Any business that uses essential cookies on its website should understand what a Cookie Notice is and when cookie consent is required. While essential cookies do not require cookie consent, there are a number of reasons why you should still have a cookie consent mechanism on your website.

This article explains everything you need to know about essential cookies, cookie consent, and cookie notices, laws that require you to get cookie consent and have a cookie notice, whether essential cookies need consent and a cookie notice, how to comply with cookie laws, what your cookie notice should contain, and where to display your cookie notice.



What are Essential Cookies?

Essential cookies are a type of cookie (a small file that websites store on users' devices to save their browsing activities) that helps your website function properly.

Cookies are placed on users' devices directly from the website they are visiting. For instance, essential cookies are what help websites remember users' username and password information so they stay logged into their account while browsing, or save items in an ecommerce shopping cart.

Essential cookies can help remember certain information, such as customers' login info when the "stay signed in" or similar option is selected, as seen here:

Screenshot of Stay Signed In checkbox

Acer's Cookie Policy describes its use of essential cookies to help remember login information and user behavior during individual browsing sessions. It explains that website and security function performance may be affected if users deny essential cookies:

Acer Cookie Policy: Strictly necessary cookies clause

Non-essential cookies include third-party cookies used for analytics, tracking and targeting.

Third-party cookies are placed on users' devices from a website other than the one they are visiting and are often used for marketing or analytics purposes. For example, websites use third-party cookies to track users' browsing behavior and then use that data to create advertisements based on users' online activities.

Starbucks' Privacy Notice explains that it uses third-party cookies and lets users know that they can adjust their cookie preferences via their device's browser settings:

Starbucks Privacy Notice: Cookies web beacons and similar technologies clause

Uber's Cookie Notice explains that it uses third-party cookies for targeted advertising (advertising based on users' behavior) purposes:

Uber Cookie Notice

A Cookie Notice is a popup banner that explains what kind of cookies a website uses. It can help meet legal requirements of providing cookie information to users and getting cookie consent by giving users options to learn more about cookies, adjust cookie preferences, and accept or reject cookies.

A Cookie Notice can be used to:

  • Provide notice to visitors about a website's use of essential cookies (where consent is not required)
  • Implement consent mechanisms to obtain consent from visitors before placing non-essential cookies on the user's device (non-essential cookies require consent under GDPR).

Example of a basic cookie notice without I Agree/I Decline buttons:

Techuber cookie consent notice

You can use a Cookie Notice to get consent from users through consent mechanisms. A common type of consent mechanism is a set of buttons that users must select from stating that they accept or deny cookies (i.e. "I Agree" and "I Decline"). Another would be a checkbox for users to check.

The McDonald's Cookie Notice explains that it uses cookies for advertising, analytics, and customization purposes. It provides links to its Privacy Statement, California Privacy Notice, and Cookies Settings. Users can click the Cookies Settings link to change their cookie preferences:

McDonalds cookie notice

Note that this cookie notice does not have an explicit consent mechanism like an Accept button or checkboxes.

BMW's Cookie Notice uses buttons to give users options to learn more about and customize their cookie settings, reject the use of cookies that require user consent, or accept all cookies:

BMW Cookie Consent Notice

Although essential cookies do not require consent, you should still maintain a cookie notice that contains a description of the types of cookies you use and the reasons you use them in order to comply with applicable laws.

For instance, the GDPR requires businesses to be transparent about the personal data they collect or use. Since the GDPR considers cookies to be personal data, you should follow the law's rules pertaining to how data controllers (those who make decisions about how to use personal data) handle personal data. Website owners who use cookies to track users' behavior are considered data controllers under the GDPR.

Article 13 of the GDPR explains the information that data controllers need to convey to users when collecting their data, including explaining their reasons for processing personal data.

