Necessary Cookies Setup – Configuring Essential Cookies Category

Necessary cookies (also called essential or strictly necessary cookies) are the foundation of your cookie consent strategy. These are cookies required for your website to function properly—they enable core features like security, network management, and basic navigation. Unlike analytics or marketing cookies, necessary cookies can be set without explicit user consent under GDPR and most privacy regulations because they’re essential for the service the user is requesting.

This comprehensive guide explains what qualifies as a necessary cookie, how to configure the necessary cookies category in DigiConsent, which scripts and cookies to include, and how to ensure your implementation remains compliant.

Understanding Necessary Cookies

Necessary cookies have a special status under privacy law. Understanding what qualifies as “necessary” is critical for compliant implementation.

Legal Definition of Necessary Cookies

Under GDPR (specifically the ePrivacy Directive) and similar regulations, necessary cookies are those that are:

Strictly necessary: The website cannot function properly without them
Purpose-limited: Used solely for transmitting communications or providing a requested service
User-expected: Required to deliver functionality the user explicitly requested
Non-tracking: Not used for analytics, advertising, or tracking purposes

The UK ICO provides this clear test: “Would the website work without this cookie?” If the answer is yes, it’s probably not necessary.

What Qualifies as Necessary

Common examples of genuinely necessary cookies include:

Authentication and Security:

Session cookies that keep users logged in
Authentication tokens
Security tokens and CSRF protection
Two-factor authentication cookies

Website Functionality:

Shopping cart contents in e-commerce
Language preference cookies
Load balancing cookies (server distribution)
Content delivery network (CDN) cookies for site delivery

Privacy and Consent:

Cookie consent preferences (recording user’s consent choice)
Cookie banner display status

Essential Application Functions:

Form data retention during multi-step processes
Payment gateway session cookies
Video player cookies for streaming (if core content)

What Does NOT Qualify as Necessary

Many cookies are useful but not strictly necessary. These require consent:

Analytics and Performance:

Google Analytics cookies (even though they help you improve the site)
Heatmap and session recording tools (Hotjar, Crazy Egg)
cookies (Optimizely, VWO)
Performance monitoring cookies

Marketing and Advertising:

Facebook Pixel
Google Ads tracking
Remarketing cookies
Affiliate tracking cookies

Personalization and Convenience:

“Remember me” login cookies (convenience, not necessity)
Theme preferences (dark mode toggle)
Recently viewed items
Personalized content recommendations

Social Media:

Social media sharing buttons that track users
Embedded social media feeds with tracking
Social login cookies (unless it’s the only login method)

The key distinction: if the cookie enhances experience but the site works without it, it’s not necessary.

Common Necessary Cookies in WordPress

WordPress sites typically use several standard necessary cookies.

WordPress Core Cookies

wordpress_logged_in_[hash]:

Purpose: Indicates when a user is logged in and who they are
Duration: Session or “remember me” duration
Why necessary: Required for authenticated areas of the site

wordpress_test_cookie:

Purpose: Checks if the browser accepts cookies
Duration: Session
Why necessary: Determines if cookie-based features can work

wp-settings-{user}:

Purpose: Stores user-specific WordPress settings
Duration: 1 year
Why necessary: Required for admin dashboard functionality

PHPSESSID (or similar):

Purpose: PHP session identifier
Duration: Session
Why necessary: Maintains state across page loads

WooCommerce Cookies (E-commerce)

If you run a WooCommerce store, these cookies are necessary:

woocommerce_cart_hash:

Purpose: Helps WooCommerce determine when cart contents change
Duration: Session
Why necessary: Shopping cart cannot function without it

woocommerce_items_in_cart:

Purpose: Stores whether cart has items
Duration: Session
Why necessary: Required for cart functionality

wp_woocommerce_session_:

Purpose: Contains unique identifier for cart session
Duration: 2 days
Why necessary: Cart contents would be lost without this

Note: WooCommerce analytics cookies (like tk_ai) are NOT necessary—they’re analytics and require consent.

