Google Analytics 4 (GA4) stands out as the top tool for insights into website performance and user interactions and engagement. Many website owners wonder if their site is GDPR-compliant if they use Google Analytics. What are GA4 cookies? How to use GA4 cookies in a privacy laws-compliant way?
If you really want to understand how Google Analytics 4 (GA4) works (collects data, defines users and sessions, and defines metrics) and/ or if you want to implement cross-domain consent or cross-device tracking, you need to have a great understanding of GA4 cookies.
Read this guide to explore what GA4 cookies are, how they work, whether you need to ask users for cookie consent, and what implications they hold for website owners.
What Are Cookies in Web Analytics?
Web cookies, also known as HTTP cookies, are small pieces of data stored on a user's device by websites they visit.
Cookies are not programs; they do not perform any function besides data collection.
They can be enabled or disabled via web browser settings. Cookies serve various purposes, such as browsing session management, remembering user preferences, tracking, and facilitating targeted advertising. In the context of Google Analytics, cookies play a crucial role in collecting and analyzing website performance data and user interactions with websites.
There are first-party cookies, that are stored directly by the domain or website the user visits. The tracking is limited to this website only. There are different types of first-party cookies. Some of them, like strictly necessary cookies, are important for websites to function normally, while other types of cookies are optional.
Third-Party Cookies are cookies that are placed on a user's device by a website from a domain other than the one the user is visiting. They are used for web tracking and advertising purposes.
Since cookies collect the personal information of website users, the usage of cookies is strictly regulated by privacy laws around the world. Most privacy laws allow users to opt in or opt out of the cookies.
Scan your website for free to see all cookies, including Google Analytics 4 cookies, and other cookies that your website uses.
What Are Google Analytics 4 Cookies?
In Europe, besides the GDPR and ePrivacy Directive, the Digital Markets Act (DMA) came into force in March 2024 and regulates big companies such as Google, nominated as gatekeepers.
To adhere to these strict privacy regulations, Google introduced Consent Mode v2 and GA4. Google Analytics 4 uses GA4 cookies, that are like their predecessors, but with the increased emphasis on user privacy and consent management.
GA4 cookies are cookies, set by Google Analytics 4 that help GA4 recognize unique users and sessions, trace interactions, and collect data such as page views, session duration, and engagement.
Google Analytics 4 mainly sets first-party cookies. However, it can also set Third-Party Cookies (DoubleClick cookies) if a website uses GA4 display advertiser features like remarketing.
GA4 uses first-party cookies to identify unique users and individual sessions.
GA4 sets the following primary JavaScript first-party cookies:
- GA4 Cookie (gtag.js). The _gtag.js cookie is used to identify unique users and sessions. It contains a randomly generated identifier that is used to calculate visitor, session, and campaign data.
- Analytics Cookie (analytics.js). The _analytics.js cookies are used for tracking user interactions on the website.
The _ga cookie is used to identify unique users and expires after two years.
The _utma cookie stores the number of visits made from the users’ device, the time of the first visit, the previous visit, and the current visit.
The _utmb cookie stores information on how long the user stays on a website which uses Google analytics: when a visit started and when ended. This cookie does not contain any personal information other than the IP address of your device.
The _gat cookie is used to limit the number of requests and expires after ten minutes. If you use GTM to set Google Analytics, this cookie is set as _dc_gtm_<property-id>. By expiring every 10 minutes for non-authenticated users, it prevents a flood of data all at once, ensuring a steady and manageable flow for accurate analytics tracking.
The _gid cookie is used to track sessions, evaluate engagement and to view insights and overall traffic trends. It measures engagement time and engaged sessions. The _gid cookie expires after 24 hours.
- Conversion linker cookie. The _gcl cookie is employed to track conversions, particularly across domains. It ensures that clicks on ads are accurately attributed to conversion actions.
- Google Ads cookie. For websites using Google Ads, the _gac cookie is used to store ad click information and to track ad campaign performance.
These cookies are set on top-level domains, so it allows us the subdomain tracking without any extra configuration, a single tag is enough.
There are also other GA4 cookies. Preference cookies are used to store users’ preferences, like language or any type of customization.
Security cookies (SID or HSID) are used to protect users’ data from unauthorized access.
Google Analytics cookies are set as soon as you visit a website where Google Analytics tracking is implemented.
Since all cookies are browser-specific, Google Analytics will set a different set of cookies if you return to a website via another web browser.
