The Cookie Consent Confusion: Why Technically Required Cookies Never Needed Consent

Nov 06, 2024 · 6 minute read

In recent years, we've all faced a barrage of cookie consent pop-ups on nearly every website we visit. Many of these prompts urge us to "accept all cookies" or "accept only technically required" cookies, meaning those that are first-party and necessary for a website's core functions. The truth is that no EU law requires consent for these essential cookies, such as the ones that keep you logged in or preserve your shopping cart. Consent solutions have nevertheless kept asking for approval, creating widespread confusion.

What Are Technically Required Cookies?

Technically required cookies are essential to the basic operation of a website. They support key functions such as keeping you logged in during a session or saving items in your shopping cart. These cookies are deemed "necessary" because the website cannot work correctly without them, which is why they are exempt from the consent requirement. Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) requires consent for storing information on, or accessing information already stored in, a user's device, but it exempts storage or access that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

For example, when you log in to your account, a session cookie holds your authenticated state so that you can move between pages without logging in again. Because that function is fundamental to the service you requested, the cookie falls into the "technically required" category and is exempt from consent. The same principle applies to cookies that carry an anti-CSRF token, keep a checkout or payment flow secure, or remember the privacy choice you made in the consent banner itself.

Why Are We Still Seeing Consent Requests for These Cookies?

The confusion stems from many consent solution providers treating all cookies, beacons, and pixel trackers alike, bundling non-essential third-party elements with essential, first-party cookies. This conflation results in misleading consent prompts, asking for permissions even for basic cookies that should operate without consent.

Additionally, some third-party providers have sidestepped the law by claiming "legitimate interest" under GDPR (Article 6(1)(f)) to justify deploying tracking cookies, beacons and pixels as "necessary" for site operation. Third-party solutions, including consent management platforms, are never technically required for a website's core functions: a third-party supplier cannot impose a technical requirement on the user, so classifying its cookies as technically required has been incorrect from the start. Nor can legitimate interest override Article 5(3) of the ePrivacy Directive. Article 5(3) is lex specialis (the legal principle that a more specific rule takes priority over a general one) in relation to the GDPR's general legal bases, and it names consent as the only basis for storage or access that is not covered by an exemption.

The 2024 EDPB Guidelines on Article 5(3) Make It Clear

In October 2024, the European Data Protection Board (EDPB) adopted the final version of its Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive, clarifying when storing information on, or accessing information from, a user's device falls under the consent rule. The guidelines do not restate that technically required cookies are exempt; their focus is on how broad "storage or access" is, which covers pixels, tracking links, local storage and similar techniques, not only cookies. The exemption itself is unchanged: consent is required only where the storage or access serves a purpose other than carrying out a transmission or providing a service the user has explicitly requested.

Since first-party, technically required cookies serve exactly such a service, such as maintaining a login or a shopping cart, they need no consent under the ePrivacy Directive, and nothing in GDPR adds a consent requirement for them. When a user visits a website they are actively engaging with it, so no banner, consent request or opt-out is needed for these cookies. Where they hold personal data they should still be described in the privacy notice, because GDPR transparency obligations continue to apply. For all other cookies and trackers, such as first-party analytics or third-party consent management solutions, informed user consent is mandatory before any data collection begins.

When Is Consent Required?

Consent is required for cookies, beacons, pixel trackers or similar technologies that are not strictly necessary for providing a service the user actively requests. First-party analytics cookies are the clearest example: they collect data to improve website performance, which is useful but not essential to the site's core functionality, so consent must be obtained before they are set. The same applies to third-party consent management platforms that manage and track user preferences across different services. They access the user's device for non-essential purposes, so their data collection goes beyond what basic site operation needs and informed consent is a legal requirement before it starts.

The reason users are even offered an "Accept only technically required cookies" button is that many consent solution providers have misrepresented their own tracking technologies, such as analytics scripts, beacons and pixel trackers, as essential to the operation of a website. Labelling them technically required misleads users into believing they are needed for the site to function, when they play no part in the services users actually engage with, such as logging in or making a purchase.

Additionally, some consent solution providers have tried to justify the deployment of these tracking technologies by claiming "legitimate interest" under GDPR. However, legitimate interest cannot override the specific requirements set forth by the ePrivacy Directive Article 5(3), which is more narrowly focused on user privacy compared to the broader GDPR provisions. The ePrivacy Directive, being lex specialis, takes precedence over GDPR in matters related to cookie consent. Therefore, relying on legitimate interest to deploy tracking technologies without explicit, informed user consent is not legally defensible.

The misclassification of these third-party technologies as technically required has been incorrect from the outset, undermining the transparency that privacy regulations are intended to enforce. Users should always be given a clear choice about whether they wish to be tracked, and informed consent is crucial for building trust, ensuring compliance, and demonstrating a genuine commitment to user privacy.

What Does This Mean for Businesses?

If your business uses first-party analytics or third-party consent management solutions, it's crucial to revise your approach to ensure consent is requested only where legally required. By adopting a first-party data strategy, you can rely on essential cookies solely for core functionalities, while collecting additional user data only after obtaining explicit consent. This approach not only aligns with privacy regulations but also enhances transparency.
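One concrete way to check the "consent only where legally required" rule is to audit what the site hands to a visitor who has not yet made a consent choice: at that point only strictly necessary storage may happen. The script below is an added example, not AesirX's scanner or any code from this article. It assumes a hypothetical allowlist of strictly necessary first-party cookie names, uses a deliberately crude eTLD+1 comparison (the Public Suffix List should replace it in real tooling), and runs against a constructed sample response for a hypothetical shop.example.com site.

```python
"""Pre-consent cookie and tracker audit (added example, not AesirX code).

Feed it the Set-Cookie headers and HTML a server returns to a visitor with no
consent choice yet. Under ePrivacy Directive Art. 5(3) only strictly necessary
storage (session, cart, CSRF token, the stored consent choice) may happen at
that point; everything else stored or loaded is reported as a finding.
"""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Hypothetical allowlist: first-party cookie names this site treats as strictly
# necessary. A real site must draw up its own list and justify each entry.
ESSENTIAL_COOKIES = {"sessionid", "csrftoken", "cart", "consent_choice"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "cookie" or "resource"
    name: str    # cookie name or resource URL
    reason: str


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels (shop.example.com -> example.com).
    Production tooling should use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_first_party(host: str, site_host: str) -> bool:
    return registrable_domain(host) == registrable_domain(site_host)


class ResourceCollector(HTMLParser):
    """Collects the src of every script, image and iframe in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))


def audit(site_url: str, set_cookie_headers: list[str], html: str) -> list[Finding]:
    """Return everything stored or loaded before consent that is not exempt."""
    site_host = urlsplit(site_url).hostname
    findings: list[Finding] = []

    # 1. Cookies the response sets directly (analytics cookies set on the
    #    first-party domain show up here as non-allowlisted names).
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = (morsel["domain"] or site_host).lstrip(".")
            if not is_first_party(domain, site_host):
                findings.append(Finding("cookie", name, "third-party cookie set before any consent choice"))
            elif name not in ESSENTIAL_COOKIES:
                findings.append(Finding("cookie", name, "first-party cookie not on the strictly-necessary allowlist"))

    # 2. Scripts, pixels and frames the page pulls in. A third-party host can
    #    set its own cookies and read the request, so loading it is already
    #    storage or access on the user's device in Art. 5(3) terms.
    collector = ResourceCollector()
    collector.feed(html)
    for tag, src in collector.resources:
        host = urlsplit(src).hostname
        if host is None:          # relative URL: served by the site itself
            continue
        if not is_first_party(host, site_host):
            findings.append(Finding("resource", src, f"third-party <{tag}> loaded before consent"))
    return findings


# Constructed sample response for a visitor with no consent cookie yet.
SAMPLE_SITE = "https://shop.example.com/"
SAMPLE_SET_COOKIE = [
    "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=d41d8c; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.123456; Max-Age=63072000; Path=/",   # analytics, not exempt
]
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/vendor.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<img src="https://pixels.example.org/p.gif" width="1" height="1">
</body></html>
"""


def run_sample() -> list[Finding]:
    return audit(SAMPLE_SITE, SAMPLE_SET_COOKIE, SAMPLE_HTML)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:8} {f.name:40} {f.reason}")
```

On the sample the session and CSRF cookies and the first-party CDN script pass, while the `_ga` cookie, the third-party tag script and the tracking pixel are reported. Run it against a real response captured in a fresh browser profile (no consent cookie) to see what a site actually stores before the visitor has chosen anything.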

Solutions like AesirX’s First-Party Foundation emphasize a first-party data framework, enabling businesses to gather meaningful analytics and compliant consent management without relying on intrusive third-party trackers. This helps build user trust, improve compliance, and mitigate the privacy risks associated with third-party tracking technologies. As privacy regulations continue to evolve, businesses that embrace a privacy-first mindset will be better positioned to foster long-term customer loyalty and demonstrate a commitment to ethical data practices.

The Bottom Line

The current cookie consent landscape needs a reset. As privacy regulations continue to evolve, it is essential for businesses to clearly distinguish between technically required cookies and those that require explicit consent. Technically required, first-party cookies, such as those used to maintain logins or shopping carts, have never needed user consent, and this will not change.

At the same time, it is critical for businesses to ensure that consent is obtained whenever required, minimizing the burden of consent fatigue on users. This means implementing data minimization principles and avoiding the blanket consent approach of auto-loading hundreds of third-party partners' cookies and trackers, which is non-compliant. By focusing on a privacy-first design and obtaining consent only when truly necessary, businesses can respect user choices, enhance transparency, and adhere to both the spirit and letter of data privacy laws.

By aligning data practices with these distinctions, businesses can reduce user confusion, build transparency, and demonstrate a genuine commitment to privacy by design. Adopting a first-party data approach not only enables compliance but also builds user trust — allowing businesses to avoid unnecessary and misleading consent pop-ups, and instead focus on ethical data handling that respects user preferences.

Ronni K. Gothard Christiansen // VikingTechGuy 

Creator, AesirX.io

AesirX Privacy Scanner for WordPress: check whether your WordPress or Joomla site complies with the ePrivacy Directive and GDPR. The scanner detects non-compliant elements such as cookies and trackers.
