Cookies

The difference between essential and non-essential cookies

When you implement a cookie consent banner on your website, you do not need to ask for consent for every single cookie your site sets. The law carves out an exemption for "strictly necessary" cookies — those without which the website simply could not function. Understanding this distinction correctly means you avoid both under-compliance (failing to get consent for cookies that need it) and over-compliance (blocking cookies that could safely load without user interaction).

What counts as strictly necessary?

A cookie is strictly necessary if it is essential to provide a service that the user has explicitly requested. The standard examples are:

  • Session cookies that keep a user logged in as they navigate between pages
  • Shopping cart cookies that remember what items a user has added
  • Security cookies used for CSRF protection, rate limiting, or fraud prevention
  • Load balancing cookies that route requests to the right server
  • Consent record cookies that remember the user's own cookie preferences

The test is not whether the cookie is useful to you as the operator — it is whether removing it would make the website non-functional from the user's perspective. A cookie that makes your checkout work is essential. A cookie that tells you which marketing channel the user came from is not.

The following categories of cookies require prior consent, regardless of how you have set them up:

  • Analytics cookies — Google Analytics, Microsoft Clarity, Hotjar, Mixpanel. Even first-party analytics implementations that process IP addresses or generate persistent user IDs are not strictly necessary.
  • Advertising and tracking cookies — Facebook Pixel, Google Ads conversion tracking, TikTok Pixel. These are not necessary to deliver your core service.
  • Social media cookies — embedded share buttons, Like buttons, and comment widgets from social platforms set third-party cookies that track users across sites.
  • Personalisation cookies — cookies that remember a user's display preferences, language choice (unless critical to service delivery), or previously viewed content for recommendation purposes.
  • A/B testing cookies — unless they affect a fundamental aspect of how the site functions.

How to audit your cookies

Most website operators do not have a clear picture of every cookie their site sets. Third-party scripts added by plugins, embedded content, and marketing tools can each set their own cookies without you realising it. A cookie scanner runs against your live site and lists every cookie being set, its expiry, and whether it is first-party or third-party. Running this audit at least annually — and after any significant change to your tech stack — is the baseline for maintaining an accurate cookie policy and a correctly configured consent banner.
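As an added example (not part of the original article), a minimal cookie audit in Python: it parses Set-Cookie headers from constructed sample responses and labels each cookie first-party or third-party and session or persistent, the columns the article says a scanner should report. The site host and the sample responses are assumptions.

```python
# Added example (not from the original article). It parses Set-Cookie headers
# the way a cookie audit would, labelling each cookie first- or third-party and
# session or persistent. All sample data below is constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SITE_HOST = "www.example.com"  # assumed: the site being audited

# Constructed sample: (host that sent the response, Set-Cookie header value)
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("www.example.com", "cart=item42; Domain=example.com; Max-Age=604800; Path=/"),
    ("www.example.com", "cookie_consent=accepted; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("stats.analytics-vendor.invalid", "_vid=987; Domain=.analytics-vendor.invalid; Max-Age=63072000"),
]


def registrable_domain(host):
    """Naive 'last two labels' rule; a real audit should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def audit(responses, site_host=SITE_HOST, now=None):
    """Return one record per cookie: name, party, lifetime in days (None = session), flags."""
    now = now or datetime.now(timezone.utc)
    site_domain = registrable_domain(site_host)
    records = []
    for origin_host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie without a Domain attribute belongs to the host that set it.
            cookie_host = morsel["domain"] or origin_host
            party = "first-party" if registrable_domain(cookie_host) == site_domain else "third-party"
            if morsel["max-age"]:                       # Max-Age takes precedence over Expires (RFC 6265)
                lifetime = int(morsel["max-age"]) / 86400
            elif morsel["expires"]:
                lifetime = (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
            else:
                lifetime = None                         # session cookie: gone when the browser closes
            flags = [f for f in ("secure", "httponly") if morsel[f]]
            records.append({"name": name, "party": party, "lifetime_days": lifetime, "flags": flags})
    return records


if __name__ == "__main__":
    for r in audit(SAMPLE_RESPONSES):
        life = "session" if r["lifetime_days"] is None else f"{r['lifetime_days']:.0f} days"
        print(f"{r['name']:<16} {r['party']:<12} {life:<10} {' '.join(r['flags'])}")
```

Running it lists the four sample cookies; the third-party, two-year `_vid` cookie is the kind of entry that belongs in the "requires consent" column of your cookie policy, while the session-scoped `sessionid` is a textbook strictly necessary cookie.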

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.
