Every website sets cookies. Some keep a shopping cart alive for five minutes; others track a visitor across dozens of sites for months. The difference between those two scenarios is not just technical - it determines whether your site complies with privacy law or risks a six-figure fine.
Article 5(3) of the ePrivacy Directive requires informed, prior consent before any non-essential cookie is stored on a visitor's device. The GDPR reinforces that requirement and adds accountability obligations on top. Getting cookie classification right is the foundation of every compliant consent banner.
What Is a Cookie, Technically?
A cookie is a small text file that a web server sends to a browser via the Set-Cookie HTTP header. The browser stores it locally and attaches it to every subsequent request that falls within the cookie's domain and path scope. Cookies carry a name-value pair, an optional expiry date, a domain scope, and optional flags such as Secure, HttpOnly, and SameSite.
Cookies are not programs. They cannot execute code, install software, or read files on a device. Their power - and their privacy risk - comes from their ability to identify a returning visitor, tie browsing sessions together, and build profiles over time.
Classification by Origin: First-Party vs Third-Party Cookies
The most important distinction in cookie law is origin. A first-party cookie is set by the domain the visitor is currently on. If someone visits example.com, a cookie set by example.com is first-party. These cookies typically handle authentication, language preferences, shopping carts, and analytics.
Third-party cookies come from a different domain. If example.com loads an advertising script from adnetwork.com, the cookie set by adnetwork.com is third-party. These cookies enable cross-site tracking, retargeting, and behavioural advertising - which is precisely why regulators focus on them.
Safari and Firefox block third-party cookies by default. Chrome, which holds roughly 67% of the global browser market, reversed its plan to deprecate them in July 2024 and in April 2025 confirmed it would not introduce a separate user consent prompt either. Third-party cookies remain enabled by default in Chrome, but their effectiveness is steadily declining as users block or delete them.
| Feature | First-Party Cookies | Third-Party Cookies |
|---|---|---|
| Set by | Domain the user visits | External domain (ad network, pixel, widget) |
| Typical uses | Login, cart, language, analytics | Cross-site tracking, retargeting, ad measurement |
| Blocked by default | No | Yes (Safari, Firefox, Brave) |
| Consent required (EU) | Depends on purpose | Almost always yes |
| Examples | _ga, PHPSESSID, pll_language | _fbp, IDE, fr |
Classification by Duration: Session vs Persistent Cookies
A session cookie has no explicit expiry date. It lives in the browser's memory and is deleted the moment the user closes the browser (or, in some browsers, when the tab closes). Session cookies are the backbone of stateful web interactions - they keep a user logged in as they move between pages, maintain form data during a multi-step checkout, and prevent a user from being asked to re-authenticate on every click.
A persistent cookie carries a specific expiry date via the Expires or Max-Age attribute. It survives browser restarts and can last anywhere from a few hours to several years. The _ga cookie set by Google Analytics, for example, has a default lifetime of two years. Safari's Intelligent Tracking Prevention (ITP) caps first-party cookies set via JavaScript at seven days, which has pushed many analytics providers to move cookie-setting to the server side.
Cookie duration matters for compliance. A persistent analytics cookie that lasts two years raises more proportionality questions than one that expires after 24 hours. Regulators expect the cookie consent notice to disclose the lifespan of each cookie.
Classification by Necessity: Essential vs Non-Essential
This is the classification that determines whether consent is legally required.
Essential (Strictly Necessary) Cookies
A cookie qualifies as strictly necessary if it is needed to provide a service that the user has explicitly requested. Typical examples include session cookies that maintain a login state, shopping cart cookies, load-balancing cookies, and CSRF tokens. Under Article 5(3) of the ePrivacy Directive, strictly necessary cookies are exempt from the consent requirement.
The exemption is narrow. A cookie that remembers a user's language preference is debatable - the user requested a web page, not a preference-storage service. Most data protection authorities treat preference cookies as non-essential.
Non-Essential Cookies
Everything else falls here - analytics, advertising, social media widgets, A/B testing, personalisation. Non-essential cookies require informed, freely given, specific, and unambiguous consent before they are set. Pre-ticked boxes, implied consent from scrolling, and cookie walls that block site access do not count.
The French CNIL fined SHEIN EUR 150 million in September 2025 for, among other things, installing cookies before users had given permission and failing to make the "Reject all" option work properly. The same month, the CNIL fined Google EUR 325 million for displaying promotional ads in Gmail without prior consent and for consent designs that steered users toward accepting personalised ads.
Classification by Purpose: The Four Standard Categories
Most consent management platforms group cookies into four categories. This is not a legal requirement, but it maps neatly onto how regulators expect consent to work - granular, per-purpose, and clearly explained.
1. Necessary Cookies
Covered above. These keep the site running and cannot be disabled without breaking core functionality. They do not require consent.
2. Functional (Preference) Cookies
Functional cookies remember choices a visitor has already made - language, region, font size, whether a chat widget should be open or closed. They improve the experience but are not strictly necessary. Most EU regulators require consent for these.
3. Analytics Cookies
Analytics cookies measure how visitors use a site: page views, bounce rates, session duration, traffic sources. The most common is Google Analytics' _ga cookie. France's CNIL and Spain's AEPD offer limited exemptions for audience-measurement cookies if certain conditions are met - such as using a first-party-only analytics tool configured to anonymise IP addresses and not share data with third parties. Outside those narrow exemptions, analytics cookies need consent.
4. Marketing (Advertising) Cookies
Marketing cookies track visitors across websites, build interest profiles, and serve targeted advertisements. They include retargeting pixels, conversion-tracking tags, and social media sharing buttons that set cookies. Cookies like _fbp (Meta Pixel), IDE (Google DoubleClick), and _uetsid (Microsoft Advertising) all fall into this category. Consent is always required - no jurisdiction exempts advertising cookies.
Other Cookie Types Worth Knowing
Secure Cookies and HttpOnly Cookies
A cookie marked with the Secure flag is only transmitted over HTTPS. A cookie marked HttpOnly cannot be read by JavaScript, so a cross-site scripting (XSS) payload running in the page cannot steal it. These are security attributes, not separate legal categories, but they reflect good engineering practice that data protection authorities expect under data protection by design principles.
SameSite Cookies
The SameSite attribute controls whether a cookie is sent with cross-site requests. It has three values: Strict (never sent cross-site), Lax (sent only with top-level navigations such as following a link, not with embedded cross-site requests), and None (sent with all cross-site requests, but browsers accept it only if Secure is also set). Chrome defaults to Lax when no SameSite attribute is specified, which reduces unintentional cross-site cookie leakage.
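The three technical classifications above (origin, duration, and the Secure/HttpOnly/SameSite attributes) can all be read off a Set-Cookie header. The following is an added example, not code from the article or from Kukie.io: it parses a header and reports first-party vs third-party, session vs persistent with the lifetime in days, and the attribute problems a scanner would flag. It assumes the "site" of a host is its last two labels (enough for example.com vs adnetwork.com; a real scanner uses the Public Suffix List), and the hostnames and cookie values are constructed.

```javascript
// Added example, not from the article: classify one Set-Cookie header by
// origin, duration and security attributes. Hostnames/values are constructed.

// Approximate the "site" as the last two host labels (Public Suffix List
// in real tooling). Strips a leading dot from Domain= attributes.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null,
              expires: null, maxAge: null, secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    const val = rest.join('=');
    switch (key.toLowerCase()) {
      case 'domain':   c.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'expires':  c.expires = new Date(val); break;
      case 'max-age':  c.maxAge = parseInt(val, 10); break;
      case 'secure':   c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
      case 'samesite': c.sameSite = val.toLowerCase(); break;
    }
  }
  return c;
}

// responseHost: host that sent the header; pageHost: host in the address bar.
function classifyCookie(header, responseHost, pageHost, now = new Date()) {
  const c = parseSetCookie(header);
  const setBy = c.domain || responseHost;
  const origin = registrableDomain(setBy) === registrableDomain(pageHost)
    ? 'first-party' : 'third-party';
  // Max-Age wins over Expires (RFC 6265); neither present means a session cookie.
  let lifetimeDays = null;
  if (c.maxAge !== null && !Number.isNaN(c.maxAge)) lifetimeDays = c.maxAge / 86400;
  else if (c.expires && !Number.isNaN(c.expires.getTime())) lifetimeDays = (c.expires - now) / 86400000;
  const issues = [];
  if (c.sameSite === 'none' && !c.secure) issues.push('SameSite=None without Secure: browsers reject this cookie');
  if (!c.secure) issues.push('missing Secure flag');
  if (!c.httpOnly) issues.push('readable by JavaScript (no HttpOnly)');
  return { name: c.name, origin,
           duration: lifetimeDays === null ? 'session' : 'persistent',
           lifetimeDays: lifetimeDays === null ? null : Math.round(lifetimeDays),
           secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite, issues };
}
```

Note that the header alone cannot tell you the cookie's purpose (necessary, functional, analytics, marketing); that still has to come from knowing which script set it and why.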
Zombie Cookies and Supercookies
Zombie cookies regenerate after a user deletes them by storing duplicate identifiers in Flash storage, HTML5 local storage, or browser caches. Supercookies exploit browser fingerprinting or ISP-level header injection to track users without any file on the device. Both are widely considered deceptive and would almost certainly violate the GDPR's transparency and lawfulness requirements.
How Cookie Classification Affects Your Consent Banner
A compliant consent banner must do three things: block non-essential cookies until consent is given, offer granular category-level choices, and make rejecting cookies as easy as accepting them. The UK's Information Commissioner's Office (ICO) reviewed the top 1,000 UK websites in 2025 and found that over 95% now meet its cookie compliance standards - up from a much lower figure before the crackdown began.
Your cookie consent platform should automatically categorise detected cookies into the standard groupings, block scripts from firing before consent, and record a timestamped log of each visitor's choice. If your site uses Google Consent Mode v2, the banner must also pass consent signals to Google services so that tags like GA4 and Google Ads respect the visitor's decision.
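The three banner requirements above (block until consent, granular categories, a timestamped record) plus the Consent Mode v2 hand-off can be reduced to a small amount of logic. The following is an added example, not code from the article or from Kukie.io: the `gtag('consent', …)` calls and the seven storage keys are Google's public Consent Mode API, while the category names, the tag list and every function name are this example's own constructed conventions.

```javascript
// Added example, not from the article: a deny-by-default consent gate that
// maps the four standard categories to Consent Mode v2 signals, loads only the
// tags whose category was granted, and returns a timestamped record.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Necessary is always on; everything else is off unless explicitly true
// (so a pre-ticked box or a truthy string does not count), and any category
// the banner does not know is treated as non-essential.
function normaliseChoices(raw) {
  const choices = { necessary: true };
  for (const cat of CATEGORIES.slice(1)) choices[cat] = raw[cat] === true;
  return choices;
}

// Consent Mode v2 storage keys; ad_user_data and ad_personalization are the v2 additions.
function consentModeSignals(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    security_storage: 'granted',                 // strictly necessary, no consent needed
    functionality_storage: g(choices.functional),
    personalization_storage: g(choices.functional),
    analytics_storage: g(choices.analytics),
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
  };
}

// Tags declare a category (constructed convention); unknown categories never load.
function tagsAllowed(tags, choices) {
  return tags.filter((t) => CATEGORIES.includes(t.category) && choices[t.category]);
}

function consentRecord(choices, now = new Date()) {
  return { timestamp: now.toISOString(), choices, policyVersion: 'example-v1' };
}

// Browser entry point: gtag('consent','default', ...) with everything denied must
// run before any tag, then the banner's Accept/Reject/Save handlers call this.
function applyConsent(raw, tags) {
  const choices = normaliseChoices(raw);
  if (typeof window !== 'undefined' && typeof document !== 'undefined') {
    window.dataLayer = window.dataLayer || [];
    function gtag() { window.dataLayer.push(arguments); }   // standard gtag shim
    gtag('consent', 'update', consentModeSignals(choices));
    for (const t of tagsAllowed(tags, choices)) {
      const s = document.createElement('script'); s.src = t.src; s.async = true;
      document.head.appendChild(s);
    }
  }
  return consentRecord(choices);                 // persist this server-side as the audit log
}
```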
Misclassifying a marketing cookie as "necessary" does not just break trust - it exposes your organisation to enforcement action. Cumulative GDPR fines passed EUR 5.65 billion across over 2,200 enforcement actions by early 2025, and cookie consent violations remain among the most frequently targeted categories.
Frequently Asked Questions
What is the difference between first-party and third-party cookies?
First-party cookies are set by the domain the user is visiting. Third-party cookies are set by an external domain, typically an ad network or tracking service loaded via a script or pixel on the page.
Do session cookies need consent under GDPR?
It depends on their purpose. A session cookie that keeps a user logged in is strictly necessary and does not need consent. A session cookie used for analytics or tracking is non-essential and requires consent before being set.
Are analytics cookies considered essential?
No. Most data protection authorities classify analytics cookies as non-essential. France's CNIL and Spain's AEPD allow narrow exemptions for privacy-friendly audience measurement tools, but the default rule is that analytics cookies need consent.
How long do persistent cookies last?
Persistent cookies can last from a few hours to several years, depending on the Expires or Max-Age value set by the server. Google Analytics' _ga cookie defaults to two years. Safari's ITP limits JavaScript-set first-party cookies to seven days.
Can I use a cookie wall to force visitors to accept all cookies?
In the EU, no. The EDPB has stated that cookie walls generally do not produce freely given consent. A few narrow exceptions may apply in specific jurisdictions, but the safest approach is to let visitors access your site without requiring them to accept non-essential cookies.
What happens if I classify a marketing cookie as strictly necessary?
You risk regulatory enforcement. Supervisory authorities actively audit cookie banners and treat deliberate misclassification as a transparency violation under both the ePrivacy Directive and the GDPR. Fines for cookie consent breaches regularly reach six and seven figures.
Are third-party cookies going away?
Safari and Firefox already block them by default. Chrome reversed its deprecation plan in 2024 and confirmed in April 2025 it will not add a separate opt-out prompt. Third-party cookies still function in Chrome, but their reliability is declining as more users and browsers restrict them.
Get Your Cookie Categories Right
If you are unsure which cookies your site sets - or whether they are correctly categorised - start with a scan. Kukie.io detects every first-party and third-party cookie on your site, assigns each one to the appropriate category, and gives you a consent banner that blocks non-essential scripts until your visitors make a choice.