Organizations often classify too many cookies as “strictly necessary.” If your consent banner lists fifteen “strictly necessary” cookies, some of them almost certainly don’t meet the legal standard, exposing you to regulatory risk.
What makes a cookie “strictly necessary”
A strictly necessary cookie is a type of cookie used by a website to function correctly, without which the site would not work as intended. This type of cookie does not collect personally identifiable information about users and does not track their browsing habits across sites.
Strictly necessary cookies are essential to accessing the website’s features such as signing in to authenticated areas, adding items to a shopping cart, processing payments, or maintaining security. They are typically first-party session cookies, though not all first-party cookies qualify as strictly necessary. These cookies allow users to navigate between pages without losing previous actions from the same session – like items in a cart or authentication state.
The legal test
Strictly necessary cookies are the only cookies that privacy laws exempt from requiring user consent. Since these cookies are essential for basic website functionality, website owners do not have to obtain consent from users before placing strictly necessary cookies on their devices.
However, GDPR and the ePrivacy Directive still require websites to inform users about these cookies, what they do, and why they’re necessary. Transparency doesn’t disappear just because consent isn’t required.
The legal test is strict: The cookie must be essential for a service explicitly requested by the user. Not “helpful” or “improves experience” – essential.
Cookies that fail the necessity test
Analytics cookies – even first-party ones: Analytics that help you understand user behavior don’t meet the necessity test. Users didn’t explicitly request that you track their behavior; they requested your content or service. The analytics serve your business purposes, not the user’s explicitly requested service.
Preference cookies that aren’t essential: A cookie remembering that the user prefers dark mode might feel necessary for good UX, but legally it’s not. The site works fine in light mode; the preference is a convenience, not a necessity.
Marketing cookies disguised as functionality: Some companies classify cookies as “strictly necessary” when they’re actually enabling marketing features like personalized content recommendations. If the core service works without it, it’s not strictly necessary.
Load balancing cookies when alternatives exist: While load balancing may be technically necessary for your infrastructure, if you could implement it without cookies (e.g., through IP-based routing), the cookie itself isn’t strictly necessary.
Examples that typically pass the test
Authentication cookies that maintain logged-in state for authenticated services clearly pass. Without these cookies, users would be logged out with every page load, breaking the service they explicitly requested.
Shopping cart cookies for ecommerce sites pass because they’re essential to the explicitly requested service of shopping and completing a purchase.
Security cookies that prevent CSRF attacks or detect suspicious authentication attempts pass because they’re essential to providing the service securely.
Load balancing cookies pass when they’re truly necessary for the service to function (though server-side session management may be a better approach).
What regulators look for
European data protection authorities have issued enforcement actions against organizations that misclassified non-essential cookies as “strictly necessary.” They look for:
- Whether the cookie is truly essential to deliver the service the user requested
- Whether the website functions without the cookie (even if functionality is reduced)
- Whether the purpose serves the user’s needs or the company’s business interests
- Whether alternatives exist that don’t require cookies
If your website works fine without a particular cookie – even if some features are missing – it likely doesn’t qualify as strictly necessary.
Recommended approach
Audit your cookies with this framework:
- If we removed this cookie, would the explicitly requested service stop working entirely?
- Is there any reasonable alternative that would allow the service to work without this cookie?
- Does this cookie serve the user’s explicit request or our business purposes?
If the answer to question 1 is “no,” the answer to question 2 is “yes,” or the answer to question 3 is “our business purposes,” the cookie requires consent.
When in doubt, require consent. The regulatory risk of misclassifying cookies as strictly necessary exceeds the inconvenience of asking users for consent.
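The three audit questions above can be applied mechanically to a cookie inventory exported from a consent banner, which makes the review repeatable and surfaces every cookie declared “strictly necessary” that fails the test. The script below is an added example, not code from the article or from Piwik PRO; the cookie names, the declared categories and the yes/no answers in the sample inventory are constructed, and the function names are this example’s own.

```python
# Added example: reconcile a consent-banner cookie inventory against the three
# audit questions (Q1 service stops without it, Q2 cookieless alternative exists,
# Q3 serves the user's request or the business). Cookie names and answers in
# SAMPLE_INVENTORY are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List

STRICTLY_NECESSARY = "strictly necessary"


@dataclass(frozen=True)
class CookieRecord:
    name: str
    declared_category: str         # category shown on the consent banner
    service_stops_without: bool    # Q1: does the explicitly requested service stop entirely?
    cookieless_alternative: bool   # Q2: is there a reasonable alternative without a cookie?
    serves_user_request: bool      # Q3: True = user's explicit request, False = our business purposes


def consent_reasons(c: CookieRecord) -> List[str]:
    """Return the audit questions this cookie fails; an empty list means it may be exempt."""
    reasons = []
    if not c.service_stops_without:
        reasons.append("Q1: service still works without it")
    if c.cookieless_alternative:
        reasons.append("Q2: a cookieless alternative exists")
    if not c.serves_user_request:
        reasons.append("Q3: serves business purposes, not the user's request")
    return reasons


def requires_consent(c: CookieRecord) -> bool:
    """A single failed question is enough: the cookie needs consent."""
    return bool(consent_reasons(c))


def audit(inventory: List[CookieRecord]) -> Dict[str, List[str]]:
    """Map each cookie declared 'strictly necessary' that fails the test to its reasons.

    Cookies already placed in a consent-requiring category are never flagged:
    asking for consent when none is needed carries no regulatory risk, whereas
    exempting a cookie that needs consent does.
    """
    findings: Dict[str, List[str]] = {}
    for c in inventory:
        if c.declared_category == STRICTLY_NECESSARY:
            reasons = consent_reasons(c)
            if reasons:
                findings[c.name] = reasons
    return findings


def exempt_count(inventory: List[CookieRecord]) -> int:
    """How many declared 'strictly necessary' cookies survive the test."""
    return sum(
        1 for c in inventory
        if c.declared_category == STRICTLY_NECESSARY and not requires_consent(c)
    )


# Constructed sample inventory: three cookies that genuinely pass, three that are
# over-classified in the ways the article describes, one correctly declared as marketing.
SAMPLE_INVENTORY = [
    CookieRecord("session_id", STRICTLY_NECESSARY, True, False, True),     # logged-in state
    CookieRecord("cart", STRICTLY_NECESSARY, True, False, True),           # shopping cart
    CookieRecord("csrf_token", STRICTLY_NECESSARY, True, False, True),     # anti-CSRF
    CookieRecord("visitor_stats", STRICTLY_NECESSARY, False, False, False),  # first-party analytics
    CookieRecord("theme", STRICTLY_NECESSARY, False, False, True),         # dark-mode preference
    CookieRecord("lb_route", STRICTLY_NECESSARY, True, True, True),        # LB cookie, IP routing possible
    CookieRecord("ad_profile", "marketing", False, False, False),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: requires consent ({'; '.join(reasons)})")
    print(f"{exempt_count(SAMPLE_INVENTORY)} cookies remain exempt from consent")
```

Run against the sample inventory, the audit flags the analytics, preference and load-balancing cookies and leaves three cookies exempt. The answers to the three questions are still a human judgement; what the script adds is a consistent record of that judgement next to each cookie the banner exempts, which is exactly what a regulator will ask you to justify.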