What Are Essential Cookies, and Do You Need to Disclose Them?

Written by FreePrivacyPolicy Legal Writing Team and last updated on 08 May 2024.

Essential cookies are cookies that are necessary for a website to work properly. For example, ecommerce stores need essential cookies to remember which items are in a visitor's shopping cart.

Essential cookies are exempt from many of the requirements that apply to non-essential cookies. Read on to learn what essential cookies are, how they work, and what their legal implications are.



What are Essential Cookies?

Essential cookies are cookies necessary for a website to function properly. Without these cookies, the website would not be able to offer its services.

Here are some categories of essential cookies.

Session Cookies

One example of essential cookies is session cookies, which store information about the current website session.

For example, online shops must keep track of the items users have added to their carts throughout a session. Otherwise, a customer who did not create an account would not be able to navigate to new pages and add new products without losing all the items in their cart every time they visit a new page.

Another type of session cookie tracks your previous browsing history. That way, when you click on the back button, the server knows which page to load.

Another example of such a cookie is a login cookie that keeps a user logged in through a session. Without this cookie, the user would be logged out every time they visit a new page on the site. However, this exception does not apply to persistent login cookies. A login or session cookie is only considered essential for the current session.

As soon as the visitor closes the tab or their browser, the login cookie is no longer considered essential. That's because we can't assume the visitor wants to stay logged in beyond that point.

If a login cookie is persistent, for example it keeps the user logged in so that they don't need to log in again if they visit the website the next week, it is not considered an essential cookie.

Security Cookies

Another type of cookie monitors how many times a visitor has tried to log into their account. This ensures that if too many attempts are made, the account can be locked.

Without these cookies, people would be able to hack into accounts using brute-force attacks. Brute-force attacks are attacks in which multiple password combinations are attempted with the use of a program until the program guesses the correct answer.

However, security cookies are only considered essential if they relate to your own services.

Any security cookies relating to third-party services you have partnered with (such as social media plugins) are not considered essential.

Network Management Cookies

Network management cookies help with load balancing. In other words, they direct network requests to different servers to prevent a server from becoming overwhelmed with requests.

This is essential for the website to function properly because if a server gets overwhelmed, it may crash. If that happens, visitors won't be able to access the site.

How Do Essential Cookies Work?

Essential cookies are stored in your browser. Each time your browser sends a request to the server to download a webpage's contents to the browser, the cookie is sent to the server along with that request.

The server then uses that cookie to deliver the correct webpage or content to the user.

For example, let's say you visit a site and log in. A cookie is stored in your browser with your username and password. When you navigate to a new page, this username and password are sent back to the server along with the request for the new page. That allows you to stay logged in on that new page.

Essential cookies are typically set to be deleted once you end the session. That sets them apart from persistent cookies, which are not deleted once a session ends.
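
An added example, not part of the original article: the session-versus-persistent distinction described above is visible in the `Set-Cookie` header, where a cookie with no `Max-Age` or `Expires` attribute is dropped when the session ends. This sketch audits headers for lifetime and first or third party; the cookie names, host names and the `needsConsentReview` heuristic are assumptions made for illustration.

```javascript
// Constructed sample data: [Set-Cookie value, host that set it]. Not real traffic.
const SAMPLE = [
  ["cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", "shop.example"],
  ["remember_me=tok456; Max-Age=604800; Path=/; Secure; HttpOnly", "shop.example"],
  ["aff_ref=partner9; Max-Age=2592000; Path=/", "ads.adnetwork.example"],
];

// Split one Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Seconds until expiry, or null for a session cookie (no Max-Age, no Expires).
// Max-Age takes precedence over Expires when both are present.
function lifetimeSeconds(cookie, now) {
  const maxAge = cookie.attrs["max-age"];
  if (/^-?\d+$/.test(maxAge)) return Number(maxAge);
  const t = Date.parse(cookie.attrs.expires);
  return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
}

// First-party: set by the site's own host or one of its subdomains.
function isFirstParty(setByHost, siteHost) {
  return setByHost === siteHost || setByHost.endsWith("." + siteHost);
}

// Report lifetime and party, and flag persistent or third-party cookies for
// consent review (hypothetical heuristic). A clean result does not prove a
// cookie is essential: a first-party session analytics cookie still needs consent.
function auditCookie(header, setByHost, siteHost, now = new Date()) {
  const cookie = parseSetCookie(header);
  const ttl = lifetimeSeconds(cookie, now);
  const lifetime = ttl === null ? "session" : ttl > 0 ? "persistent" : "expired";
  const party = isFirstParty(setByHost, siteHost) ? "first" : "third";
  return {
    name: cookie.name, lifetime, party,
    ttlDays: lifetime === "persistent" ? Math.round(ttl / 86400) : 0,
    needsConsentReview: lifetime === "persistent" || party === "third",
  };
}

for (const [header, host] of SAMPLE) console.log(auditCookie(header, host, "shop.example"));
```
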

How Do Essential Cookies Differ From Other Cookies?

Essential cookies differ from other cookies in two ways: the length of time they are active and their purposes.

Firstly, persistent cookies stick around a lot longer, as mentioned in the previous section. While persistent cookies may have an expiration date, they typically stay active even after the user closes out a session.

For example, an affiliate cookie tracks whether a visitor to a product page has clicked on an affiliate's link in the past.

Different affiliate programs use different lengths of time for this cookie. Some keep the cookie for 30 days, while others might keep it for 90 days or a year. After the expiration date, any sales are no longer attributed to that affiliate.

Secondly, non-essential cookies are not necessary for the website to function properly. That's why privacy laws require consent before such cookies are used. In the next section, you'll read about some types of non-essential cookies.

First, though, it's important to know the difference between first-party and third-party cookies.

First vs Third-Party Cookies

First-party cookies are created by the owner of the site you are visiting. An ecommerce site might use cookies that track your browsing history to build a profile for you. With the help of these cookies, it can recommend products you might be interested in.

Third-party cookies are from third-party companies, not the site you are visiting itself. If a site is part of an ad network that displays ads on the page, these cookies may track you and build a profile of your history and interests. This profile may be used by companies unknown to the visitor, since it's not always obvious which ad networks the site is part of.

The profile will be associated with you through these cookies, after which personalized ads may start showing up on other sites that are part of this ad network. That's why if you research a certain product, you might suddenly see ads for that product on social media.

In addition, these third parties may even sell the data to other third parties, such as large advertising agencies, for data analysis purposes.

That's why cookie disclosure and consent are required.

What are Some Types of Non-Essential Cookies?

Here are some different types of non-essential cookies and what they are used for. Note that this is not a full list, but it should give you a general idea of what non-essential cookies are.

Analytical Cookies

Analytical cookies, also called statistical cookies, track a visitor's browsing history on the site. These cookies are not necessary for the website to function but rather allow the owner to see what visitors are doing on the site.

For example, they allow the owner to see which blog posts are visited the most. The owner can then publish blog posts that cover similar topics to increase engagement.

Even though these cookies provide important information, they are not strictly necessary to provide the services requested by your visitors. It's not a must to have Google Analytics to run your site. Since it's not strictly necessary, the exemption doesn't apply.

Advertising Cookies

Advertising cookies, also called marketing cookies, could be either first or third-party cookies. They track a visitor's history on the site for the purposes of building a profile about the visitor. That way, the site or partner networks can customize ads for the visitor.

If you visit a page selling baseball bats, the ad network's cookie will add that to your profile. It can then be used to show you ads about baseball bats on any site that has partnered with that ad network.

Persistent Login and Cross-Device Tracking Cookies

Persistent login cookies keep a user logged in even after they close the browser session. They may have an expiration date, but they are still considered persistent login cookies if they don't expire as soon as the user ends the session.

Cross-device tracking cookies link accounts to different devices. For example, let's say you log onto an ecommerce site or email account on your desktop computer. Then, you log onto the same account on your mobile phone.

The ecommerce site may use your browsing activity on your phone to recommend products when you visit the desktop site. Or, the email account may allow you to use your phone - if logged in - as a second-factor authentication device to confirm your identity when you try to log in on your laptop.

For example, when you try to log into Google on a new computer, it often sends a notification to your Android phone to confirm the login, since it has already linked that device to your account.

Do You Need to Obtain Consent Before Using Essential Cookies?

No. Privacy laws don't require consent for essential cookies, since they are required to provide services the user has requested.

For example, according to the ePrivacy Directive Article 5.3, cookies which are necessary for the website to provide services requested by the consumer can be used without obtaining consent first.

The same applies to cookies that are only necessary for the transmission of communication.

For example, if you require cookies to stream videos that the visitor wants to watch, they are considered essential cookies. Or, if you need cookies for load-balancing purposes (i.e., to direct visitors to the correct server), they are also exempt:

ePrivacy Directive Article 5.3

Similarly, the PECR (Privacy and Electronic Communications Regulations) of the UK makes an exception for essential cookies. Here's how the ICO (Information Commissioner's Office) of the UK notes this in one of its guides:

ICO Cookies and Similar Technologies page: Essential cookies exception section

Do You Need to Disclose Your Use of Essential Cookies?

Yes. Although you don't need to obtain consent to use essential cookies, you should inform users that they are being used.

For example, the ICO states that it's still good practice to disclose essential cookies even if you are not required to do so. Furthermore, if the essential cookies collect personal information (such as a name and password), you are legally obligated to disclose them:

ICO Cookies and Similar Technologies page: Rule 9 excerpt

In addition, according to Recital 30 of the GDPR, cookies may be considered personal data if they can be used to identify visitors. In other words, cookies that keep track of a person's IP address, username, and password to keep them logged in during a session are considered personal data.

Since they are considered personal data, they are subject to Article 13 of the GDPR, which requires website owners to provide consumers with information about personal data collected from them.

How Do You Disclose Your Use of Essential Cookies?

The best way to disclose your use of essential cookies is in your Cookies Policy or Privacy Policy.

It is not necessary to list every cookie you are using. This is beyond the scope of most people's understanding, especially if you use a lot of cookies. It is also not required by law.

According to the ICO, "levels of user understanding will differ," and "if you use cookies, you will need to make a particular effort to explain their activities in a way that all people will understand."

If your site uses a lot of cookies, it is better to explain the different categories of cookies and what each category does, rather than listing every individual cookie.

For example, as per the ICO, you could state that you employ analytical cookies and what you use them for rather than listing every single analytical cookie on your site:

ICO Cookies and Similar Technologies page: Rule 4 excerpt

If you deploy cookies as soon as a user visits your site, you should inform visitors of that with a pop-up notice. This notice doesn't have to be lengthy but can link to your Privacy Policy, where you discuss your cookie usage in greater detail.

For example, a notice like this explains that the business and its partners collect cookies and lists the basic purposes for which cookies are collected. However, the initial notice is not a lengthy disclosure.

Instead, it includes links and buttons which people can click on to learn more about the different third-party cookies on the site and more detailed explanations of why cookies are used:

Cookie notice with vendors and purposes links highlighted

A notice like this can be set up so that when users click on "Show Purposes" they will be shown a list of the different categories of cookies on the site, such as essential cookies, social media cookies, and advertising cookies.

Visitors can then click on each category to get a short description of what this type of cookie does:

Cookie notice with types of cookies highlighted

Of course, this is not a complete technical list of every single cookie present on the site. Rather, only categories of cookies are listed along with a description that is easy for non-technical users to understand.

A cookie notice can also look like the following, where it simply provides notice to the user that cookies are being used. There are no adjustable settings or multiple options. Rather, just a simple statement - or notice - is provided:

CBC cookie consent notice

A Cookies or Privacy Policy is where more information about what cookies are, the types of cookies the site collects, and how users can disable or reject cookies can be disclosed, such as via a clause like this one:

Cookies clause example

Summary

Essential cookies are cookies that are required for the website to function properly or for you to provide services requested by the visitor. For example, essential cookies allow you to:

  • Keep a user logged in throughout a session
  • Keep track of a visitor's browsing history so they can use the back button
  • Keep track of which items are in a visitor's shopping cart
  • Provide security measures, such as locking an account after three unsuccessful login attempts

Non-essential cookies, on the other hand, are used for marketing, advertising, profile-building, and other purposes.

You do not need to obtain consent before using essential cookies, unlike non-essential cookies.

However, you should still disclose them. If they keep track of personal data, such as people's email addresses and passwords, you are required to disclose them.

The best way to disclose them is to list them in your Privacy or Cookies Policy, which should be easily accessible from any page of your site.

Greeting users with a pop-up containing a short cookie disclosure that links to your Privacy Policy is a great way to comply with privacy regulations, especially if you start tracking personal information with non-essential cookies as soon as a user visits your site. This pop-up can also provide users with the option of rejecting or accepting non-essential (and other) cookies.