Introduction

Cookie categories allow you to organize different types of cookies based on their purpose and provide users with granular control over their privacy preferences. PureDevs GDPR Compliance comes with four predefined cookie categories, each serving a specific purpose in your compliance strategy.

Properly managing cookie categories is essential for GDPR compliance, as it gives users the transparency and control required by law.

The plugin provides four default cookie categories:

1. Strictly Necessary Cookies

Purpose:

  • Essential for website functionality
  • Enable core features like security, authentication, and basic operations
  • Cannot be disabled by users

Examples:

  • Session cookies for logged-in users
  • Shopping cart cookies for e-commerce
  • Security tokens and CSRF protection
  • Load balancing cookies
  • Cookie consent preference storage

GDPR Status:

  • Do NOT require explicit consent
  • Can be set before user accepts banner
  • Must still be disclosed to users

Always Active

Strictly necessary cookies are always enabled and cannot be turned off by users. They are exempt from consent requirements under GDPR.

2. Additional Cookies

Purpose:

  • Enhance website functionality and performance
  • Improve user experience
  • Optional but beneficial features

Examples:

  • Analytics cookies (Google Analytics, Matomo)
  • Performance monitoring cookies
  • User preference cookies (language, theme)
  • Heat mapping and session recording

GDPR Status:

  • Require explicit user consent
  • Should be disabled by default
  • Can be enabled/disabled individually

3. Third-Party Cookies

Purpose:

  • Set by external services and domains
  • Enable integrations with third-party platforms
  • Often used for advertising and tracking

Examples:

  • Social media embeds (Facebook, Twitter, YouTube)
  • Advertising networks (Google Ads, Facebook Pixel)
  • External analytics services
  • Live chat widgets
  • Payment gateway cookies

GDPR Status:

  • Require explicit consent
  • Must be clearly identified as third-party
  • Should link to third-party privacy policies

4. Required Cookies

Purpose:

  • Cookies required for specific features users opted into
  • Necessary for services users explicitly request
  • Different from strictly necessary as they’re feature-specific

Examples:

  • Video player cookies when user plays video
  • Form builder cookies when using forms
  • Comment system cookies
  • Newsletter subscription tracking

GDPR Status:

  • May require consent depending on implementation
  • Can argue implied consent for requested features
  • Best practice: still ask for explicit consent

  1. Go to Settings → PureDevs GDPR compliance
  2. Click the Cookie Settings tab
  3. You’ll see four expandable sections for each category

Category Configuration Options

For each cookie category, you can configure:

1. Category Name

  • Displayed to users in preferences
  • Should be clear and descriptive
  • Default names are GDPR-compliant

2. Category Description

  • Explains what cookies in this category do
  • Use plain language, not technical jargon
  • Should be 2-3 sentences
  • Helps users make informed decisions

Example for Additional Cookies:

"These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. This helps us improve your experience."

3. Cookie List

  • List specific cookies in this category
  • Include cookie name, purpose, and duration
  • Provides transparency to users
  • Required for full GDPR compliance

4. Enable/Disable

  • Turn category on or off entirely
  • Disabled categories won’t appear in preferences
  • Use if category isn’t applicable to your site

5. Default State

  • Whether category is checked by default
  • Strictly Necessary: Always on (can’t change)
  • Others: Should default to OFF for GDPR compliance

Adding Cookies to Categories

Document Your Cookies

Before configuring, create a list of all cookies your site uses:

Information to Gather

  • Cookie Name: Exact name as stored in browser
  • Purpose: What the cookie does
  • Duration: How long it lasts (session, days, months)
  • Type: First-party or third-party
  • Provider: Who sets it (your site, Google, Facebook, etc.)

How to Find Cookies

  1. Browser DevTools:
    • Press F12 in browser
    • Go to Application/Storage tab
    • Click Cookies in sidebar
    • View all cookies for your domain
  2. Cookie Scanner Tools:
    • Use online cookie scanning services
    • Automated detection of all cookies
    • Generates compliance reports
  3. Plugin/Service Documentation:
    • Check docs for services you use
    • Google Analytics cookie documentation
    • Facebook Pixel cookie information

Categorizing Cookies

Place each cookie in the appropriate category:

Strictly Necessary Examples:

  • wordpress_logged_in_* – WordPress login session
  • PHPSESSID – PHP session identifier
  • woocommerce_cart_hash – Shopping cart data
  • gdpr_consent – Cookie consent record

Additional Cookies Examples:

  • _ga – Google Analytics visitor tracking
  • _gid – Google Analytics session tracking
  • _gat – Google Analytics throttling

Third-Party Examples:

  • _fbp – Facebook Pixel tracking
  • fr – Facebook advertising
  • YSC – YouTube session tracking
  • VISITOR_INFO1_LIVE – YouTube preferences

Naming Conventions

  • Use clear, user-friendly names
  • Avoid technical jargon
  • Be consistent with industry standards
  • Consider translations for international sites

Description Guidelines

  • Write in plain language
  • Explain benefits to user, not just technical function
  • Be honest about tracking and profiling
  • Keep descriptions concise (2-4 sentences)

  • Keep an up-to-date list of all cookies
  • Update when adding new services
  • Remove cookies when services are discontinued
  • Audit cookies quarterly

Default States

  • Strictly Necessary: Always ON (can’t toggle)
  • Additional: Default OFF
  • Third-Party: Default OFF
  • Required: Default OFF (or ON if truly required)

Pre-Ticked Boxes Violation

Having optional cookie categories pre-selected (ticked by default) violates GDPR. Consent must be an active choice. Always default non-essential categories to unchecked.

Conditional Script Loading

Respecting User Choices

Cookie categories are only effective if you actually respect user choices by conditionally loading scripts:

What This Means:

  • Don’t load Google Analytics if user declined Additional Cookies
  • Don’t load Facebook Pixel if user declined Third-Party Cookies
  • Only load scripts for categories user approved
  • Check consent status before initializing tracking

Implementation Methods:

  1. Manual JavaScript Checks:
    • Check consent cookie before loading scripts
    • Use plugin’s JavaScript API
  2. Google Tag Manager Integration:
    • Use GTM consent mode
    • Trigger tags based on consent status
  3. Plugin Integrations:
    • Many analytics plugins support consent integration
    • Check plugin documentation for GDPR hooks

Developer Note

See the Hooks and Filters documentation for technical implementation of conditional script loading based on cookie consent.
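A manual JavaScript check of the kind described above, as an added example that is not the plugin's own code or API. It assumes the `gdpr_consent` cookie holds URL-encoded JSON mapping category keys to booleans; that format, the category keys and the script names are hypothetical.

```javascript
// Added example. The gdpr_consent value format (URL-encoded JSON of
// category -> boolean) and all keys below are assumptions for illustration.
const ALWAYS_ON = 'strictly_necessary';
const SCRIPT_CATEGORY = {
  'google-analytics': 'additional',
  'facebook-pixel': 'third_party',
  'csrf-helper': 'strictly_necessary',
};

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const i = part.indexOf('=');
    const name = i > 0 ? part.slice(0, i).trim() : '';
    if (name) jar.set(name, part.slice(i + 1).trim());
  }
  return jar;
}

// Return the approved categories. A missing or malformed record, or any value
// that is not exactly `true`, counts as declined (fail closed).
function approvedCategories(cookieString) {
  const approved = new Set([ALWAYS_ON]);
  const raw = parseCookies(cookieString).get('gdpr_consent');
  if (raw === undefined) return approved;
  let record;
  try {
    record = JSON.parse(decodeURIComponent(raw));
  } catch {
    return approved;
  }
  if (record === null || typeof record !== 'object' || Array.isArray(record)) {
    return approved;
  }
  for (const [category, value] of Object.entries(record)) {
    if (value === true) approved.add(category);
  }
  return approved;
}

// Names of the scripts that may be injected for this visitor.
// In a browser: scriptsToLoad(document.cookie)
function scriptsToLoad(cookieString) {
  const approved = approvedCategories(cookieString);
  return Object.keys(SCRIPT_CATEGORY).filter((s) => approved.has(SCRIPT_CATEGORY[s]));
}
```

Run the check before any tracking script tag is added to the page, and again after the visitor changes preferences.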

Regular Audits

Perform quarterly cookie audits:

  1. Scan site for all cookies
  2. Identify new cookies from added services
  3. Remove entries for discontinued services
  4. Update descriptions if purposes changed
  5. Verify categorization is still accurate
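The audit steps above can be partly automated by comparing the cookies a scan observes with the documented inventory. This is an added example, not part of the plugin: the inventory reuses the cookie names listed on this page, and the sample `Set-Cookie` values and the `example_heatmap_id` cookie are constructed.

```javascript
// Documented inventory, taken from the category examples on this page.
// A trailing * is a prefix wildcard.
const INVENTORY = {
  'Strictly Necessary': ['wordpress_logged_in_*', 'PHPSESSID', 'woocommerce_cart_hash', 'gdpr_consent'],
  'Additional': ['_ga', '_gid', '_gat'],
  'Third-Party': ['_fbp', 'fr', 'YSC', 'VISITOR_INFO1_LIVE'],
};

function matches(pattern, name) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : pattern === name;
}

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  return setCookie.split(';')[0].split('=')[0].trim();
}

// categorized:  observed cookie -> documented category
// undocumented: observed but missing from the inventory (audit step 2)
// stale:        documented but not seen in this scan (candidates for step 3;
//               confirm the service is really gone before removing the entry)
function auditCookies(setCookieHeaders, inventory = INVENTORY) {
  const observed = [...new Set(setCookieHeaders.map(cookieName).filter(Boolean))];
  const categorized = {};
  const undocumented = [];
  const seenPatterns = new Set();
  for (const name of observed) {
    let hit = null;
    for (const [category, patterns] of Object.entries(inventory)) {
      const p = patterns.find((pat) => matches(pat, name));
      if (p) { hit = category; seenPatterns.add(p); break; }
    }
    if (hit) categorized[name] = hit; else undocumented.push(name);
  }
  const stale = Object.values(inventory).flat().filter((p) => !seenPatterns.has(p));
  return { categorized, undocumented, stale };
}

// Constructed sample: Set-Cookie values as a scan might collect them.
const SAMPLE = [
  'PHPSESSID=abc123; Path=/; HttpOnly',
  'wordpress_logged_in_0123abcd=user%7C1; Path=/; Secure; HttpOnly',
  '_ga=GA1.2.1.1; Max-Age=63072000',
  'example_heatmap_id=xyz; Max-Age=31536000',
];
```

An `undocumented` entry means a script is setting a cookie users were never told about; trace it to its service and assign a category before the next release.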

When to Update

Update cookie categories when:

  • Adding new plugins or services
  • Removing plugins or services
  • Changing analytics providers
  • Adding social media integrations
  • Implementing new advertising
  • Privacy policy is updated

Documentation Updates

  • Keep privacy policy in sync with cookie list
  • Update cookie policy page if you have one
  • Notify users of significant changes
  • Consider re-requesting consent for major changes

Complete Category Examples

Example: Additional Cookies Category

Category Name: Analytics & Performance

Description:

"These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We use this data to improve your experience and optimize our content."

Cookies List:

  • _ga (Google Analytics) – Distinguishes unique visitors – 2 years
  • _gid (Google Analytics) – Distinguishes users – 24 hours
  • _gat (Google Analytics) – Throttles request rate – 1 minute

Example: Third-Party Cookies Category

Category Name: Social Media & Advertising

Description:

"These cookies are set by third-party services like social media platforms and advertising networks. They may track your activity across different websites and build a profile of your interests."

Cookies List:

  • _fbp (Facebook) – Tracks visits across websites – 3 months
  • fr (Facebook) – Delivers targeted advertising – 3 months
  • IDE (Google DoubleClick) – Ad targeting and frequency – 1 year