GDPR Basics · 6 January 2026 · 4 min read

Cookie Banner vs Privacy Policy: What's the Difference?

Many website owners confuse cookie banners and privacy policies, or think one replaces the other. Here's what each one is, what it must contain, and why you need both.

A cookie banner and a privacy policy are not the same thing, and having one does not mean you don't need the other. Both are required under GDPR, and they serve different legal purposes.

What a cookie banner is for

A cookie banner is a consent mechanism. Its job is to obtain the user's consent before placing non-essential cookies on their device. It must appear before those cookies fire, give the user a genuine choice to accept or decline, and be visible enough that users can't miss it. It is an active tool — it collects a consent signal that you may be asked to prove to regulators.

What a privacy policy is for

A privacy policy is an information document. It explains your data practices to users: what personal data you collect, why you collect it, how long you keep it, who you share it with, and what rights users have. Under GDPR Article 13, you must provide this information to every person whose data you process. Unlike a cookie banner, a privacy policy doesn't collect consent — it fulfils your transparency obligations.

What a cookie policy is for

A cookie policy (sometimes a section within your privacy policy) specifically lists the cookies your website uses. For each cookie it should state: the cookie name, its purpose, whether it is first-party or third-party, how long it persists, and whether it requires consent. Regulators increasingly expect a detailed cookie list, not just a general statement that "we use cookies".

Do I need all three?

Yes. You need a cookie banner to collect consent before non-essential cookies fire. You need a privacy policy to explain your data practices generally. And you need a cookie policy (or section) that gives users a detailed breakdown of every cookie on your site. Many websites combine the cookie policy into their privacy policy to keep things simple — that's fine, as long as both sets of information are present.

Common mistakes

The most common mistake is having a privacy policy but no cookie banner, or having a cookie banner that links to a generic privacy policy with no cookie-specific information. Another frequent issue is having a cookie policy that lists only the "nice" cookies and omits third-party tracking cookies added by Google Analytics or advertising platforms. A cookie audit — which MyCookieKit's built-in scanner can do — helps you make sure your policy matches what's actually on your site.

The quick checklist

Before your cookies load: a cookie banner with accept/decline options.
Linked from your banner and footer: a privacy policy covering all GDPR Article 13 requirements.
Also linked or within your privacy policy: a cookie policy listing every cookie by name, purpose, and duration.
Accessible at any time: a way for users to change their cookie preferences (a "cookie settings" button or link).

