What Marketing Cookies Actually Do
Marketing cookies - sometimes labelled advertising or targeting cookies - are small files placed on a visitor's device to track their browsing behaviour across websites. Their purpose is to build a profile of interests and activity that advertisers use to serve targeted ads, run retargeting campaigns, and measure conversions.
A typical marketing cookie records which pages a visitor views, which products they click on, and whether they complete a purchase or abandon a cart. That data is then shared with advertising platforms so they can display relevant ads as the visitor moves across the web.
The distinction matters because cookie categories determine which consent rules apply. Strictly necessary cookies can load without asking. Marketing cookies cannot.
Common Marketing Cookies and What Sets Them
Marketing cookies come from both your own domain (first-party) and external advertising networks (third-party). Here are the most common ones:
| Cookie Name | Set By | Purpose | Typical Duration |
|---|---|---|---|
_fbp | Meta Pixel | Identifies browsers for ad delivery and retargeting | 90 days |
_gcl_au | Google Ads | Stores conversion data from Google ad clicks | 90 days |
fr | Delivers, measures, and targets advertising | 90 days | |
IDE | Google DoubleClick | Serves targeted ads across non-Google sites | 13 months |
_uetvid | Microsoft Ads (Bing) | Tracks conversions from Bing ad clicks | 16 days |
personalization_id | X (Twitter) | Enables targeted ads on X | 2 years |
bcookie | Identifies browsers for LinkedIn ad targeting | 1 year |
These cookies are typically set through tracking pixels - tiny snippets of JavaScript embedded in your pages. When a visitor loads a page containing the Meta Pixel, for example, it fires a request back to Meta's servers and drops the _fbp cookie on the visitor's browser. That cookie then follows the visitor across any site running the same pixel, building a cross-site profile used for ad targeting and conversion attribution.
Social media widgets, embedded videos, and share buttons also set marketing cookies, often without the site owner realising it.
How Retargeting Works Through Marketing Cookies
Retargeting is the reason visitors see ads for a product they browsed days ago on an entirely different website. When someone visits your site and views a product, the advertising pixel drops a cookie recording that interaction. Later, when the same visitor browses a news site or social media platform in the same ad network, the cookie is read, matched to the recorded behaviour, and a relevant ad is served - often showing the exact product they viewed.
Dynamic product ads, cart abandonment reminders, and lookalike audience modelling all depend on this cookie-driven data flow.
The Legal Framework: GDPR, ePrivacy, and Beyond
Marketing cookies sit squarely in the category of tracking technologies that require prior, explicit consent under EU law. Two regulations work together here.
Article 5(3) of the ePrivacy Directive establishes the rule: storing or accessing information on a user's device requires consent, unless the cookie is strictly necessary to deliver a service the user requested. Marketing cookies do not qualify for that exemption.
GDPR then defines what valid consent looks like. Under Article 7, consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Bundling all cookies into a single "Accept" button without category-level controls does not count either. Visitors must be able to accept non-essential cookies like analytics while rejecting marketing cookies, or vice versa.
Enforcement is not theoretical. In September 2025, the French data protection authority CNIL fined Google a combined 325 million euros and Shein 150 million euros for cookie consent failures - including setting advertising cookies before users had any opportunity to interact with the consent interface. The CNIL's total cookie-related fines in 2025 exceeded 486 million euros, up from roughly 55 million euros in 2024.
CCPA and the Opt-Out Model
The California Consumer Privacy Act (CCPA) and its successor, the CPRA, take a different approach. Rather than requiring opt-in consent before setting marketing cookies, California law requires websites to disclose data collection practices and provide a clear "Do Not Sell or Share My Personal Information" link. If a visitor opts out, marketing cookies that share data with third parties for advertising must stop.
Websites must also honour Global Privacy Control (GPC) browser signals as valid opt-out requests. Ignoring a GPC signal is treated as a violation.
Other Jurisdictions
Brazil's LGPD follows an opt-in model for marketing cookies. South Africa's POPIA requires processing to be justified under a lawful condition, which for marketing cookies typically means consent. Canada's PIPEDA treats cookies as computer programs requiring meaningful consent before installation. The UK GDPR and PECR mirror the EU framework, requiring prior consent for non-essential cookies.
Third-Party Cookies, Browser Changes, and the Shift to First-Party Data
Marketing cookies have traditionally been third-party cookies - set by domains other than the website the visitor is browsing. Safari blocks third-party cookies entirely through Intelligent Tracking Prevention (ITP). Firefox does the same through Enhanced Tracking Protection. These browsers have blocked third-party cookies by default for years.
Google Chrome took a different path. After years of announcing and postponing plans to deprecate third-party cookies, Google formally abandoned the Privacy Sandbox initiative in October 2025, retiring most replacement APIs due to low adoption. Chrome still supports third-party cookies, and in April 2025 Google confirmed it would not introduce a user-facing prompt to disable them. Third-party cookies remain functional in Chrome, but their legal status under privacy law has not changed.
This browser fragmentation is pushing the advertising industry toward first-party data strategies. Meta's Conversions API, Google's server-side tagging, and LinkedIn's CAPI all route tracking data through the website's own server rather than relying on browser-set cookies. These cookieless advertising methods still process personal data and still require consent under GDPR - the legal obligation follows the data, not the technology.
