---
name: prompt-pack-cookie-policy
description: Use when a company needs to draft or update a Cookie Policy for its website or app, explaining the types of cookies used (essential, analytics, marketing), their purposes and durations, third-party cookies, and how users manage preferences. Must comply with the jurisdiction's applicable law — GDPR and ePrivacy Directive for EU; UAE PDPL and TDRA guidance; KSA NDMO regulations; DIFC/ADGM DP Law; Lebanon Law No. 81 of 2018 (where applicable). Requires a cookie consent mechanism to be implemented alongside the policy.
license: MIT
metadata:
  id: prompt-pack.cookie-policy
  category: prompt-pack
  practice_area: privacy-data-protection
  priority: P2
  intent: [drafting, cookie-policy, privacy, consent-management, data-protection]
  related: [prompt-pack-data-processing-agreement, prompt-pack-data-retention-policy, prompt-pack-privacy-policy, prompt-pack-cross-border-data-transfer-assessment]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---
# Cookie Policy
A Cookie Policy is a disclosure document, but it is also a legal instrument: in GDPR jurisdictions, an inadequate cookie notice can constitute a violation of the consent requirement, exposing companies to regulatory fines and private claims. In MENA jurisdictions, the law is evolving — but the direction of travel is consistent with the EU framework.
## When to use this
- A website or app is being launched and requires a Cookie Policy to comply with applicable privacy law.
- The company has changed its cookie practices (new analytics tools, new advertising networks, new consent management platform) and needs to update its policy.
- A regulatory audit or data protection review has identified the cookie notice as non-compliant.
- A company is expanding from a MENA-only operation to serving EU or UK users and must upgrade its cookie compliance to meet GDPR/UK GDPR standards.
- A company is implementing a Consent Management Platform (CMP) and needs the policy to align with the consent categories the CMP will manage.
## Required inputs
| Input | Why it matters | Sensible default |
|---|---|---|
| Company name | The policy identifies the controller | Ask the user |
| Website or app name and URL | The policy is specific to a digital property | Ask the user |
| Jurisdiction(s) of users | The applicable legal standard (GDPR / UAE PDPL / KSA / other) | Ask the user — different standards apply |
| Types of cookies in use | Policy must describe cookies actually used; cannot be generic | Ask the user to provide their cookie audit or list of tools |
| Whether a consent mechanism exists | If no CMP exists, the policy must refer to alternative opt-out methods | Ask the user |
## Optional inputs
- Names of specific third-party cookies (Google Analytics, Meta Pixel, LinkedIn Insight Tag, etc.) — enhances transparency and regulatory compliance.
- Whether the site targets children under 13/16 (higher consent standards apply).
- Whether an existing Privacy Policy should be cross-referenced.
- Language requirements (Arabic version for MENA onshore users).
## Document structure

### 1. Introduction
- Identifies the company as the data controller.
- States the purpose of the policy (explain what cookies are and how the company uses them).
- States the effective date and when the policy was last updated.
- Provides a link to the company's Privacy Policy.
### 2. What are cookies?
Plain-language explanation:
- Cookies are small text files placed on the user's device by the website.
- They serve different purposes — from making the website function (essential) to tracking user behavior for analytics or advertising (non-essential).
- Distinguish between first-party cookies (set by the website itself) and third-party cookies (set by external services embedded in the website).
- Distinguish between session cookies (deleted when the browser closes) and persistent cookies (remain on the device for a set period).
### 3. Categories of cookies used
Present in a table:
| Category | Purpose | Examples | Duration | Can users opt out? |
|---|---|---|---|---|
| Strictly necessary / essential | Required for the website to function; cannot be disabled without breaking the site | Session tokens, login state, security cookies | Session or short-term persistent | No (essential function) |
| Analytics / performance | Measure how users interact with the site; help improve performance | Google Analytics, Hotjar, Amplitude | 30 days – 2 years typically | Yes (via CMP or opt-out tools) |
| Functionality / preferences | Remember user preferences (language, region, display settings) | Locale cookies, preference tokens | 30 days – 1 year typically | Yes |
| Marketing / advertising | Track users across sites to serve targeted advertising | Meta Pixel, Google Ads, LinkedIn Insight Tag | 90 days – 2 years typically | Yes (via CMP and opt-out) |
For each named third-party cookie, include the name of the provider and a link to their own privacy/cookie policy.
### 4. How we use cookies
Narrative description of the purposes for which each category is used, mapped to the company's specific use case.
### 5. Legal basis for cookies
State the legal basis per jurisdiction:
GDPR (EU/UK) and DIFC/ADGM DP Law:
- Essential cookies: legitimate interests (Art. 6(1)(f) GDPR) or contractual necessity. No prior consent required.
- Non-essential cookies: prior, freely given, specific, informed, and unambiguous consent (Art. 6(1)(a) GDPR and ePrivacy Directive). Consent must be obtained before non-essential cookies are placed.
UAE PDPL (Federal Decree-Law No. 45 of 2021):
- Consent is required for personal data processing unless another lawful basis applies.
- The TDRA has not yet issued detailed cookie-specific guidance as of 2026; align with GDPR best practice.
KSA PDPL (Personal Data Protection Law, Royal Decree M/19, 2021):
- Consent is the primary lawful basis for processing; NDMO guidance should be monitored.
- As of 2026, cookie-specific guidance is not yet published; GDPR-aligned consent is the conservative approach.
Lebanon:
- Law No. 81 of 2018 (Electronic Transactions) and access to information principles apply.
- GDPR alignment is recommended for companies also serving EU users.
### 6. Third-party cookies
- List each third party by name and describe the type of data collected.
- State that the company is not responsible for third-party cookie practices and link to each provider's policy.
- Note that some third parties may use the data for their own purposes (cross-context behavioral advertising) subject to their own policies.
### 7. How to manage cookie preferences
Describe all available mechanisms:
- Consent Management Platform (CMP): If the site has a CMP, describe how users access and change their consent preferences (banner, preference center, link in the footer).
- Browser settings: Most browsers allow users to block or delete cookies; provide links to the instructions for major browsers.
- Opt-out tools: For specific third parties (e.g., Google Analytics opt-out browser add-on, NAI opt-out, DAA opt-out).
- Effect of opting out: Be clear that opting out of non-essential cookies may affect site functionality.
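As an added illustration, not code from the prompt pack or from the HAQQ Legal AI project, the following DOM-free JavaScript shows the consent gate that sections 5 and 7 require: essential cookies load unconditionally, while analytics, functionality and marketing tags load only after an explicit, recorded opt-in, and a stale or expired consent record falls back to "essential only" so the banner re-prompts. The policy version, the 180-day consent lifetime and the tag inventory are assumptions.

```javascript
// Added example: consent gate for the four categories in the policy's table.
// Runs under Node with no DOM; a site would call these from its banner and tag loader.
const POLICY_VERSION = "2026-01-01"; // assumed; bump when the "last updated" date changes
const CATEGORIES = ["essential", "analytics", "functionality", "marketing"];
const CONSENT_MAX_AGE_DAYS = 180;    // assumed lifetime; re-prompt after this
const DAY_MS = 86400000;

// Build a consent record from banner choices. Essential is always on; anything
// not explicitly `true` is treated as refused (no pre-ticked boxes, no implied consent).
function buildConsentRecord(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "essential" ? true : choices[c] === true;
  return { version: POLICY_VERSION, timestamp: now, granted };
}

// A record counts only if it was given under the current policy version and is not expired.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION) return false;
  const ageMs = now - record.timestamp;
  return ageMs >= 0 && ageMs <= CONSENT_MAX_AGE_DAYS * DAY_MS;
}

// The gate: may a cookie or script of this category be placed right now?
// With no valid record only essential cookies pass (prior-consent rule).
function mayPlace(category, record, now = Date.now()) {
  if (!CATEGORIES.includes(category)) return false; // unknown category: refuse by default
  if (category === "essential") return true;
  return isConsentValid(record, now) && record.granted[category] === true;
}

// Filter the site's tag inventory down to the tags allowed to load.
function tagsAllowedToLoad(tags, record, now = Date.now()) {
  return tags.filter((t) => mayPlace(t.category, record, now)).map((t) => t.name);
}

// The record itself lives in an essential first-party cookie; parse defensively.
function serializeConsent(record) {
  return encodeURIComponent(JSON.stringify(record));
}
function parseConsent(value) {
  try {
    const r = JSON.parse(decodeURIComponent(value));
    return r && typeof r.granted === "object" ? r : null;
  } catch (e) {
    return null; // malformed or tampered cookie: treat as no consent
  }
}

// Constructed sample inventory mirroring the policy's category table.
const SAMPLE_TAGS = [
  { name: "session-token", category: "essential" },
  { name: "google-analytics", category: "analytics" },
  { name: "locale-cookie", category: "functionality" },
  { name: "meta-pixel", category: "marketing" },
];
```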
### 8. Data transfers
If cookies cause personal data to be transferred to servers outside the jurisdiction (e.g., Google Analytics data transferred to the US, Meta Pixel data transferred to the US):
- Disclose the transfer.
- State the safeguard: adequacy decision (for EU to certain countries), Standard Contractual Clauses, or equivalent mechanism.
- In DIFC context: transfers outside DIFC require adequate protection per DIFC Data Protection Law.
- In UAE PDPL context: cross-border transfers require compliance with Chapter 6 of the PDPL.
### 9. Updates to this policy
- The company may update this policy to reflect changes in cookies or law.
- Users will be notified of material changes.
- The "last updated" date at the top of the policy reflects the most recent revision.
### 10. Contact information
- Data Protection Officer name or role (if a DPO is appointed).
- Email address for cookie-related queries.
- Postal address.
- How to exercise data subject rights (link to DSR procedure or Privacy Policy).
## Jurisdictional compliance notes
| Jurisdiction | Key requirement |
|---|---|
| EU / GDPR + ePrivacy | Prior opt-in consent for all non-essential cookies; "cookie walls" (no access without consent) are prohibited in most EU member state guidance; cookie banner must not use dark patterns |
| UK GDPR + PECR | Same as EU; ICO guidance published; similar prohibition on dark patterns |
| DIFC / ADGM | DIFC DP Law 2020 / ADGM DP Regulations 2021; equivalent to GDPR; consent required for non-essential processing |
| UAE PDPL | Consent required; TDRA and DIFC/ADGM-registered entities should align with GDPR pending specific guidance |
| KSA | NDMO implementing regulations; consent required; Arabic-language policy recommended |
| Lebanon | Law No. 81 of 2018; GDPR alignment recommended |
## Common mistakes
- Publishing a Cookie Policy without implementing a working Consent Management Platform — the policy is then legally meaningless because consent cannot be obtained before cookies are placed.
- Cookie Policy that lists generic categories but does not name the specific cookies and third parties in use — regulators and DPAs increasingly require specific disclosure.
- "Cookie walls" — blocking site access unless the user accepts all cookies — are likely non-compliant under GDPR and leading MENA frameworks.
- Not updating the policy when new tracking tools are added. Each new tool that places a cookie must be disclosed.
- Combining the Cookie Policy with the Privacy Policy in a way that makes neither readable — keep them as separate documents with cross-links.
## Related skills
- [[prompt-pack-data-processing-agreement]]
- [[prompt-pack-data-retention-policy]]
- [[prompt-pack-privacy-policy]]
- [[prompt-pack-cross-border-data-transfer-assessment]]
- [[prompt-pack-data-subject-access-request-procedure]]