Cookie categories are the groups a website sorts its cookies into by purpose: necessary, preferences, statistics, and marketing. A cookie's category decides what a visitor sees in the banner and whether it can run at all. Privacy laws like the GDPR require consent for every category except strictly necessary cookies.
Below: what each category does and how many actually exist. Then which ones need consent, and how a scanner turns a raw cookie list into the toggles visitors see in a banner.
What Is a Cookie Category?
A cookie category is a group of cookies sorted by what they do. Consent tools use these groups to let visitors allow or block cookies as a set, rather than one at a time.
A cookie is a small text file a site stores in a visitor's browser. Grouping cookies by purpose lets a preference center show a manageable set of toggles instead of hundreds of individual files: necessary, preferences, statistics, and marketing. There is no single official list of category names. The ePrivacy Directive and national data protection authorities set the legal framework, and each consent tool implements its own version of the taxonomy.
The Main Cookie Categories (and What Each One Does)
Consent tools sort cookies by purpose into a small set of standard categories, and every major tool uses different names for the same groups. The table below reconciles the common names.
| Category | Also called | What it does | Examples | Needs consent? |
|---|---|---|---|---|
| Strictly necessary | Essential, necessary | Runs core site functions the visitor requested | Login session, shopping basket, load balancing | No, exempt |
| Preferences | Functional | Remembers non-essential choices | Language, region, text size | Usually yes |
| Statistics | Analytics, performance | Measures how visitors use the site | Page views, traffic sources | Yes |
| Marketing | Advertising, targeting | Tracks visitors to build ad profiles | Cross-site ad targeting | Yes |
| Social media | (none common) | Powers embedded share buttons and players | Facebook Like button, embedded YouTube player | Yes |
Strictly Necessary (Essential) Cookies
Strictly necessary cookies, also called essential or necessary cookies, let a site run its core functions. Logging in, keeping a shopping basket, and securing a session all depend on them. They are the one category exempt from consent under UK and EU cookie law.
The UK Information Commissioner's Office names three concrete examples. A cookie that remembers an online basket qualifies, as does one that secures an online banking session. So does a load-balancing cookie that distributes traffic across servers. The exemption is narrow. It covers only what a service needs to fulfil the visitor's specific request, not anything merely convenient.
Learn more about the exact boundary in essential vs non-essential cookies.
Preferences (Functional) Cookies
Preferences cookies, also called functional cookies, remember non-essential choices like language, region, or text size. They improve the experience but are not required to run the site, so most of them need consent.
One narrow exception exists. The Article 29 Working Party's 2012 opinion, referenced in current ICO guidance, notes that some language-preference and user-interface-customization cookies may fall inside the strictly-necessary exemption. Some platforms label this bucket with a numbered scheme instead, so a banner that mentions "Category 3 functionality cookies" is describing this same group.
Statistics (Analytics / Performance) Cookies
Statistics cookies, also called analytics or performance cookies, count visitors and show how they use a site's pages. They are not strictly necessary, so they require consent even when the data collected is aggregated.
This is the most common misconception about cookie categories: that measuring "just" page views is harmless enough to skip consent. The ICO's guidance draws the line precisely. Cookies that are helpful or convenient but not essential will still require consent, in the regulator's own words. A tool like Google Analytics falls into this category by definition, regardless of how the data gets used afterward.
Marketing (Advertising / Targeting) Cookies
Marketing cookies, also called advertising or targeting cookies, track visitors across sites to build a profile and serve targeted ads. They are usually third-party cookies, and they always require consent.
Whether the site or an embedded ad network sets a marketing cookie determines its first-party vs third-party cookies status. That status affects how it gets blocked and disclosed.
Social Media and Unclassified Cookies
Social media cookies come from embedded share buttons and players, such as a Facebook Like widget or an embedded YouTube player. They need consent like any other non-essential category. Unclassified cookies are new or unknown cookies a scanner has detected but not yet sorted; treat them as non-essential until they are categorized.
How Many Cookie Categories Are There? Why the Names Differ
There is no single official list of cookie categories. Most consent tools use four to six categories, and names vary because the categories come from regulator and industry convention, not a fixed legal enumeration.
The naming split runs consistently across vendors:
- Necessary = essential = strictly necessary
- Preferences = functional
- Statistics = analytics = performance
- Marketing = advertising = targeting
Some tools add a fifth category for social media cookies; others fold it into marketing. A few platforms, including Apple's own cookie documentation, still use an older numbered scheme ("Category 1" through "Category 4") instead of these purpose-based names. All of these schemes describe the same underlying groups; only the labels differ.
Which Cookie Categories Need Consent?
Under the GDPR and ePrivacy rules, every cookie category needs prior opt-in consent except strictly necessary cookies.
