Cookie Categories Explained: Necessary, Analytics, Marketing & Functional

Why Cookie Categories Matter

GDPR requires that users can give or refuse consent for different types of cookies independently. You can't bundle everything into a single "Accept all" — users must be able to accept analytics cookies while rejecting marketing cookies, for example.

To make this possible, every cookie on your website must be classified into a category. The standard categorisation used by most consent management platforms, including LegalBanner, uses four groups.

1. Necessary (Strictly Necessary) Cookies

These cookies are essential for the website to function. They don't require consent because without them, the site literally cannot work.

Examples:

• Session cookies that keep you logged in
• Shopping cart cookies on e-commerce sites
• CSRF tokens that prevent security attacks
• Load balancer cookies that route your request to the right server
• The cookie consent preference cookie itself

Key rule: Only cookies that are genuinely technically necessary qualify. You cannot classify a Google Analytics cookie as "necessary" — your website works perfectly without it. Misclassifying cookies is a common violation that regulators specifically look for.

2. Analytics (Performance/Statistics) Cookies

These cookies collect anonymous or pseudonymous data about how visitors use the website. They help you understand traffic patterns, popular pages, and user behaviour.

Examples:

• Google Analytics (_ga, _gid)
• Hotjar (_hjSessionUser)
• Mixpanel, Plausible, Matomo cookies
• A/B testing cookies (Optimizely, VWO)

Consent required: Yes. Even though analytics cookies are less intrusive than marketing cookies, they still track user behaviour and require explicit opt-in consent under GDPR.

3. Marketing (Advertising/Targeting) Cookies

These cookies track users across websites to build a profile of their interests, enabling targeted advertising and retargeting campaigns.

Examples:

• Facebook Pixel (_fbp, _fbc)
• Google Ads (_gcl_au)
• LinkedIn Insight Tag
• Twitter/X conversion tracking
• AdSense, DoubleClick cookies

Consent required: Yes, and this is the category with the highest scrutiny. Marketing cookies involve extensive profiling, cross-site tracking, and data sharing with ad networks — all activities that GDPR treats with the strictest requirements.

4. Functional (Preferences) Cookies

These cookies remember user preferences and choices that enhance the experience but aren't strictly necessary for the site to work.

Examples:

• Language preference cookies
• Theme/dark mode preference
• Chat widget cookies (Intercom, Crisp)
• Embedded video player preferences (YouTube)
• Font size or accessibility settings

Consent required: Generally yes, unless the cookie is set in direct response to a user action (e.g., the user explicitly switches language). In ambiguous cases, it's safer to require consent.

How LegalBanner Categorises Cookies Automatically

When you add your site to LegalBanner, the automatic scanner detects every cookie and third-party script, then classifies them into the correct category using a database of 10,000+ known cookies. You can review and adjust any classification in the dashboard.

Accurate classification matters: if a regulator audits your banner and finds marketing cookies labelled as "necessary," it's an automatic violation.