Cookies are not the sweet, baked treats we all love, but rather small pieces of data stored on users' devices when they visit your website. With the enactment of various data privacy laws, the use of cookies has become a hot topic, and it's crucial to understand which cookies require user consent and which do not. In this blog post, we'll delve into the exemptions for 'strictly necessary' cookies, as outlined in the Working Party 29 Opinion 04/2012 on Cookie Consent Exemption.
Understanding Strictly Necessary Cookies
Strictly necessary cookies are essential for your eCommerce website to function properly. They do not collect any personally identifiable information or track browsing habits. These cookies enhance the user experience on your site by remembering language preferences and other settings, making the user's visit as efficient as possible through the buying process.
Other Types of Cookies
Apart from strictly necessary cookies, there are non-necessary or non-essential cookies. These cookies are not required for basic website functionality and often serve different purposes, such as tracking user behavior for targeted advertising or marketing research. They include third-party cookies set by services, tools, or websites other than your own, as well as functional, analytics, and advertisement cookies.
Based on duration, cookies can be classified into:
- Session cookies: short-lived cookies that expire when the user's session on the website ends or when the browser is closed.
- Persistent cookies: cookies with a longer lifespan, ranging from days to weeks, months, or even years. They remain on the user's device until they reach their expiration date or the user clears them from the browser.
The Importance of Cookie Consent
According to the GDPR and the ePrivacy Directive, websites must ask for user consent before using cookies that are not necessary for the website's functionality. These cookies require consent because they collect user data for purposes of their own. Collecting such data without the user's consent is unlawful; consent is one of the six legal bases for processing user data. For consent to be valid, it must be:
- Informed: Users must be given adequate information about the cookies before giving consent.
- Freely given: Users must have a free and genuine choice to give consent.
- Specific: Cookies serving multiple purposes must seek separate consent for each purpose.
- Unambiguous: Users must give their consent through an explicit and affirmative action.
- Revocable: Users must be able to withdraw their consent easily at any time.
- Demonstrable: You must be able to provide proof of cookie consent in case of an audit.
Criteria for Cookie Consent Exemption
The ePrivacy Directive allows two criteria for using cookies without "informed consent":
- Criterion A: The cookie is used solely for "carrying out the transmission of a communication over an electronic communications network".
- Criterion B: The cookie is strictly necessary to provide a service "explicitly requested by the user".
Case Scenarios for Cookie Consent Exemptions
Let's analyze some cookie examples to determine whether they meet criterion A or B.
Exempted Cookies
These cookies meet criterion A or B and are exempted from informed consent. They include:
- User-input cookies
- Authentication cookies
- User-centric security cookies
- Multimedia player session cookies
- Load balancing session cookies
- UI customization cookies
- Social plug-in content sharing cookies for "logged-in" members
Non-exempted Cookies
These cookies do not meet criterion A or B and require explicit consent from the users before being stored on their devices. They include:
- Social plug-in tracking cookies
- Third-party advertising cookies
- First-party analytics cookies
Conclusion
Understanding the nuances of cookie consent exemptions is crucial for eCommerce. By ensuring your website complies with these regulations, you can provide a seamless user experience while respecting user privacy.
How to Audit Your Current Cookie Stack
Your eCommerce site likely has dozens of cookies running right now—from Shopify's session cookies to Google Analytics, Meta Pixel, and email marketing tools like Klaviyo. The first step toward compliance is knowing exactly what you have.
Start by using your browser's developer tools (F12 > Application > Cookies) to see what's being set on your domain. Document each one: its name, purpose, lifespan, and whether it's first-party or third-party. Then cross-reference with your installed apps and integrations. A Shopify store might have cookies from:
- Shopify itself (strictly necessary for cart and checkout)
- Your analytics tool (requires consent)
- Your email marketing platform (requires consent)
- Your ads pixel (requires consent)
Create a simple spreadsheet listing cookie name, purpose, duration, and current status. This becomes your "cookie inventory"—essential for proving compliance during an audit or DSAR (data subject access request). Many mid-market brands skip this step and assume their tools handle consent automatically. They don't. You're responsible for declaring what each cookie does and getting permission before it fires.
Implementing a Cookie Banner That Actually Works
A cookie banner isn't just a legal checkbox—it's how you collect and record consent. Under GDPR and similar laws, you need a banner that appears before non-essential cookies load, not after.
Most eCommerce platforms default to banners that are too passive. "Accept All" buttons in large font with "Reject" hidden in tiny text don't meet the "freely given" standard. Your banner should:
- Present "Accept All," "Reject All," and "Customize" options with equal prominence
- Allow users to adjust preferences by cookie category (analytics, marketing, functional)
- Not load analytics or ads pixels until consent is given
- Clearly explain what each category does in plain language
If you're on Shopify, avoid relying solely on the built-in cookie banner—it's a starting point, not a complete solution. Your Meta Pixel, Google Analytics, and conversion tracking won't automatically respect consent without a proper consent management setup. Test your banner yourself: open your site in an incognito window, reject all non-essential cookies, and verify that Google Analytics and Meta Pixel don't fire. If they do, your banner isn't controlling them.
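The following is an added example that is not code from the original post, from Shopify, or from any consent management vendor. It serves both the audit step above (building an inventory of the cookies a page sets and flagging the ones nobody has classified) and the banner requirement that analytics and ads tags must not load until consent is given, including the "reject all, then look" check at the end of this section. The cookie registry, the `site_consent` cookie name, its JSON layout and the script URLs are assumptions made for the example; only `cart` and `_secure_session_id` (Shopify), `_ga` and `_gid` (Google Analytics) and `_fbp` (Meta Pixel) are well-known cookie names, and every site still has to map its own.

```javascript
// Added example, not code from the original post or from Shopify: a consent-
// gated script loader with a small cookie-inventory check. It runs in a browser
// (where it wires itself to document.cookie) and in Node (where the pure
// functions can be exercised directly). The registry is an assumption: only
// `cart` / `_secure_session_id` (Shopify), `_ga` / `_gid` (Google Analytics)
// and `_fbp` (Meta Pixel) are well-known names; the rest are placeholders.

const CONSENT_COOKIE = "site_consent"; // hypothetical first-party cookie holding the decision

// Cookie name pattern -> vendor and consent category. "necessary" is the
// strictly-necessary bucket that never needs consent.
const REGISTRY = [
  { match: new RegExp(`^${CONSENT_COOKIE}$`), vendor: "this site", category: "necessary" },
  { match: /^(cart|_secure_session_id)$/, vendor: "Shopify", category: "necessary" },
  { match: /^_ga$|^_gid$/, vendor: "Google Analytics", category: "analytics" },
  { match: /^_fbp$/, vendor: "Meta Pixel", category: "marketing" },
  { match: /^example_mail_/, vendor: "placeholder email tool", category: "marketing" },
];

function classifyCookie(name) {
  const hit = REGISTRY.find((r) => r.match.test(name));
  if (!hit) {
    // Unknown cookies are flagged for review rather than assumed harmless.
    return { name, vendor: "unknown", category: "unclassified", consentRequired: true };
  }
  return { name, vendor: hit.vendor, category: hit.category, consentRequired: hit.category !== "necessary" };
}

function splitCookies(cookieString) {
  return cookieString.split(";").map((s) => s.trim()).filter(Boolean);
}

// Inventory from a document.cookie-style string ("a=1; b=2"). document.cookie
// omits HttpOnly cookies and expiry, so this complements the DevTools review
// described in the audit section; it does not replace it.
function buildInventory(cookieString) {
  return splitCookies(cookieString).map((pair) => classifyCookie(pair.split("=")[0]));
}

// The consent cookie holds URL-encoded JSON such as
// {"necessary":true,"analytics":false,"marketing":false}. A missing or
// unparsable value means no decision yet, treated as "nothing non-necessary".
function readConsent(cookieString) {
  const pair = splitCookies(cookieString).find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return null;
  try {
    return JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
  } catch (e) {
    return null;
  }
}

function isAllowed(category, consent) {
  if (category === "necessary") return true;
  return Boolean(consent && consent[category] === true);
}

// Third-party tags to gate. URLs are placeholders.
const GATED_SCRIPTS = [
  { category: "analytics", src: "https://example.invalid/analytics.js" },
  { category: "marketing", src: "https://example.invalid/pixel.js" },
];

// `inject` is passed in so the browser can append a <script> element and a
// test can record the calls instead. Returns the scripts actually loaded.
function loadGatedScripts(consent, inject, scripts = GATED_SCRIPTS) {
  const loaded = [];
  for (const s of scripts) {
    if (isAllowed(s.category, consent)) {
      inject(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}

// The "reject all, then look" check from the text: cookies present that belong
// to a category the stored decision does not allow (unclassified ones included).
function findViolations(cookieString, consent) {
  return buildInventory(cookieString)
    .filter((c) => !isAllowed(c.category, consent))
    .map((c) => `${c.name} (${c.vendor}, ${c.category})`);
}

// Browser wiring; skipped under Node.
if (typeof document !== "undefined") {
  loadGatedScripts(readConsent(document.cookie), (src) => {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  });
}
```

In the browser, pasting this into the console after rejecting all non-essential cookies and running `findViolations(document.cookie, readConsent(document.cookie))` lists the cookies that fired anyway; an empty list is the result the text asks you to verify. Unknown cookies land in the `unclassified` category and are reported as well, which is the point of the inventory: anything that nobody has declared needs a row in the spreadsheet before it can be gated correctly.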
When Users Request Their Cookie Data (DSAR)
Under GDPR and CCPA, users have the right to request all personal data your site has collected about them—including cookie data. This is called a Data Subject Access Request or DSAR.
When a DSAR lands in your inbox, you need to provide: cookies stored on their device, their consent history, and how long you've retained the data. Without organized records, this becomes a nightmare.
Your consent management system should log:
- Exact timestamp of consent
- Which cookies the user approved
- User's IP address or identifier
- Device type and browser
- Whether they later withdrew consent
Many eCommerce brands store this nowhere, making it impossible to respond to a DSAR within the 30-day legal window. Shopify doesn't automatically retain this audit trail. You need a separate system to track it. When a user requests their data, you'll reference these logs to show exactly what you collected and when they agreed to it.
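As an added example, not the post's own code and not any platform's API, the append-only log below records the fields listed above (timestamp, approved categories, subject identifier, IP address, browser, later withdrawal) and produces a per-subject export of the kind a DSAR response needs. Storage, field names and the `subjectId` notion are assumptions; the clock is injectable so the log can be tested deterministically.

```javascript
// Added example, not from the original post: an append-only consent log with a
// DSAR export. Field names, the in-memory store and the subject identifier
// (whatever ties a visitor to a decision: a first-party cookie id, or the
// account id once logged in) are assumptions made for the example.

function createConsentLog(now = () => new Date()) {
  const events = []; // append-only: past entries are never edited or deleted

  function append(type, subjectId, details) {
    const event = { seq: events.length + 1, type, subjectId, at: now().toISOString(), ...details };
    events.push(event);
    return event;
  }

  function eventsFor(subjectId) {
    return events.filter((e) => e.subjectId === subjectId);
  }

  // Effective decision right now: the latest event wins, and a withdrawal
  // leaves only the strictly-necessary bucket. No history means no decision,
  // which is also "necessary only".
  function currentConsent(subjectId) {
    const history = eventsFor(subjectId);
    const last = history[history.length - 1];
    if (!last || last.type === "withdrawal") return { necessary: true };
    return { necessary: true, ...last.categories };
  }

  return {
    // Store the minimum you need to prove the decision; `ip` and `userAgent`
    // are kept here because the text lists them, but they are personal data too.
    recordConsent(subjectId, { categories, ip, userAgent, bannerVersion }) {
      return append("consent", subjectId, { categories: { ...categories }, ip, userAgent, bannerVersion });
    },
    recordWithdrawal(subjectId, { ip, userAgent }) {
      return append("withdrawal", subjectId, { ip, userAgent });
    },
    currentConsent,
    // Everything held about one subject, in order, plus when retention began:
    // this is the material a DSAR reply is assembled from.
    exportForSubject(subjectId) {
      const history = eventsFor(subjectId);
      return {
        subjectId,
        generatedAt: now().toISOString(),
        retainedSince: history.length ? history[0].at : null,
        withdrawn: history.some((e) => e.type === "withdrawal"),
        current: currentConsent(subjectId),
        events: history,
      };
    },
    size() {
      return events.length;
    },
  };
}

// Constructed usage, so the file does something when run directly.
const demoLog = createConsentLog();
demoLog.recordConsent("visitor-demo", {
  categories: { analytics: true, marketing: false },
  ip: "198.51.100.7", // documentation-range address, constructed
  userAgent: "constructed UA string",
  bannerVersion: "v3",
});
demoLog.recordWithdrawal("visitor-demo", { ip: "198.51.100.7", userAgent: "constructed UA string" });
console.log(JSON.stringify(demoLog.exportForSubject("visitor-demo"), null, 2));
```

The design choice that matters is that withdrawal is a new event rather than an edit of the old one: the export then shows both that consent was given and when it was taken back, which is exactly the "whether they later withdrew consent" item above, and the sequence number gives an auditor an ordering that does not depend on clock skew.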
Responding properly to DSARs prevents fines and builds user trust. Late or incomplete responses can trigger regulatory investigations.
Managing cookie consent across Shopify integrations, third-party pixels, and multiple privacy laws is complex. The right consent management platform automates cookie detection, controls what fires when, maintains audit-ready consent records, and ensures your banner respects user choices—eliminating the manual work and compliance risk that grows with every new app you install.