Cookie Categories: How to Classify Cookies for Consent

Cookie consent is not an all-or-nothing decision. Privacy regulations require that users can make granular choices about which types of cookies they accept. To make this possible, cookies are organized into categories — groups based on their purpose, each with its own consent requirements.

Getting categorization right is critical. Misclassifying a marketing cookie as "strictly necessary" is not just a technical error — it is a compliance violation that regulators actively look for and penalize.

Why Categorization Matters

The GDPR requires that consent be "specific" (Article 4(11)). The Article 29 Working Party (now the EDPB) has clarified that this means consent must be given separately for each distinct purpose. Bundling all cookies into a single "accept all" without offering per-category choice does not meet this standard.

In practice, this means your cookie consent mechanism must present cookies grouped by purpose and allow users to accept or reject each category independently. The standard that has emerged across the industry — and that regulators expect — uses four categories.

The Four Standard Cookie Categories

1. Strictly Necessary Cookies

These cookies are essential for the basic functioning of the website. Without them, the service the user has explicitly requested cannot be provided.

Consent required: No. Strictly necessary cookies are exempt from the consent requirement under ePrivacy Directive Article 5(3), which states that consent is not needed for cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Examples of strictly necessary cookies:

  • Session cookies that maintain login state
  • Shopping cart cookies on an e-commerce site
  • CSRF (cross-site request forgery) protection tokens
  • Load balancing cookies that distribute traffic across servers
  • Cookie consent preference cookies (the cookie that remembers your consent choice)
  • Security cookies that detect authentication abuse

What is NOT strictly necessary:

  • Analytics cookies — even first-party ones. Measuring traffic is useful for the website operator, but it is not necessary for providing the service the user requested.
  • Social media plugins — sharing buttons and embedded feeds serve the site owner's interests, not a function the user explicitly requested.
  • Advertising cookies — by definition, these serve a purpose beyond the service the user is accessing.
  • A/B testing cookies — these serve the site operator's optimization goals, not the user's explicit request.

The key test is perspective: necessary for whom? If the cookie serves the website operator's interests rather than a function the user explicitly requested, it is not strictly necessary — regardless of how important it may be to the business.

2. Analytics / Statistics Cookies

These cookies collect information about how visitors use the website: which pages are visited, how long users stay, where they come from, and where they drop off. The data is typically aggregated and used to improve the website.

Consent required: Yes, in most jurisdictions. However, some data protection authorities (notably the French CNIL and the Dutch AP) have indicated that certain first-party analytics tools may qualify for a limited exemption, provided specific conditions are met (see our section on when consent is required).

Common analytics cookies:

Cookie            Service             Purpose                     Default Lifetime
_ga               Google Analytics    Distinguishes unique users  2 years
_ga_*             Google Analytics 4  Maintains session state     2 years
_gid              Google Analytics    Distinguishes users (24h)   24 hours
_pk_id.*          Matomo              Visitor ID                  13 months
_pk_ses.*         Matomo              Session tracking            30 minutes
_hjSessionUser_*  Hotjar              User identifier             1 year

Note that Google Analytics cookies are third-party in nature even though they may appear as first-party cookies — because Google processes the data on its own servers and may use it for its own purposes. This distinction has been significant in several European enforcement actions.

3. Marketing / Advertising Cookies

These cookies track visitors across websites to build a profile of their browsing behavior. This profile is used to deliver targeted advertising, measure ad campaign effectiveness, and limit the number of times a user sees a particular ad.

Consent required: Always. There is no exception for advertising cookies under any interpretation of the ePrivacy Directive or GDPR.

Common marketing cookies:

Cookie     Service                Purpose                         Default Lifetime
_fbp       Meta (Facebook)        Tracks visits for ad targeting  3 months
_gcl_au    Google Ads             Conversion tracking             3 months
IDE        Google DoubleClick     Retargeting and ad serving      13 months
_uetsid    Microsoft Advertising  Conversion tracking             1 day
li_fat_id  LinkedIn               Member indirect identifier      30 days

Marketing cookies are almost always third-party. They represent the highest privacy risk and are the most heavily regulated category. Any consent mechanism that makes it easier to accept marketing cookies than to reject them risks regulatory action.

4. Preferences / Functionality Cookies

These cookies enable enhanced functionality and personalization that goes beyond the strictly necessary. They remember choices the user has made but are not required for the core service to function.

Consent required: Yes, though the risk level is lower than analytics or marketing cookies. Some regulators treat preferences cookies with more leniency, but the legal position is that consent is still required.

Examples:

  • Language preference (when the site functions without it and simply defaults to another language)
  • Region or currency selection
  • Username pre-fill on login forms
  • Video player preferences (volume, quality)
  • Chat widget state (open/closed, conversation history)
  • Font size or accessibility preferences

The distinction between "strictly necessary" and "preferences" can be subtle. A language cookie on a single-language site is meaningless. A language cookie on a multilingual site that defaults to a functional language without it is a preference. A language cookie on a site that cannot function at all without it — because the content does not load without a language selection — could arguably be strictly necessary. Context matters.
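The consent rules laid out for the four categories above (only the strictly necessary category is exempt, every other category stays rejected until the user opts in, and each category is accepted or rejected on its own) can be encoded as a small consent-state model. The following JavaScript is an added example, not Passiro's code or any consent library's API; the cookie name cookie_consent, the category keys and the serialisation format are assumptions made for the example.

```javascript
// Added example (not Passiro's code): a per-category consent model for the four
// standard categories. The cookie name "cookie_consent", the category keys and
// the "cat=1&cat=0" serialisation are assumptions for this example.

const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];

// Only "necessary" is exempt from consent (ePrivacy Directive Art. 5(3)); every
// other category defaults to rejected until the user explicitly opts in.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, preferences: false };
}

// Apply the user's per-category choices. "necessary" cannot be switched off, and
// category names the model does not know are ignored rather than silently granted.
function applyChoices(consent, choices) {
  const next = { ...consent, necessary: true };
  for (const [cat, value] of Object.entries(choices)) {
    if (cat !== "necessary" && CATEGORIES.includes(cat)) next[cat] = value === true;
  }
  return next;
}

// Serialise the state as a Set-Cookie header value. The preference cookie itself is
// strictly necessary (it remembers the consent choice), so it is set without consent.
function consentCookieHeader(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = CATEGORIES.map((c) => `${c}=${consent[c] ? 1 : 0}`).join("&");
  return `cookie_consent=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Parse a Cookie request header back into a consent state. Anything missing or
// malformed falls back to the default (rejected), never to granted.
function parseConsentCookie(cookieHeader) {
  const consent = defaultConsent();
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return consent;
  for (const pair of decodeURIComponent(m[1]).split("&")) {
    const [cat, v] = pair.split("=");
    if (cat !== "necessary" && CATEGORIES.includes(cat)) consent[cat] = v === "1";
  }
  return consent;
}

// Gate: a tag or script may only load when its category has consent. A tag whose
// category is unknown is treated as non-necessary and blocked.
function mayLoad(tagCategory, consent) {
  return CATEGORIES.includes(tagCategory) && consent[tagCategory] === true;
}

// Stand-alone demonstration: the user accepts analytics only.
const demo = applyChoices(defaultConsent(), { analytics: true, marketing: false });
console.log(consentCookieHeader(demo));
console.log("load analytics tag:", mayLoad("analytics", demo), "load ad pixel:", mayLoad("marketing", demo));
```

The important design choice is the failure direction: a missing, truncated or tampered consent cookie is parsed as "rejected" for every non-necessary category, so a bug in serialisation can never turn into an unconsented tag load.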

How to Categorize Your Cookies Correctly

Follow this process for each cookie on your website:

  1. Identify the cookie. What is its name, who sets it (first-party or third-party), and how long does it last?
  2. Determine its purpose. Why does this cookie exist? What happens if it is removed?
  3. Apply the strictly necessary test. Is this cookie essential for a function the user explicitly requested? If the user asked to log in, a session cookie is necessary. If you want to track their behavior, that is your need, not theirs.
  4. Assign the category. If it is not strictly necessary, classify it based on its primary purpose: analytics, marketing, or preferences.
  5. Document your reasoning. For each cookie, record why you categorized it the way you did. This documentation is valuable if a regulator ever asks.

Common Categorization Mistakes

Based on regulatory enforcement actions and audit findings, these are the most common errors:

  • Classifying Google Analytics as strictly necessary. This is the single most common mistake. GA is an analytics tool. It is never strictly necessary for providing a service to the user. Several DPAs have specifically called this out.
  • Putting all third-party cookies under "functionality." Embedded YouTube videos, social sharing buttons, and chat widgets are not strictly necessary and their cookies typically serve analytics or marketing purposes beyond the visible functionality.
  • Ignoring cookies set by plugins and integrations. A WordPress site with 20 plugins may set dozens of cookies the site operator is not even aware of. You are still responsible for all of them.
  • Treating marketing cookies as analytics. Facebook Pixel and Google Ads conversion tracking are marketing cookies, not analytics — their primary purpose is advertising, even if you use the data analytically.
  • Miscategorizing A/B testing cookies. Tools like Optimizely and VWO set cookies to assign users to test groups. These are not strictly necessary and should be categorized as analytics or preferences.
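The five-step process above and the list of common mistakes can both be checked mechanically. The following JavaScript is an added example, not Passiro's scanner or any product's code: it carries a catalogue of the cookies named in the two tables on this page with their correct categories, applies the strictly-necessary test to everything else based on the purpose recorded in step 2, and compares the result with the category the site operator declared. The inventory is constructed sample data, and the purpose labels and declared categories are assumptions made for the example.

```javascript
// Added example (not Passiro's code): applying the categorisation steps to an
// inventory of observed cookies and flagging the common mistakes listed above.
// KNOWN_COOKIES comes from this page's tables; SAMPLE_INVENTORY is constructed.

const KNOWN_COOKIES = [
  { pattern: /^_ga$/, service: "Google Analytics", category: "analytics" },
  { pattern: /^_ga_/, service: "Google Analytics 4", category: "analytics" },
  { pattern: /^_gid$/, service: "Google Analytics", category: "analytics" },
  { pattern: /^_pk_id\./, service: "Matomo", category: "analytics" },
  { pattern: /^_pk_ses\./, service: "Matomo", category: "analytics" },
  { pattern: /^_hjSessionUser_/, service: "Hotjar", category: "analytics" },
  { pattern: /^_fbp$/, service: "Meta (Facebook)", category: "marketing" },
  { pattern: /^_gcl_au$/, service: "Google Ads", category: "marketing" },
  { pattern: /^IDE$/, service: "Google DoubleClick", category: "marketing" },
  { pattern: /^_uetsid$/, service: "Microsoft Advertising", category: "marketing" },
  { pattern: /^li_fat_id$/, service: "LinkedIn", category: "marketing" },
];

// Step 3: the strictly-necessary test. Only purposes that serve a function the
// user explicitly requested pass (login session, cart, CSRF token, consent
// preference, load balancing, abuse detection). The purpose label is what the
// auditor recorded in step 2 (assumed vocabulary); unknown purposes never pass.
const NECESSARY_PURPOSES = new Set(["session", "cart", "csrf", "consent", "load-balancing", "security"]);

function isStrictlyNecessary(cookie) {
  return NECESSARY_PURPOSES.has(cookie.purpose);
}

// Steps 1 to 4 for one cookie. A known tracker is classified by its catalogue
// entry regardless of the purpose the operator wrote down.
function categorize(cookie) {
  const known = KNOWN_COOKIES.find((k) => k.pattern.test(cookie.name));
  if (known) return { category: known.category, reason: `known ${known.service} cookie` };
  if (isStrictlyNecessary(cookie)) return { category: "necessary", reason: `purpose "${cookie.purpose}" is requested by the user` };
  if (cookie.purpose === "ab-test") return { category: "analytics", reason: "A/B test assignment serves the operator, not the user" };
  if (cookie.purpose === "preference") return { category: "preferences", reason: "remembers a user choice the site works without" };
  return { category: "unclassified", reason: "purpose unknown; treat as requiring consent until documented" };
}

// Step 5 plus the mistakes list: compare the declared category with the derived
// one and record a finding for each mismatch pattern named above.
function audit(inventory) {
  return inventory.map((cookie) => {
    const derived = categorize(cookie);
    const findings = [];
    if (cookie.declared === "necessary" && derived.category !== "necessary") {
      findings.push(`declared strictly necessary but is ${derived.category}`);
    }
    if (cookie.declared === "analytics" && derived.category === "marketing") {
      findings.push("marketing cookie declared as analytics");
    }
    if (cookie.declared === "preferences" && cookie.thirdParty && derived.category !== "preferences") {
      findings.push("third-party cookie hidden under functionality");
    }
    if (!cookie.declared) findings.push("cookie not declared in the consent banner at all");
    return { name: cookie.name, derived: derived.category, reason: derived.reason, findings };
  });
}

// Constructed sample inventory: what a scan (step 1) might return, plus the
// category the operator currently declares for each cookie (null = undeclared).
const SAMPLE_INVENTORY = [
  { name: "sessionid", thirdParty: false, lifetime: "session", purpose: "session", declared: "necessary" },
  { name: "_ga", thirdParty: false, lifetime: "2 years", purpose: "analytics", declared: "necessary" },
  { name: "_fbp", thirdParty: false, lifetime: "3 months", purpose: "ads", declared: "analytics" },
  { name: "IDE", thirdParty: true, lifetime: "13 months", purpose: "ads", declared: "preferences" },
  { name: "ab_variant", thirdParty: false, lifetime: "6 months", purpose: "ab-test", declared: "necessary" },
  { name: "lang", thirdParty: false, lifetime: "1 year", purpose: "preference", declared: "preferences" },
  { name: "plugin_x_uid", thirdParty: false, lifetime: "1 year", purpose: "unknown", declared: null },
];

function findingsFor(inventory, name) {
  return audit(inventory).find((r) => r.name === name).findings;
}

for (const r of audit(SAMPLE_INVENTORY)) {
  console.log(`${r.name}: ${r.derived} (${r.reason})`, r.findings.length ? r.findings : "ok");
}
```

Two choices matter here. A name that matches a known tracker wins over whatever purpose the operator recorded, which is exactly how a scanner catches Google Analytics declared as "necessary". And a cookie whose purpose nobody can explain is left unclassified and reported, rather than being quietly dropped into a consent-exempt bucket.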

Automate the Process

Manual cookie audits are time-consuming and error-prone. Websites change constantly — a new plugin, an updated script, a marketing team adding a tracking pixel — and each change can introduce new cookies that need to be categorized.

Passiro automatically scans and categorizes all cookies on your website, detects new cookies when they appear, and flags potential miscategorizations. This ensures your cookie consent mechanism always reflects the actual cookies your site uses — not just the ones you knew about when you last checked.

Now that we understand the categories, let's look at what cookie consent actually means legally — the requirements are more specific than most people realize.
