Cookie Policy
COOKIE POLICY
[Company Name] — [Website URL]
Last Updated: [Effective Date]
This Cookie Policy explains how [Company Name] ("we", "us", or "our") uses cookies and similar tracking technologies on [Website URL] (the "Site"). By using our Site, you acknowledge the practices described in this policy.
1. WHAT ARE COOKIES?
Cookies are small text files placed on your device (computer, smartphone, or tablet) by websites you visit. They are widely used to make websites work more efficiently, remember your preferences, and provide analytics information to site operators. Cookies can be 'session cookies' (deleted when you close your browser) or 'persistent cookies' (remaining on your device for a defined period).
2. COOKIES WE USE
We use the following categories of cookies on this Site: [Cookie Types Used]
Analytics tools: [Analytics Tools]
Advertising and tracking pixels: [Advertising Tools]
Social media plugins: [Social Media Tools]
3. COOKIE DURATION
[Cookie Duration Info]
4. YOUR CHOICES AND OPT-OUT OPTIONS
4.1 Consent Mechanism. [Consent Mechanism].
4.2 California Residents. [CCPA Compliance].
4.3 Browser Controls. Most web browsers allow you to control cookies through the browser settings. You may delete or block cookies by modifying your browser settings. Note that disabling some cookies may affect the functionality of our Site. For more information, visit your browser's help documentation.
4.4 Industry Opt-Out Tools. You may opt out of interest-based advertising through the Digital Advertising Alliance (optout.aboutads.info) or the Network Advertising Initiative (optout.networkadvertising.org).
5. THIRD-PARTY COOKIES
Some cookies on our Site are set by third parties whose services we use, including the analytics and advertising providers listed in Section 2. We do not control third-party cookies. Please refer to the relevant third party's privacy policy for information about how they use cookies and how to opt out.
6. UPDATES TO THIS POLICY
[Policy Update Process]
7. CONTACT US
If you have questions about this Cookie Policy or how we handle your data, please contact us at: [Contact Email]
[Company Name]
[Website URL]
What Is a Cookie Policy?
A Cookie Policy in the United States establishes the obligations and procedures governing the conduct it regulates.
A Cookie Policy governs the placement, reading, and processing of small data files — cookies — that a web server stores in a visitor's browser, as well as related technologies including web beacons (pixel tags), local storage objects, session replay scripts, fingerprinting techniques, and third-party software development kits (SDKs) embedded in the site. Each of these technologies can collect information about the visitor's device, browser settings, IP address, pages visited, time spent on the site, clickstream data, and purchase behavior. Taken together, this data enables site operators to measure audience metrics, personalize content, retarget visitors through advertising networks such as Google Ads, Meta Pixel, and the Trade Desk, and share behavioral data with data brokers and analytics platforms.
The legal significance of a Cookie Policy in the United States differs from the EU framework under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the ePrivacy Directive 2002/58/EC, which require prior informed consent before placing non-essential cookies. US law, by contrast, generally requires disclosure and opt-out mechanisms rather than opt-in consent, except where the data is sold or shared with third parties for cross-contextual behavioral advertising, in which case the CCPA/CPRA requires a conspicuous 'Do Not Sell or Share My Personal Information' link and that Global Privacy Control (GPC) signals be honored. For websites that collect data from EU residents, GDPR consent requirements apply regardless of where the website operator is located.
A Cookie Policy differs from a Privacy Policy in scope: the Privacy Policy covers all personal data collected by the company across all channels (forms, email, purchases, employment), while the Cookie Policy focuses specifically on tracking technologies deployed on the website. Many companies publish the Cookie Policy as a standalone document and cross-reference it from the Privacy Policy. The Federal Trade Commission (FTC) Act, Section 5 (15 U.S.C. § 45), prohibits unfair or deceptive acts or practices, meaning that a Cookie Policy that misrepresents what data is collected or how it is used can be the basis for FTC enforcement action.
When Do You Need a Cookie Policy?
A Cookie Policy is needed for any US-based website or mobile application that deploys cookies, web beacons, pixels, or other tracking technologies to collect data about visitors, including websites that use Google Analytics, Google Tag Manager, Meta Pixel, LinkedIn Insight Tag, HubSpot, Hotjar, Intercom, or any third-party advertising or analytics script.
