Essential vs non-essential cookies
Under the EU ePrivacy Directive, storing or reading information on a user's device is allowed without consent only when it is strictly necessary to provide a service the user explicitly requested. Everything else — including the vast majority of analytics, advertising, and personalisation cookies — is non-essential and requires prior, informed consent. This page explains the test and where analytics usually lands.
The strictly-necessary test
Article 5(3) of the ePrivacy Directive permits storing or accessing information on terminal equipment without consent in two cases: when it is for the sole purpose of carrying out a transmission, or when it is strictly necessary to provide a service the subscriber or user has explicitly requested. A login session cookie or a shopping-cart cookie typically passes. A cookie that exists to measure audiences or build profiles does not.
The European Data Protection Board's guidance stresses that 'strictly necessary' is judged from the user's perspective — necessary to deliver what they asked for, not what the site operator finds useful.
Where analytics usually lands
Most analytics cookies are non-essential because measurement is a purpose of the operator, not a service the user requested. That means EU sites generally need prior consent before the analytics cookie is written. Some regulators have offered narrow, conditional exemptions for strictly first-party, aggregate audience measurement, but the conditions are specific and vary by country.
- Strictly necessary: session, cart, security, load-balancing, consent-state cookies
- Non-essential: analytics, advertising, social, personalisation cookies
- Exemptions for audience measurement are narrow and country-specific
How it appears in analytics and logs
If your analytics writes a cookie before consent, regulators in the EU treat it as a non-essential cookie set without a lawful basis — a common reason analytics counts are challenged or scoped down.
Diagnostic use case
Decide whether an analytics cookie can be set on page load or must wait for consent, by applying the strictly-necessary test rather than guessing.
What WebmasterID can help detect
WebmasterID's privacy-first mode is designed to measure without setting non-essential cookies, so first-party counts do not depend on a consent click.
Common mistakes
- Labelling analytics cookies 'essential' to skip the consent prompt.
- Assuming a first-party cookie is automatically exempt.
- Treating one regulator's audience-measurement exemption as EU-wide.
Privacy and accuracy notes
This page is educational and not legal advice; the strictly-necessary exemption is defined by ePrivacy and interpreted by national regulators. Cookieless analytics avoids the question by storing nothing on the device.
Related pages
- The ePrivacy Directive and cookie consent
The ePrivacy Directive (2002/58/EC, amended 2009) regulates confidentiality of communications and, critically for analytics, the storing or accessing of information on a user's device. That clause is why setting non-essential cookies in the EU generally requires prior consent, sitting alongside the GDPR rather than being replaced by it. This is an educational overview, not legal advice.
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- Cookieless analytics: how it works and its limits
Cookieless analytics records visits and events without setting cookies or persistent cross-site identifiers. It relies on first-party, server-side signals and aggregate counting. The trade-off is honest: it cannot follow an individual across sessions the way cookie-based tracking can — which is exactly the point for privacy-first measurement.
- Privacy-first analytics
Measure without setting non-essential cookies.
Sources and verification notes
- EUR-Lex — ePrivacy Directive 2002/58/EC, Article 5(3)Defines the strictly-necessary and transmission exemptions.
- EDPB — Guidelines 2/2023 on Article 5(3) of the ePrivacy DirectiveInterpretation of strictly-necessary storage and access.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.