Understanding the difference helps ensure a better user experience, builds user trust, and supports accurate cookie compliance strategies for businesses of all sizes.
Why Strictly Necessary Cookies Don’t Need Consent
If your website uses cookies, you probably already know that user consent is required for most of them. But there’s one important category that’s exempt: strictly necessary cookies.
These are cookies that enable core website functionality and ensure the site can function correctly. Without them, key features of your site would simply not work, and these cookies are essential for accessing secure areas such as user accounts. Because of their role in delivering basic services (like login, cart management, or user preferences), you can use them without showing a consent prompt.
However, transparency is still important. These cookies should be clearly explained in your cookie policy, even if consent isn’t required. Informing users about what’s happening behind the scenes reinforces trust and ensures that your compliance approach is fully transparent.
Strictly necessary cookies can also vary depending on your industry. For example:
- In e-commerce, they support secure checkouts and session continuity by preserving users’ previous actions, such as items added to a cart, to ensure seamless navigation across pages without data loss
- In finance or healthcare, they may support identity verification or secure access
That’s why identifying and documenting these cookies precisely is a critical step in managing risk.
What are strictly necessary cookies?
Strictly necessary cookies – sometimes called essential cookies – are those required to operate your website. They allow basic functions like navigation, security, and session handling. These cookies are placed to fulfill a specific action or service the user has explicitly requested. Strictly necessary cookies are stored in the user’s browser to maintain session state and security.
Examples include:
- Remembering items in a shopping cart
- Logging a user into their account
- Saving language or region preferences
- Ensuring secure payment processing
- First-party session cookies, which are essential for features like form filling, shopping carts, and account access
The key is that they are technically required to provide a service requested by the user – not just useful or helpful to your business. These cookies are necessary for the website to work properly.
Strictly necessary cookies do not include:
- Analytics cookies
- Marketing or retargeting cookies
- Social media trackers
Strictly necessary cookies do not track or collect users’ browsing habits.
Those types of cookies always require prior consent.
A common mistake is assuming that any cookie that improves performance or personalization qualifies as strictly necessary. But if it’s not directly related to a feature the user has requested, it’s not exempt.
Typical use cases for strictly necessary cookies
You’ll often find strictly necessary cookies behind the scenes of these website features:
- Authentication: Keeping users logged in as they navigate the site, preventing repeated logins, and helping maintain session continuity during user visits across multiple pages.
- Shopping cart: Remembering added items between page views and through checkout. Persistent cookies may be used to remember user preferences or login states beyond a single session.
- Language selection: Saving the visitor’s preferred language or region to provide localized content. Persistent cookies can also help retain these preferences over time.
- Security: Preventing cross-site request forgery (CSRF), detecting bots, and enabling load balancing. These cookies are essential for implementing security measures such as CSRF protection and bot detection to protect user data and maintain website integrity.
- Consent handling: Recording and storing users’ cookie preferences to ensure those preferences are respected
Some strictly necessary cookies have a defined expiration date to maintain security or session continuity, and may track user visits to support essential website functions.
They are also used to maintain service consistency during peak traffic, manage network infrastructure, and ensure that websites are delivered efficiently across geographies.
Authentication and Authorization: When cookies are essential for security
Authentication and authorization are critical for protecting both users and sensitive information on your website. In these scenarios, first-party cookies are indispensable – they securely store login credentials and session identifiers, allowing users to access secure areas without repeatedly entering their details. Strictly necessary cookies, such as authentication cookies, play a vital role in verifying user identities and maintaining secure sessions throughout a visit.
By using such cookies, websites can monitor user behavior for security purposes, ensuring that only authorized users can access protected content or services. For example, authentication cookies store session IDs that help identify users and prevent unauthorized access, while language preference cookies can personalize the experience without exposing personally identifiable information. These necessary cookies are strictly limited to essential security functions, which exempts them from consent requirements under most data privacy laws. Their use is fundamental to the proper functioning of secure areas and the protection of user data.
Functional Cookie Use: Supporting core site features without consent
Functional cookies are designed to support the essential features that make your website work smoothly and intuitively. These first-party cookies often store user preferences, such as language settings or display options, and use session cookies to remember choices as users navigate your site. By collecting data on user behavior and preferences, functional cookies help websites deliver a more personalized and efficient experience.
When functional cookies are strictly necessary for website functionality – such as enabling e-billing processes or allowing users to access secure areas – cookie consent is not required. However, it remains important to inform users about their use through a clear cookie consent notice. By leveraging functional cookies appropriately, websites can ensure that core features function properly, site performance is optimized, and users enjoy a seamless experience without unnecessary interruptions. Transparency about these cookies builds trust while maintaining compliance.
List of common strictly necessary cookies
Here are some cookie names that typically fall under the “strictly necessary” category (cookie identifiers are unique values used to distinguish user sessions and manage authentication):
- Session cookies for login/authentication
  - Examples: PHPSESSID, session_id, wp_logged_in_, SID
  - These cookies are often transmitted with each HTTP request to maintain session state.
- Load balancer cookies
  - Examples: AWSALB, BIGipServer, ARRAffinity, __cf_bm
- Consent management cookies
  - Examples: CookieInformationConsent, CookieConsent, OptanonConsent, cmplz_policy_id
- Shopping cart cookies
  - Examples: woocommerce_cart_hash, woocommerce_items_in_cart, cart_token
- Language/region preference cookies
  - Examples: wp-wpml_current_language, language, locale, i18n_redirected
- CSRF protection cookies
  - Examples: csrftoken, _csrf, __RequestVerificationToken, XSRF-TOKEN
- Infrastructure session cookies (for web application firewalls or caching)
  - Examples: __cfduid, akamai_session, edge_session_id
The information collected by strictly necessary cookies is limited to what is required for website functionality and security.
Note: The exact names and functions may vary depending on the CMS, hosting provider, or platform you use. Some may also appear to be strictly necessary but serve multiple purposes. That’s why detailed scanning and classification are essential. Strictly necessary cookies are stored on the user’s device to enable essential website features.
How to identify strictly necessary cookies on your site
To make sure your cookie classifications are correct, follow these steps:
- Run a full cookie scan using a trusted scanner or CMP. This process helps identify all data collection activities on your website.
- Review your CMP (Consent Management Platform) – it should list cookies by category and purpose. Proper classification is essential for compliance with cookie laws.
- Check technical documentation from your CMS, e-commerce system, or authentication tools
- Ask your developers or IT team if any custom cookies are used to enable site functionality
- Look at vendor tags and scripts to see if any cookies load before consent is given
Only cookies that require consent, such as analytics or statistics cookies, should trigger a consent prompt; strictly necessary cookies do not.
Some CMPs, like Cookie Information, provide built-in cookie categorization, making it easier to stay compliant. But even with automated tools, manual review is key for edge cases and custom scripts. You must obtain consent for any cookies that go beyond basic functionality, such as those used for statistics or marketing.
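As an added example (not code from this article or from Cookie Information), the following Python script turns the "look at which cookies load before consent" step into a repeatable check: it classifies cookie names against the strictly necessary categories listed on this page and flags any pre-consent cookie that is not on that allowlist, or that is set by a third-party domain. The site domain, the sample cookie records and the name patterns beyond the page's own examples are assumptions.

```python
import re

# Name patterns for the strictly necessary categories listed on this page.
# Prefix-style names (wp_logged_in_, AWSALB, BIGipServer) and the _csrf family are
# matched as prefixes/substrings; everything else is an exact, case-insensitive match.
NECESSARY_PATTERNS = {
    "session": [r"^PHPSESSID$", r"^session_?id$", r"^wp_logged_in_", r"^SID$"],
    "load_balancer": [r"^AWSALB", r"^BIGipServer", r"^ARRAffinity", r"^__cf_bm$"],
    "consent": [r"^CookieInformationConsent$", r"^CookieConsent$",
                r"^OptanonConsent$", r"^cmplz_policy_id$"],
    "cart": [r"^woocommerce_cart_hash$", r"^woocommerce_items_in_cart$", r"^cart_token$"],
    "language": [r"^wp-wpml_current_language$", r"^language$", r"^locale$", r"^i18n_redirected$"],
    "csrf": [r"csrf", r"^__RequestVerificationToken$", r"^XSRF-TOKEN$"],
    "infrastructure": [r"^__cfduid$", r"^akamai_session$", r"^edge_session_id$"],
}


def classify(name):
    """Return the strictly necessary category for a cookie name, or None if unknown."""
    for category, patterns in NECESSARY_PATTERNS.items():
        if any(re.search(p, name, re.IGNORECASE) for p in patterns):
            return category
    return None


def is_first_party(cookie_domain, site_domain):
    """True when the cookie's domain is the site itself or one of its subdomains."""
    host = cookie_domain.lstrip(".").lower()
    return host == site_domain or host.endswith("." + site_domain)


def audit_pre_consent(cookies, site_domain):
    """Return (name, reason) pairs for cookies seen before consent that need attention.
    cookies: dicts with 'name' and 'domain' as a browser's cookie store reports them."""
    findings = []
    for c in cookies:
        category = classify(c["name"])
        if category is None:
            findings.append((c["name"], "not on the necessary allowlist: needs consent or a documented justification"))
        elif not is_first_party(c["domain"], site_domain):
            findings.append((c["name"], f"third-party {category} cookie: confirm it powers a user-requested service"))
    return findings


# Constructed sample (hypothetical shop): cookies present on a fresh visit, before any consent.
SAMPLE_PRE_CONSENT = [
    {"name": "PHPSESSID", "domain": "shop.example.com"},
    {"name": "csrftoken", "domain": "shop.example.com"},
    {"name": "__cf_bm", "domain": ".example.com"},
    {"name": "_ga", "domain": ".example.com"},              # analytics fired before consent
    {"name": "_fbp", "domain": ".example.com"},             # marketing pixel fired before consent
    {"name": "__cfduid", "domain": ".cdn-vendor.example"},  # infrastructure, but third-party
]

if __name__ == "__main__":
    for name, reason in audit_pre_consent(SAMPLE_PRE_CONSENT, "example.com"):
        print(f"{name}: {reason}")
```

Feed it the cookie store of a fresh browser profile that has not yet interacted with the consent banner; anything it reports is either misclassified or firing too early.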
Cookie Management: Best practices for handling necessary cookies
Effective cookie management is key to balancing website functionality with user privacy and legal compliance. Website owners should prioritize the use of first-party cookies for strictly necessary purposes, such as authentication and maintaining secure sessions, while minimizing reliance on third-party cookies that may introduce privacy risks. Adhering to data privacy laws and cookie compliance standards means providing clear, accessible information about necessary cookies and obtaining consent where required.
Do strictly necessary cookies need to be listed in your cookie policy?
Yes. Even though consent is not required, transparency is still essential.
In your cookie policy, you should:
- Include strictly necessary cookies in a separate category or section
- Explain their name, purpose, duration (expiration date), provider, and the type of information collected by each cookie
- Clearly distinguish strictly necessary cookies from those used for website performance, analytics, advertising, or preference cookies
This helps:
- Build trust with users
- Demonstrate that your website has considered compliance holistically
- Show regulators that cookie practices are fully documented
- Emphasize transparency about how cookies collect user data, which is essential for compliance
How to stay compliant when using strictly necessary cookies
Here’s how to handle strictly necessary cookies responsibly:
- Don’t group them with optional cookies in your consent prompt. Only cookies requiring affirmative action from the user, such as marketing or profiling cookies, should be subject to consent.
- Label cookie categories clearly in your CMP, and keep the strictly necessary section non-editable by the user
- Avoid misclassifying cookies – don’t label performance, measurement, or personalization cookies as “necessary” to bypass consent. Cookies used to create profiles or for targeted advertising must not be labeled as strictly necessary.
- Document cookie purpose, provider, and lifespan for internal auditing
- Review your setup regularly to ensure classifications still hold after updates or integrations. New third-party services may introduce cookies that require additional review to confirm they are strictly necessary.
Compliance is not a one-time task – it requires ongoing attention, especially as you add new tools, scripts, or third-party services to your website.
Summary: Use the exemption responsibly
Strictly necessary cookies are the foundation of many basic website functions. You can use them without user consent – but that doesn’t mean you can ignore transparency.
To stay compliant:
- Use a cookie scanner to detect and classify cookies accurately
- Make sure only truly essential cookies are exempt from consent
- Explain them clearly in your cookie policy, making clear that strictly necessary cookies do not collect data for advertising or behavioral advertising, or to track users across other websites
- Keep classifications defensible and up to date
Cookies used for targeted advertising, behavioral advertising, to track users, or to collect data across other websites are not strictly necessary and require user consent.
Remember: overuse of the “strictly necessary” label to avoid showing consent prompts can lead to regulatory scrutiny. Use the exemption responsibly, and always give users a clear picture of how their data is handled.
Start now: Scan your website for strictly necessary cookies – Try our free detection tool
Frequently asked questions
1. What are strictly necessary cookies?
These are cookies required for your website to function properly. They support features like logging in, security, shopping cart memory, or saving language settings. You don’t need user consent to use them.
2. Do strictly necessary cookies require consent?
No. These cookies can be placed without consent, but you still need to disclose them in your cookie or privacy policy.
3. Can I use Google Analytics without consent if I consider it necessary?
No. Analytics cookies are not strictly necessary. They always require prior consent.
4. Are cookie banner and CMP cookies strictly necessary?
Yes. Cookies that store the user’s cookie consent choice are considered strictly necessary and do not require consent themselves.
5. Do I need to list strictly necessary cookies in my cookie policy?
Yes. Even if consent isn’t required, transparency is mandatory. Include their purpose, duration, and provider.
6. Can performance or load-time optimization cookies be classified as strictly necessary?
Only if they are essential for delivering a core service. Otherwise, they fall under performance or preference cookies, which may need consent.
7. What’s the difference between first-party and third-party strictly necessary cookies?
Most strictly necessary cookies are first-party (set by your own domain). Third-party cookies rarely qualify unless the third party is powering a user-requested service (e.g., secure payment processing).
8. How can I check which cookies are strictly necessary on my site?
Use a cookie scanner, review CMP category labels, and consult with your developers to identify which cookies support essential functionality.
9. Is it OK to block access to a site if the user declines cookies?
Not for optional cookies. You can condition some functionality on strictly necessary cookies, but access to basic content should remain unaffected by cookie consent.
10. What are common mistakes when classifying cookies?
Marking analytics or A/B testing cookies as strictly necessary is a frequent error. Another is failing to update the classification after adding new scripts or third-party services.
