Cookie Categories Explained: The 5 Types Every Website Sorts Cookies Into

Cookie categories explained: what necessary, preferences, statistics, and marketing cookies do, and exactly which ones need consent under the GDPR.


by Riad Us Salehin • 3 July 2026


Cookie categories are the groups a website sorts its cookies into by purpose: necessary, preferences, statistics, and marketing. A cookie's category decides what a visitor sees in the banner and whether it can run at all. Privacy laws like the GDPR require consent for every category except strictly necessary cookies.

Below: what each category does and how many actually exist. Then which ones need consent, and how a scanner turns a raw cookie list into the toggles visitors see in a banner.

What Is a Cookie Category?

A cookie category is a group of cookies sorted by what they do. Consent tools use these groups to let visitors allow or block cookies as a set, rather than one at a time.

A cookie is a small text file a site stores in a visitor's browser. Grouping cookies by purpose lets a preference center show a manageable set of toggles instead of hundreds of individual files: necessary, preferences, statistics, and marketing. There is no single official list of category names. The ePrivacy Directive and national data protection authorities set the legal framework, and each consent tool implements its own version of the taxonomy.

The Main Cookie Categories (and What Each One Does)

Consent tools sort cookies by purpose into a small set of standard categories, and every major tool uses different names for the same groups. The table below reconciles the common names.

CategoryAlso calledWhat it doesExamplesNeeds consent?
Strictly necessaryEssential, necessaryRuns core site functions the visitor requestedLogin session, shopping basket, load balancingNo, exempt
PreferencesFunctionalRemembers non-essential choicesLanguage, region, text sizeUsually yes
StatisticsAnalytics, performanceMeasures how visitors use the sitePage views, traffic sourcesYes
MarketingAdvertising, targetingTracks visitors to build ad profilesCross-site ad targetingYes
Social media(none common)Powers embedded share buttons and playersFacebook Like button, embedded YouTube playerYes

Strictly Necessary (Essential) Cookies

Strictly necessary cookies, also called essential or necessary cookies, let a site run its core functions. Logging in, keeping a shopping basket, and securing a session all depend on them. They are the one category exempt from consent under UK and EU cookie law.

The UK Information Commissioner's Office names three concrete examples. A cookie that remembers an online basket qualifies, as does one that secures an online banking session. So does a load-balancing cookie that distributes traffic across servers. The exemption is narrow. It covers only what a service needs to fulfil the visitor's specific request, not anything merely convenient.

Learn more about the exact boundary in essential vs non-essential cookies.

Preferences (Functional) Cookies

Preferences cookies, also called functional cookies, remember non-essential choices like language, region, or text size. They improve the experience but are not required to run the site, so most of them need consent.

One narrow exception exists. The Article 29 Working Party's 2012 opinion, referenced in current ICO guidance, notes that some language-preference and user-interface-customization cookies may fall inside the strictly-necessary exemption. Some platforms label this bucket with a numbered scheme instead, so a banner that mentions "Category 3 functionality cookies" is describing this same group.

Statistics (Analytics / Performance) Cookies

Statistics cookies, also called analytics or performance cookies, count visitors and show how they use a site's pages. They are not strictly necessary, so they require consent even when the data collected is aggregated.

This is the most common misconception about cookie categories: that measuring "just" page views is harmless enough to skip consent. The ICO's guidance draws the line precisely. Cookies that are helpful or convenient but not essential will still require consent, in the regulator's own words. A tool like Google Analytics falls into this category by definition, regardless of how the data gets used afterward.

Marketing (Advertising / Targeting) Cookies

Marketing cookies, also called advertising or targeting cookies, track visitors across sites to build a profile and serve targeted ads. They are usually third-party cookies, and they always require consent.

Whether the site or an embedded ad network sets a marketing cookie determines its first-party vs third-party cookies status. That status affects how it gets blocked and disclosed.

Social Media and Unclassified Cookies

Social media cookies come from embedded share buttons and players, such as a Facebook Like widget or an embedded YouTube player. They need consent like any other non-essential category. Unclassified cookies are new or unknown cookies a scanner has detected but not yet sorted; treat them as non-essential until they are categorized.

How Many Cookie Categories Are There? Why the Names Differ

There is no single official list of cookie categories. Most consent tools use four to six categories, and names vary because the categories come from regulator and industry convention, not a fixed legal enumeration.

The naming split runs consistently across vendors:

  • Necessary = essential = strictly necessary
  • Preferences = functional
  • Statistics = analytics = performance
  • Marketing = advertising = targeting

Some tools add a fifth category for social media cookies; others fold it into marketing. A few platforms, including Apple's own cookie documentation, still use an older numbered scheme ("Category 1" through "Category 4") instead of these purpose-based names. All of these schemes describe the same underlying groups; only the labels differ.

Which Cookie Categories Need Consent?

