Essential vs Non-Essential Cookies: What You Can and Cannot Block

Learn the legal test that separates essential from non-essential cookies, which ones need consent, and the mistake that gets analytics mislabeled.


by Riad Us Salehin • 3 July 2026


Essential cookies (also called strictly necessary cookies) make a website work and need no consent. Non-essential cookies, such as analytics and advertising, do other jobs and require consent before they load. Here is what you can safely block.

This guide covers the legal test that separates the two categories and which cookies need consent first. It also names the mistake that gets sites labeled non-compliant. That mistake is calling analytics "strictly necessary."

What Are Essential Cookies?

Essential cookies, also called strictly necessary cookies, are the cookies a site cannot work without. They handle the specific function a visitor requested, such as staying logged in or keeping items in a cart. The ePrivacy Directive exempts them from consent requirements.

These cookies exist to deliver a service the visitor explicitly asked for. Common examples include:

  • Authentication cookies: Keep a visitor logged in as they move between pages.
  • Session cookies: Track a visit so a multi-step process (checkout, a form, a login flow) does not reset midway.
  • Shopping cart cookies: Hold items in a cart while a shopper keeps browsing.
  • Security and fraud-prevention cookies: Detect suspicious login attempts and protect account data.
  • Load-balancing cookies: Route traffic across servers so the site stays fast and available.

Essential cookies do not track visitors across other websites, and they do not collect data beyond what the requested service needs. A login cookie confirms a session; it does not follow a visitor to a different domain. This is what makes the consent exemption legally defensible: the cookie serves the visitor, not a third-party advertiser.

For background on how cookies work in general, see what a cookie is.

What Are Non-Essential Cookies?

Non-essential cookies are every cookie not required to deliver the service a visitor requested. This category covers analytics, advertising, social, and most functional or preference cookies. Because the site works without them, prior consent is legally required.

Non-essential cookies typically fall into four groups.

  • Analytics cookies: Measure traffic, page views, and visitor behavior, including Google Analytics and GA4.
  • Advertising and targeting cookies: Build profiles for ad personalization and retargeting across sites.
  • Social media cookies: Power embedded share buttons, feeds, or login widgets from third-party platforms.
  • Functional or preference cookies: Remember convenience settings, like a saved language, that improve the experience without being required for it.

Every one of these cookies improves or monetizes the visitor experience, but the site still works if they are switched off. That is the line the law draws, and it is why prior consent applies before any of them load. One narrow edge case exists. A cookie that stores a language the visitor actively selected can qualify as essential, because it delivers the choice they just made. For the full breakdown of analytics, advertising, and functional categories, see cookie categories.

Essential vs Non-Essential Cookies at a Glance

The two categories diverge on purpose, consent, and what breaks if you block them. Essential cookies exist to run the service; non-essential cookies exist to measure, market, or personalize it.

AttributeEssential (strictly necessary)Non-essential
PurposeDeliver the service the visitor requestedAnalytics, advertising, social, convenience
Consent required?NoYes, before the cookie loads
ExamplesLogin, session, cart, security, load balancingGoogle Analytics, ad retargeting, social embeds
What breaks if blocked?Login, checkout, security features failNothing breaks; measurement and personalization stop
Tracks across other sites?NoOften, yes (advertising and some analytics)

What Legally Makes a Cookie "Strictly Necessary"?

A cookie qualifies as strictly necessary only when it is essential to deliver the service the visitor asked for. The ePrivacy Directive sets this test, implemented by the UK's PECR and mirrored across GDPR jurisdictions. "Helpful" or "convenient" does not meet that bar.

The UK Information Commissioner's Office states the test directly: a cookie is strictly necessary "to provide an 'information society service'... requested by the subscriber or user," and cookies that are "helpful or convenient but not essential" still require consent. Two conditions narrow the exemption further.

  1. The cookie must serve the visitor's request, not the site owner's own purposes.
  2. The cookie must be limited to transmitting a communication or delivering the requested service, nothing more.

This is why session, cart, security, and load-balancing cookies qualify: each one exists solely to complete the action the visitor initiated. Learn more about how cookie consent works under these rules.

