Every time someone loads a page that uses Google Analytics, embeds a YouTube video, or displays a reCAPTCHA widget, Google sets cookies on that visitor's browser. Most website owners know this in the abstract but few realise how many cookies are involved or what each one does.
Google's own cookie policy lists categories from security and authentication to ad measurement and personalisation. A typical site running GA4, a YouTube embed, and Google Ads remarketing will place ten or more Google cookies in a single session. Each falls under a different legal classification, and getting consent wrong is expensive - the French CNIL fined Google EUR 325 million in September 2025 for invalid cookie consent during account creation.
The Main Categories of Google Cookies
Google groups its cookies into five broad functions: preferences, security, analytics, advertising, and personalisation. The cookies appear on your domain (or as third-party cookies from Google's domains) the moment you integrate a Google service.
Preference and Functionality Cookies
The NID and _Secure-ENID cookies store language settings, SafeSearch preferences, and search results count. NID expires six months after a user's last interaction; _Secure-ENID lasts 13 months. On YouTube, PREF remembers playback settings for up to eight months. The SOCS cookie records a user's cookie-consent choice and persists for 13 months.
These cookies look harmless, but NID doubles as an advertising cookie for signed-out users. That dual purpose matters when you categorise cookies in your consent banner - assign the stricter category.
Security and Authentication Cookies
SID and HSID contain digitally signed, encrypted records of a user's Google Account ID and most recent sign-in time. Together they block cross-site request forgery attacks and prevent unauthorised access. Both last two years. AEC checks that requests come from the actual user rather than another site (six months). On YouTube, YSC validates user interactions during a session, while __Secure-YEC detects bot traffic over 13 months.
Security cookies are typically classified as strictly necessary. Under Article 5(3) of the ePrivacy Directive, strictly necessary cookies do not require consent because they are essential for a service the user explicitly requested.
Analytics Cookies
The _ga cookie is the backbone of Google Analytics. It assigns each visitor a random client ID so GA4 can distinguish one user from another, and it persists for two years. The _ga_<container-id> cookie maintains session state. Each _ga cookie is unique to the property, so it cannot track users across unrelated websites.
Despite that, analytics cookies are not strictly necessary. They measure site usage for the owner's benefit, not to deliver a service the visitor requested. Under GDPR and the ePrivacy Directive, setting _ga before consent is unlawful.
Advertising and Measurement Cookies
This is where things get complicated. Google's advertising ecosystem relies on a web of cookies tracking impressions, clicks, conversions, and preferences.
| Cookie | Purpose | Duration |
|---|---|---|
| IDE | Serves and measures personalised ads on non-Google sites | 13 months (EEA/UK), 24 months elsewhere |
| DSID | Links a signed-in user's ad preferences across domains | 2 weeks |
| _gads | Measures ad campaign performance via Google Ads | 13 months |
| _gac_ | Stores campaign information for conversion attribution | 90 days |
| _gcl_ | Tracks Google Ads click conversions | 90 days |
| 1P_JAR | Stores ad-related data from recent interactions | 30 days |
| NID | Shows Google Ads to signed-out users on Google properties | 6 months |
All advertising cookies require explicit, informed consent from visitors in the EU and UK. There is no legitimate-interest shortcut for ad tracking. The IDE cookie is a third-party cookie from doubleclick.net, already blocked by default in Safari and Firefox.
Google's Third-Party Cookie U-Turn
Google originally announced in 2020 that Chrome would phase out third-party cookies entirely. After multiple delays, the company reversed course in July 2024, proposing a user-choice model instead. Then in April 2025, Google scrapped even that plan - Chrome will not introduce a separate consent prompt for third-party cookies. Users can still manage preferences through Chrome's existing privacy settings, but third-party cookies remain enabled by default.
This does not make third-party cookies safe to rely on. Safari's Intelligent Tracking Prevention has blocked all third-party cookies by default since March 2020. Firefox's Total Cookie Protection isolates them per site. Between the two browsers, roughly 25-30% of global web traffic already operates cookie-free for third parties. For CCPA and GDPR compliance, the question is not whether third-party cookies will disappear, but how to handle consent for those that remain.
Google Consent Mode v2: What Website Owners Must Know
Since March 2024, Google has required websites serving ads to or monitoring EU/EEA users to implement Google Consent Mode v2. Without it, Google Ads loses remarketing audiences and conversion tracking for European traffic.
Consent Mode v2 added two parameters: ad_user_data (whether the user consents to sharing data with Google for advertising) and ad_personalization (whether data can be used for remarketing). These join the original analytics_storage and ad_storage parameters.
Two implementation modes are available. Basic Consent Mode blocks all Google tags until the user interacts with your consent banner. Advanced Consent Mode loads tags before the banner and sends cookieless pings when consent is denied, letting Google model conversions from aggregated data. The advanced option recovers more data but sits in a legal grey area - sending pings from non-consented users could be interpreted as tracking without consent.
A consent management platform that supports Consent Mode v2 handles the technical integration - it detects visitor choices, maps them to the four Google parameters, and fires the appropriate gtag('consent', 'update', {...}) call. Without a compatible CMP, you need to implement this manually through Google Tag Manager or gtag.js.
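A manual gtag.js wiring of the four parameters, as an added example that is not code from Google or from any CMP. The shape of the banner's choices object and the function names are assumptions; every parameter starts as denied and is granted only on an explicit `true`.

```javascript
// In a browser, dataLayer and gtag come from the standard gtag.js snippet.
// They are defined on globalThis here so the block also runs under Node.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

const DENIED_BY_DEFAULT = {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};

// Hypothetical banner categories and the Consent Mode parameters each controls.
const CATEGORY_TO_PARAMS = {
  statistics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the update payload from the banner's choices. Anything missing,
// unknown, or not strictly `true` stays denied (fail closed).
function toConsentUpdate(choices) {
  const update = { ...DENIED_BY_DEFAULT };
  for (const [category, params] of Object.entries(CATEGORY_TO_PARAMS)) {
    if (choices && choices[category] === true) {
      for (const p of params) update[p] = 'granted';
    }
  }
  return update;
}

// Must run before any Google tag loads on the page.
function setConsentDefaults() {
  gtag('consent', 'default', DENIED_BY_DEFAULT);
}

// Call from the banner's save handler with the visitor's choices.
function applyBannerChoice(choices) {
  const update = toConsentUpdate(choices);
  gtag('consent', 'update', update);
  return update;
}

setConsentDefaults();
applyBannerChoice({ statistics: true, marketing: false }); // constructed sample choice
```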
CNIL's EUR 325 Million Fine: Lessons for Every Website
On 1 September 2025, the CNIL fined Google EUR 325 million for two violations. Google displayed promotional emails in Gmail's Promotions and Social tabs without consent, and during account creation, users were nudged toward accepting personalised advertising cookies through asymmetric design - bright accept buttons, muted refuse options.
The consent obtained was neither free nor informed, the CNIL ruled. Even after Google added an equally prominent refuse button in October 2023, the lack of transparency about the purpose of cookies persisted. Google's cookie-related CNIL fines have escalated from EUR 100 million in 2020 to EUR 150 million in 2021 to EUR 325 million in 2025 - regulators treat prior violations as an aggravating factor.
The case also confirmed that cookie enforcement falls under national ePrivacy laws, not the GDPR's one-stop-shop mechanism. The CNIL can investigate any company whose cookies affect French users, regardless of EU headquarters. A 2024 study from Karlsruhe Institute of Technology found that 72% of websites use at least one dark pattern in their consent interface. If your accept button is more prominent than your refuse option, regulators can declare all consent collected through that banner invalid.
How to Audit Google Cookies on Your Website
Start by running a cookie scan. A scanner crawls your pages, loads all scripts, and records every cookie set during the session. Pay attention to cookies from google.com, doubleclick.net, youtube.com, google-analytics.com, and googletagmanager.com. Each needs to be disclosed in your cookie policy and properly categorised in your consent banner.
Check whether any Google cookies fire before consent is granted. Open your site in a fresh incognito window, do not interact with the cookie banner, and inspect the cookies stored. If you see _ga, IDE, or any advertising cookie already present, your banner configuration has a problem.
Categorising Google Cookies Correctly
Miscategorisation is one of the most common compliance mistakes. A cookie like NID might appear to be a simple preference cookie, but because Google also uses it for ad targeting, it belongs in the advertising category. When in doubt, assign the stricter classification.
Strictly necessary cookies - SID, HSID, AEC for authentication and security - do not require consent. Analytics cookies like _ga fall into the statistics category. Advertising cookies like IDE, _gads, and _gcl_ belong in marketing. Functional cookies like PREF sit in the preferences tier.
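The pre-consent check and the categorisation above can be combined into one audit step. This is an added example, not part of the original article or any scanner's code: it takes a list of cookies exported from a fresh session before the banner is touched (the record shape and sample data are constructed) and reports every Google cookie that needed consent. Cookie names are the ones listed in this article.

```javascript
// Categories follow the article; NID gets the stricter (marketing) class.
const RULES = [
  { re: /^(SID|HSID|AEC)$/, category: 'necessary' },
  { re: /^PREF$/, category: 'preferences' },
  { re: /^_ga(_.+)?$/, category: 'statistics' },   // _ga and _ga_<container-id>
  { re: /^(IDE|DSID|NID|1P_JAR|_gads)$/, category: 'marketing' },
  { re: /^_(gac|gcl)_/, category: 'marketing' },   // prefix-named cookies
];

function categorise(name) {
  const rule = RULES.find((r) => r.re.test(name));
  return rule ? rule.category : 'unknown';
}

// Everything except strictly necessary cookies needs prior consent, so any
// such cookie present before the banner is answered is a violation.
// Unrecognised names are returned separately for manual review.
function auditPreConsent(cookies) {
  const report = { violations: [], unknown: [] };
  for (const { name, domain } of cookies) {
    const category = categorise(name);
    if (category === 'unknown') report.unknown.push(name);
    else if (category !== 'necessary') report.violations.push({ name, domain, category });
  }
  return report;
}

// Constructed sample: cookies seen in an incognito window, banner untouched.
const SAMPLE = [
  { name: 'AEC', domain: '.google.com' },
  { name: '_ga', domain: '.example.com' },
  { name: '_ga_ABC123XYZ', domain: '.example.com' },
  { name: 'IDE', domain: '.doubleclick.net' },
  { name: 'NID', domain: '.google.com' },
  { name: 'session_id', domain: 'example.com' },
];

const sampleReport = auditPreConsent(SAMPLE);
for (const v of sampleReport.violations) {
  console.log(`pre-consent ${v.category} cookie: ${v.name} (${v.domain})`);
}
```

Feed it an export from the browser's storage inspector or a scanner rather than `document.cookie`, which does not expose HttpOnly or third-party cookies such as IDE.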
Reducing Your Google Cookie Footprint
You do not have to accept every cookie Google's services want to set.
Replace standard YouTube embeds with privacy-enhanced mode (youtube-nocookie.com), which delays cookie setting until the visitor plays the video. Use Google Tag Manager's consent-aware tags so scripts only fire after consent. Consider server-side tagging for GA4, which moves data collection to your own server. If you run Google Ads, implement Enhanced Conversions alongside Consent Mode v2 - it sends hashed first-party data to Google for conversion matching when cookies are blocked.
Frequently Asked Questions
Which Google cookies are strictly necessary and do not require consent?
Security and authentication cookies like SID, HSID, and AEC are generally considered strictly necessary when they protect a service the user explicitly requested, such as signed-in sessions. Analytics, advertising, and preference cookies always require consent under the ePrivacy Directive.
Does Google Analytics 4 still use cookies?
Yes. GA4 relies on the _ga cookie (lasting two years) and the _ga_<container-id> cookie to distinguish visitors and maintain sessions. These are first-party cookies set on your domain, but they still require consent because they serve an analytics purpose rather than a service the visitor requested.
What happens if I do not implement Google Consent Mode v2?
Without Consent Mode v2, Google Ads cannot use remarketing audiences or track conversions for visitors from the EU and EEA. You lose access to ad personalisation features and conversion modelling, which can significantly reduce campaign effectiveness for European traffic.
Can I use legitimate interest instead of consent for Google Analytics cookies?
No. Article 5(3) of the ePrivacy Directive requires consent for storing or accessing information on a user's device unless the cookie is strictly necessary. Analytics cookies do not meet the strictly necessary exemption, so consent is the only lawful basis - regardless of what the GDPR might allow for the subsequent data processing.
Are Google cookies blocked in Safari and Firefox?
Safari blocks all third-party cookies by default through Intelligent Tracking Prevention (ITP) and caps JavaScript-set first-party cookies at seven days. Firefox isolates third-party cookies per site through Total Cookie Protection. First-party Google cookies like _ga still work in both browsers, but third-party cookies from doubleclick.net or google.com are blocked.
How often should I scan my website for Google cookies?
Run a scan after every change to your site's scripts, plugins, or embedded content, and at least once a quarter as a routine check. A new WordPress plugin, a freshly embedded Google Map, or an updated YouTube embed can introduce cookies you did not anticipate.
Keep Your Cookie Consent Accurate
Google's cookie ecosystem shifts frequently - new cookies appear, old ones get renamed, and consent requirements tighten with each enforcement action. Kukie.io detects Google cookies automatically, maps them to the correct categories, and integrates with Google Consent Mode v2 so your tags respond to visitor choices in real time.