Google Ads Cookies at a Glance
Every time someone clicks a Google ad and lands on your website, Google's advertising tags write cookies to that visitor's browser. Those cookies record which ad was clicked, when, and whether the visitor later completed a purchase, sign-up, or other conversion.
These are Google Ads cookies - small text files that connect ad clicks to on-site behaviour. They power conversion tracking, remarketing lists, frequency capping, and click-fraud detection. Without them, Google Ads would have no way to report which campaigns actually drove results.
Under GDPR, the ePrivacy Directive, and comparable laws in other regions, advertising cookies require informed, prior consent before they are placed. Get this wrong and you face both regulatory fines and the loss of your Google Ads data - a double hit that became very real in July 2025.
Which Cookies Does Google Ads Actually Set?
Google Ads uses a family of first-party and third-party cookies, each with a distinct role.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
_gcl_aw | First-party | Stores the Google Click Identifier (gclid) after an ad click. Used by the conversion linker to attribute conversions. | 90 days |
_gcl_au | First-party | Stores a unique experiment ID and timestamp for conversion tracking. | 90 days |
_gcl_dc | First-party | Used by the conversion linker for DoubleClick/Display & Video 360 click information. | 90 days |
_gac_<property-id> | First-party | Set by Google Analytics when linked to Google Ads. Records campaign data for attribution. | 90 days |
IDE | Third-party (doubleclick.net) | Serves and personalises display ads across non-Google sites. | 13 months (EEA/UK), 24 months elsewhere |
NID | Third-party (google.com) | Stores preferences and personalises ads on Google properties. | 6 months |
DSID | Third-party | Identifies a signed-in user on non-Google sites so their ad personalisation settings are respected. | 2 weeks |
_gads | First-party | Enables sites running AdSense or Ad Manager to display and measure ads. | 13 months |
All _gcl_ cookies are first-party cookies set on your domain. IDE, NID, and DSID are third-party cookies set on Google's domains. Both types fall into the advertising cookie category, and neither qualifies as strictly necessary under the ePrivacy Directive's Article 5(3) exemption.
Alongside cookies, Google Ads appends URL parameters when auto-tagging is enabled. The gclid (Google Click Identifier) is stored inside the _gcl_aw cookie after a user lands on your site. Two newer parameters - gbraid and wbraid - serve a similar function for iOS traffic where Apple's privacy restrictions limit cross-app tracking.
Why These Cookies Need Consent
The valid consent requirement comes from two overlapping sources. Article 5(3) of the ePrivacy Directive requires prior consent before placing any cookie that is not strictly necessary. GDPR Articles 6 and 7 govern the lawful processing of the personal data those cookies collect.
Google Ads cookies exist to measure advertising performance and build remarketing audiences. A visitor who clicks an ad requested a product page - not conversion tracking. Pre-ticked boxes, implied consent, and continued browsing do not qualify. The CJEU made this explicit in the Planet49 ruling (Case C-673/17, 2019).
The CNIL's September 2025 Fine Against Google
On 1 September 2025, the CNIL fined Google 325 million euros for two cookie-related breaches. The first concerned advertising cookies set during Google account creation without valid consent - users needed six clicks to refuse personalised ad cookies but only two to accept. The second concerned Gmail advertisements displayed without consent, classified as direct marketing by email under French law.
The fine affected over 74 million French accounts. Google had already been fined by the CNIL in 2020 (100 million euros) and 2021 (150 million euros) for similar violations, and the repeat offences were treated as an aggravating factor. Regulators are issuing increasingly large fines against companies that treat advertising cookie consent as optional.
Google Consent Mode v2 and the July 2025 Enforcement
Google Consent Mode v2 adjusts how Google tags behave depending on a user's consent choices. It reads four signals from your consent management platform: ad_storage, ad_user_data, ad_personalization, and analytics_storage.
On 21 July 2025, Google began disabling conversion tracking, remarketing, and demographic reporting for EEA and UK traffic on sites without Consent Mode v2. Advertisers reported overnight drops of 90-95% in tracked conversions. Data lost during non-compliant periods cannot be backfilled.
Having a cookie banner alone is not enough. The banner must integrate with a Google-certified CMP that sends the correct signals through the IAB TCF. If your CMP does not pass the four parameters to Google's tags, Google treats your traffic as non-compliant.
