Using cookies has privacy and data law implications. These laws nearly always have exemptions for cookies classed as "essential" that mean you don't need consent to use them. However, you will usually need to inform people about your use of such cookies. Here's what you need to know and do.
Which Laws Cover Cookie Use?
Laws affecting cookies fall into two main categories: those which specifically cover cookie use, and those which cover the personal data you collect and use, including through cookies.
The most prominent example of the first category is the 2002 Privacy and Electronic Communications Directive. This is a European Union law that's commonly known as the ePrivacy Directive, and less officially as the "cookie law". It applies if a website user is in the EU; the location of the website operator or the data processing doesn't matter.
The most prominent example of the second category is the General Data Protection Regulation. (GDPR). This is a European Union law that applies if the data subject (the person the data is about), the business using the data, or the data processing itself, is in the EU. Personal data can include cookies if they can be linked to an identifiable individual, including by combining them with other data.
Another example is the Children's Online Privacy Protection Act. This is a United States federal law, commonly known as the COPPA rule. It applies to websites which target users in the US aged under 13, or where the operators know that such people are using their site.
What Are Essential Cookies?
"Essential" is one of the most common categories used when laws and policies try to distinguish between different cookies. It's also sometimes referred to as "strictly necessary."
While precise definitions vary (and are sometimes not entirely clear-cut), the broad principle of an essential cookie is that it is necessary for a website to provide its core functions to users. For example:
- A cookie used for a virtual shopping cart function on an online retail website is essential. Without the cookie it would be difficult or impossible for a user to purchase more than one item without having to go through multiple transactions.
- A cookie used to store somebody's location on a weather website and automatically provide a local forecast is borderline, but likely not essential. The website could still fundamentally work if the user instead had to type in their location every time they visited.
- A cookie used to track how many times particular users visit a website is not essential. It's very helpful for the business to analyze how well it is doing at driving repeat visits, but it's not essential for the website to operate and serve users.
The New York Times gives examples of essential cookies that it uses:

What Cookies Are Not Essential?
Different laws and policies use different categorization of cookies, but common examples other than "essential"/"strictly necessary" include:
- Performance or statistics: these give the website operator information about how people use the site.
- Functional: these power technical features that improve the website in a way that is not essential to its operation.
- Marketing or targeting: these help personalize content to the user, for example by allowing targeted advertising that means different visitors see different ads.
There are other ways to categorize cookies, but these don't tell you whether a cookie is essential.
For example, first party cookies are issued by the website itself while third party cookies come from another source such as an advertising network. Session cookies only last until the user leaves the website, while persistent cookies last for a fixed or indefinite timescale and will still work if and when the user comes back to the site.
Cookies in any of these categories could be essential or non-essential, so they aren't a reliable way to decide if a law applies.
The Economist Group gives examples of particular categories of cookie:

Do I Need Consent To Use Essential Cookies?
None of the major laws on cookies require consent for essential cookies, though it's theoretically possible that the COPPA rule could affect how you use them.
The EU Privacy Directive specifically requires consent to use cookies which are not "strictly necessary". Essential cookies fall into the "strictly necessary" category and so the law does not require consent to use them.
This is reflected in the European Commission's cookie banner, which does not offer a choice to reject essential cookies:

The GDPR does not require consent for essential cookies. That's because consent is only one of the acceptable ways to make data processing lawful under the GDPR. Essential cookies will almost always come under another lawful basis, namely "legitimate interests". This means something that's necessary to carry out your core business but does not outweigh the user's personal data rights.
The COPPA rule is a little more complicated. It broadly requires parental consent to collect personal data about somebody aged under 18, including through cookies. It has a narrower definition of personal data than many laws, specifically limiting it to:
- First and last name.
- A home or other physical address including street name and name of a city or town.
- Online contact information.
- A screen or username that functions as online contact information.
- A telephone number.
- A Social Security number.
- A persistent identifier that can be used to recognize a user over time and across different websites or online services.
- A photograph, video, or audio file, where such file contains a child's image or voice.
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
In most cases, an essential cookie won't collect any such data. Usually this would happen because of poor design, such as with an authentication system that stores a screenname or email address in a cookie. It could also happen with a persistent identifier that recognizes the same user across multiple sites.
When a genuinely essential cookie does have information on the above list, you will need to get parental consent before collecting the data, which effectively means you need consent to issue the cookie.
Can I Use Essential Cookies Without Restriction?
Although you don't need consent, you must still follow notification rules on essential cookies. Many laws say you must tell people what cookies you use, including essential ones.
The ePrivacy Directive says you must give people "clear and comprehensive information" about your cookie use, even with essential cookies. Though the law doesn't detail exactly what information you must provide, the key is that you tell them why you use the data you collect through the cookies.
The GDPR says you must tell people what data you collect and the purposes for which you collect and use it. This can include using essential cookies. For example, a shopping cart cookie might be classed as essential and not require consent, but the details it stores about items a customer has selected can count as personal data.
The COPPA rule only says you must detail what personal information you collect from children. If this applies to an essential cookie, you should be collecting consent anyway.
Many US states have privacy laws that directly or indirectly cover cookies. Though these usually don't require consent to process personal data (many have an opt-out system that lets people stop you selling their data), the laws do commonly say you must inform people about the information you collect. That could cover information collected in an essential cookie.
Laws in countries such as Brazil (LGPD), Canada (PIPEDA) and South Africa (POPI) have a similar practical effect to the GDPR with cookies: you don't need consent for essential cookies but they should be included in the information you must give users about your use of personal data.
How Do I Follow the Rules Regarding Essential Cookies?
You can provide the necessary information about essential cookies in several ways:
You can also link between these items. For example, a cookies banner could outline the types of cookie you use and then link to a cookies policy that goes into more specific detail.
Shell uses a common approach: it lets users accept all cookies, reject all optional cookies (ie, not essential ones), or use the "Manage cookies" option for more granular control. It also links to a full cookie policy:

Allianz uses a cookie banner which details different types of cookies, including strictly necessary (essential) ones:

Bed Advice UK combines its Privacy and Cookies Policy into a single page with a tab control to switch between the two:

Summary
Essential cookies, also called "strictly necessary", are ones which are necessary for your website to provide its core function. They do not include cookies which simply make it easier or more effective to run your business, or which power non-essential functions which simply make the site work better.
While several data privacy laws cover cookies, they don't require consent for essential cookies. They are specifically exempted from the consent requirements for Europe's ePrivacy Directive. They will usually be classed as "legitimate interests" under the GDPR, meaning you don't need consent to use them.
However, cookie-specific laws like the ePrivacy Directive say you must detail all cookies, while privacy laws like the GDPR say you must detail all personal data collection, which can include data collected through essential cookies. A combination of a cookie banner, cookie policy and a Privacy Policy can provide this information clearly and prominently.





