
What is a Cookie? A Plain-Language Guide for Website Owners

Gretelfy Team, March 14, 2026, 7 min read
Tags: cookies, basics, privacy, beginners, GDPR

Your website probably sets dozens of cookies every time someone visits. Do you know what each one does, why it's there, or whether it needs consent? Most website owners don't, and that's exactly where compliance problems start.

This guide breaks cookies down in plain language: what they are, the different types you'll encounter, and why they matter for privacy regulations like GDPR.

A cookie is a small piece of text that a website asks a visitor's browser to store and send back with later requests. It has a name, a value (usually a string of characters), and attributes such as an expiration date, the domain it belongs to, and flags like Secure (only sent over HTTPS) and HttpOnly (not readable by page scripts).

Think of it like a name badge at a conference. When you first arrive, someone hands you a badge. Every time you walk up to a booth, they glance at your badge and know who you are without asking again. Cookies work the same way: they help websites remember things about visitors between page loads.

Here's what a typical cookie looks like under the hood:

  • Name: _ga
  • Value: GA1.2.1234567890.1709300000
  • Domain: .example.com
  • Expiry: 2 years
  • HttpOnly: No
  • Secure: Yes

That particular cookie belongs to Google Analytics. It tracks unique visitors across sessions, and under GDPR, it requires explicit consent before being set.

First-Party vs Third-Party Cookies

This distinction matters enormously for compliance.

First-Party Cookies

First-party cookies are set by the domain you're actually visiting. If you're on shop.example.com, a first-party cookie comes from example.com.

Common uses include:

  • Keeping you logged in
  • Remembering your shopping cart
  • Storing language or currency preferences
  • Session management

First-party cookies aren't inherently problematic, but they still need to be categorized correctly. A first-party analytics cookie still requires consent.

Third-Party Cookies

Third-party cookies are set by a domain different from the one you're visiting. If you're on shop.example.com but a cookie is set by doubleclick.net, that's a third-party cookie.

These are the cookies that privacy regulations target most heavily because they enable:

  • Cross-site tracking (following users across different websites)
  • Retargeting and behavioral advertising
  • Building user profiles without direct interaction

Major browsers are phasing out third-party cookie support, but the transition is slow. In the meantime, your website might still set dozens of them through embedded scripts, ad tags, and social media widgets.

Session vs Persistent Cookies

Beyond who sets them, cookies also differ in how long they stick around.

Session Cookies

Session cookies exist only while the browser is open. Close the browser, and they disappear. These are typically used for:

  • Active login sessions
  • Shopping cart contents during a single visit
  • Temporary form data
  • CSRF protection tokens

Session cookies are generally considered lower risk because they don't persist.

Persistent Cookies

Persistent cookies survive after the browser closes. They have an explicit expiration date, which can range from minutes to years. Examples:

  • _ga (Google Analytics): 2-year expiry
  • _fbp (Facebook Pixel): 90-day expiry
  • IDE (Google DoubleClick): 13-month expiry

The longer a cookie persists, the more data it can accumulate about a user's behavior. Privacy regulations pay close attention to expiry periods, and some Data Protection Authorities (DPAs) have argued that analytics cookies with multi-year lifespans are disproportionate.

Every cookie on your website falls into one of the categories below. Understanding them is essential for building a correct consent mechanism.

Necessary Cookies

These are required for the website to function. Without them, core features break. Examples:

  • Session IDs for logged-in users
  • Load balancer cookies
  • CSRF tokens
  • Cookie consent preference storage

Necessary cookies are the only category that does not require explicit consent under GDPR. But the bar is high: if the website can function without a cookie, it's probably not strictly necessary.

Functional Cookies

Functional cookies enhance the user experience but aren't essential. Examples:

  • Language preferences
  • Region or currency selection
  • Remembering font size or theme settings
  • Live chat session cookies

These require consent. A common mistake is classifying functional cookies as "necessary" to avoid consent requirements, but regulators have flagged this practice repeatedly.

Analytics Cookies

Analytics cookies measure how visitors use your website. They track page views, session duration, bounce rates, and navigation paths. Examples:

  • _ga, _gid (Google Analytics)
  • _hjSessionUser (Hotjar)
  • ajs_anonymous_id (Segment)

Analytics cookies always require consent. Even when configured to anonymize IP addresses, the European Data Protection Board (EDPB) has confirmed that analytics cookies are not "strictly necessary" and need opt-in consent.

For more detail on what happens when these cookies fire before consent, see our guide on pre-consent cookie tracking.

Marketing Cookies

Marketing cookies enable advertising, retargeting, and cross-site tracking. They are the highest-risk category. Examples:

  • _fbp, _fbc (Facebook/Meta)
  • IDE, NID (Google Ads)
  • li_sugr (LinkedIn)
  • muc_ads (Twitter/X)

These cookies build detailed user profiles and share data across ad networks. They absolutely require consent, and setting them before consent is one of the most common pre-consent violations.

Unknown Cookies

If a cookie doesn't match any known pattern, it's classified as "unknown." This happens more often than you'd think, especially with:

  • Custom tracking implementations
  • Niche third-party tools
  • Obfuscated or dynamically named cookies

Unknown cookies should be treated as non-necessary until reviewed and properly categorized. Leaving cookies unclassified in your consent banner is itself a compliance risk.

Why Cookies Matter for Privacy

Cookies are the primary mechanism through which websites track user behavior. A single marketing cookie can:

  1. Identify a user across multiple websites
  2. Build a profile of their interests and browsing habits
  3. Share that profile with advertising networks
  4. Enable targeted ads based on private browsing behavior

This is why the GDPR, ePrivacy Directive, and similar laws require informed, explicit consent before non-essential cookies are set. The user has the right to decide whether this tracking happens.

Here's the rule, stripped to its essence:

Before setting any cookie that isn't strictly necessary for the website to function, you must get the user's explicit consent.

That means:

  • No pre-checked boxes: Consent must be an active choice
  • No cookie walls: Users can't be forced to accept cookies to access content (in most EU jurisdictions)
  • Granular options: Users must be able to accept analytics but reject marketing, for example
  • Easy withdrawal: Rejecting cookies must be as easy as accepting them
  • No pre-consent firing: Cookies must not be set before consent is given

That last point is critical and frequently violated. Many websites display a consent banner but have already set tracking cookies during page load, before the user has clicked anything. This is a pre-consent violation, and it's exactly what tools like Gretelfy are built to detect.

To learn how to check whether your own site has this problem, see our cookie compliance audit guide.

Practical Steps for Website Owners

If you're unsure about your website's cookie situation, here's where to start:

1. Inventory Your Cookies

You can't manage what you don't know about. Scan your website to get a complete list of every cookie set during page load, including name, domain, category, and expiry.

2. Categorize Each Cookie

Map each cookie to the correct category: necessary, functional, analytics, or marketing. Don't guess. Unknown cookies should be researched and classified.

3. Block Non-Essential Cookies Until Consent

Make sure your Consent Management Platform (CMP) or consent banner actually blocks non-essential cookies until the user opts in. Many CMPs are configured incorrectly and allow cookies to fire before consent.

4. Verify with an Independent Scan

Your CMP vendor telling you that you're covered isn't the same as independent verification. Use a third-party scanner to check what actually happens during a fresh page load, before any consent interaction.

5. Monitor Regularly

New cookies appear when you add scripts, update plugins, or change analytics tools. A one-time audit isn't enough. Regular monitoring catches new violations before a regulator does.
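As an added illustration of steps 1 and 2 (example code, not Gretelfy's scanner), the Python script below takes Set-Cookie headers captured on a fresh, pre-consent page load, parses each into the fields shown earlier in this guide, works out first- vs third-party and session vs persistent, classifies the cookie by the names quoted in the category sections above, and flags every non-necessary cookie as a pre-consent violation. The captured headers, the site hostname, and the necessary/functional name patterns are constructed for illustration.

```python
import re

SITE = "shop.example.com"  # assumed site being audited

# Analytics and marketing names are the ones quoted in this guide; the
# necessary and functional names are constructed examples for illustration.
# Order matters: the first matching category wins, "unknown" if none match.
KNOWN = {
    "analytics":  [r"^_ga$", r"^_ga_", r"^_gid$", r"^_hjSessionUser", r"^ajs_anonymous_id$"],
    "marketing":  [r"^_fbp$", r"^_fbc$", r"^IDE$", r"^NID$", r"^li_sugr$", r"^muc_ads$"],
    "functional": [r"^lang$", r"^currency$", r"^theme$"],
    "necessary":  [r"^PHPSESSID$", r"^csrftoken$", r"^cookie_consent$", r"^AWSALB$"],
}

# Constructed Set-Cookie headers, as a scanner might capture them before any consent click.
CAPTURED = [
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.1234567890.1709300000; Domain=.example.com; Expires=Sat, 14 Mar 2028 00:00:00 GMT; Secure",
    "IDE=AHWqTUk; Domain=.doubleclick.net; Max-Age=34128000; Secure; SameSite=None",
    "currency=EUR; Path=/; Max-Age=2592000",
    "xs_track=9f8e7d; Domain=.example.com; Max-Age=31536000",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and the attributes we audit."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "domain": SITE,
              "persistent": False, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key in ("expires", "max-age"):   # any explicit lifetime survives browser close
            cookie["persistent"] = True       # (Max-Age=0 deletions are not modelled here)
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie

def is_first_party(domain):
    """First-party if the cookie domain is the site itself or a parent of it."""
    return domain == SITE or SITE.endswith("." + domain)

def classify(name):
    for category, patterns in KNOWN.items():
        if any(re.search(p, name) for p in patterns):
            return category
    return "unknown"

def audit(headers, consent_given=False):
    """Return one finding per cookie; unknown cookies count as non-necessary."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        c["category"] = classify(c["name"])
        c["first_party"] = is_first_party(c["domain"])
        c["violation"] = not consent_given and c["category"] != "necessary"
        findings.append(c)
    return findings

if __name__ == "__main__":
    for c in audit(CAPTURED):
        print(f"{c['name']:<12} {c['category']:<10} {'1st' if c['first_party'] else '3rd'}-party "
              f"{'persistent' if c['persistent'] else 'session':<10} "
              f"{'PRE-CONSENT VIOLATION' if c['violation'] else 'ok'}")
```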

What Comes Next

Cookies are one piece of the larger privacy puzzle, but they're the most visible and most regulated piece. Understanding what's on your website is the first step toward genuine compliance.

Curious what cookies your website sets? Run a free scan and see every cookie listed with its category and purpose. Scan your website now.
