Virtually every website uses cookies. That's because, in many cases, a website simply won't work properly without the presence of certain types of cookies.

One such type of cookie is a "functional" cookie. Below, we explore what functional cookies are, what purpose they serve, and whether you need consent to install functional cookies on a user's device. We'll also consider how to disclose your use of functional cookies and how to obtain consent, should it be required.

What are Cookies?

Consider a cookie as a small packet of data. It's created by a web server and installed on a user's computer when they visit that domain. The server recognizes or "remembers" the user's device the next time they visit this website.

As a result, the server can generate content matching the user's pre-selected preferences. This should result in an improved, more enjoyable browsing experience.

That being said, not all cookies are the same. In fact, there are various types of cookies, and they all play slightly different roles. Some are essential for website functionality, whereas others are non-essential and simply enhance the user experience.

Let's briefly explore the difference before we consider where functional cookies fit along the spectrum.

Essential vs. Non-Essential Cookies

The main difference between essential and non-essential cookies is whether they're required for a website to work as intended, or whether the user can reject them and still use the website.

Essential Cookies

An essential cookie is required for a website to load or work properly. In other words, without these cookies, the website owner couldn't provide the intended service.

Essential cookies allow certain functions such as:

  • Enabling user logins
  • Payment processing
  • Connecting to the website server
  • Managing the user's account
  • Keeping the user logged in as they move around the website
  • Carrying the contents of an online shopping cart from one page to the next

Most consumers understand that such cookies are inevitable and have no issue accepting them as part of using the internet.

Non-Essential Cookies

Non-essential cookies, on the other hand, are useful, but they are not strictly necessary for a website to function as intended. They may not even be generated by the website the user initially visited, but instead by a third party.

The most common examples are advertising cookies and cookies which track users' behavior across other websites. They're the reason why, for example, someone might browse a product on one website, and when they visit another website, an advert for that product appears in the sidebar.

Non-essential cookies can enhance the user experience, but not every user wants to accept them.

What are Functional Cookies?

As the name implies, "functional" cookies improve website functionality. Certain website features may not work properly without them, although these are non-essential parts of the website.

They're capable of remembering certain information about a user, although they do not track users across websites. They're restricted to the website of origin i.e. they don't "follow" the user like advertising cookies do.

Examples of Functional Cookies

Functional cookies take various forms. Functional cookies can remember:

  • Language preferences
  • Font size and style settings
  • User location
  • Name and login details

These cookies allow users, for example, to comment on blog posts, engage with online chat services, and experience improved website performance.

Why Use Functional Cookies?

Functional cookies make for a richer, more enjoyable browsing experience. Specifically, though, here's why you might use functional cookies:

  • Content personalization e.g. greeting someone by name can make users feel valued.
  • Functional cookies allow you to deliver the most relevant and interesting content to your users e.g. local news.
  • Without functional cookies, users would be required to repeatedly adjust their settings e.g. language settings, which is cumbersome.

As preference or functional cookies are not strictly essential, then yes, you need consent for functional cookies. You may require consent to use functional cookies, depending on where your users are based, and which global privacy laws affect you.

Why might you require consent? There are a few reasons, but ultimately, it comes down to user privacy and personal data.

Personal data is essentially any information you can use to identify a specific person. This can be, for example, their real name, username, email address, or financial information. However, it also includes more obscure information such as an IP address.

If you collect any amount of personal data, then you must comply with certain privacy and cookie laws around the world. Let's consider some of the major laws and how they control cookie consent.

This is a non-exhaustive list, but here's how some major global privacy laws address the issue of functional (non-essential) cookie consent:

  • Canada's Anti-Spam Legislation (CASL): You must disclose that you use non-essential cookies and provide an opportunity to opt-out. However, implied consent is enough. You don't need express consent to functional cookies if you disclose them.
  • California's Consumer Privacy Act (CCPA): You should disclose your use of non-essential cookies, according to the CCPA, including functional cookies. You don't need consent to use functional cookies unless you're selling the collected data to third parties.
  • U.S. Federal Child's Online Privacy Protection Act (COPPA): Under COPPA provisions, you should not use cookies capable of collecting personal data on websites aimed at under-13s unless you get verifiable parental consent. The practicalities of this means that it's best to not use non-essential cookies on websites aimed at children.
  • Australia's Privacy Act (APA): This Act doesn't specifically reference cookies. However, data collected via cookies may be considered personal data under the Australian Privacy Principles. This means you should disclose using cookies but you don't need formal consent.

Although some jurisdictions do not require cookie consent, this is always subject to change. Furthermore, complying with laws such as the GDPR does often require obtaining consent, so it's best to err on the side of caution and seek informed consent as standard.

Do Browsers Allow Functional Cookies?

Browsers typically let users turn off any cookies they don't wish to accept, including essential ones (although there will be a caveat that this could render some websites unusable). However, browsers don't normally restrict functional cookies by default.

The same can't be said of purely marketing-based or cross-tracking, third-party cookies. Browsers are routinely working to faze out these cookies in response to an overall stricter approach to online privacy protection.

Should you require consent to use functional cookies, your cookie consent mechanism must be informed, expressly given, and clear. It should also be easily revocable i.e. the user can change their cookie consent preferences at any time.

