Analytics Cookies 101: What They Do & What’s Changing in 2025

Analytics cookies are foundational to digital marketing, user experience design, and data-driven decision-making. From tracking conversions to optimising page layouts and personalising content, these tiny data files drive immense value. However, the regulatory landscape is shifting, and cookieless tracking technologies are challenging the way we collect and use data.

This guide offers the detailed breakdown of analytics cookies, covering their technical structure, applications in leading tools, compliance standards, and future-proof strategies for privacy-first analytics.

Analytics cookies are small, non-essential cookies that store user interaction data to help website owners understand how visitors engage with their websites. These cookies do not store personal information directly but can be used to identify behaviour patterns when paired with other identifiers.

What they collect:

• Pages visited
  
• Time spent on each page
  
• Traffic sources (e.g. referrals, direct, paid)
  
• Navigation patterns (e.g. clicks, scrolls, exits)
  
• Device and browser information
  

Common applications:

• A/B testing
  
• Funnel analysis
  
• Retention metrics
  
• Audience segmentation
  
• Cross-channel attribution
  

These cookies are instrumental for marketers, UX designers, product managers, and analysts.

Understanding how analytics cookies are classified is essential for two reasons: compliance and optimisation. From a legal standpoint, different types of cookies are subject to different rules depending on their purpose and persistence. On the optimisation side, classifying cookies correctly helps organisations deploy tracking technologies that align with business goals while maintaining user trust.

Cookies can be grouped by their lifespan and origin:

1. By lifespan:

• Session cookies: Temporary. Cleared once the user exits the browser. Useful for real-time analytics.
  
• Persistent cookies: Stored for a set duration (e.g., 6 months, 2 years). Useful for recognising repeat visits.
  

2. By origin:

• First-party cookies: Created by the website domain the user is visiting. Preferred under GDPR and modern browser policies.
  
• Third-party cookies: Created by external domains (e.g., ad networks). Now blocked or deprecated in most browsers.
  

A cookie typically contains:

• Name: e.g., _ga, hubspotutk
  
• Value: An encrypted or hashed user/session ID.
  
• Domain: The domain that set the cookie. E.g. clariyt.ms
  
• Path: The URL path the cookie applies to. E.g. adobedtm.com|sc-static.net
  
• Expiry date: Determines how long the cookie is valid
  
• Secure flag: Ensures it’s sent only over HTTPS
  
• SameSite attribute: Controls whether it is sent with cross-site requests
  

Different analytics tools leverage cookies to collect, structure, and analyse behavioural data in various ways. The following section explores how each platform uses its cookies, supported by scenarios showing how businesses can derive practical value. While we have listed the most widely used and important cookies for each tool, these platforms often use additional cookies for session integrity, campaign attribution, experimentation, and feature functionality. You can find the full cookie lists in their official documentation or developer resources.

Google Analytics 4 (GA4)

GA4 uses cookies like _ga, _gid, and _gat to manage user and session IDs. For instance, an e-commerce store may use these cookies to identify new versus returning customers and evaluate purchase paths over multiple sessions. The data can help optimise category pages that see high drop-off.

• _ga: Distinguishes users (2 years)
  
• _gid: Tracks session-level data (24 hours)
  
• _gat: Regulates request rates (1 minute)
  

Through Consent Mode, GA4 can anonymise user data when consent is withheld, still offering aggregate performance metrics.

Adobe Analytics

Adobe Analytics offers robust tracking through cookies such as s_vi, s_fid, and s_ecid. A B2B SaaS provider might use Adobe to monitor which whitepaper downloads lead to demo requests across long sales cycles. CNAME subdomain implementation ensures cookies remain first-party.

• s_vi: Unique visitor tracking (2 years)
  
• s_fid: Backup identifier when standard cookie is blocked
  
• s_ecid: Persistent ID linked to Adobe Experience Cloud
  

Adobe’s real-time segmentation and data feeds rely heavily on these identifiers.

Microsoft Clarity

Clarity focuses on user behaviour through session replays and heatmaps. A content-driven website can use Clarity cookies to visualise where readers lose interest or drop off, allowing refinement of article layout or CTAs.

• _clck: Retains visitor ID for consistent tracking
  
• _clsk: Links multiple pageviews into a session
  
• CLID: Recognises first-time users across domains
  

Clarity’s Consent API ensures these cookies only fire after consent.

HubSpot

HubSpot combines analytics with CRM functionality. A B2B company may track user journeys from email click to form submission to sales call, linking this data via hubspotutk and __hstc cookies.

• hubspotutk: Tracks user identity from forms (6 months)
  
• __hstc: Logs session timestamps and counts
  
• __hssc: Tracks pageviews per session
  
• __hssrc: Detects new sessions when the browser restarts
  

HubSpot’s ability to attribute user activity to contact records relies on these analytics cookies being active.

Each of these platforms serves distinct business goals—from top-of-funnel awareness to conversion tracking—and their cookie implementation reflects those priorities.

Other analytics tools that use cookies include:

Hotjar

• Heatmaps, scrollmaps, clickmaps
  
• hjSessionUser, _hjIncludedInSessionSample: Identify session behaviour
  

Matomo

• Privacy-centric open-source platform
  
• _pk_id, _pk_ses: Track unique visitors and sessions
  _pk_id

Facebook, TikTok, LinkedIn Pixels

• Trigger cookies for remarketing, event tracking, and cross-device attribution
  
• Require explicit consent per GDPR/CCPA

No, analytics cookies are not considered essential.

