# [Understanding Google Analytics cookies: consent, compliance, and alternatives](https://usercentrics.com/knowledge-hub/google-analytics-cookies/)

**Google Analytics cookies provide insights into user behavior, but privacy laws now require explicit consent before tracking. Learn how cookies work, the consent requirements in the EU and US, and practical alternatives to maintain analytics while respecting user privacy.**

[Start free scan](https://usercentrics.com/privacy-compliance-scanner/)

---

## At a Glance

Key Takeaways

- Google Analytics cookies collect data on visitor behavior, session duration, traffic sources, and device information — classifying them as analytics or measurement cookies.
- Google Analytics cookies consent is required under GDPR and ePrivacy for EU and UK visitors: GA cookies are non-essential and cannot be set before affirmative consent is obtained.
- GA4 has introduced more privacy-focused measurement options, including cookieless measurement, consent mode integration, and data thresholding, compared to Universal Analytics.
- Google Consent Mode v2 allows Google Analytics to operate in a consent-respecting mode, using behavioral modeling to fill measurement gaps where consent has not been given.
- Google Analytics cookies consent must be collected and recorded by a CMP that integrates with Consent Mode v2 and passes consent signals before any GA cookies are set.
- Organizations using Google Analytics must disclose this in their privacy policy, naming Google as a data recipient and describing the data collected and the purpose of processing.

Google Analytics (GA) tracks billions of user interactions across websites every day through cookies. While these cookies power insights that drive marketing decisions, they've also become a focal point of global privacy regulations.

In fact, what was once standard practice now requires explicit user consent in many jurisdictions. And analytics implementations that ignore these requirements expose organizations to regulatory action, financial penalties, and reputational damage.

Understanding how Google Analytics cookies work and what privacy compliance actually requires regarding their use isn't optional anymore.

---

## What are Google Analytics cookies?

Google Analytics cookies are small text files stored in a user's browser that enable the platform to collect data about website visits and user behavior. These [tracking cookies](https://usercentrics.com/knowledge-hub/tracking-cookies-and-the-gdpr) assign unique identifiers to each of your website visitors, track their interactions across pages, and help attribute traffic to specific sources.

When someone visits your website and it's using Google Analytics, the tracking code checks for existing cookies. If none are found, Google Analytics creates a new one. On subsequent visits, GA cookies recognize a returning user and maintain continuity in their session data.

The cookies themselves don't contain personally identifiable information, like names or email addresses. Instead, they store randomly generated client IDs, timestamps, and behavioral markers that GA uses to compile aggregate reports about traffic patterns, conversion paths, and user engagement.

### Types of cookies in Google Analytics

Google Analytics deploys several cookies depending on your configuration. GA4, the current version, uses a streamlined Google Analytics cookies list:

- **_ga**: stores the client ID with a two-year expiration, serving as the primary identifier for tracking users across sessions
- **_ga_<container-id>**: contains session information and event data specific to your GA4 property
  - **Note:** Many standard GA4 implementations also set **_gid** (used to distinguish users; typically expires after 24 hours) and other related cookies

These are first-party cookies, meaning they're set from your domain rather than from Google's domain. However, despite this technical classification, they send data to Google's servers for processing, which is why regulators treat them with the same scrutiny as third-party tracking cookies.

Beyond these standard cookies, GA4 may set additional cookies when you enable cross-domain tracking, enhanced e-commerce features, or advertising features. The exact cookie list varies based on your implementation choices.

---

## How do Google Analytics cookies work?

The Google Analytics cookie operates through a straightforward process that begins the moment someone lands on your website.

When the GA tracking code loads, it immediately checks the visitor's browser for existing Google Analytics cookies. If this is their first visit, GA creates a new client ID — a randomly generated string, such as *"1234567890.9876543210"* — and stores it in the _ga cookie.

This client ID acts as a persistent identifier, linking all of that user's activity over time. As they browse your site, the tracking code reads the client ID and sends it to Google's servers along with behavioral data. Every page view, click, and interaction is tagged with the same identifier, allowing GA to build a coherent picture of each user's journey.

