Use Google Analytics without cookies? And cookieless web analytics

It has been the talk of the town lately. "Google Analytics might be banned in Europe."

The DSB in Austria was the first to openly question the legal use of Google Analytics. Various popular news outlets such as Hacker News & TechCrunch picked up on the news and spread the word.

Not so long after the DSB, their french counterpart, CNIL, also stated that Google Analytics conflicts with GDPR. A few months later, Italy (Garante) and Denmark (Datatilsynet) joined the club.

(Update: as of June 2023, there are plenty of developments- and they are all bad news for Google. Finland and Norway also ruled against Google Analytics- although the Norwegian decision is yet preliminary. Most importantly, Meta was ordered to cease US data transfers for Facebook and fined for a record €1.2 billion in a high-profile case involving all European authorities- and for the exact same legal issues behind the rulings on Google Analytics! You can learn more about the decision here)

Organizations, especially within the EU, are questioning themselves now if they could still use Google Analytics legally. And what happens if they can't? Will they lose all the valuable insights as well?

In other words: Will there be life after Google Analytics?

Let's find out 👇

The UK Government chose Simple AnalyticsJoin them

How does Google Analytics work?

Google Analytics is by far the most used analytics tool on the planet. At least 86% of the websites that use an analytics tool use Google Analytics. It's a free tool, but it comes at a cost.

To understand why Google Analytics has come under pressure lately, it's key to know how it works and what implications it brings.

Does Google Analytics use cookies?

If you install Google Analytics to track your website performance, you need to set first-party cookies to:

Identify unique visitors
Identify unique sessions
Identify traffic source information
Determine the start and end of a session

Want to learn more about what cookies are? Check out this blog post.

You can access the cookies when you open the developer toolbar (right-click + inspect). By navigating to the 'application' (or 'storage') tab and clicking on 'cookies,' you can see which cookies are used by the specific website.

alt:Cookies of Indeed.com inspected via browser Cookies of indeed.com inspected via browser

As you can see from the screenshot above (taken from the Indeed homepage), the cookie's name is indicated as '_ga'. The second arrow on the screenshot indicates the value:

GA.1.2.1680553188.1645472981

It consists of a version name, the first part, and a unique ID, which is the second part.

The version name: GA.1.2.

The unique identifier: 1680553188.1645472981

The unique identifier consists of two parts. The first part is a randomly generated number. The second part is a timestamp for the first time the visitor visited the page. That way, Google can identify whether someone is a unique visitor or not.

Whenever someone visits a website, Google Analytics looks for the cookie, which is provided by the web browser. If there is a cookie stored, Google knows that the visitor is not unique. If Google can't find a cookie, it means it's a first-time visitor that visited the website. This is how Google Analytics distinguishes between unique visitors and pageviews.

Is Google Analytics using first or third-party cookies?

Google Analytics uses first-party cookies. The difference is that first-party cookies are only issued when the user is directly using the website. The website that issues the cookies is also to only one that can read them.

In contrast, third-party cookies are issued by other websites than the one you are visiting. They are mainly used for remarketing purposes. If you see ads from a website you visited in the past, it means that third-party cookies are tracking you.

How long do Google Analytics cookies last?

Both first and third-party cookies can be used with or without an expiration date. Cookies that are set with an expiration date are called persistent cookies. They stay on your device even after you close the web browser. Cookies without expiration date are called temporary cookies and are removed after you end your web session.

_ga is the main cookie for Google Analytics. It's a persistent cookie that stays for two years(!). However, you can change the cookie's duration to, for example, one year by following these steps.

You can overwrite the default of two years directly in the script (if you have an old Google Analytics script on your website). All you need to do is add the following 'cookieExpires' parameter to the script that issues the cookie: {'cookieExpires': 31536000}. The value here is noted in seconds and precisely a year.

You can also change it in Google Tag Manager, which is even easier:

Navigate to the Google Analytics Page View Tag
Check this box: Enable overriding settings in this tag
Click on: open more settings
Open Fields to Set
Click on: Add Field and fill out the two fields below. Indicate 31536000 in the value box to change the duration to one year.

How do I use Google Analytics lawfully?

Yes. Under the ePrivacy Directive, all cookies require the user's consent except for strictly necessary cookies. Cookies for web analytics always require the user's consent, whether they are from GA or from a different software.

If you use cookie-based analytics without a cookie banner, you are violating the GDPR. And if your website features deceptive cookie banners or "cookie walls", you are also violating the GDPR by collecting invalid consent- but that's a story for another day.

When you install Google Analytics, you need to show a cookie banner to ask for consent. If you really want to use Google Analytics, take the following steps:

Don't read or write analytics cookies if you don't have consent.
Make sure Google Analytics cookies are only activated after users have given their consent.
Give visitors a clear, immediate, and visible option to refuse cookies. Don't force them to go through endless options to refuse them! Tricks like that may improve your opt-in rates, but they are not GDPR compliant and authorities are starting to crack down on them.
Have a comprehensive and well-written privacy policy, but also give the essential information in your cookie banner! See this blog for a few hints.
Be transparent regarding the details of the Google Analytics cookies you are using. According to privacy regulations, consent is only valid if it constitutes an informed decision. You need to explain what type of cookies you are using and for what purpose.

Please note that this will result in your website missing out on some data.

People are getting more and more worried about their privacy, and quite often cookies when given a chance. This puts websites between a rock and a hard place. If you give users a transparent choice not to be tracked, many will take it, and you fill find yourself with less data. And if you use deceiving and confusing cookie banners to make rejection harder, you risk violating the GDPR (and being held liable for it).

