Analytics cookies are small text files stored in a visitor's browser that record how they interact with your website. They track page views, session duration, traffic sources, and similar behavioural data. Unlike strictly necessary cookies that keep a site functioning, analytics cookies exist to help site owners understand their audience - and that distinction is what makes them legally sensitive.

What Do Analytics Cookies Actually Do?

Every time someone visits your site, analytics cookies assign them a unique identifier so the analytics platform can distinguish one visitor from another. That identifier persists across pages and sessions, building a picture of how each person navigates your site over time.

The data typically includes which pages were viewed and in what order, time spent on each page, the referring source, the visitor's device type and browser, geographic location based on IP address, and interactions like button clicks or form submissions. None of this is needed for the website to work. A visitor who refuses analytics cookies will experience your site identically to one who accepts them. Because analytics cookies are not strictly necessary, privacy laws across the EU, UK, Brazil, and beyond classify them as non-essential and require consent before they load.

Common Analytics Cookies and What They Track

Google Analytics 4 (GA4) is the most widely deployed analytics platform, and it sets first-party cookies on every site that uses it. The main ones are _ga, which stores a unique client ID and persists for up to 400 days in Chrome (though Safari caps JavaScript-set cookies at 7 days), and _ga_<container-id>, which maintains session state. Older implementations may also set _gid (a 24-hour identifier) and _gat (a throttling cookie).

GA4 is not the only source of analytics cookies. Other common examples include:

| Cookie | Platform | Purpose | Typical Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes unique users across sessions | 400 days (Chrome) / 7 days (Safari) |
| _ga_<id> | Google Analytics 4 | Persists session state and event data | 400 days (Chrome) / 7 days (Safari) |
| _gid | Google Analytics 4 | Short-term user distinction within 24 hours | 24 hours |
| _pk_id | Matomo | Stores unique visitor ID | 13 months |
| _pk_ses | Matomo | Tracks active session | 30 minutes |
| _hj_* | Hotjar | Session recordings, heatmaps, polls | Varies (session to 365 days) |
| _clck / _clsk | Microsoft Clarity | Session replay and heatmap data | 1 year / 1 day |

All of these are classified as non-essential. Even though GA4 sets first-party cookies (from your domain rather than google.com), the data is transmitted to Google's servers. Regulators treat this as third-party data sharing, which is why analytics cookies receive the same scrutiny as third-party tracking.

Why Analytics Cookies Require Consent Under GDPR

Two regulations work together to govern analytics cookies in the EU. The ePrivacy Directive (Article 5(3)) establishes the rule: storing or accessing information on a user's device requires prior consent, unless the cookie is strictly necessary for delivering a service the user explicitly requested. The GDPR then defines what valid consent looks like - it must be freely given, specific, informed, and unambiguous (Article 7).

Analytics cookies fail the ePrivacy Directive's necessity test. A visitor requests a web page, not a visitor-counting service. Since measuring audience behaviour is the site owner's interest rather than the visitor's request, consent is required before any analytics cookie hits the browser.

Can you rely on legitimate interest instead of consent? The current enforcement position is clear: no. The EDPB and national DPAs have consistently held that legitimate interest cannot justify non-essential cookies. The French CNIL issued fines totalling 486 million euros in 2025 for cookie violations alone - including 325 million euros against Google and 150 million euros against Shein in September 2025, both for failures around consent.

The CNIL's Audience Measurement Exemption

There is one narrow exception. The French CNIL recognises that certain analytics cookies can qualify for a consent exemption if they are first-party only, produce purely anonymous aggregate statistics, are not cross-referenced with other processing, and have lifetimes capped at 13 months. Standard Google Analytics does not meet these criteria. Tools like Matomo can be configured to qualify, and the CNIL maintains a validated list of compliant solutions.

Browser Restrictions That Affect Analytics Cookies

Even when visitors do consent, browser-level restrictions can undermine your analytics data. Safari's Intelligent Tracking Prevention (ITP) caps all cookies set via JavaScript to a maximum of 7 days. Since GA4 sets its cookies through JavaScript, the _ga cookie that is supposed to persist for two years actually expires after 7 days in Safari if the visitor does not return. Worse, if the visitor arrived via a link with tracking parameters like fbclid or gclid, Safari reduces the cookie lifetime to just 24 hours.

Chrome allows first-party cookies up to 400 days, but Firefox applies its own restrictions through Enhanced Tracking Protection (ETP). With Safari holding roughly 24% of browser market share, one in four visitors may appear as new users every week - even if they consented to tracking. Server-set cookies (delivered via HTTP Set-Cookie headers rather than JavaScript) can bypass Safari's 7-day cap, provided the server's IP address matches the website's domain IP. This is driving adoption of server-side tracking, though it adds complexity and does not remove the consent obligation.

How Google Consent Mode Interacts with Analytics Cookies

Google Consent Mode v2 communicates visitor consent choices to Google's tags using four parameters: analytics_storage, ad_storage, ad_user_data, and ad_personalization. When analytics_storage is set to denied, GA4 does not write cookies. In Advanced mode, it sends cookieless pings - anonymous, non-identifying signals - that Google uses for conversion modelling.
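The consent signalling described above, as an added example that is not code from this page or from Google: all four parameters default to denied, and a visitor's category choices are translated into a `gtag('consent', 'update', ...)` call. The category names `analytics` and `marketing` and their mapping to the four parameters are assumptions about how a CMP groups cookies.

```javascript
// dataLayer stand-in so the block runs in a browser and under Node alike.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // the usual gtag shim

const CONSENT_KEYS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Assumed CMP categories (hypothetical names) -> Consent Mode v2 parameters.
const CATEGORY_MAP = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function denyAll() {
  return Object.fromEntries(CONSENT_KEYS.map((key) => [key, 'denied']));
}

// Build the full state from a visitor's choices. Only an explicit boolean true
// grants a category; missing, null or string values stay denied.
function consentState(choices = {}) {
  const state = denyAll();
  for (const [category, keys] of Object.entries(CATEGORY_MAP)) {
    if (choices[category] === true) {
      for (const key of keys) state[key] = 'granted';
    }
  }
  return state;
}

// Must run before any Google tag loads, so nothing is written pre-consent.
function setDefaultConsent() {
  const state = denyAll();
  gtag('consent', 'default', state);
  return state;
}

// Called from the banner's save handler with the visitor's category choices.
function applyChoices(choices) {
  const state = consentState(choices);
  gtag('consent', 'update', state);
  return state;
}

setDefaultConsent();
// Constructed sample: visitor accepts analytics and rejects marketing.
console.log(applyChoices({ analytics: true, marketing: false }));
```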

That modelling is not a free pass. It estimates the behaviour of non-consenting visitors based on patterns observed among consenting ones, but it requires minimum traffic thresholds to activate. Whether Advanced Consent Mode's cookieless pings are themselves compliant under GDPR remains a legal grey area - some privacy professionals argue that sending any data from users who declined tracking contradicts the spirit of their refusal.

Analytics Cookies Under Other Privacy Laws

Outside the EU, the consent requirements for analytics cookies vary considerably.

| Jurisdiction | Law | Consent Model for Analytics Cookies |
|---|---|---|
| EU / EEA | GDPR + ePrivacy Directive | Opt-in (prior consent required) |
| United Kingdom | UK GDPR + PECR | Opt-in (prior consent required) |
| Germany | DSGVO + TTDSG | Opt-in (prior consent required) |
| California (US) | CCPA / CPRA | Opt-out (disclose and allow refusal) |
| Brazil | LGPD | Opt-in consent required |
| Canada | PIPEDA + CASL | Implied or express consent depending on sensitivity |
| South Africa | POPIA | Opt-in for non-essential processing |

The UK's Data Use and Access Act (2025) introduced five narrow cookie exemptions, but analytics cookies that track individual behaviour were not among them. The California approach differs fundamentally: CCPA/CPRA operates on an opt-out basis, so analytics cookies can load by default as long as the site discloses their use and provides a refusal mechanism.

How to Handle Analytics Cookies on Your Website

Getting analytics cookies right involves three practical steps: scanning, blocking, and documenting.

1. Identify Every Analytics Cookie Your Site Sets

Run a cookie scan to catalogue every cookie your site places. Pay attention to cookies set by third-party scripts you may have forgotten about - an embedded YouTube video, a chat widget, or an A/B testing tool can all drop analytics cookies. Schedule regular scans because cookies change every time you add a plugin or integrate a new tool.

2. Block Analytics Cookies Until Consent Is Given

A consent management platform should prevent analytics scripts from executing until the visitor actively opts in. Displaying a banner while cookies fire in the background is the most common compliance failure - and exactly the behaviour that drew the CNIL's record fines in 2025. Your CMP must support granular category-level consent, allowing visitors to accept analytics while rejecting marketing cookies, and it must integrate with Google Consent Mode v2 to communicate those choices to GA4.

3. Maintain a Cookie Declaration

List every cookie in your cookie policy with its name, purpose, duration, and any third parties involved. Generic descriptions like "improves your experience" are not sufficient - the CNIL has specifically targeted vague labels during enforcement. State clearly that _ga assigns a unique identifier and sends data to Google's servers.
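One way to check the three steps above in a single pass, as an added example that is not part of the original page or any vendor's tooling: it audits a cookie snapshot taken before the visitor touches the banner and returns declaration-ready entries for each analytics cookie found. The catalogue comes from the table on this page; the function names, the regexes (which also accept suffixed names) and the sample snapshot are constructed assumptions.

```javascript
// Cookie catalogue built from the table on this page. The regexes are assumptions:
// they also accept suffixed names (e.g. "_pk_id.1.9f2c") as a scan may report them.
const CATALOGUE = [
  [/^_ga$/, 'Google Analytics 4', 'Distinguishes unique users across sessions', '400 days (Chrome) / 7 days (Safari)'],
  [/^_ga_.+/, 'Google Analytics 4', 'Persists session state and event data', '400 days (Chrome) / 7 days (Safari)'],
  [/^_gid$/, 'Google Analytics 4', 'Short-term user distinction within 24 hours', '24 hours'],
  [/^_pk_id(\.|$)/, 'Matomo', 'Stores unique visitor ID', '13 months'],
  [/^_pk_ses(\.|$)/, 'Matomo', 'Tracks active session', '30 minutes'],
  [/^_hj/, 'Hotjar', 'Session recordings, heatmaps, polls', 'Varies (session to 365 days)'],
  [/^_clck$/, 'Microsoft Clarity', 'Session replay and heatmap data', '1 year'],
  [/^_clsk$/, 'Microsoft Clarity', 'Session replay and heatmap data', '1 day'],
];

// Extract cookie names from a document.cookie / Cookie-header style string.
function parseCookieNames(cookieString) {
  return cookieString.split(';').map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf('='); // values may themselves contain '='
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Return a declaration entry (name, platform, purpose, duration) or null.
function classify(name) {
  const hit = CATALOGUE.find(([pattern]) => pattern.test(name));
  if (!hit) return null;
  const [, platform, purpose, duration] = hit;
  return { name, platform, purpose, duration };
}

// Audit a snapshot taken BEFORE the visitor has interacted with the banner.
// allowlist = names the site owner has documented as strictly necessary.
function auditPreConsent(cookieString, allowlist = []) {
  const report = { violations: [], unknown: [], necessary: [] };
  for (const name of new Set(parseCookieNames(cookieString))) {
    const entry = classify(name);
    if (entry) report.violations.push(entry); // analytics cookie set without consent
    else if (allowlist.includes(name)) report.necessary.push(name);
    else report.unknown.push(name); // needs manual categorisation
  }
  return report;
}

// Constructed sample: document.cookie on first page load, before any banner click.
const SAMPLE = 'PHPSESSID=abc123; _ga=GA1.1.1111111111.1700000000; _ga_ABC123XYZ=GS1.1.x=y; _pk_id.1.9f2c=deadbeef; theme=dark';
const sampleReport = auditPreConsent(SAMPLE, ['PHPSESSID']);
console.log(JSON.stringify(sampleReport, null, 2));
```

`document.cookie` does not expose HttpOnly cookies, so a snapshot built from response `Set-Cookie` headers or the browser's developer tools covers more than a script-side read.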

Alternatives to Traditional Analytics Cookies

If consent rates are low and data gaps are hurting your reporting, several approaches can help recover insights without relying on persistent cookies.

Cookieless analytics platforms like Matomo (in cookieless mode), Plausible, and Fathom collect aggregate traffic data without setting any cookies. The trade-off is reduced accuracy for returning visitor counts, but the data is often sufficient for understanding overall traffic patterns.

Server-side tracking moves data collection from the browser to your own server, reducing exposure to browser cookie restrictions. GA4 supports server-side tagging through Google Tag Manager's server container. This does not eliminate the consent requirement, but it can improve data quality for consenting users by bypassing Safari's ITP limitations.

Google Consent Mode's conversion modelling fills reporting gaps by estimating non-consenting visitor behaviour using machine learning. It narrows the gap for sites with sufficient traffic volume to train the model, though it is not a replacement for real data.

Frequently Asked Questions

Do analytics cookies count as personal data under GDPR?

Yes. Analytics cookies assign unique identifiers to visitors, and under GDPR, online identifiers constitute personal data (Recital 30). The combination of a unique ID, IP address, and browsing history makes the visitor identifiable.

Can I use Google Analytics without consent if I anonymise IP addresses?

IP anonymisation alone does not remove the consent requirement. The _ga cookie still assigns a unique client ID that tracks visitors across sessions, and data is sent to Google's servers. Both the ePrivacy Directive and GDPR still apply.

What happens if I set analytics cookies before getting consent?

Setting non-essential cookies before consent violates Article 5(3) of the ePrivacy Directive. The French CNIL fined Conde Nast 750,000 euros in November 2025 for placing cookies before visitors could interact with the consent banner.

Why does Google Analytics show different user counts in Safari versus Chrome?

Safari ITP caps JavaScript-set cookies at 7 days. The GA4 _ga cookie, which persists for up to 400 days in Chrome, expires after 7 days in Safari. Returning Safari visitors are counted as new users each week.

Does Consent Mode v2 mean I do not need consent for analytics?

No. Consent Mode communicates consent states to Google tags but does not replace the legal requirement to obtain consent. When analytics_storage is denied, GA4 avoids setting cookies but may still send cookieless pings in Advanced mode.

Are analytics cookies the same as tracking cookies?

They overlap but are not identical. Analytics cookies measure site performance. Tracking cookies follow users across websites for advertising. Some cookies do both - GA4 cookies feed analytics and advertising audiences if Google Ads linking is enabled.

How often should I audit the analytics cookies on my site?

Scan after every significant change: new plugins, script updates, or third-party integrations. Monthly or quarterly scheduled scans catch cookies introduced by automatic updates.

Take Control of Your Cookie Compliance

If you are unsure which analytics cookies your site sets - or whether they fire before consent - start with a scan. Kukie.io detects first-party and third-party cookies, categorises them automatically, and integrates with Google Consent Mode v2 to keep your analytics compliant across jurisdictions.
