Every cookie consent banner on the web groups cookies into categories. Visitors see toggles labelled "Necessary", "Analytics", "Marketing" and sometimes "Functional" or "Preferences". Behind those labels sits a classification decision that has real legal weight. Place a tracking cookie in the wrong category and you risk firing it without valid consent - exactly the kind of mistake that drew a EUR 150 million fine from France's CNIL against SHEIN in September 2025.

This guide covers how to audit the cookies on your site, assign each one to the correct category, and handle the grey areas that trip up even experienced developers.

The Four Standard Cookie Categories

The ICC UK Cookie Guide, first published in 2012 and endorsed by the UK's Information Commissioner's Office (ICO), established four categories based on cookie purpose. Most consent management platforms still use this framework, sometimes with minor label variations.

Category                 | Purpose                                                                | Consent required?          | Examples
Strictly necessary       | Core site functionality the user explicitly requested                  | No (but must be disclosed) | PHPSESSID, csrf_token, cart cookies
Functional / Preferences | Remembers user choices that are not essential to basic operation       | Yes                        | pll_language, theme selectors, live chat state
Analytics / Performance  | Measures how visitors use the site in aggregated or pseudonymous form  | Yes                        | _ga, _gid, _hjSessionUser
Marketing / Targeting    | Tracks behaviour across sites for advertising                          | Yes                        | _fbp, _gcl_au, IDE

Only strictly necessary cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive. The exemption is narrow: the cookie must be essential to provide a service the visitor explicitly requested. A shopping cart cookie qualifies. A language-preference cookie does not, because the visitor asked for a web page, not a language-remembering service.

Step 1: Run a Full Cookie Scan

You cannot categorise what you have not found. Start by scanning every page and user flow on your site - including logged-in states, checkout funnels, and any page that loads third-party widgets. A cookie scanner will crawl the site, trigger scripts, and produce a list of every cookie set during the session along with its name, domain, expiry, and the script that created it.

Manual checking with Chrome DevTools is useful as a supplement, but it misses cookies set by scripts that fire only under specific conditions (such as a clicked consent button or a particular referrer). Automated scanning catches more.

Record each cookie's name, domain (first-party or third-party), lifespan (session or persistent, and for how long), and the HTTP response or JavaScript call that sets it. This raw inventory is what you will classify in the next step.

Step 2: Classify Each Cookie by Purpose

Work through your inventory cookie by cookie. For each one, ask a single question: what happens to the site if this cookie is removed?

If the site breaks - pages fail to load, login stops working, the cart empties on navigation - the cookie is strictly necessary. If the site still works but loses a convenience feature like remembering a language choice, it is functional. If removing it has no visible effect on the visitor but the site owner loses usage data, it is analytics. If removing it stops personalised ads from appearing elsewhere, it is marketing.

Use the Cookie Name and Domain as Clues

Well-known cookies can often be identified by name. The Kukie.io Cookie Database and Cookiepedia both maintain searchable indexes. A cookie named _ga set by .google-analytics.com is analytics. One named _fbp set by .facebook.com is marketing. A cookie named wp_woocommerce_session on your own domain is strictly necessary for WooCommerce cart functionality.

Unknown or custom cookies require more investigation. Check the script source, read the vendor's documentation, or remove the cookie in a staging environment and observe what changes.

Check the Vendor, Not Just the Cookie Name

A third-party embedded service may set cookies that technically support its own analytics, but because those cookies operate across multiple sites, they can be used for cross-site profiling. Cookiepedia's guidance is clear: cookies set by third-party services for purposes unknown to the site owner should be categorised by their most privacy-intrusive potential use, not their most benign one. A social sharing widget that sets a cookie tracking logged-in users across the web belongs in marketing, even though the button itself looks functional.

Step 3: Handle the Grey Areas

Not every cookie fits neatly into one box. Research published by ETH Zurich found that roughly 8% of websites misclassify Google Analytics cookies such as _ga, and about 2.7% label at least one GA cookie as strictly necessary - a classification the EU Court of Justice effectively ruled out in the Planet49 case (C-673/17, October 2019).

Common edge cases worth flagging:

  • Google Analytics with anonymised IP - some CMPs classify this as necessary. Regulators disagree. The CNIL and the EDPB treat all analytics cookies as non-essential regardless of anonymisation settings. Classify as analytics.

  • Live chat widgets - the chat functionality itself may feel necessary, but the cookies a chat service sets often track returning visitors across sessions for the vendor's own purposes. Check whether the cookie supports the chat session (functional) or the vendor's analytics and ad targeting (marketing).

  • Social sharing buttons - if the visitor must be logged into the social network for the button to function, the cookie relates to a service the user already consented to with the social platform. If the button sets cookies without any user interaction, those cookies are marketing or targeting.

  • A/B testing cookies - a cookie that assigns a visitor to test variant A or B for your own UX experiment is functional. If the A/B tool also feeds data into a third-party analytics or advertising profile, classify as analytics or marketing, depending on the data flow.

  • Content delivery network (CDN) cookies - load-balancing cookies from a CDN like Cloudflare (__cflb) are strictly necessary. They carry no personal data and exist purely to route requests correctly.

When genuinely unsure, apply the conservative rule: classify the cookie in the category that requires consent. Placing a marketing cookie into the functional bucket fires it before the visitor opts in. Placing a functional cookie into the marketing bucket simply delays it until consent is given - an inconvenience, not a violation.
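As an added example (not Kukie.io's scanner or the article's own code), the following Python turns a few constructed Set-Cookie headers into the inventory of Step 1 and classifies each entry using the table above plus the conservative rule for unknown cookies; the site domain, vendor domains and header values are assumed sample data.

```python
"""Build the classified cookie inventory of Steps 1 to 3 from captured Set-Cookie headers.
Example code added to the article, not Kukie.io's scanner; domain and headers are constructed."""
from dataclasses import dataclass

SITE_DOMAIN = "example.com"  # assumed first-party domain of the audited site

KNOWN = {  # cookie name -> category, following the article's table
    "PHPSESSID": "necessary", "csrf_token": "necessary", "__cflb": "necessary",
    "wp_woocommerce_session": "necessary", "pll_language": "functional",
    "_ga": "analytics", "_gid": "analytics", "_hjSessionUser": "analytics",
    "_fbp": "marketing", "_gcl_au": "marketing", "IDE": "marketing",
}

@dataclass
class CookieRecord:
    name: str
    domain: str
    third_party: bool
    lifespan: str
    category: str

def classify(name, third_party):
    """Table lookup (also matching suffixed variants such as _ga_XXXX), else the article's
    conservative rule: unknown third-party -> marketing, unknown first-party -> functional."""
    for known, category in KNOWN.items():
        if name == known or name.startswith(known + "_"):
            return category
    return "marketing" if third_party else "functional"

def parse_set_cookie(header, page_host=SITE_DOMAIN):
    """Record name, domain, first/third party, lifespan and category for one header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", page_host).lstrip(".").lower()
    third_party = not (domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN))
    max_age = attrs.get("max-age")
    lifespan = (f"persistent ({int(max_age) // 86400} days)" if max_age
                else "persistent (Expires set)" if "expires" in attrs else "session")
    return CookieRecord(name, domain, third_party, lifespan, classify(name, third_party))

# Constructed sample capture from one page load (not a real scan).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.1.1111; Domain=.example.com; Max-Age=63072000; Path=/",
    "IDE=xyz; Domain=.doubleclick.net; Max-Age=34214400; Path=/; Secure; SameSite=None",
    "chatwidget_uid=42; Domain=.chat-vendor.example; Max-Age=2592000; Path=/",
]
INVENTORY = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
```

The unknown chat-widget cookie lands in marketing on purpose: it stays there until someone reads the vendor's documentation and can justify a less intrusive category.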

Step 4: Document Everything in Your Cookie Policy

A cookie policy must list every cookie by name, state its category, describe its purpose in plain language, and note its lifespan. Group cookies by category so visitors can see at a glance what each toggle in the banner controls.

Vague labels do not count. Writing "This cookie is used to improve your experience" tells the visitor nothing. Writing "_ga - set by Google Analytics - counts page views and traffic sources - expires after 2 years - category: analytics" gives the visitor enough to make an informed choice. The GDPR requires consent to be informed, and informed consent demands specifics.

Step 5: Map Categories to Your Consent Banner

Your cookie banner should present one toggle per category (excluding strictly necessary cookies, which remain always on). When a visitor switches off "Analytics", every cookie you classified as analytics must be blocked - not just most of them. This is where accurate categorisation pays off. A missed cookie that fires despite a visitor's refusal is exactly what regulators test for.

The ICO's 2025 review of the UK's 1,000 most-visited websites specifically checked whether cookie categorisation matched actual behaviour. Regulators now test sites directly, loading pages with consent denied and inspecting which cookies appear regardless. The CNIL follows the same approach, and its 2025 enforcement round resulted in 21 entities sanctioned for tracker-related breaches.
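To check the banner mapping the way the regulators above do, here is an added Python example (not the article's or Kukie.io's code) that compares the cookies observed after a page load against the classified inventory and the toggles the visitor set, and flags anything not yet in the inventory; the inventory, consent state and observed names are constructed samples.

```python
"""Step 5 check: compare what a page load actually set against the classified
inventory and the visitor's toggle choices.  Added example, not Kukie.io's code;
all inputs below are constructed."""

# name -> category, as produced when classifying the inventory (constructed sample).
INVENTORY = {
    "PHPSESSID": "necessary", "__cflb": "necessary", "pll_language": "functional",
    "_ga": "analytics", "_gid": "analytics", "_fbp": "marketing",
}

def audit(observed, inventory, consent):
    """observed: cookie names seen after the load; consent: category -> bool exactly as
    the visitor left the toggles (strictly necessary is always on).  Returns the cookies
    that fired without consent and the cookies the inventory does not know, which the
    conservative rule treats as consent-requiring until someone classifies them."""
    granted = {"necessary"} | {cat for cat, on in consent.items() if on}
    report = {"violations": [], "unclassified": [], "ok": []}
    for name in sorted(set(observed)):
        category = inventory.get(name)
        if category is None:
            report["unclassified"].append(name)
        elif category in granted:
            report["ok"].append(name)
        else:
            report["violations"].append((name, category))
    return report

def passes(report):
    """True only when nothing fired without consent and nothing is unclassified."""
    return not report["violations"] and not report["unclassified"]

# Constructed observation: visitor accepted analytics, refused functional and marketing.
CONSENT = {"functional": False, "analytics": True, "marketing": False}
OBSERVED = ["PHPSESSID", "__cflb", "_ga", "_gid", "_fbp", "mystery_tag"]

if __name__ == "__main__":
    result = audit(OBSERVED, INVENTORY, CONSENT)
    for name, category in result["violations"]:
        print(f"FAIL {name}: '{category}' cookie fired although that toggle was off")
    for name in result["unclassified"]:
        print(f"WARN {name}: not in inventory; classify and add to policy and CMP first")
    print("PASS" if passes(result) else "FAIL")
```

Run it once per consent combination you offer, including every toggle off, since that is the state regulators load the page in.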

Keep Categories in Sync After Launch

Cookies change. A plugin update can introduce new cookies. A marketing tag added by a colleague can slip in without review. Scheduled scans - weekly or monthly - catch drift before a regulator does. Each new cookie found needs to be classified and added to the policy and the CMP configuration before it fires on a live page.

Common Mistakes to Avoid

Three errors appear repeatedly in audits. The first is over-claiming "strictly necessary" status. If your site would still function without the cookie, it is not strictly necessary. Regulators in France and the UK have been explicit: the bar is high, and convenience is not necessity.

The second mistake is ignoring third-party cookies. A tag manager, a font service, an embedded map, or an analytics platform can all set cookies on your visitors' devices. You are responsible for those cookies even though a third party created them.

The third is setting categories once and never revisiting them. Websites evolve. The cookie inventory from six months ago is probably already out of date. Treat categorisation as a recurring task, not a one-off project.

Frequently Asked Questions

How many cookie categories should a consent banner have?

Most banners use four categories: strictly necessary, functional (or preferences), analytics, and marketing. Some CMPs merge functional and analytics into one group, but keeping them separate gives visitors more granular control - which regulators prefer.

Can I classify Google Analytics cookies as strictly necessary?

No. The EU Court of Justice's Planet49 ruling and guidance from the CNIL, EDPB, and ICO all treat analytics cookies as non-essential. Even with anonymised IP settings enabled, Google Analytics cookies require consent before they fire.

What happens if I put a cookie in the wrong category?

If a non-essential cookie is labelled strictly necessary, it fires without consent - a direct violation of Article 5(3) of the ePrivacy Directive. In 2025, the CNIL sanctioned 21 entities for exactly this type of tracker breach, with combined fines in the hundreds of millions of euros.

How often should I re-audit my cookie categories?

At least quarterly, or whenever you add a new plugin, script, or third-party integration. Automated scheduled scans can flag new or changed cookies between full audits.

Do functional cookies always need consent under GDPR?

Yes, under the current regulatory interpretation. The ePrivacy Directive's consent exemption covers only cookies that are strictly necessary to provide a service the user explicitly requested. A language-preference cookie improves the experience but is not strictly necessary for the page to load, so it requires consent.

How do I categorise cookies set by social media share buttons?

It depends on what the cookie does. If the button sets a cookie that tracks the visitor across other sites for ad targeting - even without a click - classify it as marketing. If the cookie only activates after the visitor logs into the social platform and uses the share feature, it may be functional, but check the vendor's documentation carefully.

Get Your Cookie Categories Right From the Start

If your current cookie inventory is a spreadsheet last updated a year ago, a fresh scan is the fastest way to close the gap. Kukie.io scans your site, identifies every cookie, and maps each one to the correct category - so your banner, your policy, and your actual cookie behaviour all tell the same story.