CalOPPA (Cal. Bus. & Prof. Code § 22575-22579) requires all commercial websites and online services that collect personally identifiable information from California residents — which includes IP addresses and device identifiers collected through cookies — to conspicuously post a privacy policy that discloses third-party tracking practices. California's Attorney General has authority to enforce this requirement.
The CCPA (Cal. Civ. Code § 1798.100 et seq.) applies to businesses that meet annual gross revenue thresholds over $25 million, collect personal information of 100,000 or more consumers or households, or derive 50% or more of annual revenue from selling or sharing personal information. Covered businesses must provide notice at collection (which includes cookie disclosures at the point of tracking) and must offer opt-out rights for the sale or sharing of data — a right triggered by sharing cookie data with advertising networks.
Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, and Texas's TDPSA create similar disclosure and opt-out requirements that apply to controllers who process personal data of Virginia, Colorado, Connecticut, and Texas residents respectively, even if the controller is based in another state.
Any website using Google Analytics 4 (GA4), which processes data on Google servers and shares behavioral data with Google Ads, must disclose this data flow in a Cookie Policy. Google's updated Terms of Service require website operators to post a Cookie Policy when using GA4. Similarly, Meta's Business Terms of Service require disclosure of the Facebook Pixel or Conversions API.
E-commerce websites that deploy remarketing pixels (Google Shopping, Amazon Advertising, Criteo, AdRoll) are pooling visitor data with advertising networks in ways that constitute a 'sale' or 'sharing' under the CCPA — each of these data flows must be disclosed by document type, named technology provider, and purpose.
What to Include in Your Cookie Policy
A legally adequate US Cookie Policy must cover specific elements to satisfy the disclosure requirements of CalOPPA, the CCPA/CPRA, and applicable state privacy laws.
Cookie categories and descriptions: The policy must identify each category of cookie or tracking technology deployed on the site. Standard categories include strictly necessary cookies (session management, authentication, load balancing), performance and analytics cookies (Google Analytics 4, Mixpanel, Amplitude, Hotjar), functionality cookies (language preferences, saved form data, chat widget state), targeting and advertising cookies (Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel), and social media cookies (Share buttons from Facebook, Twitter/X, LinkedIn, Pinterest). Each category entry should name the specific technology provider, describe the cookie's function, and state its retention period.
First-party vs. third-party cookies: The policy must distinguish between cookies set by the website operator's own domain (first-party) and cookies set by third-party domains embedded in the site. Third-party cookies are the primary mechanism for cross-site tracking and behavioral advertising, and their disclosure is specifically required by CalOPPA regarding tracking by third parties.
Cookie duration disclosure: Each cookie entry should state whether it is a session cookie (deleted when the browser is closed) or a persistent cookie, and the persistent cookie's maximum retention period (e.g., 13 months for Google Analytics cookies, 90 days for certain Meta Pixel cookies).
Opt-out and consent mechanisms: For California residents, the policy must explain how to exercise the right to opt out of the sale or sharing of personal information, including a link to the 'Do Not Sell or Share My Personal Information' page and a statement that GPC signals will be honored. For browser-level controls, the policy should explain how to adjust cookie settings in Chrome, Firefox, Safari, and Edge. Industry opt-out tools such as the Digital Advertising Alliance (DAA) opt-out tool at optout.aboutads.info and the Network Advertising Initiative (NAI) opt-out tool at optout.networkadvertising.org should be referenced.
Do Not Track (DNT) disclosure: CalOPPA requires disclosure of whether the website responds to browser-sent Do Not Track signals. Most websites do not honor DNT and must state this explicitly.
Cross-border data transfers: Where cookies result in personal data being transferred outside the United States — for example, Google Analytics data processed in EU data centers — the policy should disclose this cross-border transfer and the legal basis or safeguard used (Standard Contractual Clauses, adequacy decisions).
Contact information and update date: The policy must identify the data controller (company name, address, email for privacy inquiries) and state the date it was last updated. CalOPPA requires the effective date to be displayed. Annual updates are recommended as cookie inventories change when new third-party scripts are added.
Sources & Citations
Statutory citations link to official government sources.
- 15 U.S.C. § 45 (US), Cornell LII
- Cal. Civ. Code § 1798.100 (CA, US), official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cookie Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/cookie-policy
"Cookie Policy (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/policies/cookie-policy.