Under the GDPR and ePrivacy rules, every cookie category needs prior opt-in consent except strictly necessary cookies.

Non-essential categories, preferences, statistics, marketing, and social media, must be blocked until the visitor consents. Strictly necessary cookies can run by default, but a site should still disclose them.

Consent statusCategories
Needs consentPreferences, statistics, marketing, social media
Exempt from consentStrictly necessary

The ICO states this plainly: a site cannot set non-essential cookies on a homepage before the visitor consents to them. That prior-blocking rule, not just disclosure, is what a consent tool has to enforce in practice. Consent requirements vary by legal regime. See the full cookie compliance checklist for how rules differ across GDPR, CCPA, and other laws. Read how cookie consent works for the underlying legal standard.

The Three Ways Cookies Are Classified (Purpose, Duration, Source)

The categories above sort cookies by purpose. Cookies are also classified two other ways: by duration (session vs persistent) and by source (first-party vs third-party).

Classification axisWhat it splits onThe two main valuesDepth
PurposeWhat the cookie doesNecessary, preferences, statistics, marketing, socialThis page
DurationHow long the cookie lastsSession, persistentSession vs persistent cookies
SourceWho set the cookieFirst-party, third-partyCovered in the Marketing cookies section above

Purpose is the axis that determines consent treatment. Duration and source describe how a cookie behaves and where it came from. Both matter for compliance disclosure, but neither one exempts a cookie from consent by itself. See the full list of cookie types for every variant across all three axes.

How Cookies Get Sorted Into Categories

Sorting a cookie into a category is a four-step process that connects a raw scan to the toggles a visitor actually sees.

To sort cookies into categories:

  1. A cookie scanner crawls the site and finds every cookie, tracker, script, and iframe.
  2. Each cookie is matched to a category by a known-cookie database, its name or host, or manual review; unmatched cookies land in "unclassified."
  3. The categories become the toggles a visitor sees in the cookie banner and preference center.
  4. Non-essential categories stay blocked until the visitor consents to them.

This is the step most explainers skip: the category isn't just a label. It's the mechanism that decides whether a script fires before or after the visitor clicks accept.

Common Misconceptions About Cookie Categories

Several assumptions about cookie categories are wrong and lead directly to compliance gaps.

  • "Analytics cookies are essential, so they don't need consent." They aren't. Only cookies essential to a service the visitor requested are exempt, and analytics measures usage rather than delivering the service itself.
  • "There is one official GDPR list of cookie categories." There isn't. The categories are convention drawn from the ePrivacy Directive and data protection authority guidance, not a statutory enumeration.
  • "'Legitimate interest' means I can't reject those cookies." Legitimate interest is a separate legal basis under the IAB Europe TCF, distinct from consent. It governs whether data can be processed after collection, not whether a non-essential cookie can be set without consent, which ePrivacy rules still require. The GDPR's Article 21 gives visitors the right to object to that processing, and reputable banners surface it as a toggle.
  • "More categories means more compliant." What matters is correct classification and blocking before consent, not the number of buckets a banner shows.

How Consently Categorizes Your Cookies Automatically

Consently scans a whole site and sorts every cookie into the standard categories automatically. It turns those categories into per-category toggles in the banner and preference center, blocking non-essential ones until the visitor consents.

The scanner detects cookies, trackers, scripts, and iframes across a site and assigns each one to a category: essential, preferences, statistics, marketing, social, or unclassified. Custom categories are available when the defaults don't fit a specific setup.

Every category shows up as a separate control in Consently's preference center. Visitors can accept statistics cookies while rejecting marketing ones, instead of choosing all or nothing. Non-essential categories stay blocked by default until a visitor opts in.

Try Consently free with a 14-day trial. No credit card required.

FAQs

What are the four types of cookies?

The four most common consent categories are necessary, preferences (functional), statistics (analytics), and marketing (advertising). Many tools add a fifth for social media.

What is a strictly necessary cookie?

A strictly necessary cookie is one a site cannot work without, such as a login session, a shopping basket, or a security check. It is the only category exempt from consent.

Are analytics cookies essential?

No. Analytics cookies are not strictly necessary because the site works without them. Even aggregated visitor statistics still require consent.

What are "legitimate interest" cookies?

Legitimate interest is a separate ad-tech legal basis under the IAB Europe TCF, shown beside consent in some banners. GDPR Article 21 gives visitors the right to object to processing based on it, so reputable banners let them switch it off.

What are unclassified cookies?

Unclassified cookies are ones a scanner has found but not yet sorted into a category. Treat them as non-essential until they are categorized.

Do all cookie categories need consent?

Under the GDPR and ePrivacy rules, every category except strictly necessary requires prior consent. Requirements differ by region; the cookie compliance checklist earlier in this article covers how rules vary.

Who decides the cookie categories?

There is no single official list. Categories follow the ePrivacy Directive and data protection authority guidance, and consent tools implement them.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.