GDPR Article 13 Section 1

Whether you use essential or non-essential cookies, your cookie notice should clearly explain:

  • The types of data your cookies track
  • Your reasons for using cookies

For example, visitors to Coca-Cola's website are presented with a Cookie Notice that explains that it uses cookies to run its website, create customized content, and fulfill its business goals. It lists the types of cookies it uses, gives users options to allow or reject them individually, and includes a link to its Cookie Policy where users can learn more about how it uses cookies:

Screenshot of Coca Cola Privacy Preference Center

By clicking on Coca-Cola's Cookies Policy link, users can find a detailed description of the types of cookies it uses, including strictly necessary, performance, functional, and targeting cookies:

Coca Cola Cookies Policy Kinds of Cookies Used clause

Essential cookies do not require consent, but you should still use a cookie notice to inform users how you use essential cookies.

For example, businesses subject to the ePrivacy Directive don't have to get consent for essential cookies, as long as they meet the law's exemption criteria.

To tell whether a cookie is exempt from the ePrivacy Directive's consent requirements, you need to check if it meets the following criteria:

  1. The cookie is used only for transmitting data via an electronic communication network, such as a load-balancing cookie used to identify a server (a communication endpoint) or
  2. The cookie is used to provide services directly requested by a user, such as to enable commenting on an online forum or adding a review to a site

Article 5.3 of the ePrivacy Directive explains that cookies used to transmit data over an electronic communications network or to provide user-requested services are exempt from the law's consent requirements.

ePrivacy Directive Section 5 3

Here are some types of essential cookies:

  • User-input cookies (session-id): They are used to remember user inputs to the website, such as items added to a shopping cart.
  • Authentication cookies: These are a type of tracking cookie that identifies/authenticates users via login credentials. This is seen with the common option to "remember your login" or "keep you logged in."
  • Session cookies: They remember activities users engage in on a website such as your login status.
  • User-centric security cookies: They help detect any errors or abuses in user authentication. For example, if multiple incorrect passwords are attempted at a login, these cookies can track the number of attempts to log in.
  • Load-balancing cookies: These simply connect a website's server with the user's web server.

Many privacy and data protection laws require websites to publish their reasons for using cookies and get users' consent before using certain types of cookies (i.e. non-essential).

Let's take a look at a couple of the laws that require businesses to have cookie notices and get cookie consent.

The global laws that require websites to have a Cookie Notice and get cookie consent include the European Union's (EU) General Data Protection Regulation (GDPR) and ePrivacy Directive.

GDPR and Essential Cookies

The GDPR is the EU's primary data protection law. It protects EU residents' privacy rights and provides a framework for how organizations should handle personal data (information that can be used to identify an individual).

Cookies are considered personal data under the GDPR, as they can be combined with other information to identify an individual.

Businesses that use non-essential cookies on their websites need to comply with the GDPR's consent requirements, including maintaining a Cookie Notice and providing mechanisms for users to agree to or reject cookies and adjust their cookie preferences.

Organizations that only use essential cookies do not need to get consent before using cookies. However, they do need to have a Cookie Notice to inform users about why they use essential cookies.

Regardless of the types of cookies you use, if you are subject to the GDPR you need to comply with the law's data handling requirements pertaining to personal data, including maintaining a Cookie Notice that explains your reasons for using cookies.

ePrivacy Directive and Essential Cookies

Another EU law dictating cookie use is the ePrivacy Directive. The ePrivacy Directive (also known as the "EU cookie law") requires websites to notify users if they use cookies, including essential cookies. Websites that use non-essential cookies must also give users the option to allow or deny cookies to be stored on their devices.

Zermatt's Cookie Notice explains why it uses cookies, and gives users a way to consent to or reject cookies:

Zermatt cookie consent notice

When users click on Details, they are presented with more information about the types of cookies Zermatt uses, including essential cookies, and are given the option to allow all cookies or only allow necessary cookies:

Zermatt cookie consent notice details

Section 25 of the ePrivacy Directive explains that websites should present users with an easy way to accept or decline the storage of cookies on their devices. And Article 5 of the ePrivacy Directive explains that websites must provide information about their use of cookies and give users a way to opt out of the processing of their personal data.