Cookie rejection is not the only problem. More and more users browse the Web with ad-blocking browser plug-ins and similar anti-tracking technologies such as the cookie jars on the Firefox browser, or Brave's built-in ad-blocking capabilities. Depending on their settings, these users could be ghosts in your web analytics. They don't even need to bother rejecting your cookies- their browser does the work.

And to be clear, this is not only a problem with Google Analytics: all cookie-based analytics services face the same issues.

Do you need to include Google Analytics cookies in your privacy policy

If your website issues Google Analytics cookies, you need to include this in your privacy policy. By law, you must be transparent about the cookies your website issues. If third-party cookies are issued, you need to address this separately in your privacy policy. It is also against Google's terms & conditions not to disclose that you are using cookies. If this is not addressed in your privacy policy, you illegally use Google Analytics.

How can I make Google Analytics privacy-friendly?

You can't. Google's entire business model is mining enormous amounts of personal data, and privacy-friendly options in their products are just there to give the illusion of privacy.

Can I anonymize IP?

Universal Analytics offers a (fairly ineffective) IP anonymization option. Universal analytics has been phased out, but UA properties will still work for a year for GA360 users. So UA users do have the option to anonymize IP- but privacy authorities have noted again and again that this built-in anonymization option accomplishes very little and does not meet the GDPR's bar for proper anonymization

The IP anonymization option is no longer available in Google Analytics 4 because the new version does not store IP addresses.

Can I anonymize Client IDs?

Client IDs are the identifiers found in analytics cookies. They allow Google Analytics to recognize a user (more exactly, a browser) for the purpose of metrics such as new visitors. These identifiers cannot be anonymized because proper anonymization under the GDPR would make the visitor unrecognizable to Google Analytics- making cookies completely useless.

The next best thing you could do would be using rotating hashes, but that takes some work and will greatly decrease Google Analytics' performance.

More importantly, it may still not be enough to anonymize the data, given how many more personal data Google collects both through Google Analytics and from other sources. In fact, the data from Google Accounts alone basically enough to de-anonymize just about everything (as pointed out by several data protection authorities).

Bottom line, Google Analytics is a data-devouring machine and trying to make it privacy-friendly just runs counter to its design.

Can I use Google Analytics without cookies?

Not really. In theory, Google Analytics offers a "consent mode" that provides some information about non-tracked users through behavioral modeling (that is, by drawing inferences from other data Google already has). But this behavioral modelling will work poorly if you use it as your sole source of data.

If you are looking for website analytics without cookies, you should probably look at some alternative solutions.

Is web analytics possible without cookies?

It is. Simple Analytics does exactly that, so the proof is in the pudding.

After installing Google Analytics scripts for several years, our founder Adriaan didn't feel quite like sending so much data to Google for free. So he came up with a solution to provide insights without invading the privacy of website visitors.

This means that website visitors don't need to interact with an annoying cookie banner before they enter your website. It also means that we are 'out-of-the-box' compliant with GDPR

I hear you think... "This sounds good, but what data will I be missing? Can you still identify unique visitors if you don't use cookies? And can you still track events?

Well... Yes, you can, but don't just take my word for it.

Try for yourself.

How do we identify unique visitors?

We have to be honest here. Calculating unique visitors is a lot more difficult without cookies. As explained earlier in this post, Google Analytics can spot a unique visitor based on the fact if it has already placed a cookie or not.

Other "privacy-friendly" alternatives in the space anonymize IP addresses to check for unique visitors. While from a privacy perspective, this is more privacy-friendly, it is still considered personal data.

We do it even better.

We use the referral domain to see if someone is a unique visitor. When a user navigates to your website, the browser sends information about the referrer along.

Let's look at the illustration below. Someone visits a particular website (randomwebsite.com) and navigates to your website (yourwebsite.com). The browser sends the referrer (randomwebsite.com) to yourwebsite.com. This referrer is very useful to figure out where traffic is coming from.

When a user lands on your website without visiting another website, we record it as a unique visit:

Can you still track events?

It is one of the most common questions we get. With Simple Analytics, it is still possible to track event counts. It is based on aggregate data, meaning that we can't collect data on individuals triggering the event.

You can add our automated events script or add your custom events to see your event counts. We can estimate a conversion based on the traffic to that specific page (and we are working on a user-flow section).

In addition, you can still use URL Parameters to see where your traffic is coming from. For example, if you want to see the traffic to a blog post or newsletter.

What data does Simple Analytics collect?

Simple Analytics does not user cookies or track users in any way. This means that we do not collect any data that could be used to fingerprint a user.

For a more comprehensive overview of the data we collect, please refer to this page.

Every web analytics service involves a fundamental trade off: if you want to collect fine-grained data on an individual level, then you need to track your users aggressively.

The general take on cookie-less web analytics tools is that you trade more privacy for fewer data. This is true because you collect fewer data points. However, it does not necessarily mean that analytics without cookies is less accurate. Cookie-based web analytics tools are not bulletproof.

When should you consider a privacy-first web analytics tool?

Ask yourself: what data do you I really need? Do you need to track every individual move of a website visitor? If that's the case, Simple Analytics might not be your tool.

We are here for companies that want to be part of the future. Companies that want to see the big picture while acting in the best interest of their visitors.

So if you are looking for a solution, that is...

...GDPR-compliant 'out of the box'

...Cookieless by design

...Gives you the big picture

...And Simple to understand and use (see our live dashboard)

You might want to give us a try.