Does Google Analytics require cookie consent?

By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

Google Analytics (GA4) stands out as the most widely used web analytics tool, used by 81.6% of websites with known analytics tools according to W3Techs. However, the tool uses cookies to track user behavior across websites.

With data privacy regulations like the General Data Protection Regulation (GDPR) or ePrivacy Directive requiring cookie compliance, site owners wonder how to properly comply using GA4.

In this guide, we’ll answer whether you need cookie consent if you’re using Google Analytics and how to ensure compliance with the cookies it uses.

Does Google Analytics use cookies?

Yes, Google Analytics leverages first-party cookies to collect user data on various websites and track their behavior. The platform sets cookies on a website to distinguish different users and unique browsing sessions.

Those cookies then help track user interactions with a site, such as visited pages, time spent on a page, bounce rates, and more.

Google Analytics 4 uses the following cookies on your website:

_ga – used to identify unique users across sessions (set for 2 years)
_ga <container-id> – used to track individual sessions (set for 2 years)

Yes, Google Analytics 4 cookies require consent. That’s because they fall under the tracking cookie category for tracking user behavior and interactions. Data privacy regulations like the GDPR, CCPA, and ePrivacy Directive require obtaining consent for this cookie category even if you’re using anonymization features on GA4.

The only cookies exempt from consent are the ones that are essential for the site to function, or strictly necessary cookies. However, Google Analytics cookies don’t fall into this category.

Set up cookie consent on Shopify

Records user consent

GDPR-compliant

Try TinyCookie free

The shift from Universal Analytics to Google Analytics 4 resulted in a reduced platform dependency on cookie usage for tracking. For example, Universal Analytics used multiple types of cookies and offered limited consent handling. Meanwhile, GA4 has improved Consent Mode V2 support and respects privacy laws while using just a few cookies.

You can compare Google Analytics 4 and Universal Analytics using the table below:

	Universal Analytics	Google Analytics 4
Tracking	Session-based	Event-based
Reliance on cookies	Heavy	Reduced (more reliant on first-party data and can work without cookies)
Consent management	Limited	Strong, especially with Consent Mode V2 support
User ID tracking	Had to be configured manually	Built-in support
Machine learning	Minimal	Built-in
Cross-device tracking	Limited	Improved with Google Signals

Here are the main differences between cookie usage in both Google Analytics versions:

Event-based tracking. Google Analytics 4 relies more on events that don’t always require cookies, such as clicks, page views, and other interactions. Universal Analytics is more focused on sessions, which heavily rely on cookie usage.
Machine learning. Universal Analytics heavily relies on cookies to gather information about users, while GA4 adopted machine learning to predict actions and give valuable insights.
Data modeling. When user consent is not given, GA4 uses data modeling techniques to estimate behavior and get insights while reducing reliance on direct user tracking and third-party cookies.

What counts as personal data in Google Analytics?

Personal data or Personally Identifiable Information (PII) in Google Analytics means data that could be used to recognize or identify an individual. Some PII examples include email addresses, social security numbers, and mobile numbers.

The personal data definition is similar under regulations like the GDPR. According to the GDPR, the term “personal data” should be applied as widely as possible. Examples of personal data under the GDPR include:

User name or surname
Home address
Email address
Cookie ID
Identification card number
Health data
IP address
Device type

The GDPR doesn’t consider a company’s email address (like info@company.com), company’s registration number, or aggregated data as personal data.

Note: Google strictly prohibits passing PII to Google itself in order to protect user privacy.

Implementing cookie consent for Google Analytics mainly involves adopting a cookie banner or popup. However, there are some other requirements that are required by data privacy laws, like creating a cookie policy. Let’s review all the necessary cookie compliance steps in detail.

1. Acquire explicit user consent for cookies

Regulations like the GDPR or ePrivacy Directive require obtaining user consent for the use of non-essential cookies. One of the most popular ways to do it is using a cookie banner. For example, Shopify users can adopt a one-click setup cookie banner like TinyCookie. You can see an example of a GDPR-compliant banner below.