@misc{formslegal-cookie-policy,
author = {{Forms Legal}},
title = {Cookie Policy (United States)},
year = {2026},
howpublished = {\url{https://forms-legal.com/usa/business/policies/cookie-policy}},
note = {Free legal document template. Based on Uniform Commercial Code (UCC)}
}
Frequently Asked Questions
The United States does not have a single federal law that explicitly requires all websites to publish a cookie policy. However, several federal and state laws create cookie disclosure obligations for many websites. The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites that collect personal information from California residents to conspicuously post a privacy policy that discloses whether third parties can collect personally identifiable information about users' online activities over time and across different websites. The California Consumer Privacy Act (CCPA) and its amendment, the CPRA, require businesses meeting certain thresholds to disclose the categories of personal information collected, including data collected through cookies and tracking technologies, and to honor opt-out requests for the sale or sharing of personal information. Several other states, including Virginia, Colorado, Connecticut, and Texas, have enacted comprehensive privacy laws with similar disclosure requirements. Additionally, if a US website collects data from EU residents, GDPR cookie consent requirements apply.
A complete cookie policy should disclose all categories of cookies used on the website, organized by function. The standard categories are: (1) Strictly necessary cookies — session cookies essential for the website to function, such as authentication tokens and shopping cart identifiers, which do not require consent; (2) Performance and analytics cookies — cookies that collect data about how users interact with the website, such as Google Analytics, which enable site operators to understand page popularity, error rates, and user flow; (3) Functionality cookies — cookies that remember user preferences and settings, such as language selection, font size, and saved form data; (4) Targeting and advertising cookies — cookies placed by advertising networks (Google Ads, Facebook Pixel, etc.) to deliver personalized advertising and track conversion; and (5) Social media cookies — cookies placed by embedded social sharing buttons or widgets. The policy should identify each specific cookie or cookie category, state its purpose, identify the party setting the cookie (first party or named third party), and specify the cookie's duration.
US privacy laws provide several mechanisms for users to opt out of cookie-based tracking. Under the CCPA/CPRA, California residents have the right to opt out of the 'sale' or 'sharing' of their personal information, which includes sharing data via cookies with advertising networks for cross-contextual behavioral advertising. Websites subject to the CCPA must provide a 'Do Not Sell or Share My Personal Information' link on their homepage. The Global Privacy Control (GPC) signal — a browser setting that broadcasts a user's opt-out preference — must be honored by CCPA-covered businesses. Several other state privacy laws provide similar opt-out rights. At the browser level, users can clear cookies, block third-party cookies, or use private/incognito mode. Most advertising networks participate in industry self-regulatory programs such as the Digital Advertising Alliance's (DAA) opt-out tool at optout.aboutads.info. The cookie policy should explain all available opt-out mechanisms with links or instructions.
First-party cookies are set by the website domain the user is visiting — for example, visiting example.com causes example.com to set cookies in the user's browser. First-party cookies are typically used for session management, user preferences, and first-party analytics. Third-party cookies are set by a domain different from the website being visited — for example, visiting example.com may cause ad networks (doubleclick.net), analytics providers (google-analytics.com), or social media platforms (facebook.com) to set cookies in the user's browser through embedded scripts, pixels, or iframes. Third-party cookies are the primary mechanism for cross-site tracking and behavioral advertising, and they are the focus of most privacy regulation. Major browsers — including Safari, Firefox, and Chrome (in the process of transitioning) — are blocking or phasing out support for third-party cookies, which is forcing advertisers and publishers to develop alternative tracking methodologies.
A cookie policy should be reviewed and updated whenever: (1) the website adds or removes cookies or tracking technologies; (2) the website adds new third-party services — analytics platforms, advertising networks, chat widgets, social plugins — that set their own cookies; (3) applicable privacy laws change, such as when new state privacy laws take effect or existing laws are amended; (4) the company's data practices change, such as expanding into a new market or launching a new product; or (5) any of the third-party cookie vendors named in the policy change their data practices or cookie specifications. As a general practice, the cookie policy should be audited at least annually. Many companies use cookie scanning tools — such as Cookiebot, OneTrust, or TrustArc — that automatically detect all cookies on the site and generate updated cookie lists, which can then be incorporated into the policy. The policy should display the date it was last updated.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.