It's worth noting that these Google Analytics first-party cookies don't contain personally identifiable information such as names or email addresses. Instead, they store the random identifier, timestamps, and behavioral markers that GA uses to generate aggregate traffic and engagement reports.

This structure also enables GA to group activity within defined time windows, known as sessions.

### Session tracking and continuity

A session is essentially a bundle of interactions within a specific period. By default, a session ends after 30 minutes of inactivity. (With the old version of Universal Analytics, it ended after 30 minutes of inactivity or at midnight.)

The _ga_<container-id> cookie maintains session state as users move among pages, recording the start time and number of pages viewed.

When a visitor returns after a session expires, GA recognizes them through the persistent _ga cookie but initiates a new session. This separation between user-level and session-level data allows GA to analyze both long-term behavior and individual visit patterns. It also lays the groundwork for understanding how people arrive on your site in the first place.

### Traffic source attribution

Cookies play a key role in linking sessions to their original traffic source. When someone lands on your site through a marketing campaign, search result, or referral, cookies in Google Analytics record that information and associate it with the client ID.

Even if that person later returns directly, GA cookies can still attribute their eventual conversion to the original source.

This persistent attribution is what makes it possible to evaluate marketing effectiveness across multiple visits. It's also the aspect of cookie tracking that privacy regulations now closely scrutinize, since it involves following users over time and across sessions.

The way GA cookies function has significant legal implications. Because they track users across sessions, attribute traffic sources over time, and involve data transfers outside national borders, regulators view them as more than just technical tools.

Privacy laws around the world now treat analytics cookies as personal data processing activities that are subject to privacy compliance obligations for consent.

---

## Google Analytics cookies and global privacy laws

The legal treatment of analytics cookies has shifted dramatically in recent years. Around the world, regulators have made it clear that Google Analytics cookies are not automatically exempt from consent requirements. The earlier assumption that analytics were "necessary" for basic website function has been repeatedly challenged, and, in most jurisdictions, rejected.

### Google Analytics cookies and the GDPR

In the European Union, the [General Data Protection Regulation (GDPR)](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/) and the [ePrivacy Directive](https://usercentrics.com/knowledge-hub/eprivacy-everything-you-need-to-know-about-it) set a clear standard. Analytics cookies are not considered strictly necessary, so they require explicit Google Analytics cookie consent before being placed on a user's device.

The ePrivacy Directive has reinforced this by prohibiting any storage of information on a device without prior consent, except for essential technical purposes.

Regulators and courts have consistently upheld this position. In 2022, data protection authorities in Austria, France, and Italy ruled that [Google Analytics cookies violated the GDPR](https://usercentrics.com/knowledge-hub/google-analytics-and-gdpr-compliance-rulings/) because data was transferred to the United States without adequate safeguards.

Although these rulings centered on international data transfers, they also confirmed that GA cookies require consent as a baseline.

If you do business or serve customers in the EU, then the GDPR applies to you. Easily achieve and maintain compliance by downloading our [GDPR compliance checklist](https://usercentrics.com/resources/gdpr-checklist).

### Google Analytics cookies and US state privacy laws

In the United States, regulation follows a different model, but this still affects your analytics use. For instance, the [California Privacy Rights Act (CPRA)](https://usercentrics.com/knowledge-hub/california-privacy-rights-act-cpra-enforcement-begins) doesn't require prior opt-in for cookies, but it does mandate clear notice and an option to opt out of data collection that goes beyond what's necessary to deliver a service.

Analytics cookies used for profiling, marketing, or sharing data often fall into this category.

Other states with privacy laws are adopting similar rules, resulting in a patchwork that increasingly leans toward consent or, at a minimum, simple and easily accessible opt-out mechanisms.

Discover [which US states have privacy laws in place](https://usercentrics.com/knowledge-hub/us-state-data-privacy-effective-dates-and-thresholds) and how to best comply with their requirements.

### Do companies need consent when using Google Analytics cookies?

In most cases, yes.

