
Which cookies actually need consent under GDPR?

by Paul Masterson

The most common compliance mistake we see isn’t a missing cookie banner — it’s a banner that does nothing. Analytics and marketing cookies fire the moment the page loads, before the visitor has clicked a thing.

The test that matters

Under the ePrivacy Directive and GDPR, any cookie that isn’t strictly necessary to deliver the service the user asked for needs prior consent. That means:

Why a banner isn’t enough

A Consent Management Platform is only compliant if non-essential cookies do not fire before consent, and stop firing after a rejection. If _ga is set on page load, the banner is decorative — and the firing is the violation, regardless of what the banner says.
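One way to run the check described above, as an added example that is not code from this post or from any particular Consent Management Platform: compare cookie snapshots taken at page load and after clicking "Reject" against the site's own list of strictly necessary cookies. The allowlist entries (session_id, csrf_token, consent_choice), the function names and the sample cookie strings are assumptions constructed for illustration.

```javascript
// Added example. Allowlist and sample snapshots are constructed, not from a real site.
// Cookies the site owner has classified as strictly necessary (assumption).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "consent_choice"]);

// Turn a document.cookie-style string ("a=1; b=2") into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// The test from the post: anything not strictly necessary needs prior consent.
function needsConsent(cookieString, necessary = STRICTLY_NECESSARY) {
  return cookieNames(cookieString).filter((name) => !necessary.has(name));
}

// Audit two snapshots: page load with no interaction, and after "Reject".
function auditBanner({ onLoad, afterReject }, necessary = STRICTLY_NECESSARY) {
  const beforeConsent = needsConsent(onLoad, necessary);
  const afterRejection = needsConsent(afterReject, necessary);
  return {
    beforeConsent,   // set before the visitor clicked anything
    afterRejection,  // still present, or newly set, after a rejection
    compliant: beforeConsent.length === 0 && afterRejection.length === 0,
  };
}

// Constructed snapshot of a decorative banner: _ga is set on page load.
const decorative = {
  onLoad: "session_id=abc123; _ga=GA1.1.111.222",
  afterReject:
    "session_id=abc123; consent_choice=rejected; _ga=GA1.1.111.222; _gid=GA1.1.333.444",
};

// Constructed snapshot of a banner that actually gates non-essential cookies.
const working = {
  onLoad: "session_id=abc123",
  afterReject: "session_id=abc123; consent_choice=rejected",
};

console.log(auditBanner(decorative));
console.log(auditBanner(working));
```

Snapshots can be copied from document.cookie in the browser console at each stage. HttpOnly cookies do not appear there, so use the browser's storage inspector when those matter.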