Essential cookies are those strictly necessary for a website to function, like remembering login details, keeping items in a shopping cart, or enabling core site navigation. These can be set without user consent under laws like the GDPR.

Analytics cookies, on the other hand, track user behaviour to help website owners understand how visitors use their site, such as which pages get the most traffic, how long users stay, or where they drop off. While incredibly useful for improving user experience and making data-driven decisions, these cookies are not required for basic site functionality.

Because they process behavioural data, analytics cookies are considered non-essential. As such, they must be handled transparently and in full compliance with privacy laws.

Effective consent management is at the heart of privacy-first analytics. With regulations like the GDPR requiring user consent before dropping non-essential anaytics cookies, businesses must design clear and trustworthy consent flows. This isn’t just a compliance checkbox, but a way to build long-term trust with your audience while ensuring data accuracy and legal safety.

Here are some key best practices to implement:

1. Categorise cookies: Clearly separate cookies into Essential, Analytics, and Marketing categories. This helps users make informed decisions and enables granular consent management.
2. Display clear, accessible banners: Ensure your cookie banner appears promptly, doesn’t obstruct content, and explains cookie usage in plain language.
3. Block analytics cookies until consent is given: Don’t load scripts like Google Analytics or Hotjar until the user opts in. Use tag managers and consent frameworks to enforce this.
4. Record and manage consent logs: Maintain a secure record of when and how consent was given, as required under the GDPR.
5. Provide opt-out and preference change mechanisms: Users should be able to withdraw or update consent as easily as they gave it. Offer persistent consent icons or links.
6. Comply with Consent Mode & IAB TCF v2.2 if applicable: If you are involved in programmatic advertising in the EU, ensure your CMP is aligned with the Transparency and Consent Framework (TCF) to ensure ad tech compatibility and compliance. Also, make sure your CMP supports GCM.

The transition to a cookieless tracking is one of the most significant changes in digital marketing and analytics. It’s driven by a confluence of evolving user expectations, tighter data protection laws, and strategic shifts from major browser developers and tech platforms. This shift challenges businesses to rethink how they collect, measure, and use behavioural data while maintaining transparency and user trust.

What’s driving the shift?

• Browser-level restrictions: Major browsers like Safari and Firefox have already blocked third-party cookies by default. Google Chrome, the last major holdout, is also offering alternatives like Privacy Sandbox initiative.
• User privacy awareness: Users are more conscious of how their data is collected and shared. Consent fatigue, data breaches, and heightened media scrutiny have made privacy a top concern.
• AdTech accountability: Regulatory pressure and ethical debates are pushing advertisers and data brokers to reduce opaque tracking practices and focus on measurable, permission-based engagement.

Emerging alternatives

To adapt, businesses and platforms are turning to solutions that preserve functionality without relying on traditional third-party cookies:

• Server-side tagging: Shifts data collection from the browser to the server, reducing reliance on cookies and increasing data control. It’s particularly useful for ensuring tracking continuity despite browser-level blocks.
• Google Privacy Sandbox: A suite of APIs including Topics (interest-based targeting), FLEDGE (retargeting without cross-site tracking), and Attribution Reporting. These aim to replace third-party cookies with aggregated, anonymised data.
• Identity resolution tools: Solutions like UID 2.0 use hashed and encrypted email addresses (with consent) to track user behaviour across platforms in a privacy-conscious way.
• First-party tracking scripts: Businesses are increasingly deploying their own tracking scripts hosted on their domains, which set first-party cookies and avoid third-party restrictions.
• On-device data processing: User data is processed locally on the device rather than sent to a central server. This model supports personalised experiences while minimising data exposure.

Together, these technologies offer a future-proof way to continue capturing meaningful analytics without compromising on privacy or regulatory compliance.

In response to evolving regulations and heightened user expectations, privacy-preserving analytics technologies are becoming essential. These methods allow businesses to maintain meaningful insights while minimising or eliminating the use of personally identifiable information (PII). Below are some of the most widely researched and implemented techniques, along with an overview of their practical adoption and industry relevance.

1. Differential Privacy

Adds statistical noise to datasets to obscure individual-level information while preserving the accuracy of aggregated results. It is highly regarded in academic and government settings, used by Apple and the U.S. Census Bureau, but is still gaining traction in mainstream commercial applications.

2. Federated Learning

Trains models locally on user devices without centralising raw data. Only the updated model parameters are shared, enhancing privacy. It’s a promising technique adopted by Google for mobile apps and predictive typing, though it’s complex to scale across diverse web environments.

3. Homomorphic Encryption

Allows data to remain encrypted during processing, enabling analytics on protected data. Though mathematically powerful and secure, it remains computationally intensive and is primarily used in highly regulated sectors like healthcare and finance.

4. Synthetic Data Generation

Creates artificial datasets that mimic real data distributions without exposing actual user data. This method is especially useful for testing, training machine learning models, and compliance validation. Its adoption is growing due to its balance between privacy and utility, especially in analytics and R&D.

5. K-Anonymity and L-Diversity

These anonymisation techniques generalise data to prevent individual identification. While relatively easier to implement than encryption-based methods, their effectiveness can diminish with highly granular or complex datasets. Still, they remain foundational for many data masking and de-identification strategies.

Choosing the right privacy-preserving technique depends on the balance between your organisation’s regulatory obligations, technical capacity, and analytical goals.