To achieve this, use an opt-in approach to cookie consent. Users should be required to actively give consent the moment they land on your website, and before you attempt to collect personal data or install preference cookies.

To do this, use a banner, or pop-up. Netflix, for example, requires users to accept or reject cookies before they can access the website:

Netflix cookie consent banner

When a user clicks "Learn more," they can learn about functional cookies:

Netflix Privacy Preference Center

And Amazon EU has an option for users to specifically opt in or opt out of functional cookies:

Amazon EU Functional Cookies with On Off buttons

How Do You Disclose the Use of Functional Cookies?

You can disclose your use of functional or preference cookies in the following ways:

  • A Privacy Policy
  • A Cookies Policy
  • A Cookie Banner or Notice

To be clear, you don't need a separate Cookie Policy if you already have a comprehensive Privacy Policy. You can set out your cookie practices within the Privacy Policy and this is perfectly acceptable. At the very least, though, you should absolutely have a Privacy Policy.

Privacy Policy

A Privacy Policy sets out your website's privacy practices. It should include information such as whether you collect personal data, why you collect it, and what rights users have to opt in or opt out of data collection.

In other words, it's an ideal location to describe your cookie processes. When discussing cookies in your Privacy Policy, explain:

  • If you use cookies
  • Why you use cookies
  • What cookies you use (you don't need a detailed list; the category is sufficient)
  • The rights users have to accept or reject cookies
  • How users can change their cookie preferences

Dine Brands, aimed at U.S. audiences, has a short section in the Privacy Policy covering cookies. This single clause is sufficient to comply with US federal-level cookie laws. There's also information on opting out of location data tracking:

Dine Brands Privacy Policy Cookies clause

And Rogue Fitness does not have a Cookie Policy. Instead, it has a detailed list of the types of cookies it uses within its Privacy Policy. You'll note it calls functional cookies "personalization cookies," however the meaning is still clear:

Rogue Fitness Privacy Policy personalization Cookies clause

It also sets out how users can reject cookies, and the consequences of doing so:

Rogue Fitness Privacy Policy How to Control Cookies clause

Cookies Policy

A Cookies Policy is similar to a Privacy Policy. The difference is that, rather than detailing your entire approach to privacy protection, it only covers cookies. You'll still need to explain, as described above, what cookies you use, the purpose for using them, and users' privacy choices.

To be clear, you can have a short section about cookies in your Privacy Policy and then use a fuller Cookies Policy to expand on this. Or you can simply incorporate your Cookies Policy into your Privacy Policy. So long as you have a Privacy Policy compliant with global laws, there's no need for a separate document.

If you do opt for a Cookie Policy, though, take the same approach as you would to drafting a Privacy Policy. BMW Canada, for example, establishes what cookies are and why they're used:

BMW Canada Cookies Policy Modifications clause

It then explains what options customers have to reject cookies and change their preferences:

BMW Canada Cookies Policy Rejecting Cookies clause

This is a good example of a transparent Cookie Policy. It's user-friendly, not too detailed, but informative enough to comply with applicable privacy laws.

A cookie notice banner is a great way to ensure visitors to your site are immediately told about your use of cookies. You can also use them to get consent.

Here's an example from MTV. MTV clearly discloses its use of cookies which can improve the user's experience. The user is free to accept or reject these cookies in full knowledge of what will happen if they accept:

MTV Cookie Notice

You can also take the approach adopted by BMW Canada. It includes its core Cookies Policy within the Cookie Banner. Users can quickly scroll and learn about cookies before making a decision:

BMW Canada cookie Consent notice

TGI Friday's UK takes a similar approach:

TGIFridays UK cookie notice

The Future of Functional Cookies

It's unlikely that we'll see a demise of functional cookies anytime soon. While most browsers, including Safari, Edge, and Chrome, limit non-essential cookies by default, this typically affects marketing and other third-party cookies rather than functional cookies.

That said, it's still wise to pay attention to developments in this area. There's always the chance that functionality cookies will be impacted by new laws or tech changes. It's wise to seek legal advice if you have concerns about your overall cookie strategy or your approach to compliance.


The small data packets we call "cookies" are often crucial for websites to work properly. However, not all cookies are the same. Some are truly essential, whereas others are optional. Functional cookies, also known as "preference" or "functionality" cookies, arguably fall somewhere in between.

Functional cookies remember a user's preferences for a more personalized, consistent browsing experience. Examples of functional cookies are cookies which remember:

  • User location
  • Login details
  • Language settings
  • Preferred regional settings

In other words, they allow users to make choices which will enhance or streamline their experience the next time they visit the website.

As functional cookies are highly valuable but not strictly necessary, you may need consent to use them. At the very least, you'll most likely need to disclose your use of functional cookies in a clear and obvious way.

  • If consent is necessary under laws such as the GDPR, then you should obtain unambiguous, informed, and express consent using a slider, checkbox, or similar tool. Consent should be opt-in rather than opt-out for non-essential cookies.
  • You should disclose your cookie use through a Privacy Policy and/or a Cookies Policy. This should include an overview of the cookies you use, why you use them, a user's right to opt in or opt out of certain cookies, and how they can contact you for more information.

If you're unsure whether a cookie counts as a preference or functional cookie, or you have specific questions about the technical details around your own cookie usage, it's wise to seek legal advice.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy