Even if you're not aware of it, if you have a website, chances are you're using cookies. This is because, in most cases, websites must use at least certain types of cookies to function properly and deliver the user experience that customers expect.

The types of cookies your website might use vary considerably, from cookies which are truly essential to website functionality, to optional cookies which track or monitor user behavior. Tracking and analytics cookies can raise various legal concerns for business owners, including whether they need consent to use such cookies, and how to obtain this consent.

Cookie laws may seem complex, but they're actually fairly straightforward. Below, we consider how tracking and analytics cookies work and how businesses can use these cookies in a legally compliant way.

What are Cookies?

A cookie is a text file generated by a web server and placed on a user's device. It contains unique strings of data which the server "recognizes" the next time that user visits the website. The website will then be displayed according to the user's pre-set preferences e.g. language settings and geographical location.

That's the basic principle behind how any cookie works. However, there's more than just one type of cookie. In fact, there are various types of website cookies, and they all serve different purposes. Some are essential for the website to run properly, whereas others are purely for marketing or commercial purposes.

Let's briefly consider the differences between different types of cookies so you can better understand the role of tracking and analytics cookies.

Types of Cookies

There are two major cookie categories: cookies which we need for a website to work as intended, and cookies which are helpful for commercial purposes but your website functions just fine without them.

In other words, cookies can be essential or non-essential.

Essential Cookies

Essential cookies are what they sound like. They are essential for providing the intended web service to the end user. Without essential cookies, a website wouldn't load, or it wouldn't be of value because it wouldn't work as intended.

Here are just some of the functions that essential cookies facilitate:

  • Payment processing
  • Shopping cart transfer i.e. keeping a user's cart "full" as they move around your website
  • User login enablement
  • Account management
  • Web server access

Given how valuable essential cookies are, most people accept them without concern. There are very few consumers who object to truly essential or necessary cookies.

Non-Essential Cookies

Non-essential cookies are important to the overall user experience and for commercial purposes, but they are not required or strictly necessary. Meaning, users can reject non-essential cookies and still fully access and use the website as intended.

Cookies we can consider non-essential include cookies which:

  • Target and retarget advertisements
  • Monitor user behavior e.g. shopping or browsing habits
  • Remember user preferences
  • Analyze how visitors use a website

As we'll explore below, it's crucial to know the difference between essential and non-essential cookies, because they have different privacy and consent requirements.

The key point is this: if a user has full access to your website without needing this particular cookie, then it's a non-essential cookie.

Let's now consider whether tracking and analytics cookies are ever essential, or if they are non-essential cookies.

What are Tracking and Analytics Cookies?

Tracking and analytics cookies monitor users' online activities. They track and analyze user behavior to help businesses better understand how users interact with the company's website.

You may see these cookies referred to by other names such as performance or targeting. They have the same meaning.

There are two main types of tracking and analytics cookies:

  • First-Party Tracking Cookies: Placed on the user's device by the website owner for internal tracking and analytics monitoring.
  • Third-Party Tracking Cookies: Placed on the user's device by a third-party, such as a marketing company, to send the user targeted product and services ads.

First-party cookies aren't capable of tracking users around the internet. The cookies only work while the user is browsing the business owner's website. Third-party cookies, on the other hand, may be used to "follow" users around the web, monitoring their browsing habits and repeatedly showing them targeted ads.

Why Do Businesses Use Tracking and Analytics Cookies?

There are many reasons why a business might use tracking and analytics cookies. However, the most common reasons for using such cookies are:

  • Displaying more relevant content to improve the user experience
  • Making the website more convenient to navigate
  • Improving website functionality based on user trends and customer behavior
  • Offering targeted discounts and product recommendation on ecommerce stores
  • Identifying customer conversion issues

Examples of Tracking and Analytics Cookies

Tracking and analytics cookies vary considerably across websites. That said, there are certain types of tracking cookies which are more common than others.

Here are some specific examples of tracking cookies used most frequently:

  • Cookies to identify popular products and products with very little views. Business owners can use this data to, for example, offer "flash discounts" or change the website layout to get more traction on the "least" popular products.
  • Cookies for spotting conversion issues e.g. products often added to carts but rarely convert into sales.
  • Making a website more personalized, memorable, and convenient for a user.
  • Third-party advertisers tracking users across websites to send them targeted ads and, theoretically, offer a better browsing experience.

Tracking and analytics cookies are capable of collecting personal data. Personal data is, by definition, any information which can identify a particular individual. This type of information is heavily protected by global privacy laws, and you often need consent to collect and process it.

What does this mean for tracking and analytics cookies? There are a few takeaways:

  • You may not require consent to use essential first-party tracking cookies. This is because you have a legitimate business interest in using them. Without these cookies, you couldn't deliver goods or services the customers expect.
  • Depending on which privacy laws apply, you may require consent to use non-essential tracking cookies.
  • If you collect personal data for any reason, you should disclose this, and explain your reasons for processing the data, via a Privacy Policy.

Let's consider, more specifically, which privacy laws might affect you and when.

It's best to be cautious and get consent to tracking cookies if you're unsure whether you need it. But specifically, here are the main global privacy rules relating to tracking cookies.