The EU's Digital Omnibus Proposal
In November 2025, the European Commission published the Digital Omnibus proposal, which would bring cookie consent rules directly under GDPR through a new Article 88a, replacing the ePrivacy Directive's role. The proposal acknowledges consent fatigue and introduces Article 88b to standardise how preferences are communicated through machine-readable signals. Marketing cookies would still require consent - the legal instrument would simply change.
How to Handle Marketing Cookies on Your Website
Getting marketing cookie compliance right requires both technical and legal steps. The process starts with knowing exactly which marketing cookies your site sets.
Audit Your Cookies
Run a cookie scan to identify every cookie and tracking pixel active on your site. Pay attention to third-party scripts loaded through tag managers, embedded social widgets, and video players. Many sites unknowingly set marketing cookies through a YouTube embed or a Facebook Like button.
Block Before Consent
Marketing cookie scripts must not execute until the visitor actively opts in. A consent banner that displays while scripts are already firing in the background is exactly the behaviour that earned Shein a 150-million-euro fine. Your consent management platform should block marketing scripts by default and release them only after the visitor grants consent for that specific category.
Provide Granular Choice
Visitors must be able to accept or reject marketing cookies independently of analytics or functional categories. A single "Accept All" button paired with a barely visible "Reject" link is a dark pattern that regulators actively penalise. Both options should have equal visual prominence.
Keep Consent Records
Under GDPR, the burden of proof sits with the data controller. You need timestamped logs showing when each visitor consented, what information they were shown, and which categories they accepted. Retain these records for at least five years.
Respect Withdrawal
Withdrawing consent must be as easy as giving it. When a visitor changes their mind, marketing cookies must stop being set and existing ones should be deleted where technically possible.
Marketing Cookies vs Analytics Cookies
Both marketing and analytics cookies track visitor behaviour, but their purposes differ. Analytics cookies like _ga (set by Google Analytics) measure aggregate traffic patterns - page views, session duration, bounce rates. Marketing cookies like _fbp identify individual visitors to serve them personalised ads across different websites.
The legal treatment is similar under GDPR - both require consent - but some data protection authorities allow limited analytics cookie exemptions. The CNIL, for example, exempts audience measurement tools like Matomo from consent requirements when configured to collect only anonymised, aggregate data. No such exemption exists for marketing cookies.
Google Consent Mode v2 bridges this gap by sending modelled (rather than observed) data to Google when a visitor declines marketing cookies. This preserves some conversion measurement without individual-level tracking, but it does not remove the consent requirement for the underlying cookies.
Frequently Asked Questions
Do marketing cookies require consent under GDPR?
Yes. Marketing cookies are classified as non-essential under both the ePrivacy Directive and GDPR. They must be blocked until the visitor provides explicit, informed, category-specific consent. Pre-ticked checkboxes or implied consent through continued browsing are not valid.
What happens if my site sets marketing cookies before consent?
Setting marketing cookies before obtaining consent is a direct violation of Article 5(3) of the ePrivacy Directive. In 2025, the CNIL fined Shein 150 million euros specifically because advertising cookies loaded before users could interact with the consent banner. Similar enforcement has occurred across EU member states.
Can I use legitimate interest instead of consent for marketing cookies?
No. Under current GDPR and ePrivacy enforcement, legitimate interest is not a valid legal basis for placing marketing or advertising cookies. Consent is the only lawful basis for non-essential cookies that track users for advertising purposes.
Are first-party marketing cookies treated differently from third-party ones?
Not from a legal perspective. Whether a marketing cookie is set by your domain or a third-party advertising network, the consent requirement is the same. The shift from third-party to first-party cookies (as seen with Meta Pixel and Google Ads) does not change the legal obligation to obtain prior consent.
How do marketing cookies differ from analytics cookies?
Analytics cookies like _ga measure aggregate site traffic - page views, session counts, referral sources. Marketing cookies like _fbp or _gcl_au track individual visitors to build advertising profiles and enable retargeting across different websites. Both require consent under GDPR, though some DPAs grant limited exemptions for anonymised analytics.
Does blocking marketing cookies break my ad tracking?
If a visitor declines marketing cookies, tracking pixels from Meta, Google Ads, and other platforms will not fire for that visitor. Google Consent Mode v2 can send modelled (estimated) conversion data in this scenario, but individual-level attribution is lost. Server-side APIs like Meta's Conversions API provide partial alternatives but still require a lawful basis for processing.
How long should I keep cookie consent records?
GDPR does not specify an exact retention period for consent records, but regulatory guidance and enforcement practice suggest retaining them for at least five years. Records should include a timestamp, the consent text displayed, the categories accepted or rejected, and a unique identifier for the consent event.
Take Control of Your Cookie Compliance
If you run advertising campaigns, social media pixels, or retargeting scripts, your website almost certainly sets marketing cookies. A proper audit is the first step toward compliance. Kukie.io scans your site, identifies every marketing cookie, categorises it, and blocks it until your visitors give clear consent.
