your site updates without you doing anything. This is the biggest practical advantage over a static policy page you’d have to update manually.
- Tailored to your business. Setup involves a detailed questionnaire about how your site actually operates. The resulting policy reflects your specific tools and practices, not a generic template.
- Consent banner included. The cookie consent banner is part of the Termageddon setup, not a separate thing to figure out.
- Works on any platform. WordPress, Showit, Squarespace, Systeme—the embedded code approach works across all of them.
Use code EHOUSTON at checkout for 10% off your first year with Termageddon.
What about free policy generators?
Free generators produce generic policies that may not accurately reflect how your site operates. They also don’t update automatically as laws change. For a simple informational site with minimal data collection, a free generator may be better than nothing. For an active business with multiple tools running, auto-updating policies are worth the investment.

Installing Your Policy & Banner On Your Site
Having a completed cookie policy is only part of the job. It also needs to be properly published on your site: formatted to match your design, linked in your footer, and connected to a functioning consent banner that loads before non-essential cookies do.
This is where a lot of people stall. The policy is ready, the intent is there, and then the technical side of actually setting it all up sits on the to-do list for longer than it should.
The Legal Page Setup Boost handles this for you. You provide your completed Termageddon setup or other customized policy templates, and I publish your cookie policy (along with your Privacy Policy, Terms of Service, and Disclaimer), add footer links across your site, and install and configure the cookie consent banner. Any platform, 3 to 5 business days.
