A cookie is a small text file (typically under 4 KB) stored by a web browser on behalf of a website. Functionally, cookies were designed to give stateless HTTP a memory — keeping a user logged in, remembering shopping cart contents, persisting language preferences. That benign origin has been overtaken by the use of cookies (and similar device-storage mechanisms — local storage, pixels, fingerprints) for cross-site behavioral tracking, advertising attribution, and profile building.
Privacy law treats cookies in two tracks. Strictly necessary cookies — login state, security, basic site function — are typically exempt from consent requirements. Non-essential cookies — analytics, marketing, personalization, third-party tracking — require informed, opt-in consent in the EU under the ePrivacy Directive and the GDPR, and increasingly require an opt-out (often via universal signals like GPC) under US state privacy laws.
The compliance challenge is operational rather than conceptual. Even a moderately complex website fires dozens to hundreds of cookies, many set by third-party tags loaded after page load. A consent management platform (CMP) is the system that classifies these cookies, presents the consent choice, and gates downstream tag-firing on the user's recorded preference. Doing this without breaking the site's analytics, ads, or personalization is what separates a working consent implementation from a token banner.
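The classify-and-gate step described above, as an added JavaScript example that is not taken from this page or from any CMP product. The cookie names, tag ids and registry are constructed, and treating GPC as an opt-out for every non-essential category is a simplifying assumption.

```javascript
// Constructed registry: cookie-name patterns mapped to a purpose category.
const REGISTRY = [
  { pattern: /^session_id$/, category: "necessary" },
  { pattern: /^csrf_/, category: "necessary" },
  { pattern: /^_an_/, category: "analytics" },
  { pattern: /^_ad_/, category: "marketing" },
];

// Constructed tag inventory: each tag declares the category it fires under.
const TAGS = [
  { id: "bot-check", category: "necessary" },
  { id: "web-analytics", category: "analytics" },
  { id: "ad-pixel", category: "marketing" },
];

// A cookie that matches nothing is "unclassified" and is never permitted,
// so a newly added third-party tag fails closed until someone reviews it.
function classifyCookie(name) {
  const hit = REGISTRY.find((r) => r.pattern.test(name));
  return hit ? hit.category : "unclassified";
}

// ctx.regime:  "opt-in" (EU-style) or "opt-out" (US-state-style); anything else is treated as opt-in
// ctx.consent: recorded choices per category; a missing key means no choice yet
// ctx.gpc:     true when navigator.globalPrivacyControl is true or the request carried Sec-GPC: 1
function isCategoryAllowed(category, { regime, consent = {}, gpc = false }) {
  if (category === "necessary") return true;
  if (category === "unclassified") return false;
  if (regime !== "opt-out") return consent[category] === true; // silence is not consent
  if (gpc) return false; // assumption: GPC opts out of every non-essential category
  return consent[category] !== false; // opt-out: allowed until refused
}

// Gate: run before any tag is injected; returns the ids that may load.
function tagsToFire(tags, ctx) {
  return tags.filter((t) => isCategoryAllowed(t.category, ctx)).map((t) => t.id);
}

// Audit: names in a Cookie header / document.cookie string that the current
// consent state does not permit, e.g. set by a tag that loaded outside the gate.
function auditCookies(cookieString, ctx) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name && !isCategoryAllowed(classifyCookie(name), ctx));
}
```

Running `auditCookies` against the live cookie jar after page load is what catches tags that bypass the gate; the gate alone only controls tags that go through it.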
