Skip to content

ūüć™ What Makes a Cookie ‚ÄúStrictly Necessary‚ÄĚ?

Osman Husain 2/13/24 12:38 PM

Table of Contents

You might think that what constitutes a ‚Äústrictly necessary‚ÄĚ cookie is in the eye of the beholder. After all, every cookie is ‚Äústrictly necessary‚ÄĚ for some purpose. However, in data security and privacy circles (and many regulations), ‚Äústrictly necessary cookie‚ÄĚ has a specific, narrow definition.

A strictly necessary cookie is essential to the function of the website. Examples of strictly necessary cookies are those that:

  • Save a reference to the user‚Äôs shopping cart on an e-commerce site, so that the user can visit other pages on the site (or even log out and return) without losing the contents of the shopping cart.
  • Are needed to manage user authentication and authorization on sites that require users to log in.
  • Protect the site and its users by helping detect irregular or fraudulent activity.
  • Maintain the user‚Äôs web session.

Another type of cookie, which stores the user‚Äôs preferences (such as location and language), also falls into the ‚Äústrictly necessary‚ÄĚ category. However, its strict necessity is more from the user‚Äôs perspective than the site‚Äôs. The site could, of course, require users to select these preferences with each visit to the site, but the users would soon become quite annoyed with it.

Strictly necessary cookies are not used for tracking purposes and do not gather personal information, other than that required for the site to function properly. Most strictly necessary cookies are first-party cookies, meaning that they are owned by the site that provides them and not some other entity.


Strictly Necessary Cookies and Consent

How do data privacy laws and regulations treat strictly necessary cookies? The European GDPR, like most other data privacy regulations, exempts strictly necessary cookies from consent requirements. Because use of the site for its intended purpose would be curtailed, if not not disabled, by disallowing strictly necessary cookies, it doesn’t make sense to ask for the user’s explicit consent.

What about cookies that serve multiple purposes? The regulators thought of this, too. If a cookie has more than one purpose, it is exempt from consent only if all of its functions meet the definition of ‚Äústrictly necessary.‚ÄĚ Otherwise, explicit user consent is required.

Even if a set of cookies is strictly necessary and therefore exempt from consent requirements, it’s a good practice (and, in some jurisdictions, a requirement) to let users know that these cookies are present, what each one is used for, and why they are strictly necessary. This information can be conveyed on your site’s cookie banner or privacy policy.

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.