Cookie Categories Explained: Necessary, Functional, Statistics, Marketing

"Which category is this cookie?" — this question comes up in every implementation project. And surprisingly often classification is wrong. Here a clear overview of the four categories with concrete examples from Swiss web agency daily life.

The four categories overview

Necessary cookies

Cookies without which the website doesn't technically function. Examples:

• Session cookies (PHPSESSID, JSESSIONID): identify the running session
• CSRF protection (_csrf, XSRF-TOKEN): prevent cross-site request forgery
• Shopping cart (cart_id, basket): mandatory in e-commerce shops
• Login (auth_token, remember_me): for logged-in areas
• Cookie consent (cookie_consent, aiara_consent): saves the consent choice
• Stripe Payment (__stripe_mid, __stripe_sid): for payment security
• Cloudflare (__cf_bm): bot protection

These cookies need no consent but must be mentioned in the privacy policy.

Functional cookies

Cookies that make use more comfortable but are not technically mandatory. Examples:

• Language preference (locale, lang): remembers selected language
• Theme selection (theme=dark): remembers light/dark mode
• Geo-location (country, region): for regional content
• Font size (font_size): accessibility setting
• Cookie banner preferences (banner_dismissed): don't show banner again

These cookies are borderline: information recommended, consent in Switzerland mostly not mandatory, in GDPR practice recommended.

Statistics cookies

Cookies that collect website statistics. Examples:

• Google Analytics 4 (_ga, ga*): website tracking
• Matomo (_pk_id, _pk_ses): self-hosted analytics
• Hotjar (hjSession, hjUser): session recording
• Plausible (in cookie-less configuration without cookie)
• YouTube Embed Statistics (YSC, VISITOR_INFO1_LIVE): when YouTube videos embedded

These cookies usually need consent — even if not directly for advertising. The FDPIC guide recommends opt-in, FADP sees it similarly.

Marketing cookies

Cookies for ad tracking, targeting and conversion measurement. Examples:

• Google Ads (_gcl_au, _gcl_aw): conversion tracking
• Meta Pixel (_fbp, fr): Facebook/Instagram advertising
• LinkedIn Insight Tag (li_oatml): B2B advertising
• TikTok Pixel (_ttp): TikTok advertising
• HubSpot CRM (__hstc, hubspotutk): marketing automation
• Salesforce Pardot: lead tracking

These cookies mandatorily need consent. They may only be loaded after opt-in, and consent must be documented.

Most common classification mistakes

Mistake 1 — Classifying Google Analytics as "necessary." Some websites justify with "we use it for our internal statistics anyway." That's wrong: statistics is not necessary in the sense of technical function.

Mistake 2 — Categorising live chat cookies as "functional." Tools like Intercom or Drift are often designed as CRM and lead generation tools. As soon as data flows to the provider for marketing purposes, it's marketing — not functional.

Mistake 3 — Blanket categorising YouTube embed as "statistics." Embedding a YouTube video loads YouTube cookies. YouTube also does user tracking for Google Ads. More correctly: treat as marketing cookie, or better: use youtube-nocookie.com which does significantly less tracking.

Mistake 4 — A/B test tools as "statistics." Tools like VWO or Optimizely can be classified as statistics if they collect only anonymous aggregate data. But as soon as personalisation is involved (user segmentation), it becomes marketing.

Classification decision tree

For each new cookie ask:

1. Does the website work without the cookie?

   • No → Necessary
   • Yes, continue to 2

2. Is data transmitted to third parties?

   • No → Functional
   • Yes, continue to 3

3. What's the purpose of data transmission?

   • Pure website analysis, anonymous aggregate data → Statistics
   • Ad tracking, targeting, conversion → Marketing

When in doubt: choose stricter category. It's always safer to classify a cookie as marketing and demand consent than to be too lax.

What happens with correct classification

Anyone classifying cleanly offers users real choice:

• Reject all: only necessary cookies are set
• Statistics only: necessary + statistics activated, marketing stays off
• Accept all: all four categories active

This granularity is FDPIC and GDPR requirement. Banners without this choice option are considered insufficient.

Classification in Aiara's cookie database

Aiara maintains a cookie database with over 1,500 known cookies and their default classification. When the scanner finds a known cookie on a website, it's automatically correctly categorised. For unknown cookies, the website operator is asked to perform manual classification — with the three questions from the decision tree as help.

The result: fewer classification mistakes, consistent banner configuration, and in case of an FDPIC random check a documented justification for every assignment.