
Strictly necessary cookies — what actually qualifies

The 'strictly necessary' exemption is the most-misused phrase in cookie compliance. A plain-language walkthrough of the legal text, EDPB guidance, and concrete examples.

Every consent banner has an “essential” or “necessary” checkbox that you can’t uncheck. That’s because the law allows certain cookies without consent. The key word is certain.

What the law says

Under the ePrivacy Directive (plus GDPR), cookies are exempt from consent if they are:

“strictly necessary for the provision of an information society service explicitly requested by the subscriber or user”

Translation: the cookie must be essential for the thing the user asked you to do. Not for the thing you want to do.

What actually qualifies

The UK ICO and EDPB have provided concrete examples.

Exempt, no consent needed:

  • A session cookie that remembers what’s in your shopping cart
  • A cookie that remembers your language preference for that session
  • A load-balancer cookie that keeps your request on the same server
  • A cookie that remembers you filled in a multi-page form

Not exempt, consent required:

  • Analytics cookies (even first-party, even anonymized)
  • A/B testing cookies
  • “Remember me” cookies that persist across sessions
  • Affiliate tracking pixels and cookies
  • Any cookie set by a third party, regardless of purpose

The analytics gray zone

This is where most sites get it wrong. Many claim their analytics cookies are “strictly necessary” because they “need to know how many visitors they get.”

The EDPB has explicitly rejected this argument. Knowing your traffic numbers is useful for you. It is not necessary for the user to receive the service they requested.

There is one narrow exception: if you can prove that without analytics, your service literally cannot function (say, you’re a CDN that needs to route traffic based on load). This exception is so narrow it barely exists. Note that even Google Consent Mode doesn’t make analytics cookies strictly necessary; it just routes consent signals to Google.

The “legitimate interest” misunderstanding

Legitimate interest is a lawful basis under GDPR Article 6. It is not an exemption from the ePrivacy Directive’s cookie consent requirement.

You cannot bypass the consent banner by claiming legitimate interest in dropping cookies. The ePrivacy Directive requires consent for non-essential cookies regardless of your GDPR lawful basis.

How to audit your own cookies

  1. Open your site in an incognito window
  2. Open DevTools → Application → Cookies
  3. Before accepting the consent banner, note every cookie that’s already set
  4. For each one, ask: “Would the site break without this cookie?”
  5. If the answer is no, it needs consent

Most sites find 5-10 non-essential cookies set before consent. That’s a compliance gap.
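The five steps above are a manual DevTools check. The script below is an added example, not code from the article or from Zest: it takes the `Set-Cookie` headers you would copy out of the Network tab before clicking the banner and sorts them using the article's own lists. Anything set for a third-party domain, or not declared as strictly necessary by the site owner, is put in the needs-consent bucket; a declared cookie that carries an expiry (so it persists across sessions, like the "remember me" case) is set aside for review rather than waved through. The site host `shop.example`, the cookie names and the `DECLARED_ESSENTIAL` table are all constructed for illustration.

```javascript
// Added example (Node.js): audit cookies observed before consent was given.
// Site host, headers and the "declared essential" list are constructed sample data.
const SITE_HOST = "shop.example";

// Set-Cookie headers captured on first load, before the consent banner is touched.
const PRE_CONSENT_SET_COOKIES = [
  "cart_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "lang=de; Max-Age=31536000; Path=/; Secure",
  "SERVERID=node-3; Path=/; HttpOnly",
  "remember_me=tok; Max-Age=2592000; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.123; Domain=.shop.example; Max-Age=63072000; Path=/",
  "ab_variant=B; Path=/",
  "aff_click=xyz; Domain=.affiliate.example; Max-Age=86400; Path=/",
];

// Hypothetical: the site owner's own answer to "would the site break without it?"
const DECLARED_ESSENTIAL = {
  cart_id: "session shopping cart",
  lang: "language preference",
  SERVERID: "load-balancer affinity",
};

// Parse one Set-Cookie header into the attributes the audit cares about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    domain: null,
    maxAge: null,
    expires: null,
  };
  for (const attr of attrs) {
    const sep = attr.indexOf("=");
    const key = (sep === -1 ? attr : attr.slice(0, sep)).toLowerCase();
    const val = sep === -1 ? "" : attr.slice(sep + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = val;
  }
  return cookie;
}

// A host-only cookie belongs to the site; a Domain attribute must cover the site host.
function isThirdParty(cookie, siteHost) {
  if (!cookie.domain) return false;
  return !(siteHost === cookie.domain || siteHost.endsWith("." + cookie.domain));
}

// Any expiry means the cookie outlives the browsing session.
function isPersistent(cookie) {
  return cookie.maxAge !== null || cookie.expires !== null;
}

// Sort pre-consent cookies into exempt / review / needsConsent with reasons.
function auditPreConsentCookies(headers, siteHost, declaredEssential) {
  const result = { exempt: [], review: [], needsConsent: [] };
  for (const header of headers) {
    const c = parseSetCookie(header);
    const reasons = [];
    if (isThirdParty(c, siteHost)) reasons.push("set for a third-party domain");
    if (!(c.name in declaredEssential)) reasons.push("not declared strictly necessary");
    if (reasons.length > 0) {
      result.needsConsent.push({ name: c.name, reasons });
    } else if (isPersistent(c)) {
      result.review.push({ name: c.name, reason: "declared essential but persists across sessions" });
    } else {
      result.exempt.push({ name: c.name, reason: declaredEssential[c.name] });
    }
  }
  return result;
}

const report = auditPreConsentCookies(PRE_CONSENT_SET_COOKIES, SITE_HOST, DECLARED_ESSENTIAL);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node audit.js`; every entry under `needsConsent` is a cookie that should not exist until the user opts in, and every entry under `review` is one whose persistence you should be able to justify or else shorten to the session.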

How Zest handles it

Zest tags every cookie into a category. The strictly-necessary bucket is the only one that’s exempt from consent and never blocked, so session carts, load balancers, and form-state cookies keep working the moment the page loads. Everything else (analytics, ads, A/B, affiliate) stays gated until the user opts in. You tag each cookie once; Zest handles the blocking, the banner, and the consent record from there.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone. Drop the script in and you're done.