The 4 GDPR cookie categories: a complete guide
26 March 2026
TL;DR
Neither the GDPR nor the ePrivacy Directive defines cookie categories, but regulator guidance and market practice have converged on four, based on purpose: strictly necessary, functional, analytics (performance), and marketing (advertising). Only strictly necessary cookies are exempt from consent. Every other category requires prior, freely given, specific and informed consent before the cookie is placed on the user's device, and the CMP must actually block those tags until that consent exists. Understanding this classification is essential for configuring your cookie banner and CMP correctly.
The four cookie categories under the GDPR
European regulations do not define cookie categories rigidly, but market practice and guidance from the CNIL, ICO, and major CMPs have converged on four main families. These categories structure the cookie banner and determine which cookies require consent.
The fundamental distinction is this: a cookie is either strictly necessary for the website to function (and therefore exempt from consent), or it is not (and therefore requires prior consent). Functional, analytics, and marketing cookies all fall into the second category.
Strictly necessary cookies (essential)
A strictly necessary cookie is one without which the website cannot function properly. It is set in response to a user action (logging in, adding items to a cart, selecting a language) and serves only that specific purpose.
These cookies do not require user consent under the ePrivacy Directive. They are exempt because their purpose is strictly limited to providing the service requested by the user.
Common examples: session authentication cookies, shopping cart cookies, security cookies (CSRF tokens), load balancing cookies, and cookies that store the user's consent choice (the CMP cookie itself).
An important point: the fact that a cookie is "useful" or "important" to the website is not enough to make it strictly necessary. The CNIL and ICO emphasize this distinction. An analytics cookie, even if it is essential for the site's business objectives, is not strictly necessary for the service requested by the user.
Functional cookies (preferences)
A functional cookie stores a choice the user has already made in order to personalize their experience: display theme (dark/light mode), selected region, a "remember me" token that keeps the user logged in between sessions (never the credentials themselves), video player settings, live chat history.
These cookies are not strictly necessary for the website to function. The site works without them, but the experience is degraded. Under the GDPR and the ePrivacy Directive, functional cookies require user consent before being set.
The boundary between "strictly necessary" and "functional" is sometimes blurry. A simple rule: if the site can deliver the requested service without this cookie (even less comfortably), then the cookie is functional, not strictly necessary.
Analytics cookies (performance / statistics)
An analytics (or performance) cookie collects data on how visitors use the site: pages viewed, visit duration, bounce rate, traffic sources, error messages. This data is aggregated and used to improve the site's performance and content.
The most common example is Google Analytics (cookies _ga, _gid). Other tools like Matomo, Plausible, Piano Analytics, and Adobe Analytics also use analytics cookies.
By default, analytics cookies require user consent. The CNIL allows an exemption for audience measurement tools configured to stay within strict limits: the purpose is restricted to producing audience statistics for the publisher alone, the data is anonymous and aggregated, it is not cross-referenced with other processing, and it is not shared with or reused by third parties. Google Analytics does not qualify for this exemption in its standard configuration.
Marketing cookies (advertising / targeting)
A marketing (or advertising, or targeting) cookie tracks the user's browsing activity to display personalized advertising. These cookies build a user profile based on interests, purchases, and searches, and share this information with advertising networks.
Common examples: Facebook Pixel, Google Ads (remarketing cookies), DoubleClick, retargeting cookies, social media sharing button cookies, affiliate platform cookies.
Marketing cookies always require prior user consent. There are no exceptions. They are often third-party cookies (set by a domain different from the visited site), which makes them particularly sensitive for compliance.
Which consent for which category?
Strictly necessary cookies do not require consent, but informing the user remains mandatory. Functional cookies require prior consent. Analytics cookies require prior consent, except under the CNIL exemption for certain tools configured in "strictly necessary" mode. Marketing cookies always require prior consent.
Consent must be freely given (no cookie wall except under strict conditions), specific (per category, not blanket consent), informed (the user knows what they are accepting), and unambiguous (a positive action, no pre-checked boxes). The user must be able to refuse as easily as to accept, and withdraw consent at any time.
How to configure your CMP by category
A consent management platform (CMP) like FlowConsent presents cookie categories in the cookie banner and allows the user to give or refuse consent per category.
The standard configuration includes four tiers. The first tier (always active, cannot be disabled) contains strictly necessary cookies. The second tier (disabled by default, consent required) contains functional cookies. The third tier (disabled by default, consent required) contains analytics cookies. The fourth tier (disabled by default, consent required) contains marketing cookies.
Each category should include a clear description of its purpose and, ideally, a list of associated cookies with their lifespan and provider. The FlowConsent cookie scanner automatically identifies cookies on your site and classifies them by category.
Common classification mistakes
Classifying Google Analytics as "strictly necessary". Google Analytics sets tracking cookies that are not essential for the site to function. Unless the tool is configured to meet the CNIL's audience-measurement exemption criteria (which Google Analytics does not in its standard setup), these cookies belong to the analytics category and require consent.
Forgetting third-party widget cookies. Social sharing buttons, embedded video players (YouTube, Vimeo), Google Maps, and chat tools all set cookies. They must be classified in the appropriate category and blocked before consent.
Treating functional cookies as "strictly necessary". A cookie that remembers display theme or navigation preferences is functional, not strictly necessary. The site works without it.
Not listing cookies by category in the cookie policy. The cookie policy must detail each category with associated cookies, their purpose, lifespan, and provider.
Pre-checking non-essential categories. Consent must result from a positive action. Functional, analytics, and marketing categories must be disabled by default in the cookie banner.
How to audit your site's cookies by category
A cookie audit starts with a full site scan to identify all cookies and trackers. Each cookie must then be classified into one of the four categories.
For each identified cookie, document its name, domain (first-party or third-party), lifespan, purpose, and the category it belongs to. If you cannot identify a cookie's purpose, treat it as a marketing cookie (most restrictive category) by default.
Check cookies set on all pages of the site, not just the homepage. Some pages contain widgets or iframes that set additional cookies (embedded YouTube videos, third-party forms, conversion pixels).
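As an added example, not the page's own material or FlowConsent's scanner, the following Node.js script turns a set of captured Set-Cookie headers into the inventory described above: name, domain, first- or third-party, lifespan, purpose and category. It assumes the audited site is www.example.com, uses a small illustrative name table (a real audit maintains a fuller one per site), approximates the registrable domain with the last two labels, and classifies anything it does not recognise as marketing, as recommended. The captures at the bottom are constructed sample data.

```javascript
// Added example (not FlowConsent's scanner): build a cookie inventory from captured
// Set-Cookie headers and classify each cookie. The site host, the name table and the
// sample captures are assumptions constructed for illustration.
const SITE_HOST = "www.example.com"; // assumed: the site being audited

// Known cookie names -> category. Illustrative only; a real audit keeps a fuller table.
// Anything not matched is classified as marketing, the most restrictive category.
const KNOWN = [
  { match: /^(sessionid|PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|cart)$/i, category: "necessary", purpose: "session / security" },
  { match: /^cookie_consent$/, category: "necessary", purpose: "stores the consent choice (assumed CMP cookie name)" },
  { match: /^(theme|lang|region)$/, category: "functional", purpose: "user preference" },
  { match: /^(_ga$|_ga_|_gid$|_gat)/, category: "analytics", purpose: "Google Analytics" },
  { match: /^_pk_/, category: "analytics", purpose: "Matomo" },
  { match: /^(_fbp|_fbc|fr)$/, category: "marketing", purpose: "Facebook Pixel" },
  { match: /^(IDE|test_cookie)$|^_gcl_/, category: "marketing", purpose: "Google Ads / DoubleClick" },
];

// Registrable domain approximated as the last two labels (fine for example.com / example.fr;
// use the Public Suffix List for co.uk-style suffixes in a real audit).
function baseDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value. `setBy` is the host that sent the response;
// `now` is the reference time (ms) used to turn Expires into a lifespan in days.
function parseSetCookie(header, setBy, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: setBy, secure: false, httpOnly: false };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = value.replace(/^\./, "");
    else if (key === "max-age") maxAge = Number(value);
    else if (key === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = (t - now) / 86400000;
    } else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  // Max-Age wins over Expires (RFC 6265); neither attribute means a session cookie.
  cookie.lifespanDays = maxAge !== null ? Math.round(maxAge / 86400) : expires !== null ? Math.round(expires) : null;
  return cookie;
}

// Attach party, category, purpose and the consent requirement to a parsed cookie.
function classify(cookie) {
  const known = KNOWN.find((k) => k.match.test(cookie.name));
  const category = known ? known.category : "marketing";
  return {
    ...cookie,
    party: baseDomain(cookie.domain) === baseDomain(SITE_HOST) ? "first-party" : "third-party",
    category,
    purpose: known ? known.purpose : "unknown: review manually, keep blocked until classified",
    requiresConsent: category !== "necessary",
  };
}

// Full inventory from { setBy, header } captures (exported from the browser's network
// panel or a crawler), plus a per-category count for the cookie policy.
function inventory(captures, now = Date.now()) {
  return captures.map(({ setBy, header }) => classify(parseSetCookie(header, setBy, now)));
}

function countByCategory(rows) {
  return rows.reduce((acc, r) => ({ ...acc, [r.category]: (acc[r.category] || 0) + 1 }), {});
}

// Constructed sample captures for illustration.
const SAMPLE_CAPTURES = [
  { setBy: "www.example.com", header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "www.example.com", header: "_ga=GA1.2.123.456; Domain=.example.com; Path=/; Max-Age=63072000" },
  { setBy: "www.example.com", header: "theme=dark; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT" },
  { setBy: "www.facebook.com", header: "fr=xyz; Domain=.facebook.com; Path=/; Max-Age=7776000; Secure" },
  { setBy: "cdn.widget-vendor.example", header: "wv_uid=9f8e; Path=/; Max-Age=31536000" },
];

console.table(inventory(SAMPLE_CAPTURES));
```

The _ga row is the instructive one: it is first-party by domain (Domain=.example.com) yet still an analytics cookie that requires consent, so "first-party" never implies "strictly necessary". The unrecognised wv_uid cookie from the widget CDN lands in marketing until someone documents its purpose, which is the safe default for an audit.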
Checklist: classifying and managing cookies by category
- Scan the site to identify all active cookies and trackers.
- Classify each cookie into one of four categories (strictly necessary, functional, analytics, marketing).
- Configure the CMP to present categories separately in the cookie banner.
- Keep strictly necessary cookies always active (cannot be disabled).
- Disable functional, analytics, and marketing cookies by default.
- Actually block scripts for non-consented categories (not just hide the banner).
- Detail each category in the cookie policy with associated cookies.
- Check if your analytics cookies qualify for the CNIL exemption (strict criteria).
- Regularly audit the site to detect new cookies introduced by updates or new widgets.
- Test refusing each category to verify that corresponding cookies are not set.
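To make two items of this checklist concrete, "actually block scripts for non-consented categories" and "test refusing each category", here is an added example of category gating in JavaScript. It is not FlowConsent's code. It assumes non-essential tags are authored as <script type="text/plain" data-consent="…"> placeholders, which the browser does not execute on page load, and that the CMP hands back the user's choices as a plain object; the cmp.getChoices() call in the trailing comment is a hypothetical name.

```javascript
// Added example (not FlowConsent's code): gate tag execution on per-category consent.
// Assumptions: non-essential tags are authored as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser ignores them on page load, and the CMP returns the user's choices
// as a plain object such as { functional: true, analytics: false, marketing: false }.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Effective consent state. "necessary" is always on (first tier, cannot be disabled);
// every other category is off unless the user explicitly opted in (no pre-checked boxes,
// and a truthy string such as "yes" does not count as opting in).
function consentState(choices = {}) {
  const state = { necessary: true };
  for (const category of CATEGORIES.slice(1)) {
    state[category] = choices[category] === true;
  }
  return state;
}

// May a tag labelled with `category` run under `state`?
// Missing or unknown labels are denied: an unclassified tag is treated like marketing.
function mayRun(category, state) {
  return CATEGORIES.includes(category) && state[category] === true;
}

// DOM-free helper: from a list of { id, category } tag descriptors, the ids allowed to run.
// This is what the "refuse each category" test exercises without a browser.
function selectRunnable(tags, state) {
  return tags.filter((t) => mayRun(t.category, state)).map((t) => t.id);
}

// Browser side: swap each permitted placeholder for a real <script> so it executes.
// A placeholder the user refused is left untouched, so its cookies are never set.
// Returns the number of scripts activated (0 outside a browser).
function activateScripts(state, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const placeholder of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayRun(placeholder.dataset.consent, state)) continue;
    const script = doc.createElement("script");
    for (const { name, value } of placeholder.attributes) {
      if (name !== "type") script.setAttribute(name, value); // keeps src, async, data-* ...
    }
    script.text = placeholder.text; // inline body; empty when src is used
    placeholder.replaceWith(script);
    activated += 1;
  }
  return activated;
}

// Typical wiring once the CMP has a stored or freshly given choice (cmp.getChoices() is a
// hypothetical CMP API):
//   activateScripts(consentState(cmp.getChoices()));
// On withdrawal, a tag that already ran cannot be unloaded: the withdrawal path must delete
// that category's cookies and reload rather than call activateScripts again.
```

Because selectRunnable is DOM-free, the policy can be unit-tested in CI: with every category refused it must return only the necessary tags, and an unlabelled tag must never appear in the result. Hiding the banner without this gating leaves the placeholders as ordinary scripts, which is exactly the mistake the checklist warns against.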
Conclusion
Classifying cookies into four categories (strictly necessary, functional, analytics, marketing) is the foundation of GDPR cookie compliance. Only strictly necessary cookies are exempt from consent. All other categories must be blocked by default and activated only after explicit consent.
To identify and classify the cookies on your site, run a free scan with FlowConsent.
Frequently asked questions
Which cookie categories require consent under the GDPR?
All categories except strictly necessary cookies. Functional, analytics, and marketing cookies require prior, freely given, specific, and informed consent before being placed on the user's device.
Is a language preference cookie strictly necessary or functional?
It depends on the site. If the site cannot display content without knowing the user's language (no default version), the language cookie is strictly necessary. If the site works with a default language and the cookie only remembers a preference, it is functional and requires consent.
Is Google Analytics exempt from consent as an analytics cookie?
Not in its standard configuration. The CNIL provides an exemption for audience measurement tools configured in a strictly limited way (anonymous data, no sharing with third parties, no cross-referencing). Google Analytics in its default configuration does not meet these criteria.
Do social sharing buttons set marketing cookies?
Yes. Facebook, LinkedIn, Twitter/X, and other social sharing buttons typically set third-party cookies that track the user's browsing activity for advertising purposes. These cookies belong to the marketing category and require consent.
Can functional and analytics cookies be grouped into a single category?
It is technically possible but not recommended. The GDPR requires specific consent per purpose. Grouping categories with different purposes reduces the granularity of user choice and may be considered non-compliant by data protection authorities.
How do I know if a cookie is strictly necessary or not?
Ask yourself: can the site deliver the service requested by the user without this cookie? If yes, the cookie is not strictly necessary. An analytics cookie, a personalization cookie, or an advertising cookie is never strictly necessary, even if it is important for your business.
Recommended articles
YouTube nocookie: embedding videos without cookies on your site (25 March 2026)
YouTube-nocookie.com is not enough for GDPR compliance. Local storage, cookies on play click: here is how to embed YouTube videos correctly.
Cookie banner on Webflow without Analytics: is it required? (19 March 2026)
Does a Webflow site without Google Analytics need a cookie banner? Not always. Here are the CNIL exemption criteria and when it becomes mandatory.
Google Fonts on Webflow: the GDPR risk you need to fix (18 March 2026)
Google Fonts loaded from Google servers transmit your visitors' IP addresses without consent. Here is how to fix this on Webflow.