In the EU, the ePrivacy Directive and GDPR require explicit consent before setting Google Analytics cookies. The rule is simple: if cookies aren't strictly necessary to deliver a service the user requested, they need consent and must be mentioned in your [cookie banner](https://usercentrics.com/knowledge-hub/cookie-banner). Analytics cookies don't meet this threshold, since websites function without them.

In the US, the situation varies by state, but increasingly points toward consent or clear opt-out mechanisms. Under California's CCPA/CPRA, analytics cookies can count as "selling" or "sharing" personal information if they feed advertising or third-party systems.

In these cases, users must be able to opt out — often via [CCPA cookie banners](https://usercentrics.com/knowledge-hub/ccpa-cookie-banner) that resemble GDPR consent tools.

---

## Alternatives to cookie-based tracking in Google Analytics 4

If users don't give consent for analytics cookies, your data collection options narrow. You can accept data gaps or adapt. Several approaches enable you to maintain meaningful analytics while honoring user choices and complying with privacy rules.

### Google Analytics cookies and Google Consent Mode

[Google Consent Mode](https://usercentrics.com/knowledge-hub/google-consent-mode) doesn't just block cookies when consent is declined — it can also enable cookieless pings that send limited data to GA4. This approach provides aggregate insights about traffic volumes and basic behavior without user-level tracking.

In this mode, GA4 uses modeling to fill gaps in your reports. Google's machine learning estimates conversions and other metrics based on users who did provide consent, then applies them to the nonconsenting population. The accuracy varies, and you won't get individual user journeys, but you maintain directional insights.

### Google Analytics cookies and server-side tracking

Shifting GA4 to a server-side architecture changes how data is collected. Instead of relying on browser-based scripts, your server receives events and forwards them to Google.

[Server-side tracking offers several benefits](https://usercentrics.com/knowledge-hub/benefits-of-server-side-tracking). You control data collection directly, can implement first-party cookies from your own domain — which some privacy laws treat more favorably — and gain flexibility in what data you send to Google.

Learn more about [Google Analytics server-side tracking](https://usercentrics.com/guides/server-side-tagging/google-analytics-server-side-tracking/)

In addition, privacy-focused users who block client-side tracking scripts won't automatically block server-to-server communication.

However, server-side GA4 adds technical complexity. You need server infrastructure to receive and process events, must maintain the tracking logic yourself, and lose some automatic features like enhanced measurement. Regulatory requirements also remain — you're still processing personal data, so lawful bases like consent may still apply.

Future-proof your analytics with privacy-first server-side tagging — Take control of your tracking and get higher quality data for your ad channels with our easy-to-use Server-Side Tagging solution. [Learn more](https://usercentrics.com/server-side-tracking-solution/)

### First-party data strategies

Building analytics around data users actively provide — such as through logins or subscriptions — shifts tracking from cookies to authenticated sessions. This works well for SaaS products, member portals, or other contexts where users naturally identify themselves.

It's less viable for open-access sites with mostly anonymous visitors, but where possible, it can reduce reliance on cookies while improving data quality.

Discover more [first-party data marketing strategies](https://usercentrics.com/guides/future-of-data-in-marketing/first-party-data-marketing).

### Privacy-friendly analytics platforms

If your company doesn't want to use Google Analytics cookies, there are alternatives that have been developed. Platforms like Plausible, Fathom, and Simple Analytics don't use cookies at all, process minimal data, and position themselves as privacy-first solutions.

These tools sacrifice depth for privacy compliance simplicity. You won't get the granular user paths and sophisticated attribution that GA4 provides, but you also avoid much of the regulatory complexity.

### Hybrid approaches

Many organizations combine methods. They might use server-side GA4 for consenting users, switch to a privacy-focused platform for non-consenting users, and supplement both with first-party data from logged-in users. Implementing multiple approaches can feel challenging, but it can increase your data input while respecting consent.

The key is matching your tactics to your actual needs. If you require detailed user journey analysis and have multiple [attribution models](https://usercentrics.com/guides/marketing-measurement/attribution-modeling) in place, you may need multiple consent mechanisms to gather that data legally. If you primarily need traffic volume and basic engagement metrics, simpler approaches may be enough.

