This is definitely an issue that's been coming up often lately! The DevPortal does not include any modifications around cookie usage, so the Drupal core default behavior is:
- Anonymous users
- No session cookie
- A has_js cookie is set to indicate whether the browser allows JS usage
- Authenticated users:
- Session cookie used to authenticate user
- has_js cookie
After that it all comes down to which contributed modules are enabled on the site:
- Google Analytics
- Sets 2 cookies "_ga" and "_gid" for all users. Visitor data is sent back to Google
- Marketo
- Sets cookie "_mkto_trk" for all users. Visitor data back is sent back to Marketo
- Adobe Site Catalyst
- Sets cookie "s_fid" for all users. Visitor data may be sent to Adobe
There is a lot of work being done to allow Drupal sites to comply with GDPR regulations, and this is available as contributed modules. This page
https://www.drupal.org/project/drupal_gdpr_team collects the discussion and modules being created. Specifically the