
Cookie policy review.
Consent before the cookie, not after.

EU visitors. GDPR ePrivacy. Consent before non-essential cookies. Third-party disclosure by tool name. Most Australian business cookie banners and policies don't meet GDPR requirements. Kontractually reviews yours against the checklist.

7-day free trial. Full platform access. No credit card required.

Before vs. after

What changes when you review your cookie policy first.

Before

Your website sets Google Analytics, Meta Pixel, and HubSpot cookies on page load - before the visitor clicks anything. An EU visitor files a complaint with their data protection authority. You receive a formal enquiry about your cookie consent mechanism.

With Kontractually

Kontractually reviews your cookie policy and flags that non-essential cookies are being set without prior consent, violating the ePrivacy Directive. You implement a consent-first banner that blocks analytics and marketing cookies until the visitor opts in.

ePrivacy violation caught before a complaint
Before

Your cookie policy lists 'analytics cookies' and 'marketing cookies' as categories but doesn't name the specific tools or third parties involved. Under GDPR, this level of disclosure is insufficient. A customer asks which third parties receive their browsing data and you can't answer from the policy alone.

With Kontractually

Kontractually flags the missing third-party disclosure. Your updated policy names each tool (Google Analytics 4, Meta Pixel, HubSpot tracking), its purpose, cookie duration, and the third party that receives the data - meeting GDPR transparency requirements.

Third-party cookie disclosure aligned with GDPR requirements
Before

Your consent banner has a large green 'Accept All' button and a small grey 'Manage Preferences' link. There is no 'Reject All' option. Under GDPR guidance, this is a dark pattern - rejecting cookies must be as easy as accepting them.

With Kontractually

Kontractually flags the asymmetric consent design as inconsistent with GDPR consent requirements. You add an equally prominent 'Reject Non-Essential' button, ensuring consent is freely given rather than nudged.

Dark pattern risk eliminated from consent flow
Requirements checklist

6 cookie policy requirements to check.

1. Cookie categories and disclosure
Cookies must be categorised: strictly necessary, functional, analytics, and marketing/advertising. Each category must be disclosed with the specific cookies used, their purpose, and duration. A blanket 'we use cookies' disclosure without categorisation is non-compliant under GDPR, and categorisation is best practice under the APPs.

2. Consent before non-essential cookies
Under the GDPR and the ePrivacy Directive, consent must be obtained before setting non-essential cookies (analytics, advertising, functional). Consent must be freely given, specific, and informed - not pre-ticked boxes, not implied by continued browsing. Consent must be as easy to withdraw as to give.

3. Third-party cookie disclosure
Third-party cookies (Google Analytics, Meta Pixel, HubSpot, Intercom, etc.) must be individually disclosed. Users must know which third parties have access to their browsing data via cookies on your site. Disclosure by cookie category alone is insufficient - specific tool names are required under GDPR.

4. Cookie duration and storage
Session cookies and persistent cookies must be distinguished. Persistent cookies must disclose their expiry period. GDPR doesn't set a maximum cookie duration, but excessive retention without justification is a risk. Analytics cookies with a duration of 2+ years are frequently challenged.

5. Consent management and records
How consent is recorded matters. You must be able to demonstrate that consent was obtained, when, and for which categories. Consent records must be stored. If consent is withdrawn, the cookies must be removed. Cookie consent management platforms (CMPs) handle this, but the policy must explain the process.

6. Australian Privacy Act obligations
The Privacy Act applies to browsing data that can identify individuals. Cookies that track individual users across sessions are personal information under the APPs. Your cookie policy must align with your privacy policy on collection purpose, retention, and third-party disclosure.
FAQ

Cookie policy questions.


Do I need a cookie consent banner?
If you have EU visitors or EU customers, yes - the GDPR and the ePrivacy Directive require consent before setting non-essential cookies. The Australian Privacy Act doesn't require a consent banner specifically, but it requires transparency about personal information collection. For Australian-only sites without EU visitors, a cookie policy that discloses cookie use may be sufficient. For any site with EU visitors, a consent banner before non-essential cookies is required. Kontractually reviews your cookie policy against these requirements.

What must a cookie consent banner do under GDPR?
Under GDPR, a cookie consent banner must: (1) appear before non-essential cookies are set, (2) clearly distinguish between essential and non-essential cookies, (3) allow users to accept or reject by category (not just 'accept all'), (4) not use dark patterns (pre-ticked boxes, misleading button placement, 'accept' and 'learn more' with no 'reject'), (5) make withdrawing consent as easy as giving it, and (6) record and honour consent. Kontractually can review your cookie policy and banner configuration against these requirements.
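The consent-first flow described in checklist items 2 and 5 and in the banner requirements above, as an added example that is not Kontractually's code or any CMP vendor's: third-party tags are registered with their category and cookies, nothing loads until an explicit choice is recorded, and withdrawal removes the cookies. The `loadScript`, `deleteCookie` and `example.invalid` script URLs are assumptions so the logic runs outside a browser.

```javascript
// Added example (not Kontractually's or any CMP vendor's code): a consent-first gate
// that keeps non-essential tags unloaded until the visitor records an explicit choice.
// Cookie deletion and script loading are injected so the logic runs in Node; in a
// browser you would pass document.cookie helpers and a <script> injector.
const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];

function createConsentGate({ loadScript, deleteCookie, now = () => new Date() }) {
  const tags = [];   // registered third-party tools
  let record = null; // stored consent record: what was granted, when, for which policy
  return {
    // Each tool is disclosed by name, category, the cookies it sets and its script URL.
    register(name, category, cookies, src) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
      tags.push({ name, category, cookies, src, loaded: false });
    },
    // Called only on an explicit click; an empty list means "Reject non-essential".
    // Tags in granted categories load once; cookies of refused tags are removed.
    recordChoice(granted, policyVersion) {
      const categories = NON_ESSENTIAL.filter((c) => granted.includes(c));
      record = { timestamp: now().toISOString(), categories, policyVersion };
      for (const tag of tags) {
        if (categories.includes(tag.category)) {
          if (!tag.loaded) { loadScript(tag.src); tag.loaded = true; }
        } else {
          tag.cookies.forEach(deleteCookie); // a script already loaded needs a reload to stop fully
        }
      }
      return record;
    },
    // Withdrawal is a single call, as easy as giving consent.
    withdraw() { return this.recordChoice([], record && record.policyVersion); },
    isAllowed(category) { return record !== null && record.categories.includes(category); },
    getRecord() { return record; },
    // Rows for the policy's disclosure table: tool name, category, cookie names.
    disclosure() { return tags.map(({ name, category, cookies }) => ({ name, category, cookies })); },
  };
}

// Demo with constructed script URLs (the cookie names are the ones these tools really set).
function runDemo() {
  const loaded = [], deleted = [];
  const gate = createConsentGate({ loadScript: (s) => loaded.push(s), deleteCookie: (c) => deleted.push(c) });
  gate.register('Google Analytics 4', 'analytics', ['_ga'], 'https://example.invalid/ga4.js');
  gate.register('Meta Pixel', 'marketing', ['_fbp'], 'https://example.invalid/pixel.js');
  const loadedBeforeChoice = loaded.length;      // must be 0: nothing loads on page load
  gate.recordChoice(['analytics'], 'v3');        // visitor opts in to analytics only
  const loadedAfterChoice = loaded.slice();      // only the GA4 script
  gate.withdraw();                               // later withdrawal: _ga removed, record emptied
  return { loadedBeforeChoice, loadedAfterChoice, deleted, record: gate.getRecord() };
}
```

The `disclosure()` output is the table the policy needs for checklist item 3; the stored record (timestamp, categories, policy version) is what item 5 asks you to be able to demonstrate.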

What is the ePrivacy Directive and how does it relate to GDPR?
The ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) specifically governs the use of cookies and similar tracking technologies. While GDPR provides the general framework for consent and personal data processing, the ePrivacy Directive adds a specific requirement: storing or accessing information on a user's device (cookies, local storage, fingerprinting) requires prior informed consent unless the cookie is strictly necessary for a service explicitly requested by the user. The ePrivacy Directive is sometimes called the 'cookie law' because of this specific focus. Both frameworks apply simultaneously to cookies that process personal data.

Are analytics cookies strictly necessary?
No. The European Data Protection Board (EDPB) has confirmed that analytics cookies are not strictly necessary for providing a service requested by the user. First-party analytics cookies (such as those set by self-hosted Matomo or Plausible) may qualify for an exemption in some EU member states if they are used solely for aggregate statistical purposes and do not track users across sites. However, Google Analytics cookies are consistently classified as non-essential because data is transferred to a third party (Google) and can be used for profiling. Consent is required before setting analytics cookies under the ePrivacy Directive.

Does the Australian Privacy Act apply to cookies?
The Privacy Act 1988 does not specifically mention cookies, but APP 3 applies to any collection of personal information - including information collected via cookies that can identify an individual. If a cookie tracks a user across sessions and can be linked to an identifiable person (through login, email, IP address, or device fingerprinting), that browsing data is personal information under the APPs. APP 5 requires that individuals are notified about the collection, and APP 1 requires your privacy policy to describe how personal information is managed. Your cookie policy should align with your APP privacy notice on these points.

Review your cookie policy and banner today.

Start 7-day free trial