---

## How to manage cookie consent in Google Analytics?

[Download checklist](https://usercentrics.com/wp-content/uploads/2025/10/How-to-manage-cookie-consent-in-Google-Analytics.pdf)

If you decide to continue using Google Analytics with cookies, you need a consent framework that's legally compliant and technically sound. Consent management isn't just a legal checkbox. It's what helps to ensure that GA only collects data when users agree, and that your implementation aligns with both privacy rules and reporting accuracy.

Managing consent involves two parts: a consent interface that collects valid user choices, and a technical configuration that ensures GA receives and respects those choices.

### Step 1: Implement a consent management platform

A [consent management platform (CMP)](https://usercentrics.com/knowledge-hub/cmp-definition) is the foundation. It provides the interface where users can make clear, informed choices, and it communicates those choices to your analytics setup.

Therefore, your cookie banner should explain what GA cookies collect and why, offer equal accept and decline options, and avoid pre-ticked boxes or implied consent. Both of the latter actions violate privacy compliance standards in many jurisdictions. A comprehensive CMP also stores consent records and integrates with your tags, so tracking doesn't start before consent is granted.

### Step 2: Configure Google Consent Mode

If you choose to use [Google Consent Mode](https://usercentrics.com/usercentrics-cmp-and-google-consent-mode-v2/), this is where it fits in. Consent Mode acts as a translator between your CMP and GA4. When users decline analytics cookies, it prevents cookie placement but still allows cookieless pings, enabling GA to model aggregate behavior without violating consent rules.

You enable it by setting default consent states and updating them when users give consent:

```
gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied'
});
```

This sets the default state to denied. When users provide consent through your CMP, update these parameters:

```
gtag('consent', 'update', {
  'analytics_storage': 'granted'
});
```

### Step 3: Integrate your CMP with Google Analytics

Most CMPs offer native GA4 integrations, so you don't need to manually update tags. These integrations synchronize consent states in real time and GA updates accordingly.

For example, Usercentrics CMP provides native GA4 integration that manages consent parameters without custom coding. When users make consent choices, the platform communicates those decisions to GA4 automatically, thus reducing the risk of misconfiguration and keeping your implementation consistent.

### Step 4: Test your implementation

Even well-designed consent setups break if not properly tested. Misfired tags can result in either data loss or noncompliance.

Test across browsers and devices using tools like:

- **Browser developer tools**: Open your browser's developer console, navigate to the **Application** tab, and check the **Cookies** section. Decline consent in your banner and verify that GA cookies don't appear.
- **Google Tag Assistant**: This Chrome extension shows which tags fire on your pages and whether they respect consent choices. Load your site, trigger the extension, and walk through consent scenarios.
- **Network monitoring**: Use the **Network** tab in developer tools to watch for GA requests. When consent is declined, you should see no requests to Google Analytics endpoints (or only cookieless Consent Mode pings if you've enabled that feature).

### Step 5: Document and maintain

Consent management isn't a "set it and forget it" process. Keep detailed records of your CMP configuration, Consent Mode settings, and test results. Regulators may request this during audits.

Review your implementation regularly. GA4 updates, CMP changes, or new regulatory guidance can all affect compliance. Proactive maintenance helps prevent silent data gaps or legal exposure.

---

## Balancing Google Analytics cookies and compliance

Google Analytics cookies are a valuable tool for understanding user behavior, but they come with clear legal requirements. Most major privacy laws require consent before setting analytics cookies, and enforcement is becoming more active.

Moving forward means finding a balance between collecting meaningful data and respecting user choices. Implement proper consent management, configure GA4 to follow those choices, and consider alternatives — like server-side tracking — for users who decline cookies.

Success won't come from skirting the rules. It comes from building analytics practices around user consent and transparent data handling so you can deliver useful insights while maintaining trust.

