At a glance
Cookies fall into four categories: Strictly Necessary (no consent needed), Functional, Analytics, and Marketing. The last three all require consent under ePrivacy.
Not all cookies are equal. Some are genuinely essential to make your website work. Others are entirely optional tools that benefit your business, but not the user. The distinction matters because ePrivacy treats them very differently.
Here’s the complete breakdown of cookie categories, what falls into each one, and the consent rules that apply.
1: Strictly Necessary Cookies
These are the cookies that are genuinely required to provide the service a user is “actively requesting”. Without them, the website simply can’t function properly for that user.
No consent is required for these cookies.
What counts as strictly necessary:
- Session cookies: maintain the user’s session while they browse (identifying them as the same user across pages).
- Authentication cookies: keep users logged in.
- Shopping basket cookies: retain the contents of a basket.
- Load balancing cookies: distribute traffic across servers to maintain performance.
- Security cookies: CSRF tokens and similar that protect against attacks.
- Cookie consent cookies: the cookie that remembers whether your users consented to optional cookies or not. Yes, a cookie is required to refuse cookie consent. What a world!
Watch out
“Strictly necessary” doesn’t mean “important to us.” It means necessary for the user to receive the service they explicitly requested. Analytics tools, chatbots, and personalisation engines don’t qualify. They’re useful, but the site can function without them. If you’re unsure whether something is strictly necessary, apply this test: if I removed this cookie completely, would the site still work for the user? If yes, it’s not strictly necessary.
2: Functional Cookies
Functional cookies enhance the user’s experience by remembering preferences, but they’re not strictly essential. The site works without them; they just make it nicer.
Consent is required for these cookies, unless the feature is specifically requested by the user (like a language preference toggle). Functional cookies can include things like:
- Language preference cookies: remembering that a user chose to view the site in French.
- Theme cookies: remembering a user’s choice of dark mode.
- Saved form data: pre-filling information from previous visits.
- Video player preferences: remembering playback quality or subtitle settings.
- Live chat cookies: cookies set by chat widgets that maintain chat history.
3: Analytics Cookies
Analytics cookies measure how visitors use your website. They track page views, session duration, navigation paths, device types, and similar behavioural data. They’re enormously useful to website owners – but entirely for the website owner’s benefit, not the users’.
Consent is always required for analytics cookies. Some companies have argued that analytics cookies are actually to users’ benefit, because the data they capture is used to improve the website. But ePrivacy doesn’t have a “good intentions” exemption. If the cookie isn’t strictly necessary for the user to access the service they’re requesting, consent is required. The EDPB has confirmed this position repeatedly. Some common analytics cookies include:
- Google Analytics 4: sets _ga and _ga_* cookies, tracks sessions and events, transfers data to Google servers.
- Adobe Analytics: sets s_cc and corresponding cookies.
- Hotjar: sets _hjSession_* cookies, also captures session recordings.
- Mixpanel: uses both cookies and local storage for user identification.
- Microsoft Clarity: sets _clsk and _clck cookies, captures session recordings.
4: Marketing & Advertising Cookies
These cookies track users across websites to build profiles and serve targeted advertising. They often involve multiple third parties and extensive cross-site tracking. They represent the highest privacy risk of any cookie category.
Consent is always required, and in practice this is the category with the lowest opt-in rates. Some of the most common marketing cookies include:
- Meta Pixel: tracks conversions and builds Custom Audiences for Facebook/Instagram ads.
- Google Ads Remarketing: builds retargeting audiences for Google Ads campaigns (this is why you sometimes visit a website and then start getting ads for it immediately afterwards).
- LinkedIn Insight Tag: conversion tracking and audience building for LinkedIn ads.
- TikTok Pixel: conversion tracking for TikTok advertising.
- DoubleClick: Google’s advertising technology for ad serving and measurement.
Common cookies reference table
| Cookie / tool | Category | Consent needed? | What it does |
|---|---|---|---|
| Session / PHPSESSID | Strictly Necessary | No | Maintains user session |
| CSRF token | Strictly Necessary | No | Security – prevents request forgery |
| Cookie consent preference | Strictly Necessary | No | Stores consent choice |
| Language preference | Functional | Yes | Stores chosen language |
| Dark mode preference | Functional | Yes | Stores theme preference |
| _ga (Google Analytics) | Analytics | Yes | Distinguishes users, tracks sessions |
| _ga_XXXXXX (GA4) | Analytics | Yes | Stores session state for GA4 |
| _hjSession (Hotjar) | Analytics | Yes | Records session information for heatmaps |
| _clck, _clsk (Clarity) | Analytics | Yes | User identification for session replay |
| _fbp (Meta Pixel) | Marketing | Yes | Tracks conversions for Meta Ads |
| _gcl_au (Google Ads) | Marketing | Yes | Conversion measurement for Google Ads |
| li_fat_id (LinkedIn) | Marketing | Yes | Tracks visits originating from LinkedIn ads |
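
The table above can be turned into an automated check. The following is an added example, not code from the original page: it classifies the cookie names listed here and reports any non-essential cookie present without matching consent. The names `csrf_token` and `cookie_consent`, and the shape of the `consent` object, are hypothetical because the page does not name them.

```javascript
// Cookie-name patterns taken from the lists and reference table on this page.
// "csrf_token" and "cookie_consent" are hypothetical names (the page gives none).
const RULES = [
  { re: /^(PHPSESSID|csrf_token|cookie_consent)$/, category: "necessary" },
  { re: /^_ga(_.+)?$/, category: "analytics" },        // GA4: _ga and _ga_*
  { re: /^_hjSession(_.+)?$/, category: "analytics" }, // Hotjar
  { re: /^_cl[cs]k$/, category: "analytics" },         // Clarity: _clck, _clsk
  { re: /^s_cc$/, category: "analytics" },             // Adobe Analytics
  { re: /^(_fbp|_gcl_au|li_fat_id)$/, category: "marketing" },
];

function classify(name) {
  const rule = RULES.find((r) => r.re.test(name));
  return rule ? rule.category : "unknown";
}

// Extract cookie names from a Cookie request header or a document.cookie string.
function cookieNames(header) {
  return header.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// consent example: { functional: false, analytics: true, marketing: false }
function auditCookies(header, consent) {
  const findings = [];
  for (const name of cookieNames(header)) {
    const category = classify(name);
    if (category === "necessary") continue; // no consent needed
    if (category === "unknown") {
      // Not in the table: a person has to decide which category applies.
      findings.push({ name, category, issue: "uncategorised: review manually" });
    } else if (!consent[category]) {
      findings.push({ name, category, issue: "set without consent" });
    }
  }
  return findings;
}

// Constructed sample: a visitor who accepted analytics only.
const sample = "PHPSESSID=abc; _ga=GA1.1.1; _ga_AB12CD=GS1.1; _fbp=fb.1.1; theme=dark";
console.log(auditCookies(sample, { functional: false, analytics: true, marketing: false }));
```

Run it against the cookies captured on a first page load, before any banner interaction, with every consent flag set to `false`: anything it reports was set ahead of consent.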
Other cookie categories
These are the four most common categories, but feel free to add other cookie categories to your site if you wish. There’s no legal requirement to organise them this way. Most cookie management platforms will let you manually categorise cookies and add extra categories if you want to.