How to create a cookie notice for your website

A cookie notice tells visitors what storage and tracking a website wants to use, what is necessary for the site to work, and what the visitor can choose before optional analytics, advertising, or personalization tools start running. On modern sites it usually covers cookies together with similar browser storage, tracking pixels, and consent signals passed to third-party tags.

For a webmaster, the notice is not just copy in a banner. It is the control layer that decides which scripts can load, which categories stay blocked by default, how a visitor can change that choice later, and whether the privacy page, tag manager, and site behavior all tell the same story.

A strong cookie notice matches the site's real tags and visitor regions. If the site says it offers a choice but analytics or advertising cookies still appear before consent, or if rejection is harder than acceptance, the notice becomes a compliance and trust problem instead of a safeguard.

  1. List every cookie and similar storage item the public site can set before designing the banner.
    Essential
    Analytics
    Advertising
    Personalization
    Embedded media
    A/B testing or feature flags

    Check the homepage, landing pages, checkout or sign-in flows, and any page that embeds videos, maps, chat widgets, or ad tags so the notice reflects the real site rather than only the CMS theme.

  2. Separate the list into strictly necessary functions and optional categories before you choose the default state.
    Essential: login session, security, load balancing, cart state
    Optional: analytics, advertising, remarketing, social embeds, personalization

    Do not label analytics or advertising cookies as essential just because the business wants the data, because the banner logic and the published explanation need to match the real purpose of each category.

  3. Decide whether the site will use a consent management platform (CMP) or a custom banner, then set the strictest regional default your audience requires.
    Global audience with ads or analytics: default optional categories to off until consent
    Necessary-only site: informational notice may be enough if no optional storage is used
    Multi-region site: geotarget banner behavior only if the routing is reliable and maintained

    If the site serves multiple jurisdictions or regulated ad stacks, confirm the final wording and default behavior with the legal owner or compliance team before launch.

  4. Draft the first layer so it names the optional categories, links to the detailed policy, and offers immediate action buttons in the first view.
    We use essential cookies to keep the site working.
    We would also like to use analytics cookies to understand site use and advertising cookies only if you allow them.
    Accept all
    Reject non-essential
    Manage preferences

    Do not rely on implied consent wording such as "by continuing to browse", and do not make rejection harder than acceptance by hiding it behind an extra screen or weaker button treatment.

  5. Connect each banner choice to the actual loading behavior of scripts, tags, and embeds instead of only saving a cosmetic preference.
    Page load: essential scripts only
    Accept analytics: analytics tags may load
    Accept advertising: advertising tags may load
    Reject non-essential: optional tags stay blocked
    Withdraw consent: future optional writes stop and optional tags stay blocked on the next page view

    Review both third-party tags and self-hosted scripts because either can set optional cookies or trigger optional network calls before the visitor chooses.

  6. Pass the consent state to the measurement or advertising platforms that depend on it before those tags initialize.
    Default before interaction:
    analytics_storage = denied
    ad_storage = denied
    ad_user_data = denied
    ad_personalization = denied
    
    Update after choice:
    grant only the categories the visitor accepted

    If the site serves Google ads in the EEA, the UK, or Switzerland through products such as AdSense, Ad Manager, or AdMob, Google currently requires a certified CMP integrated with the IAB Transparency and Consent Framework (TCF) for those users.

  7. Store the visitor's choice for a reasonable period and publish a permanent way to reopen the settings after the banner closes.
    Footer link: Cookie settings
    Policy link: Cookie notice or Cookie policy
    Banner memory: store the last consent choice and timestamp

    A footer or account-area Cookie settings link keeps withdrawal practical and lets the site update consent when categories, vendors, or purposes change.

  8. Publish the matching detail page so the short banner text and the longer explanation stay aligned.
    Category name
    Purpose
    Provider or vendor
    Duration
    How to withdraw or change consent
    Link to the privacy policy when personal data processing is involved

    The banner is the short control surface; the longer page is the maintained reference that explains what each category actually does.

  9. Test the published notice in a fresh browser session at desktop and mobile widths and confirm the accepted state matches the storage that appears.
    Reject non-essential:
    Only essential cookies remain
    Analytics and ad requests do not fire
    Banner closes and Cookie settings stays available
    
    Accept analytics only:
    Analytics requests begin
    Advertising cookies stay blocked
    
    Accept all:
    Approved categories load without covering the page content or shifting the layout

    Use browser storage and network panels, not only visual inspection, because a banner can look correct while still loading optional tags too early or hiding important content on small screens.
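
The gating in steps 5 to 7 and the check in step 9, sketched as an added example that is not part of the original guide: one stored consent record drives the consent signals, the list of tags allowed to load, and an audit of cookies actually observed in the browser. The tag inventory, cookie names, function names and the 180-day retention period are assumptions made for illustration.

```javascript
const CATEGORY_SIGNALS = {
  analytics: ["analytics_storage"],
  advertising: ["ad_storage", "ad_user_data", "ad_personalization"],
};
const OPTIONAL = Object.keys(CATEGORY_SIGNALS);
// Constructed inventory (steps 1-2): each tag, its category, the cookies it sets.
const TAGS = [
  { name: "session", category: "essential", cookies: ["sid", "csrf"] },
  { name: "site-analytics", category: "analytics", cookies: ["_an_id"] },
  { name: "ad-pixel", category: "advertising", cookies: ["_ad_uid"] },
];
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumed retention period

// Step 7: the stored record keeps only known optional categories plus a timestamp.
function recordChoice(accepted, now = Date.now()) {
  return { accepted: accepted.filter((c) => OPTIONAL.includes(c)), timestamp: now };
}

// A missing, malformed or expired record grants nothing optional.
function effectiveCategories(record, now = Date.now()) {
  if (!record || !Array.isArray(record.accepted)) return [];
  if (typeof record.timestamp !== "number" || now - record.timestamp > MAX_AGE_MS) return [];
  return record.accepted.filter((c) => OPTIONAL.includes(c));
}

// Step 6: every signal starts denied; only accepted categories become granted.
function consentSignals(record, now) {
  const granted = effectiveCategories(record, now);
  const signals = {};
  for (const [category, keys] of Object.entries(CATEGORY_SIGNALS)) {
    for (const k of keys) signals[k] = granted.includes(category) ? "granted" : "denied";
  }
  return signals;
}

// Step 5: essential tags always load; optional tags load only when granted.
function tagsToLoad(record, now) {
  const granted = effectiveCategories(record, now);
  return TAGS
    .filter((t) => t.category === "essential" || granted.includes(t.category))
    .map((t) => t.name);
}

// Step 9: observed cookies that the consent state or the inventory does not cover.
function auditCookies(record, observedCookies, now) {
  const loaded = tagsToLoad(record, now);
  const allowed = new Set(TAGS.filter((t) => loaded.includes(t.name)).flatMap((t) => t.cookies));
  return observedCookies.filter((name) => !allowed.has(name));
}
```

A cookie returned by `auditCookies` is either set by a tag that should have stayed blocked or missing from the inventory, and both cases mean the notice and the site disagree.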