A typical website sets anywhere from five to fifty cookies per visit. Some keep the shopping cart working. Others track which adverts a visitor has seen across a dozen unrelated sites. Privacy law treats these two scenarios very differently, and the distinction comes down to category.
Where Cookie Categories Come From
The concept of dividing cookies into categories originates in Article 5(3) of the ePrivacy Directive (2002/58/EC, amended in 2009). That provision permits storing or reading information on a user's device without consent only where it is strictly necessary to deliver a service the user has explicitly requested (or for the sole purpose of carrying out the transmission of a communication). Everything else requires consent.
Most consent management platforms, including Kukie.io, expand this binary into four categories: strictly necessary, functional, analytics, and marketing. This grouping is not defined word-for-word in legislation, but it follows the categorisation used in guidance from the ICO, the CNIL, and the Article 29 Working Party (now the EDPB), notably WP29 Opinion 04/2012 on the cookie consent exemption. It also maps onto Google Consent Mode's four storage parameters: functionality_storage, personalization_storage, analytics_storage, and ad_storage. Consent Mode v2 added two further advertising signals, ad_user_data and ad_personalization, which follow the marketing category.
Category 1: Strictly Necessary Cookies
Strictly necessary cookies are the only type that do not require consent under EU and UK law. They exist solely to enable a core function that the visitor explicitly requested. The classic example is a session cookie like PHPSESSID or JSESSIONID that keeps a user logged in as they move between pages. Without it, the site would not function as expected.
Other common strictly necessary cookies include CSRF tokens (which prevent cross-site request forgery attacks), load-balancer cookies that route traffic to the correct server, and cookies that store a visitor's consent preferences - such as Kukie.io's own consent cookie.
The exemption is narrow. A cookie qualifies only if both of these conditions are met: the user has actively requested a service (loading a web page counts), and the cookie is strictly necessary to provide that service. A language-preference cookie set silently, for instance derived from the browser's Accept-Language header, fails this test because remembering a language choice is convenient, not strictly necessary to serve the page. WP29 Opinion 04/2012 does treat a user-interface customisation cookie that records a choice the visitor explicitly made (clicking a language selector) as exempt, at least for the duration of the session, so the line is drawn by whether the user asked for it and how long it lives, not by what the cookie is called.
Common Strictly Necessary Cookies
| Cookie name | Purpose | Typical expiry |
|---|---|---|
| PHPSESSID | Server-side session identifier | Session |
| __cfruid | Cloudflare rate limiting (set by the Cloudflare edge, not your origin) | Session |
| csrf_token | Cross-site request forgery protection | Session |
| cart_id | Shopping cart persistence | 14 days |
| cookie_consent | Stores visitor's consent choice | 6-12 months |
Even though consent is not required, transparency is. Where a strictly necessary cookie processes personal data (a session ID tied to a logged-in account, for instance), Article 13 of the GDPR still requires you to tell visitors what it does and why, typically through a cookie policy or the second layer of a consent banner.
Category 2: Functional Cookies
Functional cookies (also called preference cookies) remember choices a visitor has made - language, region, text size, dark mode, or whether they have dismissed a notification banner. They improve the browsing experience without being essential to it.
A common example is pll_language, set by the Polylang plugin on WordPress sites. It records which language version a visitor selected so the site can serve the same language on subsequent page loads. Do not confuse it with wordpress_logged_in_[hash], which WordPress sets on the same sites: that cookie is an authentication credential that keeps a logged-in user authenticated, so it belongs in the strictly necessary category (and should carry the Secure and HttpOnly attributes), not here.
Functional cookies require consent because they are not strictly necessary. The website would still work without them - the visitor would just need to reselect their language each time. Under the UK GDPR and PECR, the ICO treats functional cookies in the same way as analytics and marketing cookies: consent first, set second.
The UK's Data (Use and Access) Act 2025, which received Royal Assent in June 2025, introduced five narrow exemptions for low-risk cookies. Some functional cookies may qualify, but the exemptions are tightly drawn and do not apply broadly to all preference cookies.
Category 3: Analytics Cookies
Analytics cookies measure how visitors interact with a website - which pages they view, how long they stay, what they click, and where they drop off. The data helps site owners identify problems and improve content.
Google Analytics is the dominant source of analytics cookies. Its primary cookie, _ga, assigns each browser a pseudonymous client ID and persists for two years by default. GA4 also sets _ga_<container-id>, one per GA4 property, which holds session state. These cookies generate data that qualifies as personal data under GDPR Recital 30, because the client ID is an online identifier that can single out a natural person when combined with other information held by Google.
That means analytics cookies need consent in the EU and UK. Pre-ticked boxes, implied consent from scrolling, and banners that lack a visible reject button do not count.
The CNIL Exemption for Audience Measurement
The CNIL carved out a limited exception for certain analytics tools. Under its audience measurement guidelines, analytics cookies may be exempt from consent if the tool meets strict conditions: data must be limited to aggregate audience measurement, no cross-site tracking, no data sharing with third parties, and full IP anonymisation. Matomo (formerly Piwik) and AT Internet can qualify when configured correctly. Google Analytics does not qualify, because Google processes the data for its own purposes.
This exemption is not EU-wide. Italy's Garante allows comparable consent-free use of first-party analytics cookies under its 2021 guidelines (IP address masked, no cross-site matching, aggregated statistics only), but most other member states, and the UK under PECR, require consent for all analytics cookies, including privacy-focused alternatives.
Category 4: Marketing and Advertising Cookies
Marketing cookies track visitors across websites to build behavioural profiles and serve targeted advertisements. They are the most privacy-intrusive category and attract the strictest regulatory scrutiny.
The Meta Pixel (_fbp, _fbc), Google Ads (_gcl_au, _gcl_aw), and third-party ad-network cookies like __gads all fall into this category. These cookies create persistent identifiers that follow a visitor from a product page on your site to an ad slot on a completely different domain. The resulting profiles can reveal sensitive information about health conditions, political views, and financial status - categories that attract additional protection under Article 9 of the GDPR.
Marketing cookies always require explicit, informed consent. No exception exists in any EU or UK regulation. The CNIL's September 2025 enforcement actions underscore this point: Shein received a EUR 150 million fine partly because advertising cookies were placed on visitors' devices before the cookie banner had even finished loading.
Google Consent Mode v2, which Google has required since March 2024 for sites that use its advertising features with EEA and UK visitors, ties advertising behaviour directly to consent signals. If a visitor denies the ad_storage parameter, Google tags will not set advertising cookies at all; if ad_user_data or ad_personalization (the two signals v2 added) are denied, Google will not use the visitor's data for ads personalisation or audience building. Sites that send no Consent Mode v2 signals lose remarketing audiences and similar list features for EEA and UK traffic and see degraded conversion measurement.
How to Tell Which Category a Cookie Belongs To
Classification is not always obvious. A cookie called preferences might sound functional but could be logging behavioural data that feeds a recommendation engine - making it an analytics or marketing cookie in practice. What matters is not the name but the purpose and the data flow.
Ask three questions about each cookie:
1. What data does it store? A session ID that expires when the browser closes is less invasive than a persistent UUID with a two-year lifespan.
2. Who reads it? A first-party cookie read only by your own server is different from a third-party cookie accessible to an advertising network spanning thousands of domains.
3. What happens if it is removed? If the site breaks, the cookie is likely strictly necessary. If the visitor loses a language preference, it is functional. If nothing visible changes but a tracking pixel stops firing, it is analytics or marketing.
Running a cookie scan is the most reliable way to identify and classify every cookie on your site. Automated scanners crawl your pages, detect all first-party and third-party cookies, and flag cookies that may be misclassified.
Consent Rules by Category: A Summary
| Category | Consent required (EU/UK)? | Example cookies | Legal basis |
|---|---|---|---|
| Strictly necessary | No | PHPSESSID, CSRF tokens, consent cookies | ePrivacy Art. 5(3) exemption |
| Functional | Yes | pll_language, theme_preference | Consent (Art. 6(1)(a) GDPR) |
| Analytics | Yes (CNIL exemption possible for some tools) | _ga, _ga_[id], _gid | Consent (Art. 6(1)(a) GDPR) |
| Marketing | Yes, always | _fbp, _gcl_au, __gads | Consent (Art. 6(1)(a) GDPR) |
What Happens When You Get the Classification Wrong
Misclassifying cookies is not a theoretical risk. Data protection authorities specifically audit cookie classifications as part of enforcement actions, and the penalties are steep.
The French CNIL's enforcement record makes the stakes clear. In September 2025, the CNIL fined Google EUR 325 million and Shein EUR 150 million for cookie violations, including setting advertising cookies before consent was obtained. In November 2025, the CNIL fined the publisher of Vanity Fair France EUR 750,000 for the same issue - cookies dropped without valid consent despite multiple prior warnings dating back to 2019. Across the full year, the CNIL imposed EUR 486 million in fines from 83 sanctions, with cookies and tracking as a primary enforcement theme.
The UK's ICO has taken a different but equally pointed approach. In January 2025, the ICO announced a systematic review of the top 1,000 UK websites. Its initial sweep of the top 200 found that 134 had non-compliant cookie practices. Warning letters were issued with a deadline of approximately 30 days to fix the problems. By December 2025, the ICO reported that over 95% of those top-1,000 websites met its compliance checks, affecting an estimated 40 million UK internet users.
A common mistake is treating analytics cookies as strictly necessary. Google Analytics cookies do not meet the ePrivacy Directive's exemption criteria because measuring traffic is not strictly necessary to deliver the service the visitor requested. Loading a web page does not require audience measurement. Classifying _ga as strictly necessary and setting it before consent is a textbook violation that any automated audit tool - and any regulator - will catch instantly.
Cookies That Sit Between Categories
Some cookies resist neat classification. A chat widget might set a cookie to remember whether a visitor has already been shown a chat prompt - that is functional. But the same widget might also log page URLs and referring sources to feed into a CRM's lead-scoring algorithm - that is analytics or even marketing.
The safest approach is to classify based on the most privacy-intrusive purpose the cookie serves. If a single cookie supports both a functional purpose (remembering a preference) and a tracking purpose (feeding data into a third-party analytics system), it should be classified as analytics and require consent.
Third-party cookies deserve particular scrutiny. Any cookie set by a domain other than your own - including those from embedded YouTube videos, social sharing buttons, Google Maps iframes, and font services - should be scanned and classified individually. Embedding a YouTube video can set half a dozen cookies from youtube.com and doubleclick.net, all of which fall into the marketing category.
How Cookie Categories Map to Google Consent Mode v2
Google Consent Mode exposes consent parameters that map onto the cookie categories. The four storage parameters below predate v2; Consent Mode v2 added ad_user_data and ad_personalization, which govern how Google may use the data rather than which cookies are written. security_storage covers authentication and fraud prevention and stays granted.
| Consent Mode parameter | Cookie category | What it controls |
|---|---|---|
| functionality_storage | Functional | Storage for site functionality (e.g., language) |
| personalization_storage | Functional | Storage for personalisation (e.g., recommendations) |
| analytics_storage | Analytics | Storage for analytics (e.g., visit duration, bounce rate) |
| ad_storage | Marketing | Storage for advertising (e.g., conversion tracking) |
| ad_user_data (v2) | Marketing | Whether user data may be sent to Google for advertising purposes |
| ad_personalization (v2) | Marketing | Whether data may be used for personalised ads and remarketing |
| security_storage | Strictly necessary | Authentication and fraud-prevention storage; no consent needed |
When a visitor denies a category, the CMP sets the matching parameters to denied through gtag('consent', 'update', ...) or the equivalent Tag Manager consent settings. The default state, pushed before any Google tag loads, should be denied for everything except security_storage; otherwise tags fire with full consent during the window before the banner is answered. If your CMP sends no Consent Mode v2 signals, Google Ads will not build audiences or personalise ads for EEA and UK visitors, and GA4 reports show gaps for non-consenting visitors that only behavioural modelling (itself dependent on Consent Mode) can partially fill.
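The wiring described in the Consent Mode section above and in the marketing-cookie section, as an added example that is not Kukie.io's or Google's code. It pushes a deny-everything default before any Google tag loads, then translates a banner choice expressed in the four categories into a consent update that includes the two v2 signals. The gtag()/dataLayer stub has the shape Google's snippet uses (the stub stores a plain array instead of the arguments object so the result can be inspected); the choice object, CONSENT_DEFAULTS and the function names are assumptions for this example.

```javascript
// Added example, not Kukie.io's or Google's code. Maps CMP categories to
// Google Consent Mode signals. Everything below the stub is an assumption.

const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Default state: every consent-gated parameter denied, security_storage granted
// (authentication and fraud prevention are strictly necessary). wait_for_update
// holds the tags briefly so a previously stored choice can be replayed.
const CONSENT_DEFAULTS = {
  functionality_storage: "denied",
  personalization_storage: "denied",
  analytics_storage: "denied",
  ad_storage: "denied",
  ad_user_data: "denied",        // added in Consent Mode v2
  ad_personalization: "denied",  // added in Consent Mode v2
  security_storage: "granted",
  wait_for_update: 500,
};

// Map {functional, analytics, marketing} booleans to Consent Mode parameters.
// Strictly necessary has no toggle: it is always on and never asked about.
function categoriesToConsent(choice) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    functionality_storage: g(choice.functional),
    personalization_storage: g(choice.functional),
    analytics_storage: g(choice.analytics),
    ad_storage: g(choice.marketing),
    ad_user_data: g(choice.marketing),
    ad_personalization: g(choice.marketing),
    security_storage: "granted",
  };
}

// Called from the banner's accept / reject / save handler. Returns the update
// so callers can inspect exactly what was sent to the tags.
function applyConsent(choice) {
  const update = categoriesToConsent(choice);
  gtag("consent", "update", update);
  return update;
}

// Every consent command pushed so far, in order: [["default", {...}], ["update", {...}]].
function consentCommands() {
  return dataLayer.filter((c) => c[0] === "consent").map((c) => [c[1], c[2]]);
}

gtag("consent", "default", CONSENT_DEFAULTS); // must precede the gtag.js <script>
// Later, when the visitor accepts functional and analytics but rejects marketing:
applyConsent({ functional: true, analytics: true, marketing: false });
```

The order matters: the default command has to be on the dataLayer before the gtag.js script tag, or the first tag loads with no signal and behaves as if consent were granted. The update can be sent any number of times, for example when the visitor reopens the banner and changes a category.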
Practical Steps for Getting Your Cookie Classification Right
Start with a full cookie scan. An automated scanner will crawl your site, identify every cookie set during a visit, and list its name, domain, expiry, and likely purpose. Manual classification is error-prone, especially on sites with multiple third-party integrations.
Review each cookie against the three questions above (what data, who reads it, what breaks without it). Pay special attention to third-party cookies - they almost never qualify as strictly necessary.
Document your classification decisions. If a regulator asks why you classified a particular cookie as strictly necessary, you need a written justification, not a guess. The ROPA (Record of Processing Activities) required under GDPR Article 30 should include your cookie processing activities.
Re-scan regularly. Third-party scripts update without warning. A plugin update might introduce new cookies or change the behaviour of existing ones. Monthly scans catch these changes before a regulator does.
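The three classification questions (what it stores, who reads it, what breaks without it) and the scan-review-document steps above, as an added example in working code that is not Kukie.io's scanner or any vendor's product. It parses Set-Cookie headers captured during one page load, classifies each cookie by known name or, failing that, by first-party versus third-party origin, and reports two kinds of problem: consent-required cookies that arrived before the banner was answered, and strictly necessary session cookies missing the Secure, HttpOnly or SameSite attributes. The site host, every cookie value and the capture itself are constructed for the example.

```javascript
// Added example (not Kukie.io or any vendor's code). Classifies captured
// Set-Cookie headers and flags consent and hardening problems. All hosts,
// cookie values and the capture below are constructed.

const SITE_HOST = "shop.example";  // assumed first-party host
const NOW = Date.UTC(2025, 0, 1);  // fixed clock so expiry maths is reproducible

// Name patterns for the well-known cookies discussed on the page.
// Anything unmatched falls through to the rules in classify().
const KNOWN = [
  [/^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId)$/, "strictly_necessary"],
  [/csrf|xsrf/i, "strictly_necessary"],
  [/^cookie_consent$/, "strictly_necessary"],
  [/^(pll_language|theme_preference)$/, "functional"],
  [/^(_ga(_[A-Z0-9]+)?|_gid)$/, "analytics"],
  [/^(_fbp|_fbc|_gcl_\w+|__gads|IDE)$/, "marketing"],
];
const CONSENT_REQUIRED = new Set(["functional", "analytics", "marketing"]);

// Registrable domain approximated as the last two labels (no public-suffix list).
function site(host) {
  return host.replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header. lifetimeDays is null for a session cookie;
// Max-Age takes precedence over Expires, as in RFC 6265.
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), host, domain: host, lifetimeDays: null,
                   secure: false, httpOnly: false, sameSite: null };
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age") cookie.lifetimeDays = Math.round(Number(val) / 86400);
    else if (key === "expires") expires = Date.parse(val);
    else if (key === "domain") cookie.domain = val.replace(/^\./, "");
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  if (cookie.lifetimeDays === null && Number.isFinite(expires)) {
    cookie.lifetimeDays = Math.round((expires - NOW) / 86400000);
  }
  cookie.thirdParty = site(cookie.domain) !== site(SITE_HOST);
  return cookie;
}

// Unknown cookies are classified by who can read them: third-party is
// provisionally marketing, first-party provisionally functional. Both still
// require consent, so an unrecognised cookie never silently becomes exempt.
function classify(cookie) {
  for (const [re, category] of KNOWN) {
    if (re.test(cookie.name)) return { category, needsReview: false };
  }
  return { category: cookie.thirdParty ? "marketing" : "functional", needsReview: true };
}

// Audit a capture of {host, header, beforeConsent} records, one per Set-Cookie seen.
function audit(capture) {
  return capture.map(({ host, header, beforeConsent }) => {
    const cookie = parseSetCookie(header, host);
    const { category, needsReview } = classify(cookie);
    const issues = [];
    if (CONSENT_REQUIRED.has(category) && beforeConsent) {
      issues.push(`${category} cookie set before consent`);
    }
    if (category === "strictly_necessary") {
      // Exempt from consent, but it carries session state: check hardening too.
      if (!cookie.secure) issues.push("missing Secure");
      if (!cookie.httpOnly && /sess/i.test(cookie.name)) issues.push("session id readable by script (no HttpOnly)");
      if (!cookie.sameSite) issues.push("no SameSite attribute");
    }
    if (needsReview) issues.push("unrecognised cookie: classification is provisional, document its purpose");
    return { name: cookie.name, thirdParty: cookie.thirdParty, lifetimeDays: cookie.lifetimeDays, category, issues };
  });
}

// Names of cookies that needed consent but were set before it was given.
function consentViolations(report) {
  return report.filter((r) => r.issues.some((i) => i.endsWith("before consent"))).map((r) => r.name);
}

// Constructed capture of one visit to shop.example, before and after the banner.
const CAPTURE = [
  { host: "shop.example", header: "PHPSESSID=4f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax", beforeConsent: true },
  { host: "shop.example", header: "JSESSIONID=AB12CD; Path=/", beforeConsent: true },
  { host: "shop.example", header: "csrf_token=7b2e; Path=/; Secure; SameSite=Strict", beforeConsent: true },
  { host: "shop.example", header: "cookie_consent=rejected; Max-Age=15552000; Path=/; Secure; SameSite=Lax", beforeConsent: true },
  { host: "shop.example", header: "_ga=GA1.1.1234567890.1735689600; Domain=.shop.example; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Path=/", beforeConsent: true },
  { host: "shop.example", header: "_fbp=fb.1.1735689600000.987654321; Max-Age=7776000; Path=/; Secure; SameSite=Lax", beforeConsent: false },
  { host: "cdn.widget-vendor.example", header: "wv_visitor=9f8e3a; Domain=.widget-vendor.example; Max-Age=31536000; Path=/; Secure; SameSite=None", beforeConsent: true },
  { host: "shop.example", header: "pll_language=de; Max-Age=31536000; Path=/; Secure; SameSite=Lax", beforeConsent: false },
];

console.log(JSON.stringify(audit(CAPTURE), null, 2));
```

Two design points are worth noting. The _fbp record is a first-party cookie (Meta's script writes it on your own domain), and it is still classified as marketing by name; "set by my domain" is not the same test as "read only by my server". The unknown third-party cookie from the widget vendor is the case that needs a written justification in the ROPA: the script can only mark it provisional, and the default it applies is the consent-required, most intrusive category.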
Frequently Asked Questions
Are analytics cookies ever exempt from consent?
In France, the CNIL allows a limited exemption for audience measurement tools that meet strict conditions: no cross-site tracking, full IP anonymisation, data used only for aggregate statistics, and no sharing with third parties. Google Analytics does not qualify. Most other EU member states require consent for all analytics cookies without exception.
Can I use legitimate interest instead of consent for functional cookies?
No. Article 5(3) of the ePrivacy Directive requires consent for storing or accessing information on a user's device unless the cookie is strictly necessary. Legitimate interest under GDPR Article 6(1)(f) does not override this requirement. The EDPB and national DPAs have confirmed this position repeatedly.
What happens if I classify a marketing cookie as strictly necessary?
The cookie will be set without consent, which is a direct violation of Article 5(3) of the ePrivacy Directive. Regulators specifically look for this type of misclassification during audits. Fines for setting marketing cookies before consent range from thousands to hundreds of millions of euros depending on scale and intent.
Do session cookies always count as strictly necessary?
Not automatically. A session cookie that maintains a login state or shopping cart is strictly necessary. A session cookie that logs page views for analytics purposes is an analytics cookie, regardless of its short lifespan. The exemption depends on purpose, not duration.
How often should I re-scan my website for new cookies?
Monthly scans are a sensible minimum. Third-party scripts, plugin updates, and CMS changes can introduce new cookies without notice. Quarterly scans may suffice for static brochure sites, but any site running advertising tags, social widgets, or e-commerce integrations should scan more frequently.
Does the UK still follow EU cookie consent rules after Brexit?
The UK enforces cookie consent under PECR (Privacy and Electronic Communications Regulations), which mirrors the ePrivacy Directive. The rules are functionally the same: consent is required for all non-essential cookies. The Data (Use and Access) Act 2025 introduced five narrow cookie exemptions, but these do not broadly change the consent requirement for analytics or marketing cookies.
How do I handle cookies set by embedded third-party content like YouTube or Google Maps?
Third-party embeds often set multiple cookies from external domains. These typically fall into the marketing category because they enable cross-site tracking. Block the embed from loading until the visitor consents to marketing cookies, or use privacy-enhanced embed modes (such as YouTube's youtube-nocookie.com domain) that reduce cookie placement.
Get Your Cookie Categories Right
Cookie classification is not a one-time task. Every new plugin, widget, or script can change what your site stores on visitors' devices. A regular scan, monthly for most sites, catches drift before it becomes a compliance gap. Kukie.io detects, categorises, and helps manage every cookie on your site, giving your visitors a clear choice and keeping your classifications accurate.