It has been the talk of the town lately. "Google Analytics might be banned in Europe."
The Austrian DSB was the first privacy watchdog to openly question the GDPR compliance of Google Analytics. Various popular news outlets such as Hacker News & TechCrunch picked up on the news and spread the word.
Not long after the DSB, its French counterpart, the CNIL, also stated that Google Analytics conflicts with GDPR. A few months later, Italy (Garante) and Denmark (Datatilsynet) followed suit.
Organizations, especially within the EU, are now questioning whether they can still use Google Analytics legally, and wondering what happens if they can't. Will they lose all the valuable insights as well?
In other words: Will there be life after Google Analytics?
Let's find out 👇
(Update: after two more decisions against Google Analytics from Norway and Finland, litigation temporarily came to a halt in 2023 when the new US-EU data transfer framework came into effect.
The new framework has been challenged by privacy activists and it is hard to say how it will play out. There is a very real chance that the Court of Justice will invalidate the framework and send the EU and the US back to square one for data transfers. This would once again make it legally risky for organizations to use Google Analytics.)
- How does Google Analytics work?
- How do I use Google Analytics lawfully?
- How can I make Google Analytics privacy-friendly?
- Can I use Google Analytics without cookies?
- Is web analytics possible without cookies?
- Cookieless web analytics vs. Cookie-based web analytics
- When should you consider a privacy-first web analytics tool?
How does Google Analytics work?
Google Analytics is by far the most used analytics tool on the planet. At least 86% of the websites that use an analytics tool use Google Analytics. It's a free tool, but it comes at a cost.
To understand why Google Analytics has come under pressure lately, it's key to know how it works and what implications it brings.
Does Google Analytics use cookies?
If you install Google Analytics to track your website performance, you need to set first-party cookies to:
- Identify unique visitors
- Identify unique sessions
- Identify traffic source information
- Determine the start and end of a session
Want to learn more about what cookies are? Check out this blog post.
You can access the cookies when you open the developer toolbar (right-click + inspect). By navigating to the 'application' (or 'storage') tab and clicking on 'cookies,' you can see which cookies are used by the specific website.
Cookies of indeed.com inspected via browser
As you can see from the screenshot above (taken from the Indeed homepage), the cookie's name is indicated as '_ga'. The second arrow on the screenshot indicates the value:
GA.1.2.1680553188.1645472981
It consists of a version name, the first part, and a unique ID, which is the second part.
The version name: GA.1.2.
The unique identifier: 1680553188.1645472981
The unique identifier consists of two parts. The first part is a randomly generated number. The second part is a timestamp for the first time the visitor visited the page. That way, Google can identify whether someone is a unique visitor or not.
Whenever someone visits a website, Google Analytics looks for the cookie, which is provided by the web browser. If there is a cookie stored, Google knows that the visitor is not unique. If Google can't find a cookie, it means it's a first-time visitor that visited the website. This is how Google Analytics distinguishes between unique visitors and pageviews.
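The cookie layout described above, as an added example (not code from Google or from this post): a small parser that splits a _ga value into its version prefix and unique ID, decodes the first-visit timestamp, and applies the "cookie present means returning visitor" rule. The function names are assumptions; the sample value is the one shown in the screenshot.

```javascript
// Added example: split a _ga cookie into the parts described above.
// Function names are illustrative; the layout follows this page's description.

// Find one cookie by name in a Cookie header or document.cookie string.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === name) return pair.slice(idx + 1).trim();
  }
  return null;
}

// The last two dot-separated fields are the unique ID (random number +
// first-visit Unix timestamp); everything before them is the version prefix.
function parseGaCookie(value) {
  const parts = value.split('.');
  if (parts.length < 4) return null;
  const [randomPart, tsPart] = parts.slice(-2);
  if (!/^\d+$/.test(randomPart) || !/^\d{9,10}$/.test(tsPart)) return null;
  return {
    version: parts.slice(0, -2).join('.'),
    clientId: `${randomPart}.${tsPart}`,
    firstVisit: new Date(Number(tsPart) * 1000).toISOString(),
  };
}

// No cookie means a first-time visitor; a valid cookie means a returning one.
function classifyVisitor(cookieString) {
  const raw = readCookie(cookieString, '_ga');
  if (raw === null) return { returning: false, reason: 'no _ga cookie' };
  const parsed = parseGaCookie(raw);
  if (parsed === null) return { returning: false, reason: 'malformed _ga cookie' };
  return { returning: true, ...parsed };
}

// Sample header built around the value shown on this page (the other cookie is constructed).
const SAMPLE = 'lang=en; _ga=GA.1.2.1680553188.1645472981';
console.log(classifyVisitor(SAMPLE));
```

The decoded timestamp shows that the cookie value itself records when this browser was first seen, which is part of what makes it a persistent identifier.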
Is Google Analytics using first or third-party cookies?
Google Analytics uses first-party cookies. The difference is that first-party cookies are only issued when the user is directly using the website. The website that issues the cookies is also the only one that can read them.
In contrast, third-party cookies are issued by other websites than the one you are visiting. They are mainly used for remarketing purposes. If you see ads from a website you visited in the past, it means that third-party cookies are tracking you.
How long do Google Analytics cookies last?
Both first and third-party cookies can be used with or without an expiration date. Cookies that are set with an expiration date are called persistent cookies. They stay on your device even after you close the web browser. Cookies without an expiration date are called temporary cookies and are removed after you end your web session.
_ga is the main cookie for Google Analytics. It's a persistent cookie that stays for two years(!). However, you can change the cookie's duration to, for example, one year by following these steps.
You can overwrite the default of two years directly in the script (if you have an old Google Analytics script on your website). All you need to do is add the following 'cookieExpires' parameter to the script that issues the cookie: {'cookieExpires': 31536000}. The value is given in seconds and equals exactly one year.
You can also change it in Google Tag Manager, which is even easier:
- Navigate to the Google Analytics Page View Tag
- Check this box: Enable overriding settings in this tag
- Click on: open more settings
- Open Fields to Set
- Click on: Add Field and fill out the two fields below. Indicate 31536000 in the value box to change the duration to one year.
How do I use Google Analytics lawfully?
Do I need a cookie banner when using Google Analytics?
Yes. Under the ePrivacy Directive, all cookies require the user's consent except for strictly necessary cookies. So, cookies for web analytics always require the user's consent, whether they are from GA or from a different software.
If you use cookie-based analytics without a cookie banner, you are violating the GDPR. And if your website features deceptive cookie banners or "cookie walls", you are also violating the GDPR by collecting invalid consent, but that's a story for another day.
How do I implement a cookie banner for Google Analytics?
When you install Google Analytics, you need to show a cookie banner to ask for consent. If you really want to use Google Analytics, take the following steps:
- Don't read or write analytics cookies if you don't have consent. Test your implementation to ensure that the GA script checks for consent before writing cookies.
- Give visitors a clear, immediate, and visible option to refuse cookies. Don't force them to go through endless options to refuse them! Tricks like that may improve your opt-in rates, but they are not GDPR compliant and authorities are starting to crack down on them.
- Have a comprehensive and well-written privacy policy, but also give the essential information in your cookie banner! See this blog for a few hints.
- Be transparent regarding the details of the Google Analytics cookies you are using. According to privacy regulations, consent is only valid if it constitutes an informed decision. You need to explain what type of cookies you are using and for what purpose.
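One way to implement and test the first step of the list above, as an added example (not Google's or Simple Analytics' code): a gate that refuses to read or write analytics cookies until the visitor opts in, plus a helper that lists analytics cookies found in a cookie snapshot. The gate API, the plain-object cookie jar, and the matching of _ga_<id> variants are assumptions of this example.

```javascript
// Added example: a consent gate for analytics cookies plus a check of the jar.
// The gate API and the plain-object cookie jar are assumptions so it runs in Node.

// _ga is the cookie named on this page; _ga_<id> variants are assumed as well.
const ANALYTICS_COOKIE = /^_ga($|_)/;

function createConsentGate(jar) {
  let consent = null; // null = no choice yet, true = accepted, false = refused
  return {
    decide(accepted) {
      consent = accepted;
      if (accepted) return;
      // Design choice of this example: on refusal, drop leftover analytics identifiers.
      for (const name of Object.keys(jar)) {
        if (ANALYTICS_COOKIE.test(name)) delete jar[name];
      }
    },
    // Write only after an explicit opt-in; report whether the write happened.
    write(name, value) {
      if (ANALYTICS_COOKIE.test(name) && consent !== true) return false;
      jar[name] = value;
      return true;
    },
    // Reading the identifier needs consent too.
    read(name) {
      if (ANALYTICS_COOKIE.test(name) && consent !== true) return null;
      return name in jar ? jar[name] : null;
    },
  };
}

// Audit helper: analytics cookie names present in a document.cookie snapshot.
function analyticsCookiesIn(cookieString) {
  const names = cookieString.split(';').map((pair) => pair.split('=')[0].trim());
  return names.filter((name) => ANALYTICS_COOKIE.test(name));
}

// Constructed scenario: tracking attempt before any choice, then opt-in.
function runScenario() {
  const jar = { session: 'abc' };
  const gate = createConsentGate(jar);
  const beforeChoice = gate.write('_ga', 'GA.1.2.1680553188.1645472981');
  const jarBefore = Object.keys(jar).filter((n) => ANALYTICS_COOKIE.test(n));
  gate.decide(true);
  const afterOptIn = gate.write('_ga', 'GA.1.2.1680553188.1645472981');
  return { beforeChoice, jarBefore, afterOptIn, stored: gate.read('_ga') };
}
```

In a browser test, the same check is to load the page, make no choice in the banner, and pass document.cookie to analyticsCookiesIn: the result should be an empty list.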
Please note that a GDPR compliant banner will result in your website missing out on some data.
People are getting more and more worried about their privacy and often reject cookies when given a chance. This puts websites between a rock and a hard place. If you give users a transparent choice not to be tracked, many will take it, and you will find yourself with less data. And if you use deceiving and confusing cookie banners to make rejection harder, you risk violating the GDPR (and being held liable for it).
Cookie rejection is not the only problem. More and more users browse the Web with ad-blockers and similar anti-tracking technologies such as Firefox’s cookie jars. Depending on their settings, these users could be ghosts in your web analytics. They don't even need to bother rejecting your cookies: their browser does the work.
To be clear, this is not only a problem with Google Analytics: all cookie-based analytics services face the same issues.
Do you need to include Google Analytics cookies in your privacy policy?
If your website issues Google Analytics cookies, you need to include them in your privacy policy. By law, you must be transparent about the cookies your website issues. If third-party cookies are issued, you need to address this separately in your privacy policy. It is also against Google's terms & conditions not to disclose that you are using cookies. If this is not addressed in your privacy policy, you are using Google Analytics illegally.
How can I make Google Analytics privacy-friendly?
You can't. Google's entire business model is mining enormous amounts of personal data. Privacy-friendly options in their products are just there to give the illusion of privacy.
Can I anonymize IP?
Unlike Universal Analytics, Google Analytics 4 does not store IP addresses. So, it does not offer an IP anonymization option.
Can I anonymize cookies?
Google Analytics cookies contain unique identifiers called Client IDs. These IDs allow Google Analytics to recognize a user (more exactly, a browser) for the purpose of metrics such as new visitors.
Whether cookies can be anonymized depends on the jurisdiction and on the definition of personal data. In the EU, all unique identifiers are by definition personal data and cannot be anonymized.
The most privacy-friendly option would be setting cookies to a very short duration, which greatly decreases Google Analytics' performance. More importantly, it may still not be enough to anonymize the data, given how much more personal data Google collects both through Google Analytics and from other sources. In fact, the data from Google Accounts alone are basically enough to de-anonymize all the rest (as pointed out by several data protection authorities in the Google Analytics cases).
Bottom line, Google Analytics is a data-devouring machine and trying to make it privacy-friendly runs counter to its design. If privacy is a concern to you, then you should move to a different service altogether.
Can I use Google Analytics without cookies?
Not really.
In theory, Google Analytics offers a "consent mode" that provides some information about non-tracked users through behavioral modeling (that is, by drawing inferences from other data Google already has). But behavioral modeling works poorly if you use it as your sole source of data!
If you are looking for website analytics without cookies, you should probably look at alternative solutions.
Is web analytics possible without cookies?
It is. Simple Analytics does exactly that, so the proof is in the pudding.
After installing Google Analytics scripts for several years, our founder Adriaan didn't feel quite like sending so much data to Google for free. So he came up with a solution to provide insights without invading the privacy of website visitors.
This means that website visitors don't need to interact with an annoying cookie banner before they enter your website. It also means that we are 'out-of-the-box' compliant with GDPR.
I hear you think... "This sounds good, but what data will I be missing? Can you still identify unique visitors if you don't use cookies? And can you still track events?"
Well... Yes, you can, but don't just take my word for it.
How do you identify unique visitors?
Other "privacy-friendly" alternatives in the space anonymize IP addresses to check for unique visitors. This is somewhat less invasive than using cookies but IP addresses still count as personal data.
We do it even better.
We use the referral domain to see if someone is a unique visitor. When a user navigates to your website, the browser sends information about the referrer along.
Let's look at the illustration below. Someone visits a particular website (randomwebsite.com) and navigates to your website (yourwebsite.com). The browser sends the referrer (randomwebsite.com) to yourwebsite.com. This referrer is very useful to figure out where traffic is coming from.
When a user lands on your website without visiting another website, we record it as a unique visit:
This is not a perfect system but is accurate enough compared to cookies because many visitors reject cookies. When you account for this data gap, Simple Analytics’ referral-based approach works quite well while being more privacy-friendly than any other approach on the market.
Can you still track events?
This is one of the most common questions we get. With Simple Analytics, it is still possible to track event counts. It is based on aggregate data, meaning that we can't collect data on individuals triggering the event.
You can add our automated events script or add your custom events to see your event counts. We can estimate a conversion based on the traffic to that specific page (and we are working on a user-flow section).
In addition, you can still use URL Parameters to see where your traffic is coming from. For example, if you want to see the traffic to a blog post or newsletter.
What data does Simple Analytics collect?
Simple Analytics does not use cookies or track users in any way. This means that we do not collect any data that could be used to fingerprint a user.
For a more comprehensive overview of the data we collect, please refer to this page.
Cookieless web analytics vs. Cookie-based web analytics
Every web analytics service involves a fundamental trade off: if you want to collect fine-grained data on an individual level, then you need to track your users aggressively.
The general take on cookie-less web analytics tools is that you trade more privacy for fewer data. This is true because you collect fewer data points. However, it does not necessarily mean that analytics without cookies is less accurate. Cookie-based web analytics tools are not bulletproof.
When should you consider a privacy-first web analytics tool?
Ask yourself: what data do you really need? Do you need to track every individual move of a website visitor? If that's the case, Simple Analytics might not be your tool.
We are here for companies that want to be part of the future. Companies that want to see the big picture while acting in the best interest of their visitors.
So if you are looking for a solution that is...
...GDPR-compliant 'out of the box'
...Cookieless by design
...Gives you the big picture
...And Simple to understand and use (see our live dashboard)
You might want to give us a try.