If a GA4 cookie already exists, it is updated to collect users’ data. Thus, if you try to set a cookie that already exists, it will be overwritten.
Note, that Google Analytics 4 does not store any personal information in its cookies. Based on user Cookie Consent preferences, GA4 cookies just collect user data and send it to Google Analytics 4, if the user granted cookie consent.
How Do GA4 Cookies Work?
GA4 cookies function by collecting and transmitting data related to user identification, session identification, and user interactions with the website. When a user visits a site with GA4 implemented, first-party cookies are set by the analytics.js library, allowing the collection of data directly from a website user. GA4 collects user data about GA4 events like clicks, scrolls, file downloads, page views, session duration, user preferences, and more. It can also provide additional data like where users come from or if this is the first or returning visit to the website. This data is then aggregated and processed by Google algorithms to generate insights into user behavior and website performance.
Google Analytics 4 sets cookies to:
- Identify unique users;
- Identify unique sessions;
- Trace user interactions;
- Collect data about user sessions, such as page views, session duration, and engagement.
By default, GA4 cookies persist for 2 years. After this time, they are deleted for inactivity.
You can change the expiration time of GA4 cookies manually from the GA4 admin panel. However, if you set GA4 cookies to expire immediately, you won’t be able to discriminate new vs. returning website users since all users will appear to be new.
In GA4, first-party cookies are set by the gtag.js library, allowing the collection of data directly from a website user. GA4 collects user data about GA4 events like clicks, scrolls, file downloads, page views, and more. It can also provide additional data like where users come from or if this is the first or returning visit to the website.
Google Analytics uses cookies which are set by the JavaScript library being used.
Google Analytics 4 JavaScript libraries
Google Analytics 4 uses these JavaScript libraries for tracking website usage data:
- gtag.js
- Analytics.js
The gtag.js library is the main JavaScript library for implementing tracking and analytics features in GA4. All data that is collected by Google Analytics 4, is saved into this library. The gtag.js JavaScript library uses first-party cookies to distinguish unique users as well as unique sessions from a single user. The library also allows you to transmit data to your GA4 properties without cookies when a user denies Cookie Consent.
The Google tag (gtag.js) is a single tag you can add to your website to use a variety of Google products and services (e.g., Google Ads, Google Analytics, Floodlight, Campaign Manager, Search Ads 360, etc.). Instead of managing multiple tags for different Google product accounts, you can use the Google tag across your entire website and connect the tag to multiple destinations.
See the official documentation and guides for implementing tracking with gtag.js in GA4.
The Analytics.js library is the outdated JavaScript library that was used in Universal Analytics. Universal Analytics and its JavaScript library were replaced by Google Analytics 4. All customers will lose access to the Universal Analytics interface and this library starting on July 1, 2024. Analytics.js library was used to measure interactions on your website like page views, and custom events, and identify unique website users with the help of first-party cookies.
The main difference between gtag.js and Analytics.js libraries is that gtag.js uses a single tag for a variety of Google products and services. It’s an improvement since in the case of the gtag.js JavaScript library, you just need to implement a single Google tag, while in the case of the Analytics.js library you had to write different codes for different tags. Analytics.js is a JavaScript library used to send data only to Google Analytics.
GA4 also uses an AMP HTML JavaScript library to enhance the mobile web content user experience. The AMP HTML JavaScript library ensures the fast rendering of AMP HTML pages. It gives you custom HTML tags to ensure a fast page loading. The AMP HTML library uses a streamlined version of HTML, CSS, and JavaScript to implement all the AMP's best performance practices such as inline CSS and font triggering, which manages resource loading facilitating the measurement of user interactions on the page.
GA4 Cross-Device and Cross-Domain Tracking
GA4 cookies enable more robust cross-device tracking, allowing website owners to understand how users interact with their site across multiple devices. Cross-device tracking enables you to track user interactions across multiple devices, such as desktop computers, smartphones, and tablets.
GA4 uses various methods to enable cross-device tracking:
- User ID. Google Analytics first tries to identify unique users across GA4 sessions through a user ID. The User ID is stored in the Google Analytics cookie, which is set when a user visits your website for the first time. The User ID feature lets you associate identifiers with individual users so you can connect their behavior across different sessions and on various devices and platforms.
However, you can assign the User ID only to users who log in or create an account on your website or app. By using the User ID, you can track user interactions across devices as long as the user is logged in.
