Cookies

Do I need a cookie banner if I only use "essential" cookies?

You can skip the cookie banner if you only use essential cookies. The catch: "essential" excludes almost every cookie most websites actually use, including most analytics tools that market themselves as "privacy-friendly."

By Veracly Compliance Team · 5 min read

The honest answer to “can I skip the banner?” is “yes, if you only use cookies that are strictly necessary for what the user asked for.” The dishonest version, sold by some consent-management vendors, treats the exception as a marketing claim. The real list of strictly-necessary cookies is short, and most SMB sites set at least one cookie that breaks the exemption.

What qualifies as strictly necessary

ePrivacy 5(3) exempts storage that is “strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.” The EDPB Guidelines 02/2023 expand on what this means. The list is short:

  • Session cookies for authentication. When a user is logged in, maintaining the session is necessary to deliver the requested service.
  • CSRF protection tokens. Anti-forgery tokens on form submissions.
  • Load balancer routing. Sticky-session cookies that ensure the user’s requests reach the same backend during a session.
  • Shopping cart state. A cart cookie persisting cart contents between page loads on a checkout flow the user initiated.
  • Security cookies that detect attacks on a service the user requested. Cloudflare’s bot management cookie, Akamai’s session-based fraud-detection cookies in narrow contexts.
  • Explicit user-preference cookies. A user clicks “dark mode,” the site sets a preference cookie to remember it next visit. The storage is necessary because the user explicitly asked for the customization.

What does not qualify

  • Analytics, even “privacy-friendly” ones. GA4, Matomo, Plausible, Fathom, Mixpanel, Amplitude. Helpful to you, not necessary for the user.
  • Performance cookies that A/B test or personalize. Even if the personalization is intended to benefit the user, the storage exceeds “strictly necessary” — the user can be served the page without it.
  • Default theme or default language cookies set without user action. Setting a language preference based on the user’s Accept-Language header is functionality; persisting that choice as a cookie before the user has interacted is storage that exceeds necessity.
  • Anti-bot cookies on marketing pages. Cloudflare bot management on your checkout is arguably essential; the same cookie on a static landing page is not.
  • Cross-domain identifiers. Any cookie set with a domain attribute that lets it be read from a different subdomain or domain. The cross-domain dimension exceeds the user’s explicit request.
  • Anything from a third-party ad, social, or analytics vendor. The EDPB has explicitly rejected the “legitimate interest” argument for tracking storage. Strictly necessary excludes anything serving a third party.

The narrow path that actually works

A site that legitimately runs banner-free is uncommon but exists. Typical patterns:

  • Pure logged-in SaaS dashboards. A signed-in user’s authenticated session and CSRF protection only. No analytics on the dashboard, or analytics on a separate marketing site that does run a banner.
  • Static informational sites. A small business homepage with no forms, no analytics, no third-party widgets, hosted on Cloudflare with bot management disabled on the static pages. Possible but increasingly rare.
  • Cookieless analytics on a site with no other storage. Vercel Web Analytics, Plausible in cookie-less mode, Cabin — these do not write to terminal equipment in the 5(3) sense. The condition is that nothing else on the site does either.

The audit question

Before claiming the essential-only exemption, run a fresh cookie inventory. Open DevTools, load your site fresh, check the Application tab for every cookie set on first load, every localStorage entry, every IndexedDB key. Cross-reference each against the strictly-necessary list above. If even one entry on your site falls outside the list, you are subject to ePrivacy 5(3) consent.

A typical Veracly free scan finds an average of seven cookies on an SMB site that claims to be “essential only.” The usual culprits: a third-party widget (Calendly, Tidio chat), an embed (YouTube, Vimeo), an analytics script left in a subpage from a previous experiment, a Cloudflare cookie set on marketing pages where bot management was not strictly required.
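As an added illustration of the audit described above (example code, not Veracly's scanner), the script below classifies a hand-built first-load inventory against the strictly-necessary categories from this article, including the usual culprits just listed. The host name, purpose labels and page types are assumptions; in practice the inventory is copied from the DevTools Application tab.

```javascript
// Added example (not Veracly's code): audit a first-load storage inventory
// against the strictly-necessary categories the article lists. The inventory
// below is constructed by hand; in practice copy it from the DevTools
// Application tab, which (unlike document.cookie) also shows HttpOnly cookies
// and each cookie's Domain attribute.
const SITE_HOST = "shop.example.com"; // assumed first-party host

// Purposes that qualify on any page the user requested (labels are assumptions).
const ESSENTIAL = new Set(["auth-session", "csrf", "lb-routing", "cart", "user-preference"]);
// Security cookies qualify only on flows the user actively initiated.
const CONTEXT_BOUND = { "bot-management": new Set(["checkout", "login"]) };

// A Domain attribute that reaches beyond the page's own host exceeds the request.
function isCrossDomain(entry) {
  if (!entry.domain) return false;
  return entry.domain.replace(/^\./, "") !== SITE_HOST;
}

// Classify one entry; checks are ordered so the broadest failure wins.
function classify(entry, pageType) {
  if (entry.thirdParty) return { status: "fail", reason: "set for a third-party vendor" };
  if (isCrossDomain(entry)) return { status: "fail", reason: `Domain=${entry.domain} readable beyond ${SITE_HOST}` };
  if (ESSENTIAL.has(entry.purpose)) return { status: "ok", reason: entry.purpose };
  const allowedPages = CONTEXT_BOUND[entry.purpose];
  if (allowedPages) {
    return allowedPages.has(pageType)
      ? { status: "ok", reason: `${entry.purpose} on ${pageType}` }
      : { status: "fail", reason: `${entry.purpose} on a ${pageType} page` };
  }
  return { status: "fail", reason: `${entry.purpose} is not strictly necessary` };
}

// One failing entry breaks the exemption for the whole site.
function auditInventory(entries, pageType) {
  const findings = entries.map((e) => ({ store: e.store, key: e.name, ...classify(e, pageType) }));
  return { exempt: findings.every((f) => f.status === "ok"), findings };
}

// Constructed inventory mirroring the usual culprits on a marketing landing page.
const SAMPLE = [
  { store: "cookie", name: "sessionid", purpose: "auth-session", domain: "shop.example.com", thirdParty: false },
  { store: "cookie", name: "csrftoken", purpose: "csrf", domain: "shop.example.com", thirdParty: false },
  { store: "cookie", name: "__cf_bm", purpose: "bot-management", domain: "shop.example.com", thirdParty: false },
  { store: "cookie", name: "_ga", purpose: "analytics", domain: ".shop.example.com", thirdParty: true },
  { store: "cookie", name: "region", purpose: "user-preference", domain: ".example.com", thirdParty: false },
  { store: "localStorage", name: "theme", purpose: "default-theme", domain: "", thirdParty: false },
];

for (const f of auditInventory(SAMPLE, "landing").findings) console.log(f.status, f.store, f.key, f.reason);
```

Run the same inventory with pageType "checkout" to see the bot-management cookie flip from fail to ok while the analytics, cross-domain and default-theme entries still break the exemption.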

Veracly’s position

Veracly does not enforce a banner where none is required — but it also does not assume an essential-only exemption without evidence. Every scan returns a complete cookie and storage inventory; the report flags the specific entries that fail the 5(3) strictness test, with the regulation reference and a one-line explanation of why each entry exceeded the exemption. The site operator decides whether to remove the offending storage or to add a banner.

See also: GDPR vs ePrivacy: which one governs cookies? · Cookies, localStorage, IndexedDB: which require consent?

Common questions

Can I really skip the cookie banner with essential-only cookies?

Yes, under ePrivacy 5(3) the exception applies to storage that is strictly necessary for a service the user requested. No consent required, no banner required. The condition is that every cookie you set must individually qualify as strictly necessary — a single non-essential cookie breaks the exemption for the whole site.

Is Google Analytics 4 essential?

No. Analytics is helpful to the site operator, not strictly necessary for the user-requested service. The EDPB has been consistent on this since 2020. The same applies to Plausible, Matomo, Fathom — even when those tools do not use cookies, the storage rule still applies to any client identifier or fingerprint.

Are CDN security cookies essential?

Most are. Cloudflare's __cf_bm, Akamai's ak_bmsc, fastly_cdn — these support bot detection and DDoS protection on services the user is actively requesting. They typically qualify under 5(3). Always check the specific cookie's purpose; some CDNs also offer analytics features that do not qualify.

What about cookies for accessibility preferences?

Storing a user's explicit accessibility preference (font size, high contrast) is generally accepted as strictly necessary because the user explicitly requested the customization. A cookie that sets a default theme without user action does not qualify.
