Just as there are numerous recipes for crispy biscuits to bake, there are at least as many (unfortunately less tasty) biscuits on the internet – the infamous “cookies”. Many internet users find them unpalatable. The reason for this is the issue of data protection. First, cookies are used to make surfing the internet more comfortable. However, there are also website operators who do not take the protection of stored user data very seriously and sometimes use cookies to pass on data to third parties (third party cookies).
To put an end to the biscuit confusion in your head and so that you know how to integrate cookies into your website in a legally compliant manner, we will explain the different functional and technical types of cookies and their requirements in this article.
Theoretically, the law does not stipulate into which groups cookies must be divided. In fact, at the time of writing this article, whether cookie groups are legally permissible in Germany has not yet been finally clarified. However, it can be assumed that they will be permissible or are even recommended.
The only distinction to be made for legal reasons is between essential cookies and all other cookies.
Accordingly, most cookie plugins (e.g. for WordPress) divide the cookies into different groups based on function or benefit. However, most WordPress plugins also allow you to introduce your own additional groups. Which cookies belong to which group is a question that every website operator must answer for themselves. Depending on the use of a service, plugin or integration of external media, the assessment may be different.
As a rule, cookies are divided into four cookie groups: essential cookies, functional cookies, statistics cookies and marketing cookies.
Since the ECJ/CURIA ruling on 01.10.2019 (C-673/17), only technically necessary cookies – also known as “necessary cookies” or “essential cookies” – are allowed to be set without the active and informed consent of the website visitor.
Which cookies are necessary? Essential cookies are required for the basic functionality of the website. They only contain technically necessary services. These services cannot be refused.
✊ General rule: If the basic functionality of your website is disrupted by the missing cookie, it is a necessary cookie.
☝️ Important: You must still explain its function in your privacy policy.
In the following, we show examples of technically necessary cookies, controversial cases and when a cookie is definitely not essential.
The login status cookie can be considered essential. Without the cookie, the usefulness of the website would be fundamentally impaired, as the visitor would not be able to access the members’ area.
Google Fonts is a service that allows aesthetic fonts to be displayed on websites even if they are not installed on the user’s computer or mobile device. In the process, data is transmitted to Google and in some cases cookies are set or read.
Practically, everyone would probably agree that these cookies are essential because a website with a standard font looks entirely different from one with a beautiful and matching font. Legally, however, the user of your website has no functional disadvantages if the website looks less pretty. In addition, as the operator of the website, you technically have the option of delivering fonts from your server and therefore not transmitting any data to Google.
As a result of these arguments, it is legally disputed whether services such as Google Fonts can be considered essential. At the time of writing, there has not yet been a supreme court decision on this.
If you want to be on the safe side, you should rather classify such cookies as non-essential!
You want to integrate Google Analytics on your website to track users and thus increase the quality and/or sales of your website. Your website would function without this service and its cookies, just as it does with it. Whether you would be able to improve your website in the long term, for example, is irrelevant for legal purposes.
Functional cookies are necessary to provide features beyond essential functionality, such as prettier fonts, video playback or interactive Web 2.0 features. Content from e.g. video platforms and social media platforms should be loaded by default only after the website visitor has given consent. If the service has been consented to once, this content is loaded automatically without further manual consent.
Consent can typically be given directly in the cookie banner. Alternatively, the website visitor can also give their consent subsequently in a content blocker. You can see how this can look in the following screenshot.
Examples of functional services that set cookies are:
- YouTube
- Google Fonts
- Tidio (Live-Chat)
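How such consent gating can work, shown as an added example (not code from any plugin or service named in this article). The class name `ConsentGate`, the service ids and the `Map` used as consent store are assumptions:

```javascript
// Added example: load a service only after consent, remember the decision.
const GROUPS = ["essential", "functional", "statistics", "marketing"];

class ConsentGate {
  constructor(store = new Map()) {
    this.store = store;        // persisted decisions: serviceId -> true
    this.services = new Map(); // serviceId -> { group, load, loaded }
  }
  // Register a service; it loads at once only if essential or already consented.
  register(id, group, load) {
    if (!GROUPS.includes(group)) throw new Error(`unknown group: ${group}`);
    this.services.set(id, { group, load, loaded: false });
    return this.tryLoad(id);
  }
  isAllowed(id) {
    const svc = this.services.get(id);
    return !!svc && (svc.group === "essential" || this.store.get(id) === true);
  }
  tryLoad(id) {
    const svc = this.services.get(id);
    if (!this.isAllowed(id) || svc.loaded) return false;
    svc.load();
    svc.loaded = true;
    return true;
  }
  // Called from the cookie banner or from a content blocker placeholder.
  grant(id) { this.store.set(id, true); return this.tryLoad(id); }
  // Essential services cannot be refused; all others can be revoked.
  revoke(id) {
    const svc = this.services.get(id);
    if (svc && svc.group === "essential") return false;
    this.store.delete(id);
    return true;
  }
}

// Constructed scenario: first page view, consent for YouTube, second page view.
function demo() {
  const loaded = [], store = new Map();
  const gate = new ConsentGate(store);
  gate.register("login-session", "essential", () => loaded.push("login-session"));
  gate.register("youtube", "functional", () => loaded.push("youtube"));
  gate.register("google-analytics", "statistics", () => loaded.push("google-analytics"));
  gate.grant("youtube"); // visitor clicks the content blocker
  const next = new ConsentGate(store); // next page view, same stored decisions
  const autoLoaded = next.register("youtube", "functional", () => loaded.push("youtube-again"));
  return { loaded, autoLoaded };
}
```

Revoking consent here only stops future loads; cookies a service has already set still have to be deleted separately.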
Statistics cookies (also known as “performance cookies”) help to monitor a user’s behaviour on the website. These cookies are needed to collect pseudonymised data about visitors to the website in aggregate form. The data makes it possible to better understand individual users, a group of users or the totality of all users and to optimize the website.
For example, it records how often which links or sub-pages are clicked and whether error messages are displayed, how long the loading time is and how the website behaves in different browsers. Based on these findings, the user experience on the website can be improved.
Examples of statistics services that set cookies are:
- Google Analytics
- Matomo
- Clicky
Marketing cookies (also called “advertising cookies” or “targeting cookies”) are used by the website operator and third parties to record the behaviour of individual users, analyse the data collected and display personalised advertising, for example. These services make it possible to track the user across domains. For example, if you visit a fashion online shop, you will probably be shown advertising from that online shop when you visit other websites later. This so-called retargeting advertising can only be played because Google, for example, can evaluate which websites you have surfed on via the marketing cookies.
Examples of marketing services that set cookies are:
- Google Ads
- Sendinblue (Newsletter Opt-in)
- Hotjar
So what is cookie-like information? And why is there a functional distinction between cookie types as well as a technical one? Don’t panic, we’ll explain it to you in an easy-to-understand way!
As already mentioned in our article about cookies, “cookies” are legally referred to as “HTTP cookies”. Roughly summarised, “HTTP” is a network protocol that allows web browsers and servers to communicate with each other by exchanging data.
However, information that you might store in an HTTP cookie could also be stored in other technical structures:
- HTTP Cookie: An HTTP cookie is a classic cookie that is transferred to the server with every connection.
- Local Storage: Local storage is a modern, local storage of information (similar to cookies) for your browser, which, however, can only be read by JavaScript applications.
- Session Storage: Just like local storage, but technically limited to the particular tab in the browser in which the information was set. If you close your browser, the session is automatically ended.
- Flash Local Shared Object: Often also referred to as “Flash Cookie”. A “Flash Local Shared Object” is an object for storing information about users in Flash files that are executed with the Adobe Flash Player (barely used nowadays).
- IndexedDB: Modern alternative to local storage for larger amounts of data (still rarely used).
As the operator of a website, you must also find all cookie-like information used on your website (plus HTTP cookies) and integrate them correctly. You can read how to do this in our knowledge base in the article How do I find all services (cookies) on my website?
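A first inventory of the storage types listed above can be taken from the browser itself. The following is an added example, not part of the original article or of any plugin; the function names and the sample data are constructed, and in a browser console you would pass `window` instead of `sampleEnv`:

```javascript
// Added example: list "cookie-like" storage visible to script for one origin.
function cookieNames(cookieString) {
  return (cookieString || "")
    .split(";")
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split("=")[0]);
}

// Works on any object with the Storage interface (length, key(i)).
function storageKeys(storage) {
  const keys = [];
  for (let i = 0; storage && i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

function inventory(env) {
  return {
    // Only cookies readable by script: HttpOnly cookies never appear here
    // and have to be looked up in the Set-Cookie response headers.
    httpCookies: cookieNames(env.document && env.document.cookie),
    localStorage: storageKeys(env.localStorage),
    sessionStorage: storageKeys(env.sessionStorage),
  };
}

// IndexedDB databases can only be listed asynchronously.
async function indexedDbNames(env) {
  if (!env.indexedDB || typeof env.indexedDB.databases !== "function") return [];
  return (await env.indexedDB.databases()).map((db) => db.name);
}

// Constructed stand-in for the Storage interface, so this runs outside a browser.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i] };
}

// Constructed sample data, not taken from a real website.
const sampleEnv = {
  document: { cookie: "_ga=GA1.2.111.222; demo_session=abc; demo_consent=yes" },
  localStorage: fakeStorage({ demo_player_volume: "0.8" }),
  sessionStorage: fakeStorage({ demo_chat_state: "open" }),
};
```

Run it once before and once after accepting all services in the banner; every name that shows up before consent has to belong to an essential service.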
Congratulations, now you know what types of cookies there are and how they differ. 😎
However, you still have to overcome one challenge: tracking down cookies and obtaining consent in a legally compliant manner. As a website operator, it is your responsibility to find all the services used on your website and, if necessary, only set them after your user has given their consent. Phew, that sounds like a lot of work – unfortunately it is!
Since we know from our own experience how tedious and complicated this work can be, our WordPress Cookie Consent Plugin Real Cookie Banner with built-in scanner feature will give you a helping hand!