Read more about how to measure activity across platforms with User ID.
- Google Signals. If the User ID feature is not activated, GA4 will start looking for Google Signals data. Google signals are session data from websites and apps that are associated with users who have also signed in to their Google accounts, and who agreed with Ads Personalization.
- Client ID. If a user didn’t sign in to their Google account, GA4 automatically assigns a Client ID to each user, which persists across different devices and sessions. By analyzing the Client ID, GA4 can identify and track users across devices.
- Device ID. If the user didn’t grant Cookie Consent for Ads personalization, GA4 will then use Device ID.
GA4 cookies allow Google to use subdomain tracking and cross-domain tracking as well.
Google Analytics cookies are website-specific. The default Google Analytics implementation will track the user’s activity across subdomains. When the user travels across subdomains, they will maintain the same cookie.
Cross-domain tracking is different from subdomain tracking since cookies are not shared between different domains unless you have set up cross-domain tracking on your website.
Cross-domain tracking allows website owners and marketers to use a variety of Google products and services by using a single tag. Instead of managing multiple tags for different Google product accounts, you can use a single Google tag across your entire website and connect the tag to multiple destinations. This insight is valuable for optimizing the user experience and targeting relevant content and ads.
To enable cross-domain tracking in GA4, you need to configure your GA4 setup appropriately. Here's a general outline of how to set up cross-domain tracking in GA4:
1. Modify GA4 tracking code. If you're using the gtag.js library to implement GA4, you'll need to include additional configuration options in your tracking code. Specifically, you'll need to use the config command with the linker parameter to specify the domains you want to track across.
See the example on how to modify the GA4 tracking code:
gtag('config', 'GA_MEASUREMENT_ID', {
'linker': {
'domains': ['example.com', 'subdomain.example.com']
}
});
Replace 'GA_MEASUREMENT_ID' with your GA4 Measurement ID and 'example.com', 'subdomain.example.com', etc., with the domains or subdomains you want to track across.
2. Use the Cross-Domain Linker plugin. If you're using Google Tag Manager (GTM) to manage your GA4 tags, you can use the Cross-Domain Linker plugin to simplify cross-domain tracking configuration. This plugin automatically adds the necessary configuration to your GA4 tags based on the specified domains.
3. Use a CMP with the cross-domain tracking functionality. You can also enable the cross-domain tracking functionality by using a Consent Management Platform (CMP), that has this functionality. CookieScript is a CMPs, that allows a seamless implementation of cross-domain tracking without the configuration of GA4 cookies.
Google Consent Mode V2 and GA4 Cookies
Consent mode is a mechanism by which a website communicates user privacy choices to Google. Google tags can then adjust how they fire and process user data. Websites collect user Cookie Consent through cookie banners like the one below.
If businesses want to continue using Google Advertisement products and measure user behavior and website performance in the EEA, starting from March 2024, they need to switch to Google Consent Mode v2.
There are two operating modes for Consent Mode v2: Basic and Advanced.
With the Basic consent mode, Google tags do not fire and do not collect any data until the website user consents to data collection. If a user grants Cookie Consent, GA4 cookies send user-related data to Google. If a user denies cookies through the Cookie Banner or ignores the Cookie Banner, the user will not be tracked at all.
With Advanced consent mode, Google tags load before the cookie consent banner appears on the web page. If a user grants cookie consent, GA4 cookies send user-related data to Google. If a user denies Cookie Consent, GA4 cookies do not fire, but the tags still send cookieless pings to Google. GA4 developed a method that could also work without cookies. These cookieless pings allow Google to process non-personal data and provide modeled data for the GA4 property.
To compensate for the data loss, GA4 will fill in the gaps of data loss based on behavioral modeling and conversion modeling. Behavioral modeling estimates non-consented user behavior based on the aggregate data of consented user behavior. Conversion modeling estimates user behavior patterns and engagement on the user paths on the website, which allows marketers to evaluate the performance of marketing.
To implement Google Consent Mode v2: you need to use a Google-certified Consent Management Platform (CMP). CookieScript is a Google-certified CMP, that allows you to implement Google Consent Mode v2 seamlessly.
Implications for Website Owners and Marketers
In conclusion, website owners and marketers need to understand GA4 cookies to leverage the full potential of Google Analytics 4 while adhering to privacy regulations. Here are some key implications to consider:
Compliance with privacy regulations. GA4 uses a privacy-centric approach, ensuring consent management and full compliance with the EU’s GDPR, the UK’s DPA 2018, and other privacy laws and regulations.
