
Cookie Policy Generator from Your Code

The ePrivacy Directive and GDPR require you to inform users about every cookie and tracking technology your site uses. Most cookie policy generators ask you to list them manually. Codepliant scans your codebase to detect cookie-setting services, analytics SDKs, tracking scripts, and session storage — then generates an accurate cookie policy based on what your code actually does.

What a cookie policy must contain

The ePrivacy Directive (2002/58/EC) and GDPR set specific requirements for cookie disclosures. Every compliant cookie policy must address these elements:

What cookies you set

A complete list of cookies placed on user devices — first-party and third-party — including their names, domains, and expiration periods.

Purpose of each cookie

Why each cookie exists: authentication, analytics, advertising, preferences, or security. The ePrivacy Directive requires this disclosure before consent is obtained.

Cookie categories

Cookies grouped by type: strictly necessary (exempt from consent), analytics and performance, functional/preferences, and targeting/marketing.

Third-party cookies

Every third party that sets cookies through your site — Google Analytics, Facebook Pixel, ad networks — with links to their own cookie policies.

How users can manage cookies

Clear instructions for accepting, rejecting, or withdrawing consent. Browser-level controls alone are not sufficient under GDPR — you need a consent mechanism.

Consent mechanism

How consent is collected (cookie banner, preference center) and how users can change their choices at any time. Pre-ticked checkboxes are not valid consent under GDPR.

Data transfers

If third-party cookies send data to servers outside the EU/EEA, you must disclose the transfer mechanisms (SCCs, adequacy decisions).

Policy updates

How and when the cookie policy is updated, and how users are notified of material changes.

Missing even one cookie from your policy can constitute non-compliance. The challenge is that developers often do not know which dependencies set cookies — a single analytics SDK can place multiple tracking cookies silently.

The four types of cookies

Regulators and consent management platforms categorize cookies into four types. Each has different consent requirements under the ePrivacy Directive:

Essential / Strictly Necessary

No consent required

Cookies that are strictly necessary for the service the user explicitly requested. Includes session IDs, authentication tokens, CSRF protection, shopping cart state, and load balancer affinity. These are exempt from consent under Article 5(3) of the ePrivacy Directive.

Detected by Codepliant: express-session, next-auth session tokens, connect.sid, CSRF tokens, Clerk session cookies

Analytics / Performance

Consent required

Cookies that measure how users interact with your site — page views, session duration, bounce rate, feature usage. Even when data is anonymized, most EU DPAs require consent for analytics cookies.

Detected by Codepliant: Google Analytics (_ga, _gid), PostHog, Mixpanel, Amplitude, Plausible, Fathom

Marketing / Targeting

Consent required

Cookies used to track users across websites, build advertising profiles, and serve targeted ads. These always require explicit consent and are the primary enforcement target for regulators.

Detected by Codepliant: Facebook Pixel (_fbp), Google Ads (IDE, _gcl_au), LinkedIn Insight Tag, TikTok Pixel, Twitter conversion tracking

Preferences / Functional

Consent required

Cookies that remember user choices like language, theme, layout, or region. Not strictly necessary for the service to function, so consent is required — though enforcement is less aggressive than for marketing cookies.

Detected by Codepliant: Language preferences, dark mode settings, LaunchDarkly feature flags, Statsig, dismissed banners

How Codepliant detects cookie-setting services

Instead of asking you to list your cookies, Codepliant reads your project and identifies cookie-setting services automatically. Here is what happens when you run the CLI:

1. Scan dependencies

Codepliant reads your package.json, requirements.txt, go.mod, Cargo.toml, Podfile, or equivalent manifest. It identifies packages known to set cookies — analytics SDKs, authentication libraries, advertising pixels, and session middleware.

2. Scan source code imports

Dependencies alone miss inline scripts and CDN-loaded libraries. Codepliant scans your source files for import statements, require calls, and script tags that reference cookie-setting services like Google Tag Manager, Facebook SDK, or custom tracking code.

3. Scan environment variables

API keys and tracking IDs in your .env files reveal which services are active. NEXT_PUBLIC_GA_MEASUREMENT_ID means Google Analytics is in use. FACEBOOK_PIXEL_ID means the Meta pixel is loaded. Codepliant maps each env pattern to the correct service.

4. Categorize and map cookies

Each detected service is mapped to a cookie category (essential, analytics, marketing, preferences) and tagged with the specific cookies it sets. Google Analytics triggers _ga, _gid, and _gat disclosures. Stripe triggers __stripe_mid and __stripe_sid disclosures.

5. Generate the cookie policy

The policy is assembled with a table of cookies grouped by category, each with its name, purpose, provider, and expiration. It includes the correct consent requirements per category and instructions for managing cookie preferences.
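The following is an added example, not Codepliant's own code, that walks the five steps above end to end (manifest scan, import scan, env scan, category mapping, policy rendering) and also shows the four-category consent mapping from the earlier section. The package names, import patterns and environment-variable names in the signature table are assumed detection signatures; the cookie names and durations are the ones this page lists. The sample project at the bottom is constructed to mirror the page's Next.js example (Clerk, Stripe, Google Analytics, Facebook Pixel).

```javascript
// Added example (not Codepliant's code): minimal version of the five-step scan.
// Signatures below are assumptions for illustration; cookie data is from the page.

const CONSENT_BY_CATEGORY = {
  essential: 'No consent required (strictly necessary)',
  analytics: 'Consent required (Article 5(3) ePrivacy Directive)',
  marketing: 'Consent required (Article 5(3) ePrivacy Directive)',
  preferences: 'Consent required',
};

// Signature database: how a service shows up in a codebase and which cookies it sets.
const SIGNATURES = [
  { service: 'Google Analytics', provider: 'Google LLC', category: 'analytics',
    packages: ['@google-analytics/data'],
    importPatterns: [/gtag\.js/, /googletagmanager\.com/],
    envPatterns: [/^NEXT_PUBLIC_GA_MEASUREMENT_ID$/],
    cookies: [{ name: '_ga', duration: '2 years' }, { name: '_gid', duration: '24 hours' }] },
  { service: 'Facebook Pixel', provider: 'Meta Platforms, Inc.', category: 'marketing',
    packages: [], importPatterns: [/connect\.facebook\.net/], envPatterns: [/^FACEBOOK_PIXEL_ID$/],
    cookies: [{ name: '_fbp', duration: '90 days' }] },
  { service: 'Stripe', provider: 'Stripe, Inc.', category: 'essential',
    packages: ['stripe', '@stripe/stripe-js'], importPatterns: [/js\.stripe\.com/], envPatterns: [/^STRIPE_/],
    cookies: [{ name: '__stripe_mid', duration: '1 year' }, { name: '__stripe_sid', duration: 'session' }] },
  { service: 'Clerk', provider: 'Clerk, Inc.', category: 'essential',
    packages: ['@clerk/nextjs'], importPatterns: [/@clerk\//], envPatterns: [/^(NEXT_PUBLIC_)?CLERK_/],
    cookies: [{ name: '__clerk_session', duration: 'session' }] },
  { service: 'express-session', provider: 'first party', category: 'essential',
    packages: ['express-session'], importPatterns: [/['"]express-session['"]/], envPatterns: [],
    cookies: [{ name: 'connect.sid', duration: 'session' }] },
];

// Step 1: dependency names from a package.json manifest (given as text).
function scanDependencies(manifestText) {
  const manifest = JSON.parse(manifestText);
  return new Set([...Object.keys(manifest.dependencies || {}),
                  ...Object.keys(manifest.devDependencies || {})]);
}

// Step 2: import specifiers, require() arguments and <script src> URLs in one source file.
function scanImports(sourceText) {
  const patterns = [
    /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g,
    /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,
    /<script[^>]*\bsrc=['"]([^'"]+)['"]/g,
  ];
  return patterns.flatMap((re) => [...sourceText.matchAll(re)].map((m) => m[1]));
}

// Step 3: variable names from a .env file. Values are never read or stored.
function scanEnv(envText) {
  return envText.split('\n')
    .map((line) => line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/))
    .filter(Boolean).map((m) => m[1]);
}

// Step 4: match evidence against the signature table. A service found in several
// places is reported once with all of its evidence; unknown packages are ignored.
function detectServices({ manifestText, sourceTexts, envText }) {
  const deps = scanDependencies(manifestText);
  const refs = sourceTexts.flatMap(scanImports);
  const envKeys = scanEnv(envText);
  const found = [];
  for (const sig of SIGNATURES) {
    const evidence = [];
    for (const pkg of sig.packages) if (deps.has(pkg)) evidence.push(`dependency ${pkg}`);
    for (const ref of refs) if (sig.importPatterns.some((re) => re.test(ref))) evidence.push(`import ${ref}`);
    for (const key of envKeys) if (sig.envPatterns.some((re) => re.test(key))) evidence.push(`env ${key}`);
    if (evidence.length) found.push({ ...sig, evidence });
  }
  return found;
}

// Step 5: render a plain-text cookie table grouped by category, with consent status.
function generatePolicy(services) {
  const lines = [];
  for (const category of ['essential', 'analytics', 'marketing', 'preferences']) {
    const group = services.filter((s) => s.category === category);
    if (!group.length) continue;
    lines.push(`${category.toUpperCase()} COOKIES: ${CONSENT_BY_CATEGORY[category]}`);
    for (const s of group) for (const c of s.cookies) {
      lines.push(`  ${c.name} | ${s.service} (${s.provider}) | ${c.duration} | found via ${s.evidence.join(', ')}`);
    }
  }
  return lines.join('\n');
}

// Constructed sample project (not a real codebase); IDs are placeholders.
const SAMPLE_PROJECT = {
  manifestText: JSON.stringify({ dependencies: { next: '14.0.0', '@clerk/nextjs': '4.0.0', stripe: '12.0.0', lodash: '4.17.21' } }),
  sourceTexts: [`import { ClerkProvider } from '@clerk/nextjs';
    export default function Layout() {
      return <script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" />;
    }`],
  envText: 'NEXT_PUBLIC_GA_MEASUREMENT_ID=G-PLACEHOLDER\nFACEBOOK_PIXEL_ID=PLACEHOLDER\n# Stripe secret key lives in the secrets manager\n',
};

console.log(generatePolicy(detectServices(SAMPLE_PROJECT)));
```

Running it prints four services across three categories: Clerk and Stripe as essential (no consent), Google Analytics as analytics, and Facebook Pixel as marketing, even though the pixel appears nowhere in package.json and is only visible through its environment variable. The `evidence` field is the part worth keeping in a real tool: it lets a reviewer trace every disclosed cookie back to the dependency, import or variable that triggered it, and it makes a diff between two scans meaningful.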

Cookie-setting services Codepliant detects

Google Analytics / GA4 (_ga, _gid)
Google Tag Manager
Facebook Pixel / Meta SDK (_fbp)
Google Ads / AdSense (IDE, _gcl_au)
Segment / Mixpanel / Amplitude
PostHog / Plausible / Fathom
LinkedIn Insight Tag
TikTok Pixel / Twitter Pixel
Stripe (__stripe_mid, __stripe_sid)
Session middleware (express-session, cookie-session)
Authentication (Clerk, Auth0, NextAuth, Firebase Auth)
Consent management platforms (OneTrust, CookieBot, Osano)
Hotjar / FullStory / LogRocket
Intercom / HubSpot / Drift
LaunchDarkly / Statsig feature flags
Sentry error monitoring

Generic template vs. Codepliant-generated

Here is the difference between a typical cookie policy template and what Codepliant produces for the same codebase — a Next.js SaaS app using Google Analytics, Stripe, Clerk, and Facebook Pixel.

Generic template

Cookies We Use

Our website uses cookies and similar tracking technologies to enhance your browsing experience. We use essential cookies to make the site work, and we may also use analytics and advertising cookies.

Third-Party Cookies

We may use third-party cookies from our advertising and analytics partners. These cookies help us understand how visitors use our website.

Managing Cookies

You can control cookies through your browser settings. Note that disabling cookies may affect site functionality.

Codepliant-generated

Essential Cookies

__clerk_session (Clerk, Inc.): Maintains user authentication state. Duration: session. No consent required — strictly necessary.

__stripe_mid, __stripe_sid (Stripe, Inc.): Fraud prevention for payment processing. Duration: 1 year / session. No consent required — strictly necessary.

Analytics Cookies

_ga, _gid (Google LLC): Distinguishes unique users and tracks session data. Duration: 2 years / 24 hours. Consent required — Article 5(3) ePrivacy Directive.

Marketing Cookies

_fbp (Meta Platforms, Inc.): Tracks users across websites for targeted advertising. Duration: 90 days. Consent required — Article 5(3) ePrivacy Directive.

International Data Transfers

Cookie data is transferred to the United States via: Google LLC (Mountain View, CA), Meta Platforms, Inc. (Menlo Park, CA), Stripe, Inc. (San Francisco, CA), Clerk, Inc. (San Francisco, CA). Transfers governed by Standard Contractual Clauses.

The difference: The generic template says "we may use analytics and advertising cookies." Codepliant names Google Analytics and Facebook Pixel — because it found them in your code. It lists the specific cookies each service sets, their durations, the provider company, and whether consent is required under the ePrivacy Directive. No "may" — just what your code actually does.

ePrivacy Directive requirements for cookies

Article 5(3) of the ePrivacy Directive sets the rules for storing information on user devices. Here is what it requires and how Codepliant helps you comply:

Prior informed consent

Users must consent before non-essential cookies are set. Codepliant separates essential from non-essential cookies so you know which require consent.

Clear, comprehensive information

Users must be told what cookies do, who sets them, and how long they last. Codepliant generates this information per cookie from its service signature database.

Freely given consent

Cookie walls (blocking access unless cookies are accepted) are generally not permitted. Your cookie policy must describe a genuine choice mechanism.

Easy withdrawal

Withdrawing consent must be as easy as giving it. Codepliant includes instructions for managing preferences through your consent mechanism.

Generate your cookie policy in seconds

Scan your codebase. Get a cookie policy that names your actual tracking services, lists every cookie they set, and categorizes them for ePrivacy Directive compliance.

Free, open source, no account required. Works offline.

npx codepliant go

Frequently asked questions

What is the ePrivacy Directive and how does it affect cookies?

The ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) — often called the "Cookie Law" — requires websites to obtain informed consent before placing non-essential cookies on a user's device. It works alongside GDPR: the ePrivacy Directive governs the act of storing or accessing cookies, while GDPR governs the processing of any personal data those cookies collect. Codepliant detects cookie-setting services in your code so your policy accurately reflects what cookies are placed and why.

What is the difference between a cookie policy and a privacy policy?

A privacy policy covers all personal data processing — collection, storage, sharing, retention, and user rights. A cookie policy is specifically about cookies and similar tracking technologies: what cookies your site sets, their purpose, their duration, and how users can manage them. Many regulators expect both documents. Codepliant generates each one separately, tailored to your actual codebase.

Does Codepliant detect all four types of cookies?

Yes. Codepliant categorizes detected cookies into four types: essential (session management, authentication, CSRF tokens), analytics (Google Analytics, PostHog, Mixpanel), marketing (Facebook Pixel, Google Ads, LinkedIn Insight Tag), and preferences (language settings, theme choices, feature flags). Each category is listed in the generated policy with the correct consent requirements.

How does Codepliant detect cookie-setting services?

Codepliant scans your package.json (or equivalent), source code imports, and environment variables. It matches against a database of service signatures — for example, detecting @google-analytics/data or gtag.js in your code triggers analytics cookie disclosures. It also detects session middleware, authentication libraries, and consent management platforms.

Do essential cookies require consent?

No. Under the ePrivacy Directive, strictly necessary cookies — those required for the service the user explicitly requested — are exempt from consent requirements. This includes session cookies, authentication tokens, CSRF protection, and shopping cart cookies. However, you must still disclose them in your cookie policy. Codepliant marks these as essential so users understand no consent is needed.

How often should I regenerate my cookie policy?

Regenerate whenever you add or remove analytics, marketing, or tracking services. Adding Google Analytics, switching from Mixpanel to PostHog, or integrating a new consent management platform all change your cookie footprint. Use codepliant diff to see what changed since the last generation. Many teams add Codepliant to their CI pipeline to catch changes automatically.

Is this free to use?

Yes. The CLI is open source (MIT licensed) and free. Run npx codepliant go in your project directory and the cookie policy is generated locally — no account, no API key, no network calls.