  • GDPR: The EU's General Data Protection makes it mandatory to get express, informed, opt-in consent to personal data processing unless a valid exemption applies e.g. legitimate business purposes.
  • COPPA: Under U.S. federal law, you can't collect personal data relating to minors without express, verified parental consent.
  • CCPA/CPRA: If you sell personal data to third parties, then you need consent. Otherwise, you don't need consent to use tracking and analytics cookies, but you must disclose that you use them.
  • APA: Under Australia's Privacy Act, you don't need consent to third-party cookies or personal data processing so long as you disclose that you use such cookies.

Are Tracking and Analytics Cookies Turned Off By Browsers By Default?

It depends on the browser and the specific type of tracking or analytics cookies. Let's consider some examples.

  • By default, Apple Safari blocks cross-site tracking and analytics cookies i.e. third-party tracking cookies. Users are free, however, to turn this functionality back on. Apple Safari does not block the more essential first-party cookies used for e.g. payment processing and shopping cart handling.
  • Mozilla Firefox blocks all cross-site tracking and third-party cookies. Some first-party tracking and analytics cookies are still permitted.
  • Google Chrome will eventually block third-party tracking and analytics cookies, but this is not currently in operation.

Is There a Future for Tracking and Analytics Cookies?

As the privacy landscape evolves, and the rules around consent and collecting personal data tighten, there's a real chance that third-party tracking and analytics cookies could disappear. For marketers, this means finding an alternative way to identify missing conversions and opportunities to grow their customer base.

First-party tracking and analytics cookies could remain with us for some time yet. They're less invasive, there's no cross-site tracking capabilities, and they serve to enhance the user experience on a website they freely chose to visit.

That said, business owners would be wise to keep a close eye on how rules around tracking and analytics cookies are changing so they can make informed decisions around how to alter their marketing strategy.

How Should Businesses Disclose the Use of Tracking and Analytics Cookies to Customers?

There are three options for disclosing your use of tracking and analytics cookies:

  • Cookies Policy
  • Privacy Policy
  • Cookie Pop-Up Banner or Consent Notice

Let's look at some examples of how businesses disclose their use of tracking and analytics cookies through these methods.

Cookies Policy

A Cookies Policy sets out how your business uses cookies and for what purpose(s), and it explains what rights users have to control cookie use.

To be clear, there's no need to have a separate Cookies Policy if you already have a Privacy Policy that contains information about your cookie usage. Some businesses opt to have a separate Cookie Policy for clarity. However, remember it's optional to have two policies.

Here's an example from Birkenstock, showing what content the Cookie Policy has, and how it is clear, concise, and broken into short, user-friendly sections explaining why the company uses cookies and what type of data they collect:

Birkenstock Cookie Policy Table of Contents

There's also a clickable section within the Cookie Policy itself so that users can select or deselect certain types of cookies whenever they wish:

Birkenstock Cookie Policy toggle section

The Cookie Pop-Up Notice also contains information regarding customers' rights to opt in or opt out of cookies, and gives them the freedom to easily confirm or rejecting tracking cookies:

Birkenstock Cookie Settings form

Privacy Policy

Your Privacy Policy contains your key policies around data privacy and how you comply with global privacy laws.

Your Privacy Policy should explain if you collect personal data, your reasons for doing so, and what rights customers have to accept or reject non-essential cookies.

Wolters Kluwer, for example, confirms that it collects personal data using cookies and similar technologies:

Wolters Kluwer Privacy and Cookies Policy: How we collect personal information clause

It also clearly defines the categories of cookies it uses, which include cookies capable of tracking and analyzing user behavior. And there is a clear opt-out process, or cookie management process, for every user to understand:

Wolters Kluwer Privacy and Cookies Policy: Manage cookie preferences clause

You don't need to define or list every individual cookie you use. Categories are sufficient, so long as they are clear.

Consent to cookie placement is, essentially, meaningless in legal terms unless it's informed. Users must know what they're consenting to, which makes your Cookie Notice the perfect place to disclose your use of tracking and analytics cookies.

80/20 Endurance, for example, clearly highlights that it uses measurement and marketing cookies (i.e. tracking and analytics cookies). Users can select precisely which cookies they want to accept:

80 20 Endurance Cookie Consent Notice

And Women's Health Magazine has clear opt-in and opt-out consent for non-essential targeting and performance cookies (tracking and analytics cookies):

Womens Health Magazine Cookie options

It also helpfully uses bold text for keywords in its main Cookie Notice to help to ensure users are fully aware of their privacy rights and how to exercise them:

Womens Health Magazine Cookie Consent Notice


Tracking and analytics cookies are used to monitor and analyze how users interact with a website. Businesses typically use tracking and analytics cookies for commercial purposes, such as:

  • Improving the user experience
  • Optimizing websites
  • Identifying underperforming products

First-party tracking cookies only work on a single website. Third-party tracking cookies, however, are installed by advertisers and follow users around the internet. They are typically used for marketing purposes.

Since all tracking and analytics cookies can process personal data, you may need consent before you can use them unless you have a legitimate business reason for using them i.e. they are essential for website functionality.

Consent, when required, must be express, informed, freely given, and easy to withdraw. To comply with this obligation, businesses must:

  • Have a Privacy Policy (and separate Cookies Policy, if they wish) explaining how they collect and use personal data, and how consent can be managed
  • Use Cookie Pop-Up Notices with sliders, checkboxes, or other express means for opt-in consent. Implied consent is insufficient for laws such as the GDPR.

If you're in any doubt, always get legal advice before relying on legitimate business interests or any other grounds for using tracking and analytics cookies without consent. Or better still, always get opt-in consent to be on the safe side.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy