Google Gemini - the AI assistant formerly known as Bard - sits inside one of the largest cookie ecosystems on the web. Every time a visitor interacts with Gemini at gemini.google.com, or when your website embeds Google services that power Gemini integrations, a set of cookies lands in the browser. Some keep the session alive. Others feed advertising profiles that persist for up to two years.

For website owners, the question is not just "what cookies does Gemini set?" but "what do those cookies mean for my compliance obligations?"

How Google Gemini Uses Cookies

Gemini does not operate in isolation. It shares Google's broader cookie infrastructure, which means interacting with Gemini triggers the same cookie families used across Google Search, YouTube, Google Ads, and Chrome. Google's own privacy documentation groups these into four categories: security, functionality, analytics, and advertising.

When a user signs into Gemini, cookies like SID and HSID authenticate the session. These contain digitally signed, encrypted records of the user's Google Account ID and most recent sign-in time, persisting for two years. Google uses them to block attacks such as form-hijacking and cross-site request forgery.

Preference cookies such as NID and _Secure-ENID remember language settings, SafeSearch filters, and display preferences. The NID cookie expires six months after the user's last interaction; _Secure-ENID lasts 13 months. A cookie called SOCS records the user's cookie consent choice itself, also persisting for 13 months.

The Full Cookie Stack Behind Gemini

Because Gemini is a Google service, it inherits cookies from across the Google ecosystem. Here is a breakdown of the most common cookies a visitor's browser may receive when using Gemini or when your site loads related Google services.

| Cookie | Purpose | Category | Duration |
| --- | --- | --- | --- |
| SID, HSID | Authentication and CSRF protection | Strictly necessary | 2 years |
| __Secure-1PSID, __Secure-1PSIDTS | Session authentication for Gemini | Strictly necessary | 2 years |
| NID, _Secure-ENID | Preferences (language, SafeSearch) | Functional | 6-13 months |
| SOCS | Records cookie consent choice | Strictly necessary | 13 months |
| AEC | Validates that requests originate from the user | Security | 6 months |
| _ga, _ga_* | Google Analytics visitor distinction | Analytics | 2 years |
| IDE, id | Advertising on non-Google sites | Marketing | 13-24 months |
| DSID | Links ad preferences for signed-in users | Marketing | 2 weeks |
| pm_sess, YSC | Anti-spam and session validation | Security | Session - 30 min |

The __Secure-1PSID and __Secure-1PSIDTS cookies are specific to the Gemini web app. They authenticate the user's session and are essential for the service to function. Without them, Gemini cannot recognise who is making a request.

The advertising cookies tell a different story. IDE is used to personalise ads on non-Google sites when the user has ad personalisation enabled. In the EEA, Switzerland, and the UK, this cookie lasts 13 months; elsewhere, it persists for 24 months. If a user has disabled personalised ads, the id cookie remembers that opt-out preference instead.

Gemini's Data Collection Beyond Cookies

Cookies are just one layer. Google's Gemini Apps Privacy Hub states that the platform also collects conversation content (prompts and responses), device information, interaction logs, and location data derived from IP addresses.

Human reviewers at Google may examine a subset of Gemini conversations to improve model quality. Those reviewed conversations are retained for up to three years, disconnected from the user's Google Account. Even if a user deletes their Gemini activity, conversations flagged for review remain in Google's systems. The default auto-delete period for Gemini activity is 18 months, though users can adjust this to 3 or 36 months.

What This Means Under GDPR and the ePrivacy Directive

The legal framework is straightforward in principle but messy in practice. Article 5(3) of the ePrivacy Directive requires prior, informed consent before storing or accessing information on a user's device - unless the cookie is strictly necessary to provide a service the user has explicitly requested. GDPR Article 7 then sets the bar for what counts as valid consent: freely given, specific, informed, and unambiguous.

Authentication cookies like SID and HSID arguably fall under the "strictly necessary" exemption when a user has actively signed into Gemini. The user requested the service; these cookies deliver it. But preference cookies like NID occupy greyer territory. A language preference could be considered necessary for delivering the requested page, or it could be viewed as an optional enhancement that requires consent.

Analytics and advertising cookies - _ga, IDE, DSID - unambiguously require consent. The French CNIL has been particularly aggressive on this point. In 2024, the CNIL penalised 11 organisations specifically for making cookie refusal harder than acceptance. Between December 2022 and December 2024, the authority issued combined fines exceeding 139 million euros for breaches of Article 5(3) of the ePrivacy Directive, all related to cookie consent practices.

How Gemini Cookies Reach Your Website

Your site does not need to embed Gemini directly for Google's cookie ecosystem to affect visitors. If your site uses Google Analytics, Google Ads, YouTube embeds, Google Tag Manager, or Google Consent Mode, some of these cookies will be present. The _ga cookie appears on every site running Google Analytics. YouTube embeds can set VISITOR_INFO1_LIVE, YSC, and advertising cookies from the doubleclick.net domain.

The practical risk is this: you are the data controller for cookies set on your domain, even if a third-party service placed them. If Google Analytics drops a _ga cookie before your visitor gives consent, the compliance failure sits with you.

Google Consent Mode v2, made mandatory for European advertisers in March 2024, attempts to bridge this gap. It uses four parameters - analytics_storage, ad_storage, ad_user_data, and ad_personalization - to control whether tags fire based on the user's consent state. When consent is denied, Google uses conversion modelling to estimate metrics from aggregate signals. But implementation errors are common, with many deployments defaulting parameters to "granted" before users make a choice.

Google's Reversal on Third-Party Cookie Deprecation

Google originally planned to phase out third-party cookies in Chrome by 2025, but reversed course in July 2024. Instead of removing them, Chrome now offers a user-choice model that lets individuals decide whether to allow or block tracking cookies across their browsing.

This matters because third-party Google cookies - including advertising identifiers like IDE - continue to function in Chrome, which holds roughly 67% of global browser market share. Safari and Firefox already block most third-party cookies by default, but the majority of web users still encounter Google's full advertising cookie stack.

Managing Gemini Cookies on Your Site

If your website uses any Google services, you need a consent management platform that correctly categorises and controls these cookies. Here is a practical approach:

Audit your cookies first. Run a cookie scan to identify every Google cookie present on your site. You may find cookies you did not know about - YouTube embeds and Google Fonts can both introduce tracking cookies without obvious configuration.

Categorise correctly. Do not lump all Google cookies into a single "analytics" bucket. Authentication cookies are strictly necessary; preference cookies are functional; analytics and advertising cookies require prior consent. Misclassifying marketing cookies as functional is a growing target for regulators.

Block before consent. Under GDPR consent rules, non-essential cookies must not be set before the user makes an active choice. Your tag manager or CMP must prevent Google Analytics, Google Ads tags, and advertising scripts from firing until consent is granted. Pre-ticked boxes and "by using this site you agree" banners do not constitute valid consent.

Implement Consent Mode properly. If you rely on Google's advertising tools, configure Consent Mode v2 with all four parameters defaulting to "denied" for EEA, UK, and Swiss visitors. Only switch to "granted" after the user actively accepts the relevant cookie category.
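
The Consent Mode v2 setup from this step, together with the "granted by default" error described in the earlier section on how Google cookies reach your site, as an added example (not code from Google or from this article). It denies all four parameters for every visitor rather than only EEA, UK and Swiss ones, and the function names and the shape of the CMP choice object are assumptions.

```javascript
// Added example: Consent Mode v2 defaults plus a dataLayer audit.
// Runs in a browser or in Node; globalThis stands in for window.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); } // usual gtag shim

const CONSENT_KEYS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Call before any Google tag loads: everything stays denied until the visitor chooses.
function setDeniedDefaults() {
  const defaults = {};
  for (const key of CONSENT_KEYS) defaults[key] = 'denied';
  gtag('consent', 'default', defaults);
}

// Hypothetical CMP callback: `choice` is { analytics: boolean, marketing: boolean }.
function applyUserChoice(choice) {
  const state = (ok) => (ok ? 'granted' : 'denied');
  gtag('consent', 'update', {
    analytics_storage: state(choice.analytics),
    ad_storage: state(choice.marketing),
    ad_user_data: state(choice.marketing),
    ad_personalization: state(choice.marketing),
  });
}

// Audit: report every 'default' value that is not "denied" and every parameter left unset.
function auditConsentDefaults(layer) {
  const problems = [];
  const seen = new Set();
  for (const entry of layer) {
    const [cmd, action, params] = Array.from(entry); // plain GTM event objects yield []
    if (cmd !== 'consent' || action !== 'default' || !params) continue;
    for (const key of CONSENT_KEYS) {
      if (!(key in params)) continue;
      seen.add(key);
      if (params[key] !== 'denied') problems.push(`${key} defaults to "${params[key]}"`);
    }
  }
  for (const key of CONSENT_KEYS) {
    if (!seen.has(key)) problems.push(`${key} has no default`);
  }
  return problems;
}

// Constructed sample of the misconfiguration: one parameter granted, two never set.
const sampleBadLayer = [['consent', 'default', { analytics_storage: 'granted', ad_storage: 'denied' }]];
console.log(auditConsentDefaults(sampleBadLayer));
```

In a browser, run auditConsentDefaults(window.dataLayer) from the console on a fresh visit, before interacting with the banner, to check what the page actually pushed.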

Gemini in the Workplace: Different Rules Apply

Google Workspace customers who use Gemini through Gmail, Docs, or Sheets operate under different data handling terms. Google's documentation states that Workspace Gemini conversations are not reviewed by human reviewers and are not used for model training without permission. The Cloud Data Processing Addendum governs this data, not the consumer Gemini Apps Privacy Notice.

This distinction matters. Workspace Gemini falls under your existing controller-processor agreements with Google Cloud, while consumer-facing Google cookies on your website fall under ePrivacy Directive consent requirements.

Frequently Asked Questions

Does Google Gemini set cookies in my browser?

Yes. Gemini uses Google's standard cookie infrastructure, including authentication cookies (SID, HSID, __Secure-1PSID), preference cookies (NID, _Secure-ENID), and potentially analytics and advertising cookies depending on the user's settings.

Do I need consent before Google Gemini cookies are set on my website?

If your website uses Google services that share Gemini's cookie ecosystem (Google Analytics, Google Ads, YouTube embeds), you need prior consent for any non-essential cookies under GDPR Article 7 and Article 5(3) of the ePrivacy Directive. Strictly necessary authentication cookies may be exempt, but analytics and advertising cookies always require consent.

How long do Google Gemini cookies last?

It varies by cookie. Authentication cookies like SID persist for two years. Preference cookies last 6-13 months. Advertising cookies like IDE last 13 months in the EEA and UK, or 24 months elsewhere. Session cookies like YSC expire when the browser closes.

Can Google human reviewers see my Gemini conversations?

Yes. Google states that a subset of Gemini conversations are reviewed by human reviewers to improve service quality. Reviewed conversations are retained for up to three years, even if the user deletes their activity. Google advises users not to enter confidential information.

Does Google Consent Mode v2 handle Gemini-related cookies automatically?

Consent Mode v2 controls whether Google Analytics and Google Ads tags fire based on the user's consent state. It does not manage all Google cookies automatically - you still need a consent management platform to block scripts before consent is given and to categorise cookies correctly.

Are Gemini cookies affected by Safari and Firefox tracking protections?

Third-party Google cookies (such as those from doubleclick.net) are blocked by default in Safari and Firefox. First-party cookies set via JavaScript, like _ga, may have their expiry capped to seven days by Safari's Intelligent Tracking Prevention. Chrome continues to support third-party cookies under a user-choice model.

What is the difference between Gemini cookies for consumers and Workspace users?

Consumer Gemini conversations may be reviewed by human reviewers and used for model training. Workspace Gemini is governed by the Cloud Data Processing Addendum, meaning conversations are not used for model training or reviewed by humans without permission. The cookie types may overlap, but the data handling rules differ significantly.

Get Ahead of Your Cookie Compliance

If your site relies on any Google service - Analytics, Ads, YouTube, or Tag Manager - Gemini's cookie ecosystem is already part of your compliance picture. Kukie.io scans your website, identifies every Google cookie, categorises them correctly, and gives your visitors a clear, lawful choice before any non-essential tracking begins.
