Safeguarding your data
This article summarizes Google Analytics’ data practices and commitment to protecting the confidentiality and security of data. Visitors to sites or apps using Google Analytics (aka “users”) may learn about our end user controls.
Site or app owners using Google Analytics (aka “customers”) may find this a useful resource, particularly if they are businesses affected by the European Economic Area’s General Data Protection Regulation. See also the Google privacy policy and Google’s site for customers and partners.
Google Analytics cookies and identifiers
Google Analytics mainly uses first-party cookies to report on visitor (aka. user) interactions on Google Analytics customers’ websites. Users may disable cookies or delete any individual cookie. Learn more
In addition, Google Analytics supports an optional browser add-on that – once installed and enabled – disables measurement by Google Analytics for any site a user visits. Note that this add-on only disables Google Analytics measurement.
Where a site or app uses Google Analytics for Apps or the Google Analytics for Firebase SDKs, Google Analytics collects an app-instance identifier — a randomly generated number that identifies a unique installation of an App. Whenever a user resets their Advertising Identifier (Advertising ID on Android, and ID for Advertisers on iOS), the app-instance identifier is also reset.
Where sites or apps have implemented Google Analytics with other Google Advertising products, like Google Ads, additional advertising identifiers may be collected. Users can opt-out of this feature and manage their settings for this cookie using the Ads Settings. Learn more
Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from (also known as “IP geolocation”). Google Analytics provides a method to mask IPs that are collected (detailed below) but note that website owners have access to their users’ IP addresses even if the website owners do not use Google Analytics.
Data Collected by Google Analytics
First-party Cookies
Google Analytics collects first-party cookies, data related to the device/browser, IP address and on-site/app activities to measure and report statistics about user interactions on the websites and/or apps that use Google Analytics. Customers may customize cookies and the data collected with features like cookie settings, User-ID, Data Import, and Measurement Protocol. Learn more
Google Analytics customers who have for instance, enabled the analytics.js or gtag.js collection method can control whether or not they use cookies to store a pseudonymous or random client identifier. If the customer decides to set a cookie, the information stored in the local first-party cookie is reduced to a random identifier (e.g., 12345.67890).
For customers who use the Google Analytics for Apps SDK, we collect an App Instance Identifier, which is a number that is randomly generated when the user installs an app for the first time.
Advertising identifiers
Where customers use Google Analytics Advertising Features, Google advertising cookies are collected and used to enable features like Remarketing on the Google Display Network. These features are subject to the users’ Ads Settings, the Policy requirements for Google Analytics Advertising Features and Google’s EU User Consent policy, which requires customers to obtain consent for cookies where legally required—including consent for personalized ads. For more information about how Google uses advertising cookies, visit the Google Advertising Privacy FAQ. It is possible to implement Google Analytics without affecting normal data collection where Advertising features are disabled until consent is obtained.
IP Address
Google Analytics uses IP addresses to derive the geolocation of a visitor, and to protect the service and provide security to our customers. Customers may apply IP masking so that Google Analytics uses only a portion of an IP address collected, rather than the entire address. In addition, customers can override IPs at will using our IP Override feature.
PII Prohibition
Our contracts prohibit customers from sending Personally Identifiable Information to Google Analytics. Customers should follow these Best Practices to ensure PII is not sent to Google Analytics.
Cookie Usages
What is the data used for?
Google uses Google Analytics data to provide the Google Analytics measurement service to customers. Identifiers such as cookies and app instance IDs are used to measure user interactions with a customer’s sites and/or apps, while IP addresses are used to provide and protect the security of the service, and to give the customer a sense of where in the world their users come from.
Google Analytics Cookie Usage on Websites
This document describes how Google Analytics uses cookies to measure user-interactions on websites.
Overview
Google Analytics is a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. The Google Analytics JavaScript libraries use HTTP Cookies to “remember” what a user has done on previous pages / interactions with the website.
