There isn't an obvious bright line, and that's probably intentional.
This is not legal language or legal advice, but the gist of it is "if you don't have it, can your website still do what it claims to do?"
For a site like GitHub, if you can't use cookies to maintain session state, you'd have trouble implementing login sessions, so that's pretty squarely on the essential side of the fence.
But moving into murkier territory, how about logging the IP addresses you signed in from? If you're using it to detect new login locations or new devices as a security alerting thing, then I think you can make a strong enough claim that this is essential. (Again, not a lawyer, this is not legal advice.)
What if a PM wants to look in these logs for how many unique users show up in each country? That's pretty squarely on the side of analytics, and is probably not essential.
But... muddying the waters more, what about if an engineer wants to query unique users to figure out how many more racks of servers to buy? I have no idea. I'd be asking a lawyer.