U.S. Privacy Laws and Essential Cookies

There are currently no federal U.S. laws concerning the use of cookies.

However, there are some state privacy laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) that require applicable businesses to educate consumers about their use of certain types of cookies and get consent.

Cookie laws tend to apply to businesses that are based in or cater to residents of the location the law originated in. You should check the laws that apply to your location or users to ensure compliance.

There are a few steps you should take to comply with laws such as the GDPR and the ePrivacy Directive, including getting users' consent before using non-essential cookies and explaining your reasons for using all cookies, including essential cookies.

The particular steps you need to take depend on applicable laws, but in general you want to inform users of your use of cookies and get consent for non-essential cookies.

Provide Notice For Essential Cookies

You don't need to get cookie consent if you only use essential cookies. However, you should use a Cookie Notice to inform website visitors of your reasons for using essential cookies.

You can link your Cookie Policy or Privacy Policy (a legal document that contains information about how you collect and handle users' personal information) within your Cookie Notice so that users can easily find more detailed information about your use of cookies.

While not legally required, adding a way for users to adjust their cookie preferences to your Cookie Notice can help build trust with users.

If you use non-essential cookies, your Cookie Notice should both notify users of your purposes for using cookies and give users a way to signal their cookie consent choices. It's important to give users the opportunity to consent to or reject cookies before you track their online activities.

You should keep a record of the cookie consent you obtain from users, and give users the ability to access your website regardless of their consent choice.

While privacy legislation is constantly evolving, one of the best ways to ensure compliance with laws requiring a Cookie Notice and cookie consent is to maintain a Cookie Notice on your website.

Depending on the types of cookies you use, your Cookie Notice should contain information about your use of cookies, mechanisms for users to consent to or reject cookies, a way for users to choose their cookie preferences, and a link to your Cookie Policy and/or Privacy Policy.

While a Cookie Notice for a website that only uses essential cookies doesn't legally need to contain consent mechanisms, it does need to inform users about the website's use of and reasons for using essential cookies.

If you only use essential cookies, your Cookie Notice should contain the following information:

  • An explanation that your website uses essential cookies
  • A list of the reasons why you use essential cookies
  • An explanation of how to change cookie settings
  • A link to your Cookie Policy and/or Privacy Policy

Here's an example:

Generic Essential Cookies Consent Notice Banner

A Cookie Notice for a website that uses non-essential cookies should include everything that a Cookie Notice for essential cookies contains, plus consent mechanisms.

Let's take a deeper look at what your Cookie Notice should contain.

Information About Your Use of Cookies

Whether you only use essential cookies, or use both essential and non-essential cookies, your Cookie Notice should contain information about how you use cookies. Essential cookies are used for site functionality, while non-essential cookies can be used for site optimization, marketing, or data analysis purposes.

Here's a Cookie Notice that explains the site uses cookies for customized content, targeted advertising, social media features, and analytics:

Temptations Cookie Notice

If you use non-essential cookies, your Cookie Notice should provide a way for users to consent to having non-essential cookies stored on their devices. While consent mechanisms are not legally required for essential cookies, it's good practice to give users options when it comes to how their personal data is used.

Many privacy laws require businesses to get active consent from users, meaning that users need to take an action, such as clicking a button, to signal their consent.

Many businesses block users from accessing their websites until they have utilized the cookie consent mechanisms within their Cookie Notices. A common way to do this is by placing buttons stating "Accept" or "Deny" within your Cookie Notice. Users must choose whether to consent to cookies and click the button signifying their selection before browsing the website.

Your consent mechanisms should be equally accessible and easy to use. It should be just as easy for users to reject all cookies as it is for them to accept all cookies.

Orangetheory's Cookie Notice explains what it does with the personal data it processes and includes a link to its Privacy Policy as well as buttons for accepting or rejecting all cookies and a "Your Privacy Rights" button that users can click to adjust their cookie preferences:

Orangetheory cookie consent notice

Your Cookie Notice should include a way for users to easily access and change their cookie preferences. If you give users a way to change essential cookies settings, you should explain that changing their settings may affect your site's functionality.

