Non-essential cookies are any cookies that a website does not strictly need in order to function. Remove them, and the site still loads, pages still render, forms still submit, and users can still complete their transactions. That single test - does the site break without this cookie? - is the dividing line that privacy regulators care about most.
The distinction matters because Article 5(3) of the ePrivacy Directive requires prior consent before any information is stored on or read from a visitor's device, with only two narrow exemptions: cookies used solely to transmit a communication over a network, and cookies strictly necessary to provide a service the visitor explicitly requested. Everything else - analytics, advertising, social media widgets, personalisation engines - falls outside those exemptions and demands opt-in consent before it fires.
What Makes a Cookie Non-Essential?
The label "non-essential" is not a technical property of the cookie itself. What determines its legal classification is its purpose.
A session cookie that keeps a user logged in while they browse an online shop is essential - it provides a service the user actively requested. The same technology, set by Google Analytics to assign a unique visitor identifier via _ga, is non-essential because the visitor never asked to be tracked. The distinction applies equally to first-party and third-party cookies, and to technologies beyond traditional cookies such as tracking pixels, local storage, and device fingerprinting.
The Three Main Categories
Most cookie classification frameworks break non-essential cookies into three groups.
| Category | Purpose | Common Examples | Typical Lifespan |
|---|---|---|---|
| Analytics / Performance | Measure how visitors interact with the site: page views, session duration, traffic sources | _ga, _gid (Google Analytics), _hjid (Hotjar) | 24 hours to 2 years |
| Advertising / Marketing | Track browsing behaviour to serve targeted ads and measure conversions | _fbp (Meta Pixel), _gcl_au (Google Ads), IDE (DoubleClick) | 90 days to 2 years |
| Functional / Preference | Remember user choices beyond strict necessity: language, region, display settings | pll_language (Polylang), chat widget cookies | Session to 1 year |
The functional category is the grey area. A language preference cookie could be argued as strictly necessary if the site cannot serve content without it, but regulators have generally held that remembering a preference between sessions is a convenience, not a necessity. The CNIL has stated that where a single cookie combines an exempt purpose with a non-exempt one, consent is required for the entire cookie.
Why Non-Essential Cookies Require Consent
The ePrivacy Directive establishes the consent-first rule for accessing or storing information on a user's terminal equipment. This applies regardless of whether the cookie collects personal data - even a cookie that stores a random hash requires consent if it is non-essential, because the Directive protects the integrity of the device, not just personal data.
The GDPR enters the picture when cookies process personal data - which most non-essential cookies do, since unique identifiers like _ga or _fbp can identify individuals when combined with other data. Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Bundled consent - one "accept all" with no granular choice - does not count either.
Outside the EU, similar requirements apply in different forms. The UK GDPR and PECR mirror the EU position. Brazil's LGPD expects consent for tracking cookies. PIPEDA requires meaningful consent for personal information collection. The CCPA/CPRA takes an opt-out approach rather than opt-in, but still requires a prominent "Do Not Sell or Share My Personal Information" mechanism.
Enforcement Is Escalating
Regulators are not treating non-essential cookie violations as minor paperwork failures. In September 2025, the CNIL fined Google EUR 325 million and Shein EUR 150 million for cookie consent violations - the largest cookie-specific sanctions in the authority's history. Both companies placed advertising cookies on visitors' devices before any consent interaction and used manipulative banner designs that made rejection harder than acceptance.
Between December 2022 and December 2024, the CNIL alone issued combined fines exceeding EUR 139 million for breaches of the French implementation of Article 5(3). In 2024, 11 organisations were penalised specifically for making cookie rejection more difficult than acceptance - a practice now firmly classified as a dark pattern.
The ICO in the UK has expanded its enforcement programme to audit cookie compliance across the top 1,000 UK websites, and the EDPB's guidelines broadened Article 5(3)'s scope to cover tracking pixels, URL-based tracking, and other non-cookie technologies.
How to Handle Non-Essential Cookies Correctly
Block Before Consent
Non-essential cookies must not fire until the visitor actively consents. The scripts that set these cookies - Google Analytics tags, Meta Pixel snippets, advertising scripts - need to be blocked from executing on page load. A consent management platform handles this by intercepting script loading and only releasing tagged scripts once the visitor opts in for the relevant category.
Present Granular Choices
Visitors must be able to accept or reject cookies by category. A banner offering only "Accept All" with no reject option, or burying the reject button behind a secondary screen, fails the consent validity test under Article 7 of the GDPR. Accepting and rejecting must be equally easy - same screen, same visual prominence, same number of clicks.
Classify Every Cookie
You cannot ask for informed consent if you do not know what cookies your site sets. Run a cookie scan to identify every cookie and tracker, then classify each one. Pay attention to third-party scripts: embedding a YouTube video, a Google Maps widget, or a social sharing button may trigger cookies you did not anticipate.
Respect Withdrawal
Consent must be as easy to withdraw as it was to give. If a visitor revokes consent for analytics cookies, those cookies should be deleted or expired - not silently ignored. The CNIL has specified that organisations should set an expiry date in the past for cookies needing removal, triggering browser deletion.
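The classification, pre-consent check and withdrawal steps above can be sketched in a few functions. This is an added example, not code from Kukie.io or any CMP: the cookie names come from the table earlier in the article, while the function names, the `promo_seen` cookie, the `.example.com` domain and the `path=/` attribute are assumptions.

```javascript
// Categories follow the article's table; PHPSESSID is its strictly-necessary example.
const CATEGORY = new Map([
  ["PHPSESSID", "necessary"],
  ["_ga", "analytics"], ["_gid", "analytics"], ["_hjid", "analytics"],
  ["_fbp", "marketing"], ["_gcl_au", "marketing"], ["IDE", "marketing"],
  ["pll_language", "functional"],
]);

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split("=")[0]);
}

// Cookies that are present although their category has no opt-in.
// Unknown names are reported as "unclassified" instead of being assumed safe.
function auditCookies(cookieString, consent) {
  return cookieNames(cookieString)
    .map((name) => ({ name, category: CATEGORY.get(name) || "unclassified" }))
    .filter((c) => c.category !== "necessary" && consent[c.category] !== true);
}

// A past expiry date makes the browser delete the cookie. Path and Domain
// must match the values used when it was set; "/" and `domain` are assumptions.
function expireCookie(name, domain) {
  const base = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  return domain ? `${base}; domain=${domain}` : base;
}

// Strings to assign to document.cookie after a withdrawal of consent.
function withdrawalStrings(cookieString, consent, domain) {
  return auditCookies(cookieString, consent)
    .filter((c) => c.category !== "unclassified") // review these by hand
    .map((c) => expireCookie(c.name, domain));
}

// Constructed sample: state of document.cookie on a first visit, before any choice.
const SAMPLE = "PHPSESSID=abc123; _ga=GA1.1.111.222; _fbp=fb.1.1700000000.999; pll_language=en; promo_seen=1";
const NO_CONSENT = { analytics: false, marketing: false, functional: false };
console.log(auditCookies(SAMPLE, NO_CONSENT));
console.log(withdrawalStrings(SAMPLE, NO_CONSENT, ".example.com"));
```

Cookies flagged `HttpOnly` and third-party cookies such as `IDE` never appear in `document.cookie`, so a page-level audit like this one complements a browser-level scan and does not replace it.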
Legitimate Interest Does Not Apply to Cookies
A persistent misconception is that legitimate interest under Article 6(1)(f) of the GDPR can justify non-essential cookies without consent. It cannot. The ePrivacy Directive is lex specialis - a more specific law that takes precedence over the GDPR's general provisions. Article 5(3) requires consent for storing or accessing information on a user's device, and legitimate interest is not one of its exemptions. The CNIL, EDPB, and ICO have all confirmed this position.
Non-Essential Cookies and Google Consent Mode
Google Consent Mode v2 offers a middle ground for sites that want some analytics data even when visitors decline cookies. When consent is denied, GA4 operates in a cookieless mode that collects aggregated, modelled data without writing _ga or _gid to the browser. The data is less granular but preserves basic traffic and conversion metrics while respecting the visitor's choice.
Consent Mode does not eliminate the need for a consent banner. It adjusts what happens after the visitor makes their choice. The consent signal itself still needs to come from a properly configured CMP that blocks scripts until the visitor interacts with the banner.
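How a CMP's category choices reach Consent Mode v2 is shown below as an added example that is not taken from Google's or any CMP's code. The mapping of the article's three categories onto Consent Mode parameters and the function names are assumptions; `dataLayer` is a constructed stand-in so the code runs outside a browser.

```javascript
// Constructed stand-in for window.dataLayer. In the browser, keep Google's
// standard snippet, which pushes the `arguments` object itself.
const dataLayer = [];
function gtag() {
  dataLayer.push(Array.from(arguments));
}

// Map CMP categories to Consent Mode v2 signals (assumed mapping).
// Anything not explicitly opted in is sent as "denied".
function toConsentMode(consent) {
  const signal = (optedIn) => (optedIn === true ? "granted" : "denied");
  return {
    analytics_storage: signal(consent.analytics),
    ad_storage: signal(consent.marketing),
    ad_user_data: signal(consent.marketing),
    ad_personalization: signal(consent.marketing),
    functionality_storage: signal(consent.functional),
    personalization_storage: signal(consent.functional),
  };
}

// Run before any Google tag loads: every signal denied until the banner is answered.
function setDefaultConsent() {
  gtag("consent", "default", toConsentMode({}));
}

// Run from the CMP once the visitor has made a choice (hypothetical callback).
function applyChoice(consent) {
  gtag("consent", "update", toConsentMode(consent));
}

// Constructed scenario: visitor accepts analytics only.
setDefaultConsent();
applyChoice({ analytics: true, marketing: false, functional: false });
console.log(dataLayer);
```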
What Counts as Strictly Necessary?
The Article 29 Working Party (now the EDPB) identified two criteria in Opinion 04/2012. First, the cookie is used solely for transmitting data over an electronic communication network - for example, a load-balancing cookie. Second, the cookie is strictly necessary to provide a service the user explicitly requested - for example, a PHPSESSID session cookie or an authentication cookie.
Cookies that merely make a site faster, more convenient, or more personalised do not meet the threshold. Functional cookies that remember display preferences, analytics cookies measuring traffic, and advertising cookies tracking conversions all fall outside the exemption.
Frequently Asked Questions
Are analytics cookies always non-essential?
Under general EU law, yes. Analytics cookies such as _ga are not strictly necessary to deliver the service the visitor requested and therefore require consent. A narrow exception exists in France and Spain, where the CNIL and AEPD allow privacy-focused analytics tools to operate under a consent exemption if configured to collect only aggregated, anonymised data with no cross-site tracking.
Can I use legitimate interest instead of consent for non-essential cookies?
No. The ePrivacy Directive's Article 5(3) requires consent for storing or accessing information on a user's device, and legitimate interest is not among its exemptions. This applies regardless of whether the cookie processes personal data.
What happens if non-essential cookies load before consent is given?
This constitutes a violation of the ePrivacy Directive and potentially the GDPR. The CNIL fined Shein EUR 150 million in 2025 partly because advertising cookies were placed before visitors could interact with the consent banner.
Do non-essential cookies on US-only websites need consent?
If the website has no EU, UK, or Brazilian visitors, GDPR and ePrivacy rules do not apply. Under the CCPA/CPRA, the approach is opt-out rather than opt-in. However, if your site receives any traffic from the EU or UK, the stricter opt-in rules apply to those visitors.
How do I know which cookies on my site are non-essential?
Run an automated cookie scan to catalogue every cookie and tracker. For each one, ask whether the site would still function without it. If yes, the cookie is non-essential and requires consent.
Is a cookie wall that blocks content until the visitor accepts cookies legal?
In most EU jurisdictions, no. The EDPB's guidelines state that consent is not freely given if access to a service is conditional on accepting non-essential cookies. Some national regulators allow limited cookie walls where a genuine paid alternative is offered, but the legality varies by jurisdiction.
How often should I re-scan my website for new non-essential cookies?
At minimum, re-scan whenever you add new third-party integrations, update plugins, or deploy new marketing tags. A monthly scan is good practice for active sites, as third-party scripts can introduce new cookies without your knowledge.
Stay Ahead of Cookie Compliance
If you are unsure which cookies your site sets - or whether they fire before consent - start with a free scan. Kukie.io detects, categorises, and blocks non-essential cookies automatically, giving visitors a clear choice and keeping your site on the right side of the regulations.