Data accuracy and modeling. When users grant Cookie Consent, GA4 cookies can gather accurate data on website performance and user behavior. When a user rejects Cookie Consent, GA4 uses behavioral modeling and conversion modeling to compensate for data loss. The combination of this data gives a comprehensive view, allowing marketers to make strategic decisions related to content optimization, user experience improvements, and marketing campaigns.
Cross-device and cross-domain tracking. GA4 cookies enable more robust cross-device tracking, allowing website owners to understand how users interact with their site across multiple devices. Cross-domain tracking allows website owners and marketers to use a variety of Google products and services by using a single tag. Instead of managing multiple tags for different Google product accounts, you can use the Google tag across your entire website and connect the tag to multiple destinations. This insight is valuable for optimizing the user experience and targeting relevant content and ads.
Customization and personalization. Leveraging the data collected through GA4 cookies, website owners can personalize user experiences and tailor content to specific audience segments. This can lead to higher engagement and conversion rates.
Frequently Asked Questions
What are Google Analytics 4 Cookies?
GA4 cookies are cookies, set by Google Analytics 4 that help GA4 recognize unique users and sessions, trace interactions, and collect data such as page views, session duration, and engagement. With CookieScript CMP, you can automatically scan your website for cookies, prepare a cookie declaration table, and collect cookie consent from users through a Cookie Banner.
Does GA4 use cookies?
Google Analytics 4 (GA4) relies on first-party cookies and other methods of data collection. GA4 mainly sets first-party cookies to provide tracking and measurement data. GA4 developed a method that could also work without cookies. With Advanced Consent Mode v2 implementation, when a user denies cookie consent, GA4 cookies do not fire, but the tags still send cookieless pings to Google. In some cases, GA4 can also set Third-Party Cookies (DoubleClick cookies) if a website uses GA4 display advertiser features like remarketing.
How long do GA4 cookies last?
Usually, GA4 cookies persist for 2 years. After that, they are deleted for inactivity. Website owners can change the expiration time of Google Analytics 4 manually from the admin panel. CookieScript Cookie Scanner can scan your website for free and show all Google Analytics cookies and other cookies that your website uses.
Do you need cookie consent for Google Analytics?
Yes, you must ask for and get cookie consent while using Google Analytics. Privacy laws laws vary by country. In the European Economic Area (EEA), you must get explicit consent from your users in order to use Google Analytics in compliance with the GDPR. Under the GDPR, cookie consent must be obtained prior to loading of cookies or other trackers. CookieScript CMP can help you to get privacy laws-compliant cookie consent through a cookie banner.
How to add cookie consent to Google Analytics?
The easiest way to add cookie consent to Google Analytics is by using a Google-certified Consent Management Platform (CMP). First, select a Google-certified CMP. Second, create a cookie banner and place it on your website. Third, collect and store cookie consent from users. CookieScript CMP is a Google-certified CMP and is integrated with Google Analytics 4.
How do Google Analytics cookies work?
When a user visits a site with GA4 implemented, first-party cookies are set by the analytics.js library. GA4 collects user data about GA4 events like clicks, scrolls, file downloads, page views, session duration, user preferences, and more. It can also provide additional data like where users come from or if this is the first or returning visit to the website. This data is then aggregated and processed by Google algorithms to generate insights into user behavior and website performance. CookieScript CMP can help you to implement GA4 cookies on your website.
Is Google Analytics legal in Europe?
Yes, Google Analytics 4 (GA4) is legal in Europe. In July 2023, Google switched from Google Analytics to GA4, which is much more privacy-orientated. The European Commission accepted the EU-U.S. Data Privacy Framework and confirms that personal data transferred from the EU to the United States is equally safeguarded. CookieScript CMP can help you to implement GA4 and GA4 cookies on your website.
How does GA4 track across devices?
GA4 uses various methods to enable cross-device tracking: user ID, Google Signals data, client ID, and Device ID. GA4 first tries to identify the user based on his User ID. If this can’t be done, it will start looking for Google Signals data. If a user didn’t sign in to their Google account, GA4 automatically assigns a Client ID to each user. If the user didn’t grant cookie consent for Ads personalization, GA4 will then use a Device ID. CookieScript Cookie Scanner can scan your website for free and show all GA4 cookies and other cookies.