Plain-English guide

What are cookies, really?

No code, no legalese. Just what a cookie actually is, which kinds put you at risk, and the one moment that decides whether your site is compliant: consent.

IN ONE SENTENCE
A cookie is a small text file a website stores in your browser to remember something between page loads: a login, a language, or who you are, for advertisers.
How they work

Harmless on their own. Powerful in bulk.

  1. 01
    A site sets a cookie

    When you load a page, the site (or a tool on it, like Google Analytics) writes a small file to your browser with a value, often just a random ID.

  2. 02
    Your browser sends it back

    On every later visit, the browser hands that file back, so the site recognizes you, your cart, and your settings.

  3. 03
    Third parties join in

    The risky part: ad and analytics companies set their own cookies through your site, following the same visitor across the web. That's tracking, and it's what consent law is about.

First-party

Set by your own domain, for your own purposes, like keeping someone logged in or remembering a cart.

Usually the low-risk ones. Many are exempt from consent because the site simply can’t work without them.

Third-party

Set by other companies through your site: ad networks, analytics, social pixels.

These follow people across sites. Under GDPR they almost always need consent before they fire.

The five categories that matter

Every cookie falls into one of five buckets.

It’s the same grouping your scan report uses. The further down this list a cookie sits, the more it needs consent.

NecessaryLogins, security tokens, the shopping cart. The site can't run without them.No consent needed
PreferencesRemember choices like language, region, or currency. Low-risk, but you should still disclose them.Disclose · low risk
AnalyticsMeasure how visitors use your site: page views, sessions, heatmaps. Helpful, but they need consent first.Consent required
MarketingAdvertising and audience-building pixels from Meta, Google Ads, and LinkedIn. The cookies regulators scrutinize most.Consent required
Uncategorized“Other”Cookies whose purpose can't be identified. Unknown intent is the highest risk of all, because you can't claim consent for something you can't explain.Highest risk
Where consent comes in

The whole rule, in one idea.

Nothing but the Necessary cookies should fire until a visitor has actively said yes. That single “yes” (freely given, specific, and easy to take back) is what turns a tracking cookie from a violation into a compliant one.

Before consent
Only Necessary cookies. No analytics, no marketing, nothing third-party.
After consent
Whatever the visitor opted into, and you keep a record proving they did.

Get the order wrong (cookies first, asking later) and you’re non-compliant, even if you have a banner. See the 6 GDPR requirements →

Now the easy part

See which of these are on your site.

One scan sorts every cookie into these five buckets and tells you what's firing before consent.