Security and CDN Cookies

__cf_bm (Cloudflare):

Purpose: Bot management and security
Duration: 30 minutes
Why necessary: Protects site from malicious bots and DDoS attacks

__cfduid (Cloudflare – deprecated):

Purpose: Security and CDN delivery
Duration: 30 days
Note: Being phased out by Cloudflare

WordPress security plugin cookies:

Wordfence, Sucuri, and similar security plugins may set necessary cookies
These are typically necessary if they prevent unauthorized access

Configuring Necessary Cookies in DigiConsent

DigiConsent provides a dedicated interface for managing the necessary cookies category.

Category Settings

Navigate to DigiConsent > Settings > Cookie Categories
Find the Necessary Cookies category
Verify that Always Enabled is turned ON
Configure the Category Name (typically “Necessary Cookies” or “Essential Cookies”)
Write the Category Description

Writing the Necessary Cookies Description

Your description should clearly explain what necessary cookies do and why they cannot be disabled. Example:

“Necessary cookies are essential for the website to function properly. They enable core features like security, network management, and accessibility. These cookies do not store any personally identifiable information and cannot be disabled. Without these cookies, the website cannot function properly.”

For e-commerce sites, add specific mention:

“Necessary cookies enable essential features like your shopping cart, secure checkout, and account access. Without these cookies, you would not be able to complete purchases or access your account.”

Making the Category Non-Toggleable

Necessary cookies should not have a checkbox or toggle in the preference center since users cannot decline them:

In DigiConsent settings, ensure Always Enabled is ON for necessary cookies
This removes the toggle/checkbox from the preference center
The category is displayed but marked as “Always Active” or similar
Users can read about necessary cookies but cannot disable them

Adding Scripts to Necessary Cookies

Some scripts must execute immediately without waiting for consent. These should be added to the necessary cookies category.

What Scripts Qualify

Only add scripts to the necessary category if they are truly essential:

Security scripts:

reCAPTCHA (when used for spam protection on forms)
Bot detection and mitigation
Fraud prevention for payment processing

Core functionality scripts:

Payment gateway initialization (Stripe, PayPal)
Shopping cart functionality
User authentication systems

CDN and performance (infrastructure):

CDN scripts required for content delivery
Critical CSS/JS loading systems

Adding Scripts to the Category

Go to DigiConsent > Settings > Necessary Cookies
Find the Scripts section
Click Add Script
Paste your script code
Give it a descriptive name (e.g., “reCAPTCHA Security”)
Optionally provide a description of what the script does
Save

Example necessary script (reCAPTCHA):

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

Script Execution Timing

Scripts in the necessary category execute immediately when the page loads:

No waiting for user consent
Load before other category scripts
Available for immediate use by the website

This is why it’s critical to only include truly necessary scripts—anything in this category bypasses the consent requirement.

Documenting Necessary Cookies

Privacy regulations require transparency about all cookies, including necessary ones. DigiConsent helps you maintain a cookie declaration.

Creating a Cookie Declaration

For each necessary cookie, document:

Cookie name: Exact name as it appears in browser
Purpose: What the cookie does
Duration: How long the cookie persists
Provider: Who sets the cookie (your domain, third-party service)
Type: HTTP cookie, JavaScript cookie, etc.

Example necessary cookie entry:

Name: wordpress_logged_in_*
Purpose: Keeps you logged in to your account
Duration: Session or 14 days (if “Remember Me” is checked)
Provider: yourwebsite.com
Type: HTTP cookie

Displaying Cookie Information to Users

In your consent banner’s preference center, users should be able to view details about necessary cookies:

Click on “Necessary Cookies” category
See a list of cookies in this category
Read purpose and duration for each
Understand why these cookies cannot be disabled

DigiConsent can display this information automatically based on your cookie declarations.

Automatic Cookie Scanning

DigiConsent includes cookie scanning capabilities to help identify cookies on your site.

