Cookie Policy GDPR: What to Include (With Examples)
Published on April 21, 2026

A cookie policy is often treated like a footer formality, but under the GDPR (and the EU ePrivacy rules that sit alongside it) it is part of how you prove lawful, transparent processing. If your website is accessible to EU/UK visitors, the expectations around cookies can apply even if your business is based in Jamaica.

This guide breaks down what a GDPR-compliant cookie policy should include, why each element matters, and provides ready-to-adapt examples you can tailor to your site.

Cookie policy GDPR basics (and why “just having a banner” is not enough)

GDPR transparency obligations require you to tell people, in clear language, what personal data you collect and why. Cookies and similar technologies can trigger GDPR because they can identify a device or user, directly or indirectly.

Separately, consent rules for storing or accessing information on a user’s device typically come from the ePrivacy framework (implemented differently across EU Member States). In practice, most organisations manage this by:

  • Using a consent banner (or consent management platform) to collect and record choices.

  • Publishing a cookie policy to explain cookies in detail and provide ongoing transparency.

A banner without a policy is usually incomplete, and a policy without a functioning consent mechanism often fails in practice.

What counts as “cookies” for GDPR purposes

A cookie policy should cover more than literal browser cookies. Regulators generally treat these as part of the same compliance topic:

  • HTTP cookies (first party and third party)

  • Similar identifiers such as local storage, SDK identifiers (in mobile apps), pixels, tags, and fingerprinting techniques

  • Analytics and advertising identifiers

If your site uses third-party tools (analytics, marketing, embedded videos, social plugins), your cookie policy should reflect that.

When do you need a cookie policy?

In most cases, you should publish a cookie policy if your site uses any cookies beyond those that are strictly necessary for the site to function.

A common, practical approach is:

  • Always publish a cookie policy (as a dedicated page linked in the footer and from the cookie banner).

  • Treat it as a “layer” beneath your banner, with deeper detail than what a banner can display.

If you are targeting or serving EU/UK visitors, you should also ensure your approach aligns with GDPR transparency requirements and the relevant ePrivacy standard applied in that jurisdiction.

Cookie policy GDPR: what to include (the required building blocks)

A strong cookie policy typically contains the following sections.

1) Who you are and how to contact you

Identify the website operator (company name, registered address where appropriate, and contact route). If you have a Data Protection Officer (DPO) or privacy contact, list that.

Example (adapt):

“We are [Company Name], the operator of this website. If you have questions about our use of cookies, contact us at [privacy email] or [address].”

2) What cookies are (and what “similar technologies” are)

Define cookies and acknowledge that comparable technologies may be used.

Example (adapt):

“Cookies are small text files placed on your device when you visit a website. We may also use similar technologies (such as pixels and tags) to understand how our services are used and to improve your experience.”

3) Why you use cookies (purposes)

Explain purposes in plain language, not just technical labels. Typical purposes include:

  • Site functionality (security, load balancing, form submissions, shopping cart)

  • Preferences (language, region)

  • Analytics (site performance and usage insights)

  • Marketing (ad measurement, retargeting)

  • Embedded content (video players, maps, social media)

Example (adapt):

“We use cookies to keep the site secure, make it work properly, remember your preferences, measure website performance, and (if you choose) tailor marketing.”

4) Your legal basis (and when consent is required)

Be careful here: for many cookie categories, the legal basis under GDPR is consent, and ePrivacy-style rules also generally require consent before placing non-essential cookies.

You can explain this at a high level:

  • Strictly necessary cookies: typically do not require consent (but still require transparency)

  • Analytics and marketing cookies: typically require prior consent in many jurisdictions

Example (adapt):

“We use strictly necessary cookies because they are required for the website to operate. We use analytics and marketing cookies only where you have given consent through our cookie settings.”

For additional context, see the GDPR text on lawful bases and transparency at the EU GDPR portal.

5) Cookie categories, with clear explanations

Most policies organise cookies into categories. Keep descriptions understandable.

Common categories:

  • Strictly necessary

  • Preferences / functionality

  • Analytics / performance

  • Marketing / targeting

Where relevant, add an “unclassified” category if your cookie scanner detects items you have not yet mapped, but treat that as a temporary state and resolve it.

6) A cookie list (name, provider, purpose, expiry, type)

A GDPR-aligned cookie policy usually includes a cookie table (or a dynamically generated list from a consent tool). The key is that it must be accurate for your site.

If your cookies change frequently, a dynamically generated list can be safer than maintaining a manual table, but it is only as accurate as the scanner behind it: scanners commonly miss cookies that are set only after login, on checkout or form pages, or by tags that fire conditionally. Review the generated list against what the site actually sets, and do so again after each site change.

Here is a model structure:

Cookie / Identifier | Provider           | Purpose                                       | Category           | Typical expiry
--------------------+--------------------+-----------------------------------------------+--------------------+--------------------
session_id          | Your website       | Maintains user session and security           | Strictly necessary | Session
analytics_id        | Analytics provider | Measures page visits and interactions         | Analytics          | 13 months (example)
marketing_id        | Ad partner         | Tracks ad performance and helps prevent fraud | Marketing          | 90 days (example)

Only include expiries you can verify. Cookie lifetimes vary by configuration and vendor.
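The check behind "only include expiries you can verify" can be automated. The script below is an added example written for this page, not code from the original article or from any consent tool: it takes the cookie table above as data, parses Set-Cookie headers captured from a crawl of the site, and reports cookies the policy does not declare, declared cookies the site no longer sets, and lifetimes that differ from what the table promises. The cookie names, domains and headers are constructed samples, and the "1 month = 30 days" conversion and 15% tolerance are assumptions you should adjust to your own policy wording.

```javascript
// Added example: reconcile a published cookie table against observed Set-Cookie headers.
// Runs under Node; feed it real headers from a crawl or HAR export. All names, domains
// and header values below are constructed samples, not data from any real site.

const DAY_MS = 86400 * 1000;

// Parse one Set-Cookie header into { name, domain, maxAgeSec, expires }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), domain: null, maxAgeSec: null, expires: null };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : a.slice(i + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "");
    else if (key === "max-age") cookie.maxAgeSec = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
  }
  return cookie;
}

// Observed lifetime in days; null means a session cookie. Max-Age takes precedence over Expires.
function observedLifetimeDays(cookie, now) {
  if (cookie.maxAgeSec !== null) return cookie.maxAgeSec / 86400;
  if (cookie.expires && !isNaN(cookie.expires)) return (cookie.expires - now) / DAY_MS;
  return null;
}

// Turn the table's "13 months (example)", "90 days" or "Session" into days (null = session).
// Assumption: a month is 30 days and a year 365 for comparison purposes.
function declaredLifetimeDays(text) {
  if (/^session/i.test(text)) return null;
  const m = /(\d+)\s*(day|month|year)s?/i.exec(text);
  if (!m) throw new Error(`Cannot parse declared expiry: ${text}`);
  const unit = { day: 1, month: 30, year: 365 }[m[2].toLowerCase()];
  return Number(m[1]) * unit;
}

// Compare the declared table with observed headers. Returns findings; an empty list means
// the table matches what the site sets, within the given lifetime tolerance.
function reconcile(declared, headers, now, tolerance = 0.15) {
  const findings = [];
  const observed = new Map(headers.map(h => { const c = parseSetCookie(h); return [c.name, c]; }));
  const declaredNames = new Set(declared.map(d => d.name));

  for (const d of declared) {
    const c = observed.get(d.name);
    if (!c) { findings.push({ cookie: d.name, issue: "declared-not-observed", detail: "remove the row or re-check the crawl" }); continue; }
    const want = declaredLifetimeDays(d.expiry);
    const got = observedLifetimeDays(c, now);
    if (want === null && got !== null) {
      findings.push({ cookie: d.name, issue: "expiry-mismatch", detail: `declared Session, observed ${got.toFixed(0)} days` });
    } else if (want !== null && got === null) {
      findings.push({ cookie: d.name, issue: "expiry-mismatch", detail: `declared ${want} days, observed Session` });
    } else if (want !== null && Math.abs(got - want) > want * tolerance) {
      findings.push({ cookie: d.name, issue: "expiry-mismatch", detail: `declared ${want} days, observed ${got.toFixed(0)} days` });
    }
  }
  for (const [name, c] of observed) {
    if (!declaredNames.has(name)) {
      findings.push({ cookie: name, issue: "unclassified", detail: `set by ${c.domain || "first party"}; map it to a category or remove the tag` });
    }
  }
  return findings;
}

// Constructed sample: the model table from this page, plus one stale row, as data.
const DECLARED = [
  { name: "session_id",   provider: "Your website",       category: "Strictly necessary", expiry: "Session" },
  { name: "analytics_id", provider: "Analytics provider", category: "Analytics",          expiry: "13 months (example)" },
  { name: "marketing_id", provider: "Ad partner",         category: "Marketing",          expiry: "90 days (example)" },
  { name: "lang_pref",    provider: "Your website",       category: "Preferences",        expiry: "1 year" },
];

// Constructed sample: Set-Cookie headers as they might be captured from a crawl.
const OBSERVED_HEADERS = [
  "session_id=3f9c2a; Path=/; Secure; HttpOnly; SameSite=Lax",
  "analytics_id=GA1.2.1234; Domain=.example.com; Path=/; Max-Age=34214400; SameSite=Lax",  // 396 days
  "marketing_id=abc; Domain=.ads.example; Path=/; Max-Age=15552000; Secure; SameSite=None", // 180 days
  "_pk_ref=1; Path=/; Max-Age=2592000",                                                     // never mapped
];

const NOW = new Date("2026-04-21T00:00:00Z");

// Entry point: returns the findings for the constructed sample.
function runSample() {
  return reconcile(DECLARED, OBSERVED_HEADERS, NOW);
}
```

On the sample, the session cookie and the analytics cookie pass, the marketing cookie is flagged because it lives twice as long as the table claims, the stale "lang_pref" row is flagged for removal, and "_pk_ref" is reported as unclassified. Run it in a fresh browser profile before and after accepting the banner, and on authenticated pages, not just the home page.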

7) Third parties and international transfers

If third-party cookies or tags are used, name the third parties (or at least the categories of third parties), and explain that data may be shared with them.

If those third parties involve transfers outside the UK/EU (for example, to the United States), your policy should link to more detail in your privacy notice about international transfers and safeguards (such as Standard Contractual Clauses, where applicable).

Regulators can scrutinise third-party ad tech heavily, so this section should be concrete, not vague.

Useful background guidance is available from the European Data Protection Board (EDPB).

8) How users can manage cookies and withdraw consent

Your cookie policy should tell users:

  • How to change cookie choices on your website (for example, a “Cookie Settings” link)

  • How to withdraw consent at any time

  • How to manage cookies via browser settings

Example (adapt):

“You can change your cookie preferences at any time by selecting ‘Cookie Settings’ in the footer. You can also delete cookies through your browser settings. If you disable certain cookies, parts of the website may not function properly.”

For browser-level controls, you can point users to vendor documentation (for example Google Chrome's cookie settings). Link only to documentation you actually reference, and keep the number of links small so users are not overwhelmed.

9) Whether cookies are essential, and what happens if users refuse

This improves transparency and reduces complaints. Be honest about impact.

Example (adapt):

“Strictly necessary cookies are required to run the website and cannot be switched off in our systems. You can refuse analytics and marketing cookies without losing access to core content.”

10) How often you update the cookie policy

You do not need an elaborate "last updated" notice, but you should state that the cookies you use can change and that you will update the policy when they do.

Example (adapt):

“We may update this cookie policy from time to time to reflect changes in the cookies we use or for legal and regulatory reasons.”

Cookie policy examples you can copy and tailor

Below are short examples you can adapt. They are intentionally generic, because the final text must match your actual cookie inventory.

Example A: Short “plain English” overview section

“We use cookies and similar technologies to make our website work, keep it secure, remember your preferences, and understand how the site is used. Some cookies are strictly necessary and are always on. Others (such as analytics and marketing cookies) are used only if you choose to enable them. You can change your choices at any time using our cookie settings.”

Example B: Strictly necessary cookies section

“Strictly necessary cookies help the website function and keep it secure. They are usually set in response to actions you take, such as submitting a form, setting privacy preferences, or navigating between pages. Because these cookies are required to provide the website, they do not require your consent in many jurisdictions, but we still explain them in this policy.”

Example C: Analytics cookies section

“Analytics cookies help us understand how visitors interact with our website, for example which pages are visited most often and how visitors move through the site. We use this information to improve website performance and user experience. We will only use analytics cookies where you have provided consent through our cookie settings.”

Example D: Marketing cookies section

“Marketing cookies may be set by us or by third-party partners to build a profile of your interests and show you relevant content or advertisements on other sites. They may also be used to measure the effectiveness of advertising campaigns. These cookies are used only if you consent.”

Example E: Third-party cookies and embedded content section

“Some pages may include content provided by third parties (for example, embedded video players, maps, or social media features). These third parties may set cookies or use similar technologies. Where required, we will ask for your consent before enabling these third-party features.”

A practical cookie compliance workflow (what good looks like)

A well-run cookie compliance process usually follows a loop:

  • Identify cookies and similar technologies on your site (including third-party tags)

  • Classify them correctly (strictly necessary vs optional)

  • Configure the site so optional tags and cookies do not load before consent (the banner itself does not block anything; the page's script loading has to be gated on the recorded choice)

  • Publish a cookie policy that reflects the inventory

  • Record consent choices and make it easy to change them

  • Re-scan and review after website updates

Figure: visitor journey flowchart. Visit website, see cookie banner, choose Accept or Manage settings, optional cookies load only after consent, and consent choices can be changed later via a Cookie Settings link.

Common mistakes that can make a cookie policy non-compliant

Vague third-party disclosure

Saying “we may share data with partners” is rarely enough for cookie transparency. Name key vendors where possible, or clearly describe the third-party categories and link to vendor information.

Listing cookies that do not match reality

A copied cookie table is risky. Regulators and privacy-savvy users can detect mismatches quickly. Your policy should reflect what your site actually sets.

Treating analytics as always exempt

Some organisations assume analytics cookies are automatically “strictly necessary.” Many regulators do not treat them that way. If you rely on an exemption, confirm it fits your jurisdiction and implementation.

Loading marketing tags before consent

This is a technical implementation failure, not a drafting problem. If tags fire before consent, your banner and policy will not save you. Check it the way a regulator or complainant would: open the site in a fresh browser profile, do not interact with the banner, and look at the Network and Application (storage) tabs in the browser's developer tools for third-party requests and cookies that should not be there yet.
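What "gated on consent" looks like in code, for the workflow step above and for this mistake: the following is an added example written for this page, not code from the original article, from any consent management platform, or from any vendor's tag. It keeps the decision logic free of browser APIs so it can be exercised outside a browser; in a page you pass a loader that injects the script element. The tag ids, categories, URLs and cookie names are hypothetical placeholders, and the consent-record format (a versioned JSON object stored in a first-party cookie) is an assumption, not a standard.

```javascript
// Added example: load optional tags only after consent, and handle withdrawal.
// All tag ids, categories, URLs and cookie names are hypothetical placeholders.

const CONSENT_VERSION = 2;                     // bump when purposes or the cookie inventory change
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Hypothetical tag inventory; each tag belongs to exactly one category and
// lists the cookies it is known to set (so withdrawal can expire them).
const TAGS = [
  { id: "csrf-helper",      category: "necessary", src: "/static/csrf.js" },
  { id: "analytics-vendor", category: "analytics", src: "https://analytics.example/tag.js", cookies: ["analytics_id"] },
  { id: "ad-pixel",         category: "marketing", src: "https://ads.example/pixel.js",     cookies: ["marketing_id"] },
];

// Build a consent record. Anything not explicitly granted is denied: no pre-ticked boxes.
function makeConsentRecord(choices = {}, at = Date.now()) {
  const record = { version: CONSENT_VERSION, at, choices: {} };
  for (const c of OPTIONAL_CATEGORIES) record.choices[c] = choices[c] === true;
  return record;
}

// Read a stored record (for example from a first-party cookie). A malformed record, or one
// written under an older CONSENT_VERSION, is discarded so the banner is shown again.
function parseConsentRecord(raw) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION || typeof rec.choices !== "object" || rec.choices === null) return null;
    return makeConsentRecord(rec.choices, rec.at);
  } catch {
    return null;
  }
}

// Tags permitted under a record; with no record at all only "necessary" tags qualify.
function tagsAllowed(record, tags = TAGS) {
  const rec = record || makeConsentRecord();
  return tags.filter(t => t.category === "necessary" || rec.choices[t.category] === true);
}

// Load every permitted tag that has not been loaded yet. `loaded` carries state across
// calls (initial page load, then a later "Accept" in the banner). Returns ids loaded now.
function applyConsent(record, loader, loaded = new Set(), tags = TAGS) {
  const loadedNow = [];
  for (const t of tagsAllowed(record, tags)) {
    if (loaded.has(t.id)) continue;
    loader(t);
    loaded.add(t.id);
    loadedNow.push(t.id);
  }
  return loadedNow;
}

// Withdrawal: returns the new record plus Set-Cookie strings that expire the cookies of
// the withdrawn category. A script that is already running cannot be unloaded, so the
// caller stores the new record and reloads the page; applyConsent then skips those tags.
function withdrawConsent(record, category, tags = TAGS) {
  const choices = { ...(record ? record.choices : {}) };
  choices[category] = false;
  const next = makeConsentRecord(choices);
  const expireCookies = tags
    .filter(t => t.category === category)
    .flatMap(t => t.cookies || [])
    .map(name => `${name}=; Max-Age=0; Path=/`);   // add Domain= to match how the vendor set it
  return { record: next, expireCookies };
}

// Browser-side loader (only meaningful in a page): injects the tag when, and only when, called.
function browserLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}
```

The design choice that matters is that no optional `<script src>` exists in the HTML at all; the only way a vendor script reaches the page is through `applyConsent`, so a missing or stale consent record cannot accidentally load it. Withdrawal expires the cookies the site knows about and, because already-running scripts cannot be unloaded, relies on a reload with the updated record.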

How this connects to Jamaica’s data protection landscape

Even for Jamaica-based organisations, cookie and tracking compliance is relevant because:

  • Websites often have international reach (including EU/UK visitors).

  • Jamaica has its own developing data protection expectations, including the Data Protection Act framework.

In practice, many organisations choose to align their web privacy programme with GDPR-style transparency and governance because it provides a robust standard that also supports broader compliance and risk management.

If you are unsure whether GDPR applies to your organisation, the answer often turns on facts such as where your visitors are, whether you market to them, and how tracking is implemented.

Quick checklist: what your cookie policy should contain

  • Clear definition of cookies and similar technologies

  • Purposes for each category

  • Whether consent is used, and how to withdraw it

  • A cookie list (name, provider, purpose, expiry, category)

  • Disclosure of third parties and any relevant international transfers (with links to more detail in your privacy notice)

  • How to manage cookies (site settings and browser controls)

  • A commitment to update the policy when cookies change

Frequently Asked Questions

Do I need a cookie policy if I already have a privacy policy? A privacy policy and a cookie policy overlap, but they are not the same. A cookie policy focuses on device tracking technologies, categories, and cookie-by-cookie detail, while a privacy policy covers broader personal data processing.

Are “strictly necessary” cookies exempt from consent? Often yes, but the definition is narrow. Strictly necessary generally means required to provide a service the user requested (security, load balancing, session management). Analytics and advertising cookies typically require consent in many jurisdictions.

Should I list every cookie by name? In most cases, yes. A cookie table (or an accurate, dynamically generated cookie list) is a common expectation for transparency, especially where multiple third parties are involved.

How often should I update my cookie policy? Update whenever you change vendors, add new tags, alter analytics/marketing tools, or redesign the site. Many organisations also schedule periodic scans (for example quarterly) to catch unexpected changes.

Can my business in Jamaica be subject to GDPR cookie rules? It can be, depending on whether you target EU/UK individuals or monitor their behaviour (for example through tracking). The analysis is fact-specific and often benefits from legal review.

Need help reviewing your cookie policy and tracking compliance?

If your website serves clients across borders, cookie compliance is both a legal issue and a reputational one. Henlin Gibson Henlin advises organisations on data privacy, compliance and risk, and can help you align your cookie banner, cookie policy, and wider privacy documentation with your actual website setup.

Explore the firm at Henlin Gibson Henlin or contact your legal counsel to review your cookie inventory, consent approach, and cross-border data protection obligations.