What Cookies Actually Need Consent Under GDPR?
Not all cookies require consent. Learn the difference between strictly necessary, functional, analytics, and marketing cookies.
The Short Answer
Under GDPR, any cookie that is not strictly necessary for the website to function requires explicit user consent before it can be set. This means analytics, marketing, and most functional cookies all need opt-in consent.
Cookie Categories Explained
Strictly Necessary Cookies (No Consent Needed)
These are cookies essential for the website to work. Without them, the site would break:
- Session cookies that keep you logged in
- Shopping cart cookies on e-commerce sites
- CSRF tokens for security
- Load balancing cookies for server infrastructure
- Cookie consent preference cookies (the cookie that remembers your choice)
Key test: if you remove the cookie, does a core feature of the site stop working? If yes, it's strictly necessary.
Functional Cookies (Consent Required)
These improve the user experience but aren't essential:
- Language preferences
- Region/location settings
- Chat widget identifiers (Intercom, Crisp)
- Video player preferences
- Font size or accessibility settings
Many developers incorrectly assume these are "necessary." Under GDPR, comfort and convenience don't qualify as necessity.
Analytics Cookies (Consent Required)
Any cookie that tracks user behavior requires consent:
- Google Analytics (
_ga,_gid,_gat) - Hotjar (
_hjid,_hjSessionUser) - Microsoft Clarity (
_clck,_clsk) - Mixpanel, Segment, Matomo (unless self-hosted with anonymization)
Exception: Some privacy-focused analytics tools (Plausible, Fathom) are designed to work without cookies and may not require consent. But verify — if they set any cookie, consent is needed.
Marketing Cookies (Consent Required)
These are used for advertising and tracking across sites:
- Facebook Pixel (
_fbp,_fbc) - Google Ads (
_gcl_au,_gcl_aw) - LinkedIn Insight (
li_sugr,bcookie) - TikTok Pixel (
_ttp,tt_*)
These always require consent. No exceptions.
The Timing Rule
GDPR doesn't just require consent — it requires consent before the cookie is set. This means:
- When a user first visits your site, only strictly necessary cookies should be active
- Analytics and marketing scripts must be blocked until the user clicks "Accept"
- If a user never interacts with the consent banner, non-essential cookies must remain blocked
This is where most websites fail. They load Google Analytics on page load and ask for consent afterward — that's a violation.
What This Means for You
- Audit your cookies — Use a tool like GDPR Fix to see exactly what cookies your site sets
- Classify each cookie — Determine if it's truly necessary or requires consent
- Block before consent — Configure your CMP or tag manager to block non-essential cookies until opt-in
- Document everything — List each cookie in your cookie policy with name, purpose, provider, and duration
The penalty for getting this wrong? Up to €20 million or 4% of global annual turnover — whichever is higher.
Check your website now
Find out if your site has the issues described in this article. Free scan, results in minutes.
Scan Your Site — Free