Cookies are often required for a website to load and work as intended. That's why, if you have a website, you are most likely using at least certain types of cookies to process data. But while certain cookies are essential, others, such as advertising cookies, are not.

If you use non-essential targeting and advertising cookies, different rules apply as to when you use essential cookies.

Below, we explain how targeting and advertising cookies work, why you may need a user's consent to use them, and how to obtain this consent while complying with various global privacy laws.



A cookie is simply a string of data contained within a text file. The data is generated by a web server and installed on a user's device when they visit that webpage. The purpose is to allow the server to "remember" that user. When they next visit the website, they'll have a more personalized, enjoyable browsing experience as a result.

Types of Cookies

Not all cookies are created equal. There are, in fact, various types of web cookies, and they serve vastly different purposes.

  • Some cookies are essential, meaning that a website cannot load at all, or offer the intended service, without these cookies in place.
  • Other cookies are non-essential, meaning that they are desirable, but a website can work just fine without them.

Let's consider the difference between essential and non-essential cookies to determine how we can classify targeting and advertising cookies.

Essential vs. Non-Essential Cookies

Essential cookies are integral to website functionality. Put another way, if the user wants to enjoy the website and everything it has to offer, they must accept these cookies.

Essential cookie functions include:

  • Processing payments
  • Enabling logins
  • Remembering shopping cart contents as the user moves around the website
  • User account management
  • Connecting to the website

Essential or necessary cookies are turned on by default. They can't normally be disabled.

Non-essential cookies improve the user's experience and offer more personalized browsing. They may be generated by the web server or by a third party advertiser. Non-essential cookie functions include:

  • Cross-site tracking
  • Analyzing consumer behavior
  • Sharing content on social media
  • Enabling chatbot services
  • Tailoring language, content, and geographical preferences to the user

As we'll explore below, you may need consent to use these cookies.

What are Targeting and Advertising Cookies?

Targeting and advertising cookies gather information about users to show them more relevant, targeted ads based on their browsing behavior.

Targeting and advertising cookies can be first or third-party in nature.

  • First-party targeting cookies are generated by the web server. They are used, for example, to highlight products similar to the ones which the user is purchasing. This may encourage users to buy additional products.
  • Third-party targeting advertising cookies are generated by external advertisers. They track user behaviors and show them adverts which may be relevant to them on other websites.

It's not uncommon for a website owner to share data generated by targeting and advertising cookies with third parties. However, if this is something you wish to do, then you may need consent first, and we'll explore this below.

How Do Businesses Use Targeting and Advertising Cookies?

There are many reasons why businesses use targeting and advertising cookies. The primary benefits are:

  • Analyzing ad performance
  • Understanding user behavior and browsing habits
  • Designing more relevant, effective ads
  • Increasing, or encouraging, more user engagement

Targeting and advertising cookies are powerful tools for any business. However, there are rules to follow, should you wish to use such cookies. Let's consider these rules now.

You may require consent to use targeting and advertising cookies, or place them on a user's device. There are two reasons for this.

  • Targeting and advertising cookies are non-essential. Certain privacy laws dictate that you must disclose and obtain consent to use non-essential cookies, particularly those with cross-site tracking capabilities.
  • Advertising and targeting cookies can collect personal data. Personal data is any identifier you can use to identify a specific individual, including their name, IP address, or account login details. You often need consent to process personal data (although not always, depending on which privacy laws apply).

Specifically, though, when do you need consent to use or install targeting and advertising cookies? It all comes down to which privacy laws apply.

Although there are many privacy laws around the world, some are especially significant based on how many users (and businesses) they affect. Here are the major global privacy laws that affect your use of targeting and advertising cookies.

  • CPRA/CCPA: California's Consumer Privacy Act requires you to disclose your use of non-essential cookies, such as targeting and advertising cookies. However, you do not need consent unless you sell data collected through these cookies to third parties.
  • GDPR: Under the EU's General Data Protection Regulation, you typically need consent to process personal data, or use cookies capable of processing personal data, unless a legitimate business interest exemption applies.
  • COPPA: U.S. federal law prohibits businesses from using cookies capable of collecting personal data belonging to minors without express, verifiable parental consent. Given how challenging this is to obtain, for all intents and purposes, you should perhaps not use targeting and advertising cookies on websites aimed at minors.
  • APA: Australia's Privacy Act does not require consent for personal data processing, or the use of targeting and advertising cookies. The caveat is that you must disclose that you use these cookies. It should also be clear how to opt out.
  • CASL: According to Canada's Anti-Spam Legislation, you don't need express consent to non-essential cookies, such as advertising cookies. However, you do need to disclose that you use targeting and advertising cookies and provide a clear mechanism for opting out.

Do Web Browsers Block or Allow Targeting and Advertising Cookies?

Some browsers do block targeting and advertising cookies. This is because, by default, they block any third-party and non-essential cookies that are capable of cross-site tracking.

Mozilla Firefox, for example, blocks third-party cookies, including advertising cookies, by default. Users can opt to accept them but they are turned off as standard.

And Google plans, as of mid-2024, on blocking non-essential cookies although they have not yet implemented this feature.

Similarly, Microsoft Edge is moving towards restricting third-party non-essential cookies by default.

Finally, Apple Safari blocks advertising and targeting cookies because they are non-essential third-party cookies, which are restricted by the browser.

Marketers and website owners would do well to bear these changes in mind when they are considering how to advertise and target users in the future. In the meantime, though, targeting and advertising cookies are still a marketing staple, so here's how to disclose your use of these cookies and how to obtain consent to targeting and advertising cookies.

