
Everything your parents told you about cookies is a lie!


In case you haven't looked at your calendar lately, we made it to 2025... 🎆 and that's exciting not only because Joomla will enjoy its 20 year anniversary 🎂 soon, but because the World Wide Web is definitely a bit more interesting than when it first started...



[Image: The Welcome page of the Apple website in a 2-column format, 1990s era]

...but aside from the look and feel, and navigation styles, a lot of other things have changed. In the last few years, particularly, some of those changes have come in the shape of Privacy and Consumer/User rights updates...

In 2025, if you don't have a proper understanding of what cookies are, you might just get yourself into trouble... and not just in the European Union, where GDPR policies are in effect.

Many other parts of the world are starting to take a serious position when it comes to Consumer Rights and Privacy:

  • California Consumer Privacy Act (CCPA/CPRA) - USA
  • Personal Information Protection Law (PIPL) - China
  • Lei Geral de Proteção de Dados (LGPD) - Brazil
  • Digital Personal Data Protection Act (DPDPA) - India
  • Protection of Personal Information Act (POPIA) - South Africa
  • Personal Data Protection Act (PDPA) - Singapore
  • Revised Data Protection Act (UK GDPR) - United Kingdom
  • Swiss Data Protection Act (Revised 2023) - Switzerland
  • Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
  • Act on the Protection of Personal Information (APPI) - Japan
  • Personal Information Protection Act (PIPA) - South Korea

(And of course, for violations, they basically all carry fines 💰.)


In some capacity or another, all of the above Regulations/Acts have more or less strict provisions around Cookies... and these Cookies 🍪 won't give you a sugar high or cause cavities 🦷, so let's dive into what all of these different types of Cookies are (I'll focus on GDPR, as that is the most widespread, comprehensive, and stringent privacy framework currently).

Cookies can be catalogued by different criteria: Source, Functionality, even Security Attributes among others.

By Source

  • 1st party cookies: created when one visits a website to remember preferences (e.g. cart items, login details, or language settings). These expire when the browser closes and are typically session-based.

  • 3rd party cookies: placed by external partners/domains (e.g. analytics tools, advertisers, etc.) to track cross-site behavior for analytics and targeted ads. These raise privacy concerns and persist longer...

By Functionality

  • Strictly necessary Cookies: required for a website's core functionality (e.g. shopping cart, login, etc.).

  • Performance/Analytics Cookies: track user interactions (e.g. page visits, bounce rates), mostly to optimize a site's performance. ⚠️ GDPR requires consent.

  • Functional Cookies: enable non-essential features (e.g. saving preferences). ⚠️ GDPR requires consent.

  • Targeting Cookies: used for ad personalization. ⚠️ GDPR requires explicit consent.

By Security Attributes

  • Secure cookies: to prevent interception, these are transmitted only over HTTPS.

  • HTTP-only cookies: they protect sensitive data by blocking access from client-side scripts.

  • SameSite cookies: to mitigate CSRF attacks, they restrict cross-site sharing.
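
An added example (not from the original article or the Joomla project): a small Node.js audit of `Set-Cookie` headers for the three security attributes above, which also reports whether each cookie is session-based or persistent. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header lines for Secure, HttpOnly and SameSite.
// Findings are review prompts; e.g. a cookie read by page scripts cannot be HttpOnly.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!attrs.secure) findings.push('missing Secure: may be sent over plain HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by client-side script');
  if (!sameSite) findings.push('missing SameSite: browser default applies');
  else if (!['strict', 'lax', 'none'].includes(sameSite)) findings.push('invalid SameSite value');
  else if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None without Secure: browsers may reject it');
  // No Expires/Max-Age means the cookie lasts only for the browser session.
  const persistent = 'expires' in attrs || 'max-age' in attrs;
  return { name, lifetime: persistent ? 'persistent' : 'session', findings };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'lang=en-GB; Path=/; Max-Age=31536000',
  'trk=xyz789; Domain=ads.example; SameSite=None; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
];

for (const h of SAMPLE_HEADERS) {
  const r = auditCookie(h);
  console.log(`${r.name} (${r.lifetime}): ${r.findings.length ? r.findings.join('; ') : 'ok'}`);
}
```
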


-
Consent is not required under GDPR.

⚠️ - GDPR requires consent — in some cases, explicit consent before use.


If you are starting to think that this gets complicated quickly, you would be correct.

Just with GDPR and CCPA/CPRA, there are a lot of subtleties, and that's without adding country- or region-specific nuances such as the French CNIL (the French independent regulatory authority responsible for ensuring data protection and privacy rights) or Germany's Telecommunications and Telemedia Data Protection Act (TTDSG) and German Data Protection Authorities (DPAs), which add a layer of rules beyond GDPR and the EU's ePrivacy Directive (ePD).

So, what can you do with all these different regulations and this ever evolving privacy landscape?

The easiest approach is to provide a clear and transparent declaration of what cookies your website uses and to require consent for everything other than Strictly necessary Cookies.

And when it comes to Joomla (since v3.9+), you have some built-in help from the core:

Privacy Tool Suite includes:

  • Consent tracking for registered users.

  • Data request workflows with access, export, and deletion.

  • Core API for reporting collected data for extensions.

Current Limitations of the suite: It lacks automatic blocking, granular cookie categorization, or granular banner customization — features required for full GDPR/ePrivacy compliance.

Unfortunately, many extensions or services still fail to meet the necessary compliance standards today, leaving gaps in your site's adherence to the latest regulations...

Since you need more capabilities than what Joomla 5 provides built-in, you may want to check out one of these quality extensions to complement the built-in features. Here are a few to consider (in no particular order):

| Free only | Free & Paid options | Paid only |
| --- | --- | --- |
| n3t Cookie Consent | Cookies CK | Joomla! GDPR component |
| EU e-Privacy Directive | | Web357 Cookies Policy Notification Bar |

Honorable Mention: 
JA Joomla GDPR Extension (currently lacks some important/required features but should qualify in the future).

NOTE: 
I realize there are also 3rd party online solutions that exist like CookieBot, Osano, Iubenda, Enzuzo, OneTrust and several others. However, these solutions are often not native to Joomla or do not offer a Joomla extension. They are typically not free without limitations or are paid-only options, often requiring a monthly subscription.


In conclusion:

Similar to the idea that all websites should be accessible, and while many of the requirements around Cookies might seem to be limited to the European Union and GDPR, I would urge all website creators to include a Cookie Banner / Management tool in their website. This helps protect users' privacy and provides a more transparent approach to handling their data, which is beneficial for the entire internet and everyone using it.

Enjoy munching on 'em cookies...  🍪🥠🍪

Some articles published on the Joomla Community Magazine represent the personal opinion or experience of the Author on the specific topic and might not be aligned to the official position of the Joomla Project


Comments 1

Marc Dechèvre on Sunday, 20 April 2025 09:35
tarteaucitron.io is also another interesting solution

Txs Emmanuel!

Nowadays, I even explicitly ask my new customers to consider opting for "no cookies at all" (well, just the Session cookie, which does not require consent).

But if for some reason we need to manage Cookies then I use https://tarteaucitron.io/en/ (which is free and open source, even if there is also a handy paid version).

A few years ago I made a detailed presentation about it: https://slides.woluweb.be/cookies/

Note: there is also at least 1 Joomla extension integrating tarteaucitron (even if really you don't need an extension in my view to do it) : https://www.joomla-conseil.com/actualites/cms-joomla/plugin-joomla-tarte-au-citron
