
Cookie types and how to audit them: the foundation of compliant consent

By Conma Team · June 18, 2026 · 2 min read

Before configuring any banner, there's a step almost everyone skips: knowing which cookies your site actually uses. Without that inventory, your consent is worthless, because you can't ask permission for something you haven't identified. Let's start by understanding what needs classifying and how to find it.

First distinction: whose, and for how long

  • First-party: set by your own domain. Usually functional (session, language, cart).
  • Third-party: set by external domains (Google, Meta…). The most sensitive, and the ones browsers are phasing out.
  • Session: deleted when the browser closes.
  • Persistent: stay for days, months or years depending on their expiry date.

Duration matters legally: a marketing cookie that persists for two years is a far more invasive form of processing than a session cookie, and your cookie policy must reflect that.

The four categories the law asks for

Authorities (and the industry standard) group cookies by purpose. Only the first category can load without consent:

  Category                 | What it's for             | Typical example | Needs consent?
  -------------------------+---------------------------+-----------------+---------------
  Strictly necessary       | Login, cart, security     | PHPSESSID       | No
  Preferences              | Language, region, theme   | lang, theme     | Yes
  Analytics / statistics   | Measuring traffic (GA4)   | _ga, _gid       | Yes
  Marketing / advertising  | Remarketing, pixels       | _fbp, _gcl_au   | Yes

In Colombia, the SIC's Resolution 32126 of 2022 recognizes these four categories and clarifies that none are exempt except the strictly necessary ones. In the EU, the standard is equivalent.

Why classifying well changes everything

The banner must offer control per category: the user accepts analytics but rejects marketing, for example. And here's the most common risk: misclassifying a marketing cookie as "necessary" to load it without permission. That single decision turns a compliant banner into a merely decorative one — and it's exactly what an authority looks for in an inspection.

Correct classification is therefore the base everything else rests on: block-first, granularity and proof of consent.

How to audit your site, step by step

  1. Scan every page, not just the home: checkout, forms and campaign landing pages often load pixels that aren't anywhere else on the site.
  2. Identify each cookie: its name, the domain that sets it, its purpose and its lifespan. You can start by hand in the browser DevTools (Application → Cookies tab), but it doesn't scale.
  3. Classify it into one of the four categories.
  4. Document the scripts too, not just the cookies: many modern trackers (server-side pixels, fingerprinting) don't leave a classic cookie.
  5. Re-scan periodically: every new marketing tool adds trackers your banner must account for. An inventory done once goes stale within weeks.

Why the manual method fails: a cookie spreadsheet reflects the site as it was the day you made it. As soon as marketing adds a new pixel or swaps a tool, your declaration stops being truthful — and the liability is yours.
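The audit steps above (identify name, domain and lifespan; sort into first- vs third-party and session vs persistent; classify into the four categories; compare against what the banner declares) can be mechanised over a crawl. The script below is an added example, not code from this article or from Conma's scanner: it takes a constructed list of cookies observed while crawling a fictional site with no consent given, classifies each one using the names from the table above as its seed database, and reports two things an inspection would look for: cookies that need consent but were set before the user chose anything, and cookies present on the site that the banner's declaration no longer covers. The hosts, values and the "chat_session" cookie from an embedded widget are made up; the registrable-domain shortcut is an assumption noted in the code.

```python
"""Classify a crawled cookie inventory and flag pre-consent loads and drift.
Added example, not code from the article or from Conma's scanner. The crawl
below is constructed (fictional hosts, made-up values); only the cookie
names from the article's table are real."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie name -> category, seeded from the article's table. Assumption: a
# real scanner keeps a far larger, versioned database of known cookies.
KNOWN_COOKIES = {"PHPSESSID": "strictly necessary",
                 "lang": "preferences", "theme": "preferences",
                 "_ga": "analytics", "_gid": "analytics",
                 "_fbp": "marketing", "_gcl_au": "marketing"}

@dataclass
class CookieRecord:
    name: str
    domain: str          # Domain attribute, or the responding host if absent
    page: str            # page on which the cookie was observed
    party: str           # "first" or "third"
    persistence: str     # "session" or "persistent"
    lifetime_days: int   # 0 for session cookies
    category: str        # one of the four, or "unclassified"
    needs_consent: bool

def site_of(host: str) -> str:
    """Registrable domain approximated as the last two labels. Assumption:
    fine for the hosts below; production code should use the Public Suffix
    List, since e.g. 'shop.example.com.co' breaks this shortcut."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, {attr_lowercase: val})."""
    first, *rest = header.split(";")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return first.split("=", 1)[0].strip(), attrs

def classify(page: str, responding_host: str, header: str,
             site_host: str, now: datetime) -> CookieRecord:
    name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", responding_host).lstrip(".").lower()
    party = "first" if site_of(domain) == site_of(site_host) else "third"
    # Lifetime: Max-Age wins over Expires (RFC 6265); neither = session cookie.
    seconds = 0
    if "max-age" in attrs:
        seconds = max(int(attrs["max-age"]), 0)
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        seconds = max(int((expires - now).total_seconds()), 0)
    # Unknown names are NOT defaulted to "necessary": that is exactly the
    # misclassification the article warns about. Until someone classifies
    # them they are treated as needing consent.
    category = KNOWN_COOKIES.get(name, "unclassified")
    return CookieRecord(name, domain, page, party,
                        "persistent" if seconds else "session", seconds // 86400,
                        category, category != "strictly necessary")

def audit(observations, site_host: str, now: datetime) -> list[CookieRecord]:
    return [classify(p, h, c, site_host, now) for p, h, c in observations]

def preconsent_violations(records: list[CookieRecord]) -> list[str]:
    """Cookies that need consent yet were set before the user chose anything:
    the block-first failure an inspection checks first."""
    return sorted({r.name for r in records if r.needs_consent})

def undeclared(records: list[CookieRecord], declared: list[str]) -> list[str]:
    """Inventory drift: cookies on the site that the banner does not declare."""
    return sorted({r.name for r in records} - set(declared))

# Constructed crawl of a fictional site, captured with no consent given, as
# (page, host that set the cookie, Set-Cookie header).
SITE_HOST = "www.example.co"
NOW = datetime(2026, 6, 18, tzinfo=timezone.utc)
OBSERVED_BEFORE_CONSENT = [
    ("https://www.example.co/", "www.example.co",
     "PHPSESSID=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example.co/", "www.example.co",
     "lang=es; Max-Age=31536000; Path=/"),
    ("https://www.example.co/checkout", "www.example.co",
     "_ga=GA1.2.111.222; Domain=.example.co; Expires=Sat, 17 Jun 2028 00:00:00 GMT"),
    ("https://www.example.co/landing/promo", "www.example.co",
     "_fbp=fb.1.1; Max-Age=7776000; Path=/"),
    ("https://www.example.co/landing/promo", "widget.example-chat.net",  # embed
     "chat_session=9f3c; Max-Age=86400; SameSite=None; Secure"),
]
DECLARED_IN_BANNER = ["PHPSESSID", "lang", "_ga", "_fbp"]  # last scan's list

if __name__ == "__main__":
    records = audit(OBSERVED_BEFORE_CONSENT, SITE_HOST, NOW)
    for r in records:
        print(f"{r.name:13} {r.party:6} {r.persistence:10} {r.lifetime_days:4}d "
              f"{r.category:19} consent={r.needs_consent}")
    print("set before consent but need it:", preconsent_violations(records))
    print("on the site but not declared:", undeclared(records, DECLARED_IN_BANNER))
```

Run against the constructed crawl, four of the five cookies are reported as set before consent (everything except PHPSESSID), and the widget's cookie shows up as undeclared because the banner's list was built at the last scan. Two design choices carry the article's point: an unknown name is never promoted to "necessary" by default, and the drift check is what makes re-scanning meaningful, since a declaration is only truthful for as long as the crawl it was built from.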

Classification mistakes that cost fines

Three confusions show up in nearly every audit:

  • Treating Google Analytics as "necessary." Analytics improves your business, but it isn't essential for the site to work: it requires consent.
  • Forgetting the cookies set by embeds. An embedded YouTube video, a map or a chat widget install their own third-party cookies that you must also declare and block until consent.
  • Not distinguishing client from server. A pixel may leave no browser cookie and still send data from the server; it still needs a legal basis.

Classifying well isn't a bureaucratic detail: it's what an authority checks first, and the point where most sites fail.

The inventory as foundation

Building and maintaining this inventory by hand is unfeasible. Conma's scanner crawls your site automatically, detects every cookie and script — first- and third-party, client and server — classifies them into the four categories and keeps your declaration always up to date. On top of that inventory, the banner blocks each tracker until the user decides per category. It's the foundation on which truly compliant consent is built.