Google Analytics supports three JavaScript libraries (tags) for measuring website usage: gtag.js, analytics.js, and ga.js. The following sections describe how each use cookies.
gtag.js and analytics.js – cookie usage
The analytics.js JavaScript library is part of Universal Analytics and uses first-party cookies to:
- Distinguish unique users
- Throttle the request rate
When using the recommended JavaScript snippet, cookies are set at the highest possible domain level. For example, if your website address is blog.example.co.uk, analytics.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows measurement to occur across subdomains without any extra configuration.
gtag.js and analytics.js set the following cookies:
| Cookie Name | Expiration Time | Description |
|---|---|---|
_ga |
2 years | Used to distinguish users. |
_gid |
24 hours | Used to distinguish users. |
_gat |
1 minute | Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>. |
AMP_TOKEN |
30 seconds to 1 year | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. |
_gac_<property-id> |
90 days | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more. |
Customization
Read the gtag.js Domains & Cookies developer guide to learn all the ways these default settings can be customized with gtag.js.
Read the analytics.js Domains & Cookies developer guide to learn all the ways these default settings can be customized with analytics.js.
Read the Security and privacy in Universal Analytics document for more information about Universal Analytics and cookies.
ga.js – cookie usage
The ga.js JavaScript library uses first-party cookies to:
- Determine which domain to measure
- Distinguish unique users
- Throttle the request rate
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
By default, this library sets cookies on the domain specified in the document.host browser property and sets the cookie path to the root level (/).
This library sets the following cookies:
| Cookie Name | Default Expiration Time | Description |
|---|---|---|
__utma |
2 years from set/update | Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics. |
__utmt |
10 minutes | Used to throttle request rate. |
__utmb |
30 mins from set/update | Used to determine new sessions/visits. The cookie is created when the javascript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics. |
__utmc |
End of browser session | Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit. |
__utmz |
6 months from set/update | Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics. |
__utmv |
2 years from set/update | Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics. |
Customization
The following methods can be used to customize how cookies are set:
-
_setDomainName– Sets the domain to which all cookies will be set. -
_setCookiePath– Sets the path to which all cookies will be set. -
_setVisitorCookieTimeout– Sets the Google Analytics visitor cookie expiration in milliseconds. -
_setSessionCookieTimeout– Sets the new session cookie timeout in milliseconds. -
_setCampaignCookieTimeout– Sets the campaign cookie expiration time in milliseconds. -
_storeGac– Pass infalseto disable the GAC cookie. Defaults totrue
Read the Tracking Multiple Domains guide to learn how to configure ga.js to measure user interaction across domains.
urchin.js – cookie usage
Historically, Google Analytics provided a JavaScript measurement library named urchin.js. When the newer ga.js library launched, developers were encouraged to migrate to the new library. For sites that have not completed the migration, urchin.js sets cookies identically to what is set in ga.js. Read the ga.js cookie usage section above for more details.
Google Analytics for Display Advertisers – cookie usage
For customers that are using Google Analytics’ Display Advertiser features, such as remarketing, a third-party DoubleClick cookie is used in addition to the other cookies described in this document for just these features. For more information about this cookie, visit the Google Advertising Privacy FAQ.
Content Experiments – cookie usage
For websites using Google Analytics content experiments, the following cookies are used for these features in addition to the other cookies described in this document:
| Cookie Name | Expiration Time | Description |
|---|---|---|
__utmx |
18 months | Used to determine a user’s inclusion in an experiment. |
__utmxx |
18 months | Used to determine the expiry of experiments a user has been included in. |
Optimize – cookie usage
For websites using Optimize, the following cookies are used in addition to the other cookies described in this document:
| Cookie Name | Expiration Time | Description |
|---|---|---|
_gaexp |
Depends on the length of the experiment, but typically 90 days. | Used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in. |
_opt_awcid |
24 hours | Used for campaigns mapped to Google Ads Customer IDs. |
_opt_awmid |
24 hours | Used for campaigns mapped to Google Ads Campaign IDs. |
_opt_awgid |
24 hours | Used for campaigns mapped to Google Ads Ad Group IDs |
_opt_awkid |
24 hours | Used for campaigns mapped to Google Ads Criterion IDs |
_opt_utmc |
24 hours | Stores the last utm_campaign query parameter. |