*Tom Wilkinson, Senior Marketing Consultant, Usercentrics GmbH*

---

## Frequently asked questions

### What is Google Analytics cookies?

Google Analytics cookies are small text files stored in users' browsers that enable the platform to track website visits and user behavior. They assign unique identifiers to visitors and help GA collect data about sessions, traffic sources, and user interactions across your site.

### Does Google Analytics use cookies?

Yes, Google Analytics uses first-party cookies to track and measure user activity on a website. These small text files are stored in a visitor's browser to distinguish unique users across sessions and collect data like page views and session duration. Google Analytics 4 uses cookies like _ga and is also equipped to use cookieless methods and data modeling for privacy compliance.

### Are Google Analytics cookies essential?

No. Analytics cookies aren't considered strictly necessary for website operation under most privacy laws. While they're valuable for understanding user behavior, websites function fully without them, which is why they typically require user consent before placement.

### Are Google Analytics cookies first- or third-party?

Google Analytics cookies are technically first-party cookies, meaning they're set from your domain rather than from google.com. However, the data collected through these cookies is sent to and processed by Google (a form of third-party data transfers), so regulators still treat them as requiring consent similar to third-party tracking mechanisms.

### What cookies does GA4 set?

GA4 primarily sets two cookies: _ga (which stores the client ID with a two-year expiration) and _ga_ (which stores property-specific session and event data).

However, Google's global tag (gtag.js) can still set other cookies, such as _gid (used for session and user distinction and typically expires after 24 hours) and _gac_gb_ (for campaign-related information).

### How do I delete Google Analytics cookies?

Users can delete Google Analytics cookies through their browser settings. Navigate to Settings > Privacy > Cookies, find a website, and delete the _ga cookies. You can also clear all cookies, use private browsing modes, or block cookies entirely through browser settings or extensions.

### Can I use Google Analytics without cookies?

Yes, with limitations. GA4 can operate in a cookieless mode using Google Consent Mode, though this significantly reduces data quality and granularity. Server-side implementations can also track some events without browser cookies. However, standard client-side GA4 implementations rely heavily on cookies for full functionality.

### How does Google Analytics cookies work?

Google Analytics cookies work by storing a unique client ID in the user's browser. When someone visits your site, the GA tracking code checks for this cookie. If found, it reads the ID and sends it with behavioral data to Google's servers. This allows GA to connect multiple page views and sessions to the same user over time.

### How long do Google Analytics cookies last?

The primary _ga cookie and the _ga_ cookie from Google Analytics are set to expire two years after a user's last interaction. This expiration date is reset with each new visit. However, some browser policies, such as Apple's Intelligent Tracking Prevention (ITP), can reduce the cookie's lifespan to as little as 7 days, overriding the default setting.

### What are the analytics cookies used for?

Analytics cookies are used to track and measure user behavior on a website. They assign a unique identifier (Client ID) to a visitor to distinguish new and returning users and group their page views and interactions into a single session. This allows the website owner to accurately analyze traffic sources and evaluate site performance.

---

## Products
- [Usercentrics Web CMP](https://usercentrics.com/website-consent-management/)
- [Usercentrics App CMP](https://usercentrics.com/in-app-sdk/)
- [Usercentrics CTV CMP](https://usercentrics.com/usercentrics-ctv-cmp/)
- [Privacy Policy Generator](https://usercentrics.com/privacy-policy-generator/)
- [Server-side Tagging Solution](https://usercentrics.com/server-side-tracking-solution/)
- [Preference Manager](https://usercentrics.com/preference-management/)
- [Audience Unlocker](https://usercentrics.com/audience-unlocker/)
- [Integrations](https://usercentrics.com/integrations/)
- [Web Compliance Scan](https://usercentrics.com/privacy-compliance-scanner/)
- [App Compliance Scan](https://usercentrics.com/app-data-privacy-audit/)
- [ROAS Calculator](https://usercentrics.com/roas-calculator/)