How Do You Disclose the Use of Targeting and Advertising Cookies?

You can disclose your use of targeting and advertising cookies in three ways:

  • Cookies Policy
  • Cookie Pop-Up Banner/Cookie Consent Notice
  • Privacy Policy

Note that you do not need to disclose each specific cookie used, but can simply disclose categories.

Let's consider each option in turn, starting with a Cookies Policy.

Cookies Policy

A Cookies Policy explains why (and how) your business uses cookies. You should specify that you use advertising and targeting cookies, and for what purpose. Disclosing your use of this category of cookie is sufficient. Remember: You do not need to list every individual cookie.

Marks and Spencer, for example, explains how it uses advertising cookies, and for what purpose:

Marks and Spencer Cookies Policy: Third Party excerpt

And further down the Policy, there's a section explaining how customers can accept or reject non-essential cookies, which includes advertising cookies:

Marks and Spencer Cookies Policy: Non essential cookies excerpt

To be clear, there's no need for a separate, standalone Cookies Policy. You can make this policy part of your Privacy Policy, or even your Terms and Conditions Agreement. Or, you can have a standalone Cookie Policy, if you prefer.

A Cookie Consent Notice, or Cookie Pop-Up Banner, discloses that you use cookies and informs users of their rights to accept or reject certain types of cookies on your website. You should use it, therefore, to disclose your use of targeting and advertising cookies.

As with a Cookies Policy, there's no need to specify the exact cookies you use in detail (although you can if you wish). It is sufficient to declare that you use these categories of cookies.

Marks and Spencer, for example, discloses its use of advertising cookies. The company also explains the consequences of keeping these cookies turned off, which helps users make informed choices:

Marks and Spencer Cookie consent notice excerpt

Your pop-up banner should be placed prominently on your landing page.

Next Ireland, for example, displays its Cookie Notice in the center of the page, and users can't click through to the website until they either accept cookies or manage their preferences:

Next Ireland Cookie Consent Notice

Requiring users to expressly opt-in to non-essential cookies ensures compliance with the GDPR and other strict privacy laws.

Privacy Policy

A Privacy Policy describes, in some detail, how you collect, use, and share personal data, and for what purposes. It should also explain what choices a user has regarding how they share data with your business.

Since targeting and advertising cookies can collect personal data, they should be disclosed in your Privacy Policy.

Let's take TeePublic as an example. In its Privacy Policy, it states that the company wishes to use non-essential cookies, but it require a user's permission before actually using these cookies:

TeePublic Privacy Policy: Cookies clause

It then goes on to list different types of cookies, including marketing, advertising, and targeting-type cookies:

TeePublic Privacy Policy: Marketing Cookies clause

There's no need to list every cookie you use the way TeePublic does. However, you can if you feel like it will benefit your users.

Here's another example from Nike. In its Privacy Policy, under the "Cookies and Pixel Tags" section, it describes the main categories of cookies used, which include marketing and advertising-type cookies:

Nike Privacy Policy: Cookies clause excerpt

It's explained how it works with third parties, how targeted ads work, and why users might see certain ads on other websites. And finally, its clearly explained how users can change their preferences to reject these types of cookies:

Nike Privacy Policy: Cookies clause excerpt 2

The most effective way to obtain consent to targeting and advertising cookies is through a Cookie Banner or Cookie Notice. This should be an opt-in Cookie Notice, meaning the user must take an active step to consent to targeting and advertising cookies. It should also be clear what the user is consenting to, meaning the user must be informed before they consent.

Securing express, informed, opt-in consent rather than implied consent ensures that you comply with the strictest privacy laws such as the GDPR.

We've looked at Cookie Banners above. However, here's another excellent example which offers clear and succinct information to the reader.

Next Ireland helpfully explains that advertising cookies are turned off by default, and moving the slider means they're on. They also clearly explain what the cookies do, how to accept them, and what it means to leave them turned off:

Next Ireland  Manage Cookie Preferences

Although consent is not always required, it's best to take a thorough approach to obtaining consent to ensure complete privacy compliance.

The Future of Targeting and Advertising Cookies

Targeting and advertising cookies are non-essential, third-party cookies. There is a significant chance that such cookies could disappear, or at least become less popular, as we see a trend towards greater online privacy regulation.

Even if browsers continue to allow non-essential marketing cookies, individual users may reject targeting and advertising cookies themselves, especially now that there's increasing awareness around privacy rights.

You should continue to use targeting and advertising cookies if they align with your commercial goals. However, stay alert for changes to privacy laws which may impact how you use non-essential cookies more generally, and how you obtain consent.

You should also be aware that individual users are more informed now than ever before, and it may be more challenging to convince them to accept non-essential marketing cookies.

Summary

Targeting and advertising cookies are non-essential cookies. They offer more personalized browsing experiences, improve advertisement quality and relevance, and help business owners better understand user behavior.

However, although they are highly beneficial for business owners and marketers, targeting and advertising cookies are not essential to a website's functionality. As non-essential cookies, you may require consent before using them. And, in most cases, you will at least need to disclose that you use such cookies, and for what purpose.

Compliance with global privacy rules on targeting and advertising cookies is straightforward.

  • Disclose your use of non-essential cookies, including targeting and advertising cookies. You may do this through a Cookie Policy, Privacy Policy, Cookie Notice, or combination of methods.
  • Be clear about whether you share or sell data to third parties. Allow users the chance to opt-out of third-party data sharing for marketing purposes.
  • Obtain express, informed, opt-in consent to all non-essential cookies. This includes targeting and advertising cookies. Do this through an interactive Cookie Consent Notice.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy