ePrivacy Art. 5(3) exempts from consent only cookies 'strictly necessary' for a service explicitly requested by the user — a narrow carve-out that does not cover analytics, A/B testing, or affiliate attribution. GDPR Art. 6(1)(b)'s performance-of-contract basis equally does not extend to tracking that serves the operator's interests rather than delivering the requested service. Miscategorizing GA as 'functional' to bypass the consent requirement is a documented enforcement priority: the Austrian DSB, Italian Garante, and CNIL have all found this specific misclassification to constitute an unlawful consent mechanism under GDPR Recital 47.
Low because the error is a miscategorization in the registry rather than an operational tracking failure, but it undermines the legal basis for treating those cookies as consent-exempt and exposes the consent architecture to challenge.
Audit every entry in the essential category against the strict-necessity test: would the site's core service fail for this user without this cookie? If the answer is 'no, but it helps us,' the cookie is not essential.
// src/lib/cookies/registry.ts
// WRONG — GA classified as essential to avoid consent
{ name: '_ga', category: 'essential', purpose: 'Site functionality' }
// CORRECT — GA classified as analytics, consent required
{ name: '_ga', category: 'analytics', purpose: 'Google Analytics tracking.' }
{ name: '_ga_XXXXXXXX', category: 'analytics', purpose: 'GA4 session tracking.' }
Legitimate essential cookies: auth session tokens, CSRF tokens, load balancer stickiness, user-selected language preference. Move everything else — A/B testing, affiliate tracking, 'remember me' persistence — to analytics, marketing, or preferences as appropriate.
ID: cookie-consent-compliance.cookie-classification.essential-genuinely-essential
Severity: low
What to look for: Review the "essential" or "strictly necessary" category in the cookie registry. For each cookie listed as essential, verify that the site would genuinely break or become unusable without it. Legitimate essential cookies include: session/auth tokens (login would fail), CSRF protection tokens, load balancer stickiness cookies, a language/region preference the user set in the UI, shopping cart contents (for e-commerce without accounts). Cookies that are NOT legitimately essential: analytics cookies classified as "functional" to avoid requiring consent, A/B testing cookies, affiliate tracking cookies, social login state cookies that persist beyond the current session, "remember me" cookies (these are preferences, not essential). Flag any cookie in the essential category that appears to serve an analytics, tracking, or marketing purpose.
Pass criteria: Enumerate all cookies marked as "essential" and list their purpose. All cookies in the essential/strictly necessary category are genuinely required for the site to function for its core purpose. No analytics, tracking, A/B testing, or marketing cookies are miscategorized as essential to avoid consent requirements. 100% of essential cookies must be genuinely required for basic site functionality.
Fail criteria: Quote the actual cookie names classified as essential and explain why each fails the essentiality test. Analytics or tracking cookies (e.g., Google Analytics) are classified as "necessary" or "essential" to bypass consent requirements. A/B testing cookies classified as "functional" or "essential." Marketing attribution cookies classified as essential.
Skip (N/A) when: No cookie registry exists (already failing at all-cookies-documented). No cookies classified as essential.
Detail on fail: Example: "Google Analytics cookies (_ga, _ga_XXXXXXXX) classified as 'functional/essential' in the consent platform config. These are analytics cookies requiring consent." or "Optimizely A/B test cookie classified as 'strictly necessary'. A/B testing is not required for core site functionality."
Remediation: Re-classify miscategorized cookies in your src/lib/cookie-registry.ts:
// WRONG: GA classified as essential
{ name: '_ga', category: 'essential' }
// CORRECT: GA classified as analytics
{ name: '_ga', category: 'analytics' }
Move GA cookies to analytics; move A/B testing to analytics or preferences; move marketing attribution to marketing.
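As an added example, not part of this rule or of the project's registry code, the following TypeScript lint applies the strict-necessity audit described above and in "What to look for" to a registry of { name, category, purpose } entries; the name patterns, purpose keywords and sample registry are constructed for illustration.

```typescript
// Added example, not part of the rule or its registry code: lint a cookie registry
// of { name, category, purpose } entries and flag "essential" entries that look like
// analytics, A/B testing or marketing cookies. Patterns and sample data are constructed.
type CookieCategory = 'essential' | 'analytics' | 'marketing' | 'preferences';

interface CookieEntry {
  name: string;
  category: CookieCategory;
  purpose: string;
}

interface Finding { name: string; reason: string; }

// Name patterns of well-known tracking cookies (GA, GA4, Optimizely); extend for
// the vendors actually deployed on the site.
const TRACKING_NAME_PATTERNS: Array<[RegExp, string]> = [
  [/^_ga(_[A-Z0-9]+)?$/, 'Google Analytics / GA4 cookie'],
  [/^_gid$/, 'Google Analytics cookie'],
  [/^optimizely/i, 'Optimizely A/B testing cookie'],
];

// Purpose wording that describes the operator's interest rather than service delivery.
const TRACKING_PURPOSE_WORDS =
  /\b(analytics|tracking|attribution|a\/b|experiment|affiliate|remember me)\b/i;

// Returns one finding per "essential" cookie that fails the strict-necessity test.
function auditEssentialCookies(registry: CookieEntry[]): Finding[] {
  const findings: Finding[] = [];
  for (const entry of registry.filter(c => c.category === 'essential')) {
    const byName = TRACKING_NAME_PATTERNS.find(([re]) => re.test(entry.name));
    if (byName) {
      findings.push({ name: entry.name, reason: `${byName[1]} classified as essential` });
    } else if (TRACKING_PURPOSE_WORDS.test(entry.purpose)) {
      findings.push({ name: entry.name, reason: `purpose "${entry.purpose}" describes tracking` });
    }
  }
  return findings;
}

// Constructed sample registry: legitimate essential cookies plus two misclassified ones.
const sampleRegistry: CookieEntry[] = [
  { name: 'session_id', category: 'essential', purpose: 'Authenticated session.' },
  { name: 'csrf_token', category: 'essential', purpose: 'CSRF protection.' },
  { name: '_ga', category: 'essential', purpose: 'Site functionality' },
  { name: 'ab_variant', category: 'essential', purpose: 'A/B experiment bucket.' },
  { name: '_ga_XXXXXXXX', category: 'analytics', purpose: 'GA4 session tracking.' },
];

console.log(auditEssentialCookies(sampleRegistry));
```

Entries that the lint does not flag still need the manual test from the audit guidance; the patterns only catch known vendors and obvious purpose wording.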