Exempt from consent does not mean exempt from disclosure. Even strictly necessary cookies must still be listed in your cookie policy, so visitors can see what runs and why. The exemption removes the consent step, not the transparency duty.

Source: ICO, Cookies and similar technologies

Which Cookies Need Consent (and Which You Can Block)?

You must get prior consent for every non-essential cookie, including analytics, advertising, and most functional cookies. You do not need consent for essential cookies, and you can safely reject all non-essential cookies without breaking basic site use.

Use this as a quick decision list:

  • Needs consent first: analytics (including first-party Google Analytics), advertising and retargeting, social media embeds, most functional or preference cookies.
  • No consent needed, safe to load: login and session cookies, shopping cart cookies, security cookies, load-balancing cookies.
  • Safe to reject as a visitor: all non-essential cookies. Rejecting them does not stop you from logging in, checking out, or staying secure.

Getting this line right is the core of cookie compliance. Non-essential cookies cannot fire before the visitor consents. That choice is offered through a cookie banner on the visitor's first visit.

The Most Common Mistake: Mislabeling Analytics as Essential

The most common compliance mistake is labeling analytics or marketing cookies as "strictly necessary" to avoid showing a consent banner. Analytics cookies always require consent under the ePrivacy Directive and PECR, and being first-party or anonymized does not change that.

This mistake is recognizable by its symptom: a consent banner listing far more "strictly necessary" cookies than a site could legitimately need. If a banner lists 15 cookies as strictly necessary, some almost certainly do not meet the legal standard. The test excludes anything merely helpful.

Two myths drive this mistake:

  • Myth: first-party analytics is exempt from consent, reality: the ICO's guidance applies "PECR apply to all cookies," including anonymous, first-party visitor counting; first-party status does not create an exemption.
  • Myth: analytics helps run the site, so it counts as necessary, reality: analytics helps you understand visitors, but it does not deliver the service the visitor requested, which is exactly what fails the strictly-necessary test.

Some cookie-consent pages published by other CMP vendors still repeat the first-party exemption myth for analytics. Regulator guidance and consent-law reference sites consistently confirm the opposite: analytics cookies do not fall within the strictly necessary exemption and always require consent.

How Consently Categorizes and Blocks Cookies for You

Consently scans a site on install and sorts every cookie into essential and non-essential categories automatically. It then blocks the non-essential ones until a visitor consents, removing the guesswork behind the mislabeling mistake above.

The scanner detects cookies, trackers, scripts, and iframes across a site. It sorts each into essential, analytics, performance, advertising, social, or unclassified, with weekly rescans to catch anything new. Instead of manually deciding whether a marketing pixel counts as "necessary," the categorization is applied consistently and can be reviewed and adjusted per site.

Auto-blocking enforces that categorization: non-essential cookies, scripts, and iframes stay off until the visitor opts in, so analytics and advertising tags cannot fire early. Consently ships GDPR opt-in and CCPA and US-state opt-out templates by default, plus consent logs for audit records.

See how automatic cookie blocking works or start free with a 14-day trial.

FAQs

What is the difference between essential and non-essential cookies?

Essential cookies make a site work and need no consent. Non-essential cookies, like analytics and advertising, do other jobs and require consent first.

Do essential cookies require consent?

No. Strictly necessary cookies are exempt from consent under the ePrivacy Directive and PECR, though sites must still disclose them in a cookie policy.

Is Google Analytics an essential cookie?

No. Google Analytics and GA4 cookies are non-essential and require prior consent, even when set as first-party or configured to be anonymous.

Can I reject non-essential cookies safely?

Yes. Rejecting analytics, advertising, and social cookies does not affect basic site use. Only essential cookies are needed to log in, shop, and stay secure.

Are essential cookies safe?

Yes. Essential cookies do not track you across other sites or collect data beyond what the service you requested needs.

What happens if you only allow necessary cookies?

The site still works: login, cart, and security all function. Analytics and ads do not load, and many such sites do not need a consent banner at all.

Do I need a cookie banner if I only use essential cookies?

Generally no. Sites that use only strictly necessary cookies are exempt from consent requirements, so no banner is required.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.