TinyCookie cookie banner example

Here are the main requirements for consent management:

Consent must be informed, unambiguous, and involve an affirmative action
Cookies cannot be activated before receiving consent
Consent must be granular, meaning there should be an option to manage preferences
There must be an option to withdraw or reject consent, an it should be as easy as it was to consent
User consent must be securely stored in one place for proof of compliance
Consent must be freely given, meaning there shouldn’t be any manipulation to gain consent, like pre-ticked boxes

Add a GDPR cookie banner on Shopify

Free plan available

Customizable banner

Try TinyCookie free

2. Create a cookie policy

A cookie policy is a legal document on your website that’s used to explain how cookies are used on a website and their purpose. It demonstrates transparency and thus protects your company from any legal action due to misleading information. A cookie policy should include:

List of cookies used on your site
Lawful basis for processing
Cookie management information
Company contact details

You can add it as a section in your privacy policy or you can write a separate cookie policy.

3. Adopt Google Consent Mode V2

Google Consent Mode V2 helps websites manage how Google tags, like GA4 or Google Ads, operate based on user consent. It was created to help website owners ensure compliance while using Google services easier.

The main difference between Consent Mode and Consent Mode V2 is that even if users don’t grant consent, Consent Mode V2 can still use cookieless data to track users. This is also called anonymous tracking, and it can be used to get such data as user agents or timestamps.

4. Sign a DPA

Under the GDPR, website owners as data controllers must enter a Data Processing Agreement (DPA) with data processors like Google. The DPA must involve such information as what information is collected, the duration and purpose for processing, and data processor and controller obligations.

You can learn how to enter a DPA with Google Analytics by following this guide to accept Google’s Data Processing Amendment.

While Google Analytics is the most popular tool for tracking user behavior, there are plenty of other good tools that don’t use cookies or require consent. Here’s a quick comparison between Google Analytics and its alternatives:

	GA4	Matomo	Plausible	Fathom
GDPR compliant	✅ (with user consent)	✅	✅	✅
Uses cookies	✅ Yes	Optional – cookie-free mode is available	❌ No	❌ No
Needs cookie consent	✅ Yes	❌ No (if it’s cookieless)	❌ No	❌ No
Features	Advanced, like cross-platform tracking, custom event-based tracking	Advanced, like heatmaps and session recordings, A/B testing	Basic	Basic
Price	Free	Free if self-hosted (from $26/month for cloud)	From $9/month	From $15/month
Best for	Deep tracking and event-based insights	Custom tracking with more control	Privacy-oriented websites	Ethical tracking

The best choice will depend on your needs and budget. While GA4 offers a free deep tracking tool for event-based insights, Matomo offers more control to create custom tracking. Meanwhile, Plausible and Fathom are more basic tools that don’t use cookies and are made for ethical tracking and privacy-oriented websites.

All of these tools come with a free version or free trial, so you can test out which one works best for GDPR-compliant tracking on your website.

Frequently asked questions

Is Google Analytics loaded without consent?

No, if user consent is denied or not received, Google Analytics will not be loaded on a website. That’s because privacy regulations like the GDPR prohibit deploying non-essential cookies on a user’s device without consent.

How will GA4 work without cookies?

GA4 can work without cookies by using first-party data, statistical modeling, and machine learning to predict user actions or behavior. The Google Consent Mode V2 tracks user engagement using AI-powered analytics while respecting user consent preferences.

Are Google Analytics cookies strictly necessary?

No, Google Analytics cookies aren’t strictly necessary. Instead, GA4 cookies are used as tracking cookies to track and analyze user behavior and actions. They require user consent under privacy regulations like the GDPR or ePrivacy Directive.

About the author

Kristina Jaruseviciute

Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.

Do you need cookie consent if you use Google Analytics?