Every website sets cookies, but not every cookie plays the same role. Some keep the site functioning. Others measure traffic, remember preferences, or follow visitors around the internet with targeted ads. Privacy laws draw a hard line between these two groups, and getting the classification wrong can cost real money.

What Counts as an Essential Cookie?

An essential cookie - also called a strictly necessary cookie - is one the site genuinely needs to deliver the service a visitor asked for. If you remove it, something breaks. The checkout stops working, the login form forgets who you are mid-session, or the load balancer sends every request to the wrong server.

Article 5(3) of the ePrivacy Directive carves out two narrow exemptions from the consent requirement. A cookie qualifies if its sole purpose is carrying out the transmission of a communication over an electronic communications network, or if it is strictly necessary to provide a service the user has explicitly requested. Everything else needs consent.

Common examples include:

  • PHPSESSID or similar session identifiers that tie a visitor to their server-side state

  • Shopping-cart cookies that remember items between page loads

  • Authentication tokens that keep a user logged in during a single visit

  • CSRF tokens that protect forms against cross-site request forgery

  • Cookie-consent-preference cookies that record the visitor's own banner choice

The key test is purpose, not technology. A first-party session cookie used purely for authentication is essential. The same cookie repurposed to feed an analytics dashboard is not. Note also that "essential" is a consent classification, not a security one: a session or CSRF cookie still needs the Secure, HttpOnly and SameSite attributes its role demands, and exemption from the banner does not exempt it from that hygiene.

What Counts as a Non-Essential Cookie?

Non-essential cookies are everything that falls outside those two exemptions. The site still works without them - visitors can browse, buy, and log in. These cookies exist to serve the site owner's goals rather than the visitor's immediate request.

Three sub-categories cover most cases:

Category | Purpose | Common examples
Analytics | Measure traffic, page views, bounce rates | _ga, _gid (Google Analytics), _hj* (Hotjar)
Functional | Remember preferences such as language, region, font size | pll_language, theme-selection cookies
Marketing / Targeting | Profile visitors, serve personalised ads, retarget across sites | _fbp (Meta Pixel), IDE (Google DoubleClick)

Functional cookies sit in a grey zone. A language-preference cookie feels harmless, but whether it is exempt turns on who asked for it. A cookie that records a language the visitor explicitly picked from a language switcher is the strongest candidate for the "explicitly requested service" exemption; the Article 29 Working Party's 2012 opinion on the exemption treats such user-interface customisation cookies as exempt only when the choice was the visitor's own and the cookie's lifetime is limited. A language cookie set silently from geo-detection, kept for a year, or reused for analytics needs consent. If you cannot point to a visitor action behind it, classify it as non-essential.

Why the Classification Matters Legally

Under the ePrivacy Directive (implemented across EU member states) and the GDPR's consent rules, non-essential cookies must not fire until the visitor gives informed, freely given, specific, and unambiguous consent. Pre-ticked boxes do not count. Scrolling past a banner does not count. Clicking "X" to dismiss a pop-up does not count.

Essential cookies, by contrast, can be set the moment the page loads. No banner interaction required. You still need to disclose them in your cookie policy, but you do not need to ask permission.
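The rule in the two paragraphs above is normally enforced on the client: non-essential tags are shipped inert and activated only once a consent record exists for their category, while essential cookies (including the consent cookie itself) are set unconditionally. The following is an added example written by the editor, not Kukie.io's own code; the consent cookie name cookie_consent, its JSON shape, the data-cookie-category attribute on gated script tags and the consentchange event the banner dispatches are all this example's assumptions.

```javascript
// Consent record as the banner stores it in the visitor's own first-party
// cookie. That cookie is itself essential: it only records the visitor's
// choice. Name and JSON shape are assumptions for this example.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'functional', 'marketing'];

// Parse document.cookie (or any "a=b; c=d" string) into { name: value }.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Returns null when the visitor has not interacted with the banner yet, or
// when the record is malformed. A missing category counts as refused, so a
// truncated or tampered record can never widen consent.
function readConsent(cookieString) {
  const raw = parseCookieString(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(raw));
    const consent = {};
    for (const category of CATEGORIES) consent[category] = parsed[category] === true;
    return consent;
  } catch {
    return null;
  }
}

// Decide whether a gated tag may run. Essential tags are never gated, so they
// never reach this function; unknown categories are refused rather than
// defaulting open.
function mayActivate(category, consent) {
  if (consent === null) return false;
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Serialise a banner choice into the Set-Cookie / document.cookie value.
// "Reject all" and "Accept all" are just the two extreme inputs.
function buildConsentCookie(choice, maxAgeDays = 180) {
  const record = {};
  for (const category of CATEGORIES) record[category] = choice[category] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAgeDays * 86400}; Secure; SameSite=Lax`;
}

// Browser part. Gated tags are shipped as
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// so the HTML parser does not execute them. On load, and again whenever the
// banner dispatches a 'consentchange' CustomEvent carrying the new record in
// event.detail (assumed contract), activate only those tags whose category now
// has consent. Replacing the inert element with a freshly created <script>
// element is what triggers execution. Returns the number activated.
function activateGatedScripts(doc, consent) {
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!mayActivate(tag.dataset.cookieCategory, consent)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}

if (typeof document !== 'undefined') {
  activateGatedScripts(document, readConsent(document.cookie));
  document.addEventListener('consentchange', (event) => activateGatedScripts(document, event.detail));
}

console.log('Reject-all record:', buildConsentCookie({ analytics: false, functional: false, marketing: false }));
```

Activation is one-way: a tag that already ran cannot be un-run when consent is withdrawn, so the withdrawal path has to delete the cookies those tags set (Set-Cookie with Max-Age=0 on the same name, domain and path) and, for third-party cookies you cannot clear, reload the page with the tags now gated off. That is the gap behind the "after withdrawal of consent" findings cited later on this page.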

Regulators have made this distinction a top enforcement priority. In 2025, France's CNIL issued fines totalling close to 487 million euros across 83 sanctions, with cookie violations among the leading themes. Google received a 325-million-euro fine and Shein 150 million euros, both for setting advertising cookies before obtaining valid consent. The Conde Nast subsidiary behind Vanity Fair France was fined 750,000 euros after the CNIL found non-essential cookies firing despite visitors clicking "Refuse all." American Express France received a 1.5-million-euro penalty for the same pattern: cookies placed before consent, after refusal, and even after withdrawal of consent.

Grey Areas and Common Mistakes

Classification sounds simple in theory. Practice is messier. Here are the traps that catch site owners most often.

Multi-Purpose Cookies

A single cookie sometimes serves both an essential and a non-essential purpose. The CNIL has been explicit: if any purpose attached to a cookie requires consent, the entire cookie requires consent. You cannot split a cookie's purposes into "exempt" and "non-exempt" columns and run it without permission. Either separate the purposes into distinct cookies or treat the combined cookie as non-essential.

reCAPTCHA and Similar Services

Bot-detection tools like Google reCAPTCHA set cookies that appear security-related. But reCAPTCHA also collects data for Google's own purposes, making the cookie non-essential. The CNIL flagged this specifically. If you rely on reCAPTCHA, treat its cookies as requiring consent - or switch to a privacy-focused alternative like hCaptcha, and verify that alternative's own cookie and data-sharing behaviour before you label it essential, because "bot protection" alone does not earn the exemption.

Labelling Cookies as "Strictly Necessary" Without Justification

The Conde Nast case highlighted another mistake: marking cookies as strictly necessary in your banner without providing any information about their actual purpose. Regulators will check. If a cookie labelled "essential" turns out to serve advertising or analytics, the mislabelling itself becomes a compliance failure.

Analytics as "Essential"

Google Analytics cookies are never essential, regardless of how important traffic data feels to your business. The visitor did not request analytics. The site works without it. This applies to every analytics provider, including GA4, Hotjar, Microsoft Clarity, and Matomo in its default configuration. The one narrow exception is the CNIL's audience-measurement exemption, which covers first-party tools configured to produce anonymous aggregate statistics only, with no cross-site tracking; Google Analytics does not qualify, and it is a documented configuration choice rather than a blanket pass for "analytics".

How the Rules Differ Outside the EU

The essential/non-essential distinction is not unique to Europe, though the consequences vary.

Under the CCPA and CPRA in California, the framework is opt-out rather than opt-in. Non-essential cookies can load by default, but visitors must be able to opt out of the sale or sharing of their personal information, and the site must also honour the Global Privacy Control browser signal as a valid opt-out. The practical result is still a consent mechanism - just triggered differently, and partly automatic.

Brazil's LGPD follows a consent-based model closer to GDPR, though it also permits legitimate interest as a legal basis in limited cases. Canada's PIPEDA requires meaningful consent for non-essential cookies, with implied consent acceptable only for low-risk, well-explained purposes. South Africa's POPIA and the UK GDPR paired with PECR both follow the same essential/non-essential logic as the EU.

The safest approach for a site with international visitors is to treat every non-essential cookie as requiring opt-in consent by default, then relax the rules only where a specific jurisdiction permits it. Geo-detection in your consent management platform handles this automatically.

How to Classify Cookies on Your Site

Run a cookie scan to get a full inventory of what your site sets. For each cookie, ask two questions:

1. Does the site break without this cookie? If login fails, the cart empties, or a security feature stops working, the cookie is probably essential. If the site still loads and visitors can still complete the core task, it is not.

2. Did the visitor ask for the service this cookie provides? A visitor who clicks "Add to basket" has explicitly requested a cart service - so the cart cookie qualifies. A visitor who simply lands on a page has not requested analytics, ads, or personalisation. Those cookies need consent.

Document every cookie with its name, purpose, duration, and classification. This list feeds directly into your cookie categories within your consent banner and your written cookie policy.
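The inventory step above is mechanical once the two questions have been answered for each cookie name, so it is worth scripting. The following is an added example by the editor, not Kukie.io's scanner: it parses cookie records written in Set-Cookie syntax, classifies each against an ordered rule table, records name, domain, duration and purpose, and then audits the list against a given consent state to show which cookies should not exist before banner interaction or after "Reject all". The sample cookies, the rule table and the purposes are constructed assumptions; unknown names are deliberately left non-essential until someone can state their purpose.

```javascript
// Constructed sample of what a scan of one page load captured before any
// banner interaction. Written in Set-Cookie syntax for convenience; values are
// made up. In practice _ga and _fbp are set client-side by the tag scripts via
// document.cookie, so a real scan must drive a browser, not just read response
// headers.
const SAMPLE_SET_COOKIES = [
  'PHPSESSID=9c1f0d2e4b7a; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=5d41402abc4b; Path=/; Secure; SameSite=Strict; Max-Age=3600',
  'cart=c3f1; Path=/; Secure; Max-Age=604800',
  '_ga=GA1.1.1234567890.1700000000; Path=/; Domain=.example.com; Max-Age=63072000',
  '_gid=GA1.1.987654321.1700000000; Path=/; Domain=.example.com; Max-Age=86400',
  '_fbp=fb.1.1700000000000.123456789; Path=/; Domain=.example.com; Max-Age=7776000',
  'pll_language=fr; Path=/; Max-Age=31536000',
  'xyz_tracker=abc; Path=/; Max-Age=2592000',
];

// Ordered classification rules; first match wins. Names and purposes are this
// example's assumptions: extend the table with what your own scan finds, and
// only move a name into the essential rows once you can state its purpose.
const RULES = [
  { pattern: /^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|connect\.sid)$/i, category: 'essential', purpose: 'Server-side session identifier' },
  { pattern: /^(csrftoken|XSRF-TOKEN|_csrf)$/i, category: 'essential', purpose: 'CSRF protection token' },
  { pattern: /^cart$/i, category: 'essential', purpose: 'Shopping-cart state' },
  { pattern: /^cookie_consent$/i, category: 'essential', purpose: "Visitor's own banner choice" },
  { pattern: /^(_ga|_ga_[A-Z0-9]+|_gid|_gat.*)$/, category: 'analytics', purpose: 'Google Analytics measurement' },
  { pattern: /^_hj/, category: 'analytics', purpose: 'Hotjar session recording / heatmaps' },
  { pattern: /^(pll_language|theme)$/i, category: 'functional', purpose: 'Language / display preference' },
  { pattern: /^_fbp$/, category: 'marketing', purpose: 'Meta Pixel advertising identifier' },
  { pattern: /^IDE$/, category: 'marketing', purpose: 'Google DoubleClick ad targeting' },
];

// Parse one Set-Cookie header. Max-Age wins over Expires (RFC 6265); Expires
// is converted to seconds relative to nowMs so results are reproducible.
function parseSetCookie(header, nowMs) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, maxAgeSeconds: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'max-age') cookie.maxAgeSeconds = parseInt(val, 10);
    else if (key === 'expires' && cookie.maxAgeSeconds === null) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.maxAgeSeconds = Math.max(0, Math.round((t - nowMs) / 1000));
    } else if (key === 'domain') cookie.domain = val.toLowerCase();
  }
  return cookie;
}

// Human-readable lifetime for the cookie policy; null means a session cookie.
function describeDuration(maxAgeSeconds) {
  const unit = (n, word) => `${n} ${word}${n === 1 ? '' : 's'}`;
  if (maxAgeSeconds === null) return 'session';
  if (maxAgeSeconds < 3600) return unit(maxAgeSeconds, 'second');
  if (maxAgeSeconds < 86400) return unit(Math.round(maxAgeSeconds / 3600), 'hour');
  return unit(Math.round(maxAgeSeconds / 86400), 'day');
}

// One inventory row: name, domain, duration, category, purpose, essential flag.
// Anything the rule table does not know is "unclassified" and non-essential.
function classifyCookie(header, nowMs = Date.now()) {
  const c = parseSetCookie(header, nowMs);
  const rule = RULES.find((r) => r.pattern.test(c.name));
  return {
    name: c.name,
    domain: c.domain,
    duration: describeDuration(c.maxAgeSeconds),
    category: rule ? rule.category : 'unclassified',
    purpose: rule ? rule.purpose : 'UNKNOWN - review before labelling as essential',
    essential: rule ? rule.category === 'essential' : false,
  };
}

function buildInventory(headers, nowMs = Date.now()) {
  return headers.map((h) => classifyCookie(h, nowMs));
}

// consent: null means no banner interaction yet; otherwise category -> boolean
// as recorded from the banner ("Reject all" gives all false). Returns the
// cookies that must not have been set in that state. Unclassified cookies are
// always reported: they were never disclosed under any category.
function auditAgainstConsent(inventory, consent) {
  return inventory.filter((c) => {
    if (c.essential) return false;
    if (consent === null) return true;
    return consent[c.category] !== true;
  });
}

const NOW = Date.parse('2025-01-01T00:00:00Z'); // fixed clock for reproducible Expires handling
const inventory = buildInventory(SAMPLE_SET_COOKIES, NOW);
console.table(inventory.map(({ name, category, duration, essential, purpose }) => ({ name, category, duration, essential, purpose })));
console.log('Set before any banner interaction but need consent:',
  auditAgainstConsent(inventory, null).map((c) => c.name));
console.log('Still present after "Reject all":',
  auditAgainstConsent(inventory, { analytics: false, functional: false, marketing: false }).map((c) => c.name));
```

Run the audit twice per scan, once with the state before any interaction and once after clicking "Reject all", because those are the two states regulators test. Diffing the inventory between scheduled scans also surfaces the new plugin or ad script that introduced a cookie nobody classified.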

Essential vs Non-Essential at a Glance

Feature | Essential cookies | Non-essential cookies
Consent required (EU) | No | Yes - opt-in before the cookie fires
Consent required (US) | No | Opt-out right under CCPA/CPRA
Must be disclosed | Yes, in cookie policy | Yes, in cookie policy and banner
Can load before banner interaction | Yes | No (in opt-in jurisdictions)
Typical examples | Session IDs, CSRF tokens, cart cookies | Analytics, ad trackers, preference cookies
Legal basis (GDPR) | Legitimate interest or contract | Consent (Article 6(1)(a))
Affected by "Reject All" | No - keeps running | Yes - must be blocked immediately

Frequently Asked Questions

Are preference cookies like language selection essential?

Usually not. A language cookie improves the experience, but the site still functions without it, so consent is required unless the visitor explicitly chose the language (for example via a language switcher) and the cookie does nothing more than remember that choice for a limited time. A language set silently from geolocation, or a preference cookie that also feeds profiling, needs consent.

Can Google Analytics ever be classified as essential?

No. Analytics cookies measure site performance for the site owner, not for the visitor. The site works without them. Data protection authorities in opt-in jurisdictions treat analytics cookies as requiring prior consent; the CNIL's audience-measurement exemption covers only first-party tools configured for anonymous aggregate statistics, and Google Analytics is not one of them.

Do essential cookies need to appear in the cookie banner?

You do not need to ask consent for them, but you should list them for transparency. Most consent management platforms display essential cookies in a read-only category that visitors can view but not toggle off.

What happens if a cookie serves both an essential and a non-essential purpose?

The whole cookie requires consent. The CNIL has ruled that multi-purpose cookies cannot be partially exempted. Either split the purposes into separate cookies or treat the combined cookie as non-essential.

How often should cookie classifications be reviewed?

At least quarterly, and after any change to your tech stack. New plugins, analytics tools, or ad scripts can introduce cookies you have not classified. A scheduled scan catches these before a regulator does.

Get Your Cookie Classification Right

Sorting cookies into the right bucket is the foundation of every compliant consent setup. If you are unsure what your site sets, a scan takes seconds. Kukie.io detects every cookie, assigns it to the correct category, and blocks non-essential cookies until your visitors give the green light.

Start Free - Scan Your Website Today