Non-essential categories, preferences, statistics, marketing, and social media, must be blocked until the visitor consents. Strictly necessary cookies can run by default, but a site should still disclose them.
| Consent status | Categories |
|---|---|
| Needs consent | Preferences, statistics, marketing, social media |
| Exempt from consent | Strictly necessary |
The ICO states this plainly: a site cannot set non-essential cookies on a homepage before the visitor consents to them. That prior-blocking rule, not just disclosure, is what a consent tool has to enforce in practice. Consent requirements vary by legal regime. See the full cookie compliance checklist for how rules differ across GDPR, CCPA, and other laws. Read how cookie consent works for the underlying legal standard.
The Three Ways Cookies Are Classified (Purpose, Duration, Source)
The categories above sort cookies by purpose. Cookies are also classified two other ways: by duration (session vs persistent) and by source (first-party vs third-party).
| Classification axis | What it splits on | The two main values | Depth |
|---|---|---|---|
| Purpose | What the cookie does | Necessary, preferences, statistics, marketing, social | This page |
| Duration | How long the cookie lasts | Session, persistent | Session vs persistent cookies |
| Source | Who set the cookie | First-party, third-party | Covered in the Marketing cookies section above |
Purpose is the axis that determines consent treatment. Duration and source describe how a cookie behaves and where it came from. Both matter for compliance disclosure, but neither one exempts a cookie from consent by itself. See the full list of cookie types for every variant across all three axes.
How Cookies Get Sorted Into Categories
Sorting a cookie into a category is a four-step process that connects a raw scan to the toggles a visitor actually sees.
To sort cookies into categories:
- A cookie scanner crawls the site and finds every cookie, tracker, script, and iframe.
- Each cookie is matched to a category by a known-cookie database, its name or host, or manual review; unmatched cookies land in "unclassified."
- The categories become the toggles a visitor sees in the cookie banner and preference center.
- Non-essential categories stay blocked until the visitor consents to them.
This is the step most explainers skip: the category isn't just a label. It's the mechanism that decides whether a script fires before or after the visitor clicks accept.
Common Misconceptions About Cookie Categories
Several assumptions about cookie categories are wrong and lead directly to compliance gaps.
- "Analytics cookies are essential, so they don't need consent." They aren't. Only cookies essential to a service the visitor requested are exempt, and analytics measures usage rather than delivering the service itself.
- "There is one official GDPR list of cookie categories." There isn't. The categories are convention drawn from the ePrivacy Directive and data protection authority guidance, not a statutory enumeration.
- "'Legitimate interest' means I can't reject those cookies." Legitimate interest is a separate legal basis under the IAB Europe TCF, distinct from consent. It governs whether data can be processed after collection, not whether a non-essential cookie can be set without consent, which ePrivacy rules still require. The GDPR's Article 21 gives visitors the right to object to that processing, and reputable banners surface it as a toggle.
- "More categories means more compliant." What matters is correct classification and blocking before consent, not the number of buckets a banner shows.
How Consently Categorizes Your Cookies Automatically
Consently scans a whole site and sorts every cookie into the standard categories automatically. It turns those categories into per-category toggles in the banner and preference center, blocking non-essential ones until the visitor consents.
The scanner detects cookies, trackers, scripts, and iframes across a site and assigns each one to a category: essential, preferences, statistics, marketing, social, or unclassified. Custom categories are available when the defaults don't fit a specific setup.
Every category shows up as a separate control in Consently's preference center. Visitors can accept statistics cookies while rejecting marketing ones, instead of choosing all or nothing. Non-essential categories stay blocked by default until a visitor opts in.
Try Consently free with a 14-day trial. No credit card required.
FAQs
What are the four types of cookies?
The four most common consent categories are necessary, preferences (functional), statistics (analytics), and marketing (advertising). Many tools add a fifth for social media.
What is a strictly necessary cookie?
A strictly necessary cookie is one a site cannot work without, such as a login session, a shopping basket, or a security check. It is the only category exempt from consent.
Are analytics cookies essential?
No. Analytics cookies are not strictly necessary because the site works without them. Even aggregated visitor statistics still require consent.
What are "legitimate interest" cookies?
Legitimate interest is a separate ad-tech legal basis under the IAB Europe TCF, shown beside consent in some banners. GDPR Article 21 gives visitors the right to object to processing based on it, so reputable banners let them switch it off.
What are unclassified cookies?
Unclassified cookies are ones a scanner has found but not yet sorted into a category. Treat them as non-essential until they are categorized.
Do all cookie categories need consent?
Under the GDPR and ePrivacy rules, every category except strictly necessary requires prior consent. Requirements differ by region; the cookie compliance checklist earlier in this article covers how rules vary.
Who decides the cookie categories?
There is no single official list. Categories follow the ePrivacy Directive and data protection authority guidance, and consent tools implement them.

