Strictly necessary cookies — the only category exempt from prior consent under the ePrivacy Directive. To qualify, the cookie must be:
- Essential to provide the service the user explicitly requested.
- Not used for any secondary purpose (analytics, marketing, etc.).
Common examples on Shopify:
- Cart contents (
cart) - Checkout session (
_secure_session_id) - Language preference (
localization) - Fraud prevention (
_orig_referrer, hashed) - Cookie consent state itself (
consentico_consent)
Not strictly necessary, despite common claims:
- Google Analytics (analytics is not "the service the user requested")
- Hotjar / session replay (improvement, not service)
- A/B testing tools
- Klaviyo web tracking
- Pinterest Save / share buttons
If in doubt, ask: "If this cookie wasn't set, would the service the user explicitly requested still work?" If yes, it's not strictly necessary.