You can include a link to information about how users can set their cookie preferences, or you can utilize toggle buttons that can be used to adjust cookie preferences from directly within the Cookie Notice.

Here's a Cookie Notice that includes a Customize Settings link that users can follow to adjust their cookie preferences:

Cookie Notice with Customize Settings link highlighted

When users click on the Customize Settings link, they can be presented with something like a Privacy Preference Center popup box where they can choose to allow all cookies, disable all cookies, or select whether they will allow cookies used for performance, social media, and targeting purposes (essential cookies are always turned on, so users must agree to their use in order to browse Lennox's website).

Here's how this can look:

Manage Consent Preferences form

Your Cookie Notice can contain toggle buttons that users can turn on or off to reflect their cookie preferences, as seen here:

Generic cookie consent notice with toggle buttons

Whether you use essential or non-essential cookies, you should include a link to your Cookies Policy and/or your Privacy Policy within your Cookie Notice so that users can learn more about the types of cookies you use and the categories of personal data you track.

Some businesses maintain a stand-alone Cookies Policy that describes the types of cookies they use, while other businesses include cookie information as part of their Privacy Policy.

The NBA's Cookie Notice includes links to its Cookie Policy, Privacy Policy, and its Terms of Use agreement (a document that outlines the terms users must agree to in order to use its website). However, it doesn't include a way for users to adjust their cookie preferences or reject the use of cookies:

NBA cookie policy notice

You should display your Cookie Consent/Cookie Notice somewhere visitors to your website can easily find it as soon as they access your site, such as at the top or bottom of your website, or across your entire site.

Where you position the cookie notice banner on your website pages doesn't matter that much as long as the notice is easy to see and remains visible until the user gives or denies consent.

PayPal displays its Cookie Notice across its entire site so that the Notice follows the user whether they scroll up or down:

PayPal website with cookie consent notice highlighted

Here’s an example of a cookie consent notice banner at the top of web pages:

TermsFeed WordPress: Preview: Cookie Consent banner with Google Consent Mode V2

You can even place it off to one side of the screen or the other, as long as it's noticeable and all the components are there:

TermsFeed Webnode: Published Cookie Consent banner displayed

Summary

Essential cookies are cookies that are used to improve the functionality of your site, such as by saving users' usernames and passwords so they stay logged in during a browsing session or saving users' cart info while they shop online.

Many privacy laws (such as the EU's GDPR and ePrivacy Directive) require organizations to inform users about the cookies they use and to get consent before using certain types of cookies. Violations of cookie laws can result in harsh financial penalties.

To comply with cookie laws you should:

  • Get users' consent for non-essential cookies
  • Explain your reasons for using cookies
  • Keep a record of the cookie consent you obtain
  • Allow users to access your website whether or not they consent to cookies
  • Give users a way to withdraw their consent
  • Provide a way for users to easily set their cookie preferences

Essential cookies do not require consent. However, privacy laws may require you to maintain a Cookie Notice to inform users how you use essential cookies.

The ePrivacy Directive states that the following types of cookies are exempt from its consent requirements:

  • Cookies that are used solely for transmitting data over an electronic communication network, or
  • Essential cookies used to provide services directly requested by a user

The GDPR requires organizations to explain their reasons for collecting and using personal data (including cookies) at the time of collection.

One of the most effective ways to comply with cookie laws is to maintain a Cookie Notice on your website that informs users about your use of cookies and enables users to consent to or deny cookies and adjust their cookie preferences at will.

Your Cookie Notice should include the following information:

  • Information about what you use cookies for
  • Consent mechanisms for users to indicate their consent choices
  • A description of how users can set their cookie preferences
  • A link to your Cookies Policy and/or your Privacy Policy

Your Cookie Notice should be displayed conspicuously on either the top or bottom of your website, or across the entire site so that it's impossible to miss and is on every webpage until a user makes a choice to decline or allow cookies.