Running a Cookie Scan

Navigate to DigiConsent > Cookie Scanner
Click Scan Website
DigiConsent crawls your pages and detects cookies
Review the discovered cookies
Categorize each cookie (Necessary, Analytics, Marketing, Functional)
Add descriptions and details

Reviewing Scan Results

The scanner may identify cookies you didn’t know about:

Unknown cookies: Research their purpose before categorizing
Third-party cookies: Investigate which service sets them
Duplicate cookies: Multiple cookies serving the same purpose may indicate cleanup opportunities

For any cookie classified as necessary, verify it truly meets the strict necessity test. When in doubt, categorize as functional or analytics instead.

Special Considerations

First-Party vs. Third-Party Cookies

First-party necessary cookies: Set by your domain, generally acceptable as necessary if they meet the criteria

Third-party necessary cookies: Set by external domains. These face higher scrutiny:

CDN cookies from Cloudflare: Generally necessary
Payment processor cookies: Necessary during checkout
Authentication provider cookies (Google, Facebook login): Necessary if it’s the only auth method
Advertising network cookies: Never necessary, even if the network claims otherwise

Video and Media Players

Video player cookies present a gray area:

YouTube embeds:

Use youtube-nocookie.com domain for privacy-enhanced mode
Block standard YouTube embeds until consent
If video is core content, you might argue necessity, but this is risky

Self-hosted video:

Player functionality cookies may be necessary
Analytics cookies from video players are NOT necessary

Language and Accessibility Preferences

Language and accessibility cookies occupy a special space:

Language preference:

Some argue it’s necessary for multilingual sites
Others classify it as functional (convenience, not necessity)
Conservative approach: Classify as functional and request consent

Accessibility settings:

Font size, contrast adjustments, screen reader settings
Arguably necessary for users with disabilities
Strong case for necessity category

Compliance Best Practices

Follow these best practices to ensure your necessary cookies category remains compliant:

Apply strict criteria: When in doubt, don’t classify as necessary
Document justification: Keep records of why each cookie is classified as necessary
Regular audits: Review necessary cookies quarterly to ensure they still qualify
Remove unnecessary items: If functionality changes and a cookie is no longer needed, remove it
Be transparent: Clearly explain to users what each necessary cookie does
Minimize data collection: Even necessary cookies should collect minimal data
Set appropriate durations: Session cookies when possible; shorter durations when persistence is needed

Common Mistakes to Avoid

Avoid these common errors when configuring necessary cookies:

Classifying analytics as necessary: Google Analytics is NEVER necessary, even though it’s helpful
Including marketing pixels: Facebook Pixel, Google Ads tracking are never necessary
“Legitimate interest” confusion: Legitimate interest is not the same as necessary; it still requires transparency and opt-out
Vendor claims: Don’t blindly trust when a vendor says their cookies are necessary; verify independently
Convenience vs. necessity: “Remember me” is convenient, not necessary; users can log in each time
Performance cookies: Cookies that improve site speed are helpful but not strictly necessary

Testing Necessary Cookies Configuration

After configuring necessary cookies, test thoroughly:

Clear all cookies and visit your site
Don’t accept any cookies in the consent banner
Check browser cookies (DevTools → Application → Cookies)
Verify only necessary cookies are present
Test core functionality: Can you browse the site? Add to cart? Log in?
Verify no analytics or marketing cookies are set
Check JavaScript console for errors indicating missing consent
Test on mobile devices as well as desktop

If you find non-necessary cookies being set before consent, investigate and move them to appropriate categories.

Necessary Cookies Configuration Checklist

Necessary cookies category is set to “Always Enabled”
Clear description explains what necessary cookies are and why they can’t be disabled
Only genuinely essential cookies are included
Each necessary cookie is documented with name, purpose, duration, and provider
Scripts in necessary category are truly required for core functionality
No analytics, marketing, or convenience cookies in necessary category
Cookie scanner has been run and results reviewed
Tested with all cookies declined—only necessary cookies present
Core website functionality works with only necessary cookies
Documentation maintained for compliance audits

The necessary cookies category is the foundation of your consent implementation. By carefully limiting this category to truly essential cookies and maintaining transparent documentation, you demonstrate respect for user privacy while ensuring your website functions properly. Remember: the stricter you are about what qualifies as necessary, the more trustworthy your privacy implementation becomes.