You might think that what constitutes a “strictly necessary” cookie is in the eye of the beholder. After all, every cookie is “strictly necessary” for some purpose. However, in data security and privacy circles (and many regulations), “strictly necessary cookie” has a specific, narrow definition.
A strictly necessary cookie is essential to the function of the website. Examples of strictly necessary cookies are those that:
- Save a reference to the user’s shopping cart on an e-commerce site, so that the user can visit other pages on the site (or even log out and return) without losing the contents of the shopping cart.
- Are needed to manage user authentication and authorization on sites that require users to log in.
- Protect the site and its users by helping detect irregular or fraudulent activity.
- Maintain the user’s web session.
Another type of cookie, which stores the user’s preferences (such as location and language), also falls into the “strictly necessary” category. However, its strict necessity is more from the user’s perspective than the site’s. The site could, of course, require users to select these preferences with each visit to the site, but the users would soon become quite annoyed with it.
Strictly necessary cookies are not used for tracking purposes and do not gather personal information, other than that required for the site to function properly. Most strictly necessary cookies are first-party cookies, meaning that they are owned by the site that provides them and not some other entity.
Strictly Necessary Cookies and Consent
How do data privacy laws and regulations treat strictly necessary cookies? The European GDPR, like most other data privacy regulations, exempts strictly necessary cookies from consent requirements. Because use of the site for its intended purpose would be curtailed, if not not disabled, by disallowing strictly necessary cookies, it doesn’t make sense to ask for the user’s explicit consent.
What about cookies that serve multiple purposes? The regulators thought of this, too. If a cookie has more than one purpose, it is exempt from consent only if all of its functions meet the definition of “strictly necessary.” Otherwise, explicit user consent is required.
Even if a set of cookies is strictly necessary and therefore exempt from consent requirements, it’s a good practice (and, in some jurisdictions, a requirement) to let users know that these cookies are present, what each one is used for, and why they are strictly necessary. This information can be conveyed on your site’s cookie banner or privacy policy.