There are two implementation approaches. Basic Consent Mode blocks all Google tags until consent is granted - simple and safe, but you lose all data from visitors who decline. Advanced Consent Mode loads tags immediately but sends anonymised, cookieless pings when consent is denied, enabling Google's conversion modelling to recover an estimated 15-25% of otherwise lost data. The trade-off is legal complexity, since some privacy professionals argue that even cookieless pings constitute data collection requiring a legal basis.
Third-Party Cookies in Chrome: The Current State
In April 2025, Google confirmed it would not introduce a standalone user-choice prompt for third-party cookies in Chrome. Then in October 2025, Google retired much of its Privacy Sandbox API programme. Third-party cookies remain functional in Chrome for users who have not manually blocked them, while Safari and Firefox continue to block them by default.
Third-party Google Ads cookies like IDE and NID still work for Chrome visitors but are already blocked for a significant share of traffic on other browsers. First-party cookies (_gcl_aw, _gcl_au) are more durable because they sit on your domain, but they still require consent. A cookieless advertising strategy is worth planning regardless.
Compliance Beyond the EU
Under the CCPA and CPRA, advertising cookies constitute a "sale" or "sharing" of personal information. Website owners must honour opt-out requests and display a "Do Not Sell or Share My Personal Information" link. Brazil's LGPD requires consent as the most common legal basis for advertising cookies. Canada's PIPEDA requires meaningful consent and transparency. The UK GDPR and PECR mirror the EU framework, requiring prior consent for non-essential cookies.
How to Handle Google Ads Cookies on Your Website
Audit Your Cookies
Run a free cookie scan to identify every cookie your site places, including all _gcl_ variants and any third-party Google cookies loaded through iframes or embedded content. Do not assume you know what your tags set - configuration drift is common.
Implement a CMP With Consent Mode v2
Choose a consent management platform that is Google-certified and integrated with the IAB TCF. The CMP must pass all four Consent Mode v2 parameters to your Google tags. Without these signals, conversion tracking is blocked for EEA and UK visitors.
Classify and Document Correctly
All _gcl_ and _gac_ cookies belong in the advertising category - not analytics, and not functional cookies. Keep your cookie policy updated with specific cookie names, purposes, and durations. Review quarterly, as Google regularly changes cookie names and behaviours without notice.
Frequently Asked Questions
Do Google Ads cookies count as strictly necessary?
No. Strictly necessary cookies are limited to those essential for delivering a service the user explicitly requested. Advertising cookies like _gcl_aw and IDE serve the advertiser's measurement needs, not the visitor's request. They always require consent under the ePrivacy Directive.
What happens when running Google Ads without Consent Mode v2?
Since July 2025, Google disables conversion tracking, remarketing, and demographic reporting for EEA and UK traffic on non-compliant sites. Smart Bidding strategies optimise on incomplete data, and the data lost during non-compliant periods cannot be recovered.
Is Consent Mode v2 a legal requirement?
Consent Mode v2 is a Google policy requirement, not a legal one. GDPR does not mandate any specific technical standard. However, Google enforces it as a condition of using its advertising products for EEA and UK traffic, so the practical impact is comparable.
How long do Google Ads cookies last?
Most first-party cookies (_gcl_aw, _gcl_au, _gac_) expire after 90 days. The third-party IDE cookie lasts 13 months in the EEA and UK, and 24 months elsewhere. NID expires 6 months after last use. _gads persists for 13 months.
Is consent needed for Google Ads cookies under the CCPA?
The CCPA uses an opt-out model. Prior consent is not required, but you must honour opt-out requests and provide a "Do Not Sell or Share My Personal Information" link. Google Ads remarketing cookies qualify as "sharing" for cross-context behavioural advertising.
Is it possible to use Google Ads without any cookies at all?
Not entirely. Enhanced Conversions can reduce reliance on cookies by sending hashed first-party data to Google. Advanced Consent Mode sends cookieless pings for modelling. But remarketing and detailed conversion paths still depend on cookies for consenting users.
What is the difference between _gcl_aw and _gac cookies?
_gcl_aw is set by Google's conversion linker tag and stores the gclid from an ad click. _gac_ is set by Google Analytics when linked to Google Ads and records campaign data for GA4 reports. Both last 90 days but originate from different tags.
Take Control of Your Cookie Compliance
If you are running Google Ads and targeting visitors in the EU or UK, Consent Mode v2 compliance is no longer optional. Kukie.io detects, categorises, and manages every cookie on your site, including the full family of Google Ads cookies, and integrates with Consent Mode v2 out of the box.
