Cookie categories group cookies by their purpose on your website. This classification determines which cookies require user consent under privacy laws like the GDPR and CCPA. The standard categories are: strictly necessary, analytics/performance, functional/preferences, marketing/advertising, and social media. Only strictly necessary cookies are exempt from consent requirements.
Why cookie categories matter
Privacy laws like the GDPR require granular consent, so users must be able to accept or reject cookies by category, not just "accept all or nothing." This means your cookie consent banner needs to present clear categories that users can individually toggle.
Properly categorizing your cookies also matters for:
- Script blocking: knowing which scripts to block until consent for that category is given
- Google Consent Mode: mapping categories to Google's consent types (ad_storage, analytics_storage, etc.)
- Cookie policy transparency: accurately disclosing what each cookie does in your privacy policy
- Audit compliance: demonstrating to regulators that you understand and control your cookies
Strictly necessary cookies
Strictly necessary cookies are essential for the website to function as requested by the user. Without them, basic features like page navigation, secure areas, and shopping carts would not work. These are the only cookies exempt from the consent requirement.
Common examples
| Cookie | Purpose | Typical Expiry |
|---|---|---|
| Session ID (PHPSESSID, JSESSIONID) | Maintain user session across page loads | Session (deleted when browser closes) |
| Authentication token | Keep users logged in after authentication | Session to 30 days |
| CSRF token | Prevent cross-site request forgery attacks | Session |
| Shopping cart (cart_id) | Remember items added to cart | Session to 30 days |
| Load balancer cookie | Route requests to the correct server | Session |
| Cookie consent preference | Remember the user's consent choices | 6-12 months |
| Language / region (when essential) | Serve content in the correct language | Session to 1 year |
Analytics / performance cookies
Analytics cookies collect data about how visitors use your website: which pages they visit, how long they stay, what they click, and where they come from. This data helps website owners understand and improve the user experience.
These require consent under the GDPR because they track user behavior for the website owner's benefit, not to provide a service the user requested.
Common examples
| Cookie | Service | Typical Expiry |
|---|---|---|
| _ga | Google Analytics: distinguishes unique users | 2 years |
| _gid | Google Analytics: distinguishes users (24h) | 24 hours |
| _gat | Google Analytics: throttles request rate | 1 minute |
| _hjSession* | Hotjar: session recording and heatmaps | 30 minutes |
| ajs_anonymous_id | Segment: anonymous visitor tracking | 1 year |
| mp_* | Mixpanel: product analytics | 1 year |
Functional / preference cookies
Functional cookies remember user choices and preferences that enhance the browsing experience but aren't strictly necessary for the site to work. These improve convenience but the site would still function without them.
Common examples
| Cookie | Purpose | Typical Expiry |
|---|---|---|
| Theme preference (dark/light) | Remember the user's display preference | 1 year |
| Language (when not essential) | Remember preferred language across visits | 1 year |
| Font size | Remember accessibility settings | 1 year |
| Video player preferences | Remember volume, quality settings | Session to 1 year |
| Form auto-fill data | Pre-populate form fields on return visits | 30 days to 1 year |
| Chat widget state | Remember if live chat was open/closed | Session |
The line between "functional" and "strictly necessary" can be blurry. If your site is multilingual and automatically detects the user's language, the cookie that stores it is arguably necessary. When in doubt, categorize it as functional (requires consent); that is the safer approach.
Marketing / advertising cookies
Marketing cookies track users across websites to build profiles and deliver targeted advertising. They are set by advertising networks and are the most privacy-invasive category of cookies. These always require consent under the GDPR.
Common examples
| Cookie | Service | Purpose |
|---|---|---|
| _fbp, _fbc | Meta Pixel | Facebook/Instagram ad targeting and conversion tracking |
| _gcl_au, _gcl_aw | Google Ads | Google Ads conversion tracking and remarketing |
| IDE, DSID | Google DoubleClick | Ad serving and frequency capping |
| _uetsid | Microsoft Ads (UET) | Bing Ads conversion tracking |
| li_fat_id | LinkedIn Insight Tag | LinkedIn ad targeting and conversion tracking |
| _tt_enable_cookie | TikTok Pixel | TikTok ad attribution |
| _pin_unauth | Pinterest Tag | Pinterest ad targeting |
Which categories need consent?
| Category | GDPR (EU) | CCPA (California) | Other US States |
|---|---|---|---|
| Strictly Necessary | No consent needed | No consent needed | No consent needed |
| Analytics / Performance | Prior consent required | Opt-out if data is sold/shared | Opt-out if data is sold/shared |
| Functional / Preferences | Prior consent required | Generally no action needed | Generally no action needed |
| Marketing / Advertising | Prior consent required | Opt-out required | Opt-out required |
| Social Media | Prior consent required | Opt-out if data is sold/shared | Opt-out if data is sold/shared |
How to classify your website's cookies
1. Scan your website
Use a cookie scanner to automatically discover every cookie and tracker your site sets. Manual inspection misses dynamically loaded cookies, third-party scripts, and cookies set only on specific pages.
2. Identify each cookie's purpose
For each cookie found, determine: Who sets it? What data does it collect? Is it necessary for the site to function? How long does it persist? Is data shared with third parties?
3. Assign categories
Place each cookie in the appropriate category. When in doubt, choose the category that requires more consent; it is always safer to ask for consent that was not strictly required than to skip consent that was.
4. Configure your consent banner
Map your categories to your consent banner's toggle switches. Each non-essential category should have its own toggle that users can individually accept or reject.
5. Re-scan regularly
New cookies appear when you add third-party services, update plugins, or change ad configurations. Scan at least monthly to catch new cookies before they become compliance issues.
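As an added example (not the guide's or AutoCMP's code), the rules from steps 2 and 3 and the dual-purpose rule from the FAQ below, applied to a constructed scan result. The purpose labels, the known-name list and the sample cookies are assumptions made for this example.

```javascript
// Added example, not the guide's code: group a cookie scan into the guide's categories.
const RANK = { necessary: 0, functional: 1, analytics: 2, marketing: 3 }; // consent needed, ascending

// Purpose label recorded in step 2 -> guide category (labels are constructed for this example).
const PURPOSE_TO_CATEGORY = {
  session: 'necessary', security: 'necessary', cart: 'necessary', consent: 'necessary',
  preference: 'functional', analytics: 'analytics',
  advertising: 'marketing', 'social-tracking': 'marketing',
};

// Names from the guide's tables so a scan can be pre-labelled; a trailing "*" matches any suffix.
const KNOWN = [
  ['PHPSESSID', 'session'], ['JSESSIONID', 'session'], ['cart_id', 'cart'],
  ['_ga', 'analytics'], ['_gid', 'analytics'], ['_gat', 'analytics'],
  ['_hjSession*', 'analytics'], ['mp_*', 'analytics'],
  ['_fbp', 'advertising'], ['_fbc', 'advertising'], ['_gcl_*', 'advertising'],
];

function purposesFor(name) {
  return KNOWN
    .filter(([p]) => (p.endsWith('*') ? name.startsWith(p.slice(0, -1)) : name === p))
    .map(([, purpose]) => purpose);
}

const mostInvasive = (cats) => cats.reduce((a, b) => (RANK[a] >= RANK[b] ? a : b));

// cookie = { name, purposes? }. Auditor-supplied purposes win over the name lookup.
// Several purposes -> the most privacy-invasive category (FAQ rule). No known
// purpose -> marketing, so an unidentified cookie is never set without consent.
function classifyCookie(cookie) {
  const purposes = cookie.purposes && cookie.purposes.length ? cookie.purposes : purposesFor(cookie.name);
  const categories = purposes.map((p) => PURPOSE_TO_CATEGORY[p]).filter(Boolean);
  return categories.length ? mostInvasive(categories) : 'marketing';
}

// One group per banner toggle (necessary gets no toggle but is still listed in the policy).
function groupByCategory(scan) {
  const groups = { necessary: [], functional: [], analytics: [], marketing: [] };
  for (const cookie of scan) groups[classifyCookie(cookie)].push(cookie.name);
  return groups;
}

// Constructed sample scan: names from the guide's tables plus three made-up ones.
const SAMPLE_SCAN = [
  { name: 'PHPSESSID' }, { name: '_ga' }, { name: '_hjSessionUser_1' },
  { name: 'lang', purposes: ['preference'] },
  { name: 'vendor_id', purposes: ['analytics', 'advertising'] }, // dual purpose -> marketing
  { name: 'unknown_xyz' },                                       // unidentified -> marketing
];
```

Running `groupByCategory(SAMPLE_SCAN)` puts the unknown cookie and the dual-purpose cookie under marketing, which is the point of the default: a cookie you have not identified must not run before consent.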
Frequently asked questions
Can a cookie belong to multiple categories?
A cookie should be assigned to a single category based on its primary purpose. If a cookie serves multiple purposes (e.g., both analytics and advertising), assign it to the most privacy-invasive category, in this case marketing/advertising.
What about first-party vs third-party cookies?
First-party cookies are set by your domain; third-party cookies are set by external services (ad networks, analytics tools, social plugins). The category system applies to both. A first-party analytics cookie still requires consent. A third-party necessary cookie (like a payment processor's session) may be exempt. The purpose determines the category, not who sets it.
Are fingerprinting and local storage covered too?
Yes. The ePrivacy Directive covers "storing or accessing information on a user's device," which includes local storage, session storage, IndexedDB, and fingerprinting techniques, not just cookies. If you use these technologies for non-essential purposes, they need consent just like cookies.
How do cookie categories map to Google Consent Mode?
Generally: Analytics → analytics_storage; Marketing → ad_storage, ad_user_data and ad_personalization; Functional → functionality_storage. AutoCMP handles this mapping automatically.
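For the script-blocking and Consent Mode points listed at the top of this guide and the mapping just given, an added example that is not AutoCMP's implementation: it derives the consent types from the category toggles and activates held-back tags from the same state. The script manifest and the `type="text/plain"` / `data-consent-id` / `data-src` placeholder convention are assumptions for this example.

```javascript
// Added example, not AutoCMP's code: derive Consent Mode signals from per-category
// consent and activate blocked tags from the same state.
const CATEGORY_TO_CONSENT_TYPES = { // mapping stated in the FAQ above
  functional: ['functionality_storage'],
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Object for gtag('consent', 'default' | 'update', ...). Any consent type whose
// category is not explicitly granted is 'denied', so a missing key fails closed.
function consentModeState(categories) {
  const state = {};
  for (const [category, types] of Object.entries(CATEGORY_TO_CONSENT_TYPES)) {
    for (const type of types) state[type] = categories[category] === true ? 'granted' : 'denied';
  }
  return state;
}

// Constructed manifest: each tag declares the one category it needs. In the page the
// tags are shipped as <script type="text/plain" data-consent-id="..." data-src="...">
// (an assumed convention) so the browser never executes them before consent.
const SCRIPT_MANIFEST = [
  { id: 'app-bundle', category: 'necessary' }, { id: 'ga4', category: 'analytics' },
  { id: 'meta-pixel', category: 'marketing' }, { id: 'chat-widget', category: 'functional' },
];

// Ids allowed to run under the given consent; a tag with an unknown category stays blocked.
function allowedScripts(manifest, categories) {
  return manifest.filter((s) => categories[s.category] === true).map((s) => s.id);
}

// Browser side: push the update the way the standard gtag snippet does, then swap each
// permitted placeholder for a live script. Returns the state so it is testable outside a browser.
function applyConsent(categories) {
  const update = consentModeState(categories);
  if (typeof document === 'undefined') return update;
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('consent', 'update', update);
  for (const id of allowedScripts(SCRIPT_MANIFEST, categories)) {
    const placeholder = document.querySelector(`script[type="text/plain"][data-consent-id="${id}"]`);
    if (!placeholder) continue;
    const live = document.createElement('script');
    if (placeholder.dataset.src) live.src = placeholder.dataset.src; else live.textContent = placeholder.textContent;
    document.head.appendChild(live);
    placeholder.type = 'text/consent-activated'; // never re-run on a second update
  }
  return update;
}
```

Call `gtag('consent', 'default', consentModeState({ necessary: true }))` before any tag loads so every non-essential signal starts as denied, and `applyConsent(...)` whenever the user changes a toggle.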
Sources & References
- ePrivacy Directive 2002/58/EC, Article 5(3)
- GDPR (EU) 2016/679, Recital 30, Articles 6, 7
- EDPB Guidelines 05/2020 on consent
- ICO: Cookies and similar technologies (Guide to PECR)
This guide is for informational purposes only and does not constitute legal advice.
Social media cookies
Social media cookies are set when you embed social sharing buttons, video players, or social feeds on your website. They allow social networks to track visitors across sites, even if the user never clicks the social button.
Common examples
Use youtube-nocookie.com instead of youtube.com for embeds. For social sharing, use simple share links instead of SDK embeds to avoid loading third-party cookies entirely.