## Solutions
- [Data Privacy Regulatory Compliance](https://usercentrics.com/data-privacy-regulatory-compliance/)
- [Marketing Performance Optimization](https://usercentrics.com/marketing-performance-optimization/)
- [Migration](https://usercentrics.com/migration/)
- [Media & Publishing](https://usercentrics.com/media-publishing/)
- [Retail & Ecommerce](https://usercentrics.com/retail-ecommerce/)
- [Banking, Finance & Insurance](https://usercentrics.com/banking-finance-insurance/)
- [Healthcare & Pharmaceuticals](https://usercentrics.com/healthcare-pharmaceuticals/)
- [Gaming](https://usercentrics.com/gaming/)
- [Education](https://usercentrics.com/education/)
- [Automotive](https://usercentrics.com/automotive/)
- [Travel & Hospitality](https://usercentrics.com/travel/)

## Regulations & Frameworks
- [GDPR (EU)](https://usercentrics.com/gdpr/)
- [GDPR (UK)](https://usercentrics.com/uk-gdpr/)
- [CCPA (California)](https://usercentrics.com/ccpa/)
- [TCF v2.3 (IAB)](https://usercentrics.com/cmp-for-publishers/)
- [DMA (EU)](https://usercentrics.com/digital-markets-act-dma/)
- [Amazon Consent Signal](https://usercentrics.com/usercentrics-cmp-and-amazon-consent-signal/)
- [Google Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-google-consent-mode-v2/)
- [Microsoft UET Consent Mode (EU)](https://usercentrics.com/usercentrics-cmp-and-microsoft-consent-mode/)
- [Microsoft Clarity Consent Mode](https://usercentrics.com/usercentrics-cmp-and-microsoft-clarity-consent-mode/)
- [View all regulations](https://usercentrics.com/regulations-and-frameworks/)

## Resources
- [Blog](https://usercentrics.com/knowledge-hub/)
- [Whitepapers](https://usercentrics.com/whitepapers/)
- [Checklists](https://usercentrics.com/checklists/)
- [Courses](https://courses.usercentrics.com/)
- [Case Studies](https://usercentrics.com/case-studies/)
- [Privacy-Led Marketing](https://usercentrics.com/privacy-led-marketing/)
- [Events](https://usercentrics.com/webinar/)
- [CONSENTED Podcast](https://usercentrics.com/consented/)
- [Guides](https://usercentrics.com/guides/)
- [Release Notes](https://releases.usercentrics.com/en)
- [Developer Documentation](https://usercentrics.com/docs/)
- [RFI Template](https://usercentrics.com/resources/usercentrics-rfi-template/)
- [Customer Directory](https://usercentrics.com/usercentrics-customer-directory/)

## Company
- [About Us](https://usercentrics.com/about-us/)
- [Press](https://usercentrics.com/press/)
- [Our Offices](https://usercentrics.com/contact/)
- [Trust Center](https://trust.usercentrics.com/)
- [Careers](https://usercentrics.com/career/)
- [Open Positions](https://apply.workable.com/usercentrics/)
- [Diversity & Inclusion](https://usercentrics.com/dei/)

## Support
- [General Support](https://support.usercentrics.com/hc/en-us)
- [Contact Sales](https://usercentrics.com/book-a-consultation/)
- [Technical Support](https://support.usercentrics.com/hc/en-us/requests/new)
- [Billing & Account](https://support.usercentrics.com/hc/en-us/categories/12253804608156-Account-and-billing)
- [Suggest a Feature](https://support.usercentrics.com/hc/en-us/requests/new?ticket_form_id=10610312381340)
- [Partner Login](https://partnerportal.usercentrics.com/)
- [Partner Program](https://usercentrics.com/partner-program-overview/)
- [Affiliate Program](https://usercentrics.com/affiliates/)

## Legal
- [Terms & Conditions](https://usercentrics.com/terms-and-conditions/)
- [Terms & Conditions USA](https://usercentrics.com/terms-and-conditions-usa/)
- [Privacy Policy](https://usercentrics.com/privacy-policy/)
- [Legal Notice](https://usercentrics.com/legal-notice/)
- [Legal Documents](https://usercentrics.com/legal-documents/)
- [Accessibility Statement](https://usercentrics.com/accessibility-statement-wcag-compliance/)

© 2026 Usercentrics GmbH