Cookies help website owners offer a convenient browsing experience to their users. They let websites remember your login, shopping cart, and other actions you may have taken on their site. At the same time, they also help advertisers target their ‘right’ audience. While inherently harmless, cookies can be misused. Brands can use third-party cookies to profile users in ways they are not aware of or have not consented to.
Recently, there has been a movement towards a cookieless world, and GA4 is touted to be one of the platforms that offers a ‘cookieless’ experience. Is that true? We will see—in a minute.
This comprehensive guide dives into cookies, Google Analytics 4 (GA4), and its approach to navigating the ever-changing privacy landscape.
What are cookies?
Cookies are small pieces of data that websites store on your device, typically your computer or phone. They act like tiny digital files, holding information that can enhance your browsing experience. For instance, cookies can remember your login details for a website, so you do not have to re-enter them every time you visit a website.
There are two main types of cookies:
- First-party cookies
- Third-party cookies
First-party cookies
First-party cookies are created and controlled by the website you’re visiting. They can only be accessed by that specific domain. They’re essential for many of the conveniences we’ve come to expect while browsing the web. For instance, keeping items in your cart between visits to a site.
Third-party cookies
Unlike their first-party counterparts, third-party cookies can be set and shared amongst multiple sites. These cookies can be used to track your activity across various websites you visit, building a profile of your interests and browsing habits.
Third-party cookies raise privacy concerns, as they allow advertisers and other entities to target you with personalized ads even after you’ve left a website.
Third-party cookies are widespread. Per a survey, in 2022, 75% of full-time marketing and customer experience leaders worldwide relied on third-party cookies.
Google Going ‘Cookieless’?
In a move towards enhanced user privacy, Google Chrome is phasing out third-party cookies. “On January 4, we’ll begin testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. We’ll roll this out to 1% of Chrome users globally, a key milestone in our Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024,” announced Google in December 2023.
This means websites will no longer be able to leverage third-party cookies to track user activity across the web. This is a significant shift in the way online advertising has traditionally functioned, where these cookies have been used for serving personalized ads and for remarketing purposes.
However, it’s important to remember that there’s currently no indication of Chrome blocking the use of first-party cookies. So, while it is going cookieless in terms of allowing third-party cookies, it will still allow first-party cookies.
Does GA4 Use Cookies?
Yes. Like previous versions of Google Analytics, GA4 utilizes first-party cookies to identify users across sessions. It doesn’t operate without cookies by default.
GA4 uses the _ga cookie to identify visitors over time. The unique client ID stored in the _ga cookie lets website owners know if a visitor is new or returning.
This information allows website owners to understand user behavior on their site.
So, How is GA4 Any Different for Privacy?
While GA4 utilizes cookies, it was designed with privacy regulations in mind.
Here are some key features that set it apart from its predecessors:
IP Anonymization by Default
In Universal Analytics (the previous version of Google Analytics), IP masking was an optional step—website owners had to implement an extra set of steps to mask IP addresses. But in Google Analytics 4, IP masking is not necessary since IP addresses are anonymized by default. GA4 removes the last 4 digits from IP addresses. This feature automatically obfuscates your complete IP address from Google Analytics. IP addresses can be used to pinpoint your location, so anonymization adds a layer of privacy protection.
Consent Mode
If users choose not to accept cookies, GA4 offers a solution. You can enable consent mode, which gathers data through alternative methods like cookieless pings and modeling, without relying on cookies. This allows you to continue collecting some data even when users opt out of cookies.
Understanding Consent Mode and Cookieless GA4
If you use a consent management platform (CMP) on your website and users decline cookie consent, GA4’s consent mode can be a helpful tool. Consent mode uses modeled data to fill the gaps left by data that would typically be collected through cookies. To get modeled data, Analytics applies machine learning to estimate the behavior of those users based on the behavior of similar users who do accept analytics cookies or equivalent app identifiers.
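As an added example (not code from this article or from Google), here is one way to wire consent mode so that storage is denied by default and changed only on an explicit opt-in, with a check that no config or event command was queued before the default. The `onCmpDecision` callback, the `analytics`/`marketing` choice fields and the `G-XXXXXXX` measurement ID are assumptions; `ad_storage` is a second consent mode key alongside `analytics_storage`.

```javascript
// Added example: default-deny consent mode wiring plus an ordering audit.
// dataLayer/gtag follow the standard gtag.js snippet; outside a browser the
// queue is a plain array, so the command order can be inspected.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Map a CMP result to consent mode values. Only an explicit `true` grants;
// missing, null, or malformed choices stay 'denied'.
function toConsentState(cmpChoices) {
  const c = cmpChoices || {};
  return {
    analytics_storage: c.analytics === true ? 'granted' : 'denied',
    ad_storage: c.marketing === true ? 'granted' : 'denied',
  };
}

// 1. Default state, queued before any config or event command.
function initConsent() {
  gtag('consent', 'default', toConsentState(null));
}

// 2. Hypothetical CMP callback: call this once the banner is answered.
function onCmpDecision(cmpChoices) {
  gtag('consent', 'update', toConsentState(cmpChoices));
}

// Audit: return config/event commands queued before the consent default.
function commandsBeforeConsentDefault(queue) {
  const early = [];
  for (const cmd of queue) {
    if (cmd[0] === 'consent' && cmd[1] === 'default') return early;
    if (cmd[0] === 'config' || cmd[0] === 'event') early.push(cmd);
  }
  return early; // no default found: every config/event ran without one
}

// Constructed session: visitor accepts analytics, declines marketing.
initConsent();
gtag('js', new Date());
gtag('config', 'G-XXXXXXX'); // placeholder measurement ID
onCmpDecision({ analytics: true, marketing: false });
```

Running `commandsBeforeConsentDefault(window.dataLayer)` in the browser console is a quick way to confirm that no tag fired ahead of the default consent state.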
However, it’s essential to consider some potential drawbacks of consent mode:
Compliance Uncertainties
There’s a lot of debate online about whether consent mode fully adheres to all privacy laws, such as GDPR and CCPA. The legal interpretations of these regulations can vary. For example, Brian Clifton considers Google’s approach flawed and one that breaks privacy laws. Brian and others believe that when a user opts out of tracking, they would expect not to be tracked at all, whereas with consent mode they are still tracked but no cookies are used.
Modeled Data Requirements
Not all websites can utilize modeled data: your website needs to meet specific traffic thresholds to access it. For example, your property must collect at least 1,000 events per day with analytics_storage='denied' for at least 7 days. Similarly, for training purposes, it must collect at least 1,000 events per day with analytics_storage='granted' for at least 7 of the previous 28 days.
If your website doesn’t have a significant amount of traffic, modeled data might not be readily available. Read more about GA4 behavioral modeling for consent mode.
Data Latency
There may be a time lag before modeled data is reflected in your reports. This means it might take some time to get a complete picture of your website’s performance.
In Conclusion
GA4 offers a more privacy-focused approach to website analytics compared to UA. While it uses first-party cookies by default, features like consent mode allow for some data collection even without cookies. However, limitations and potential compliance considerations exist that require careful evaluation on the part of website owners.