Cookies, User and Activity Tracking

Understand how cookie tracking works today—with privacy in mind and clear visibility into user behavior across platforms.

Ceyhun Enki Aksan Entrepreneur, Maker

In my previous article, I briefly touched upon first- and third-party cookies. Various rules relating to user data privacy—starting with GDPR—apply to the collection and storage of such information.

Therefore, advertisers and marketing professionals are required to act in accordance with these rules. Naturally, the implementation of these rules may take somewhat longer than expected. In addition to the articles beginning with GDPR, followed by personal data and cookies, I will discuss how monitoring processes should be configured1 2 3 4 5.

User Notification

All publishers must clearly provide a privacy policy that informs visitors about the purposes for which their data (including cookies and visitor information) is collected, as well as the relevant services and tools involved. In addition, all publishers are responsible for complying with existing legal requirements regarding the collection of visitor data.

Google Marketing Platform Advertising Products and Google Ad Manager

Google conducts compliance activities for each country and/or state where its advertising products are valid and shares updates accordingly. In this context, Google has committed to complying with the General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA), since 2017.

Google Marketing Platform advertising products (Display & Video 360, Search Ads 360, and Campaign Manager 360) and Google Ad Manager use cookies to enhance advertising capabilities6. Cookies are widely used for various functions such as making advertisements relevant to users, targeting users, improving campaign performance reports, and preventing the re-display of ads that users have already seen. These cookies do not contain user identity information. However, depending on the publisher’s and user’s settings, data related to cookies used in advertising may be added to the user’s Google account.

Google Marketing Platform advertising products and Google Ad Manager send a cookie to the browser after any interaction, such as an ad impression, click, or request to Google's servers. Once the browser accepts the cookie, it is stored locally. A website or app does not need to display advertisements for this to happen; it is sufficient that the visited website or app includes Google Marketing Platform advertising products or Google Ad Manager ad tags7. Additionally, these products or tags can also load a click tracker or impression pixel instead of a cookie.

Ad Personalization

Personalized Ads

The article can be briefly summarized as follows: remarketing, like personalized advertising, involves selecting users based on specific behaviors and/or identifiers (such as cookies) and then running marketing activities (like ads) targeting those users. Personalized ads are, in fact, a form of remarketing. However, they are executed using additional user data only when the user explicitly grants permission. In short, personalized ads represent an expanded version of the remarketing process. These permissions regarding Google ads are managed via the Google Ad Manager page8.

Of course, there’s an important note to keep in mind: disabling personalization (i.e., turning off online behavioral ads) does not mean that users will no longer see ads online. Rather, these ads will simply not be tailored to potential interests or preferences based on the web browser being used. On the other hand, different ad networks may implement this process in different ways.

Use of Remarketing Data

Google Ads (formerly known as AdWords) enables targeted ads to be displayed to customers through its remarketing feature, using the global site tag (gtag), activity snippets, or remarketing tags defined on a website or app. In these targeted ads, customer data sent to Google servers via the relevant tags forms the basis for targeting. The relevant customer data consists of the URL and redirect URL associated with a tag trigger, specific parameters used in the tracking tag, and ultimately the resulting list of remarketing members.

<script async src="https://www.googletagmanager.com/gtag/js?id=AW-123456789"> </script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }
gtag('js', new Date());
gtag('config', 'AW-123456789');
</script>

Google is responsible for the confidentiality and security of data sent to its servers. However, the scope of customer data used for retargeting falls under the responsibility of the publisher[^18]. For example, data related to the Customer Matching feature may also be sent to Google servers. On the other hand, reports containing audience data can be used across your Google Ads account and all other accounts where you've shared your audiences[^20]. Additionally, if permitted, Google may also analyze aggregated and anonymized retargeting data beneficial to all advertisers, including improving similar audience segments[^7].

Processing of Retargeting Data

Google processes data sent for retargeting purposes as follows[^7]:

Access
: Access controls are implemented to prevent unauthorized access by employees.

Sharing
: Retargeting lists are not shared with any third party, including other advertisers, without your explicit consent. However, data may be shared in compliance with applicable legal requirements, regulations, legal obligations, or official requests.

Retention
: Users in retargeting lists are retained for a specified period (between 1 and 540 days, or a minimum of 30 days in certain cases)[^22]. The obligation to comply with retention period limits falls on the publisher/advertiser. Retargeting data obtained from engagement activities is retained for approximately 30 days to support compliance with advertising policies and to pre-populate newly created retargeting lists.

Excluding Retargeting Data Collection

As mentioned under the Personalized Ads section, users can disable personalized ads based on their own user data. However, in addition to user preference, this action can also be centrally implemented for users who do not wish to see personalized ads, or for reasons related to compliance with rules9.

gtag('set', 'allow_ad_personalization_signals', false);
gtag('config', 'GA_MEASUREMENT_ID', { 'allow_ad_personalization_signals': false });

We use the allow_ad_personalization_signals parameter for this action. By default, this parameter is set to true. When we set its value to false, data collection for personalized ads is disabled. This parameter only prevents the collection of data related to personalized ads, and therefore does not affect conversion tracking10 9.

To perform this action via the measurement protocol, we use the npa=1 parameter11.

If we wish to disable all advertising, reporting, and retargeting features, we can use the allow_google_signals parameter12.

gtag('set', 'allow_google_signals', false);
gtag('config', 'GA_MEASUREMENT_ID', { 'allow_google_signals': false });

To assist advertisers in complying with the California Consumer Privacy Act (CCPA), the restricted_data_processing parameter can be added to the Google Ads tag to indicate whether restricted data processing (RDP) is enabled or not. This option is also available in the Google Tag Manager-defined ad tags. By default, the parameter is set to false (off). When set to true (on), it imposes restrictions on the use of certain data for users residing in California13.

gtag('config', 'AW-123456789', { 'restricted_data_processing': true });

In cases where the AdWords API is used, ensure that the request includes the rdp=1 parameter to indicate restricted data processing14.

Earlier, in the introduction section of the article, I mentioned first-party cookies. To ensure that users can track all conversions generated through Google Ads campaigns regardless of the browser they are using, new cookies are created in the remarketing tag to store information about ad clicks that redirect users to a website or app15 6. To prevent the remarketing tag from creating first-party cookies on the website/app domain, the following line must be added before loading the command script:

var google_conversion_linker = false;

When using conversion_async.js, the setting must be implemented via the google_trackConversion method as follows:

window.google_trackConversion({ google_conversion_linker: false });

Disabling first-party cookies will affect the accuracy of conversion measurement15. For further details, refer to the section Use of Conversion Action Data > Google Ads.

Use of Conversion Action Data

Google and many other advertising platforms leverage conversion action data as input for campaign performance measurement16. This data is used not only to measure conversion performance but also collectively by platforms for the benefit of advertisers. However, conversion action data belonging to an advertiser is not shared with other advertisers without the advertiser’s explicit permission. Of course, regularly reviewing the content provided by advertising platforms on this topic—content that is frequently updated—would be beneficial.

Accurate measurement of conversions will also enable more informed decision-making in campaign management. Furthermore, the ability for platforms to automatically utilize conversion data enables automatic optimization of recommendations based on conversion data. However, for such features (automatic bid suggestions, smart bidding, etc.) to provide value, the platform must have access to the advertiser’s historical conversion data17.

Website-Level Tag Usage

Google recommends using website-level tags for the most accurate measurement of conversion actions. When the automatic tagging feature is enabled in your Google Ads account, a GCLID (Google Click ID) parameter is appended to links. Additionally, new cookies are created to store information about ad clicks and the associated GCLID parameter18.

To disable the first-party cookies that the Global Site Tag creates automatically for conversion tracking, simply set the conversion_linker parameter to false in the config command.

gtag('config', 'AW-123456789', {'conversion_linker': false });

Conversion Tracker is one of the tags recommended by Google Tag Manager. If you've already enabled this tag (Add Tag > Tag Configuration > Conversion Tracker), simply disabling the relevant tag will suffice. If you'd like to disable the tag only for specific pages, then instead of selecting All Pages as the trigger you can choose the relevant pages or other trigger types.

Google Analytics

If the automatic tagging feature is enabled in your Google Ads account and Google Analytics tag is already installed on your website, a GCLID will be stored in a Google Analytics cookie (_gac) for ad clicks19. The Google Ads conversion tracking tag can use this GCLID value stored in the Google Analytics cookie. For this to work, your Google Ads account must be linked to an active Google Analytics property.

To configure Google Analytics so that it does not store the GCLID in the relevant cookies, you can use the exclusion parameter19.

gtag('config', 'UA-XXXXX-Y', {'store_gac': false });

This action can be associated with multiple domain names18.

gtag('set', 'linker', {
'domains': ['landing-destination.com', 'conversion-destination.com']
});

To perform the relevant action via Google Tag Manager, follow these steps: Configuration Settings > Tag Configuration. Simply setting the value of storeGac to false and saving and applying the tag configuration will suffice to exclude the tag19.

Note

The actions mentioned above may lead to a decrease in the accuracy of conversion tracking.

IP Anonymization or Masking

Following the disabling of re-targeting, personalization, and cookie sharing features, the next step is IP anonymization or, alternatively, masking20.

IP Anonymization

When IP anonymization is requested, Google Analytics anonymizes the IP address as soon as technically feasible, at the earliest possible stage of the data collection network. The last eight bits of an IPv4 user IP address and the last 80 bits of an IPv6 address are set to zero in memory shortly after being sent to the Analytics Collection Network. As a result, the full IP address is prevented from being written to disk.
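The truncation described above can be reproduced locally, for example to check what an anonymized address still reveals or to apply the same masking to a site's own access logs (the log step goes beyond what the article covers). This is an added example, not code from the article or from Google; the function names and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example (not Google's code): IPv4 keeps 24 bits (last 8 zeroed),
// IPv6 keeps 48 bits (last 80 zeroed), as described in the text above.

function maskIpv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const octets = parts.map(Number);
  if (octets.some((o) => o > 255)) return null;
  octets[3] = 0; // zero the last eight bits
  return octets.join('.');
}

// Expand an IPv6 literal (with at most one "::") into eight 16-bit groups.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const compressed = halves.length === 2;
  const missing = 8 - head.length - tail.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(compressed ? missing : 0).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function maskIpv6(ip) {
  const groups = expandIpv6(ip);
  if (!groups) return null;
  // 128 - 80 = 48 bits survive, i.e. the first three 16-bit groups.
  return groups.slice(0, 3).map((g) => g.toString(16)).join(':') + '::';
}

// Returns the masked address, or null when the input is not a valid literal.
function anonymizeIp(ip) {
  return ip.includes(':') ? maskIpv6(ip) : maskIpv4(ip);
}

// Mask the client address (first field) of access-log lines before storage.
function scrubAccessLog(lines) {
  return lines.map((line) => {
    const space = line.indexOf(' ');
    const addr = space === -1 ? line : line.slice(0, space);
    const masked = anonymizeIp(addr);
    // Unparseable addresses are replaced with "-" rather than stored in full.
    return (masked === null ? '-' : masked) + (space === -1 ? '' : line.slice(space));
  });
}

// Constructed sample lines (documentation address ranges).
const SAMPLE_LOG = [
  '203.0.113.77 - - [10/Oct/2021:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 5120',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2021:13:55:40 +0000] "GET / HTTP/1.1" 200 812',
  'not-an-ip - - [10/Oct/2021:13:55:41 +0000] "GET / HTTP/1.1" 400 0',
];

console.log(scrubAccessLog(SAMPLE_LOG).join('\n'));
```

The masked IPv4 value still identifies a /24 network and the masked IPv6 value a /48 prefix, so the result is coarser than the original address but not free of location information.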

Google Analytics v4 (GA4)
: IP anonymization is always enabled when data is collected from your application and/or website. This applies to data collected through the Firebase SDKs for apps and through a global site tag containing a Measurement ID for web data flows21. This process also applies to the Measurement Protocol.

Universal Analytics (UA)
: IP anonymization is optional. This process is performed using the aip=1 parameter in the Measurement Protocol11.

We can pass the IP masking request for all activities via the config parameter22.

gtag('config', '<GA_MEASUREMENT_ID>', { 'anonymize_ip': true });

For only specific events, the IP masking request must be passed along with the corresponding event.

gtag('event', 'your_event', { 'anonymize_ip': true });

Opt-out

Some situations may require us to disable the Google Analytics tag without removing it from the website or app. For example, if your website or app allows users to opt out of Google Analytics tracking, you may need to verify the tag’s behavior in response to user requests. For such operations, Google Analytics provides the window['ga-disable-UA-XXXXX-Y'] usage, associated with the relevant measurement ID. By setting the value of the corresponding variable to true, Google Analytics will not perform tracking for the specified ID23.

window['ga-disable-UA-XXXXX-Y'] = true;

The relevant setting must be defined prior to the gtag() function.

<script async src="https://www.googletagmanager.com/gtag/js?id=MEASUREMENT_ID"></script>
<script>
  window['ga-disable-MEASUREMENT_ID'] = true;

  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'MEASUREMENT_ID');
</script>

Consent Mode allows you to configure how tracking tags behave based on user consent. With this mode, Google Analytics, along with other tracking tools such as Google Ads and Facebook Analytics, can indicate whether cookies used for tracking are permitted or denied. This ensures that only cookies for specific user purposes (analytics, statistics, advertising, etc.) are created, based on the user’s consent24.

Consent Mode should be implemented such that it loads before any consent message is displayed for tags. In this way, tags will adjust their behavior based on the user’s cookie consent settings. When all cookie usage is permitted, associated tags will operate normally. Consent Mode is supported by the following products:

  • Google Ads (includes Conversion Tracking and Retargeting. Phone Call Conversions support is not yet available.)
  • Floodlight
  • Google Analytics

Consent Mode works as follows:

Consent status pings : These pings are sent whenever Consent Mode is applied or when the consent status changes (e.g., when the user signs in), and from each page visited, depending on the user’s consent status. These pings report the consent status (e.g., granted or denied) for each consent type (e.g., advertising, analytics, etc.).

Conversion pings : Sent to indicate that a conversion has occurred.

Google Analytics pings : Sent from all pages of a website that has an active Google Analytics tag after tracking events have been recorded.

Pings in each situation may contain the following:

  • Functional data (e.g., headers passively added by the browser):
    • Timestamp
    • User agent (websites only)
    • Referrer
  • Aggregated or non-identifying data:
    • An indication of whether advertising click data (e.g., GCLID/DCLID) was present in the URL of the current or previous page during the user’s navigation on the site
    • Boolean values related to permission status
    • A random number generated on each page load

Consent Mode Behavior

Consent and conversion pings may exhibit the following behaviors, depending on the status of consent settings and the configuration of tags.

  • ad_storage='granted' and analytics_storage='granted' (“default”)
    • Ad-related cookies are readable and writable.
    • IP addresses are collected.
    • The full page URL, including ad click information from URL parameters (e.g. GCLID/DCLID), is collected.
    • Third-party cookies previously set on google.com and doubleclick.net, as well as first-party conversion cookies (e.g. _gcl_*), are accessible.
  • ad_storage='denied'
    • No new ad-related cookies can be created.
    • Existing first-party ad cookies cannot be read.
    • Third-party cookies previously set on google.com and doubleclick.net can be sent in request headers (although their use is restricted to spam and fraud purposes).
    • Google Analytics does not read or write Google Ads cookies. Google signals features also do not collect data for this traffic.
    • IP addresses are used to determine IP location. However, they are never stored in Google Ads and Floodlight systems and are immediately deleted after collection.
    • The full page URL, including ad click information from URL parameters (e.g. GCLID/DCLID), is collected.
  • ad_storage='denied' and ads_data_redaction=true
    • No new ad-related cookies can be created.
    • Existing ad cookies cannot be read.
    • Requests are sent through a different domain. This setting prevents previously configured third-party cookies from being sent in request headers.
    • Google Analytics does not read or write Google Ads cookies. Google signals features also do not collect data for this traffic.
    • Ad click identifiers (e.g. GCLID/DCLID) in request and conversion pings are removed.
    • IP addresses are used to determine IP location. However, they are never stored in Google Ads and Floodlight systems and are immediately deleted after collection.
    • Ad click identifiers in page URLs are removed.
  • analytics_storage='denied':
    • First-party analytics cookies are neither read nor written.
    • Ping requests without cookies are sent to Google Analytics for basic measurement and modeling operations.
    • Google Optimize is unaffected by this setting.

Consent settings are implemented as follows:

// dataLayer and gtag () code
//...
gtag('consent', '<consent_command>', {<consent_type_settings>});

The <consent_command> value can be either default or update. default is used to define the default consent settings applied to a page. update is used to update existing consent settings, typically after a user grants consent through a consent tool24 25.

window.dataLayer = window.dataLayer || [];
function gtag(){
    dataLayer.push(arguments);
}

// ...
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'granted'
});

The <consent_type_settings> determines the behavior of the tag. It can take values of ad_storage and analytics_storage. ad_storage specifies advertising-related cookies, while analytics_storage specifies analytics-related cookies.

For example, to block cookie usage for advertising or analytics purposes, you can set the consent type to “denied” in the “default” command within gtag.js or the Tag Manager container snippet.

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied'
});

These actions can also be performed by specifying a region26 25.

gtag('consent', 'default', {
  'ad_storage': 'denied',
  'region': ['ES', 'FR'] // Spain and France
});
gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'region': ['GB'] // United Kingdom and Northern Ireland
});

Region definitions are valid only for gtag('consent', 'default'), and definitions sent via gtag('consent', 'update') are ignored. If, on the same page, two default commands provide settings for a region and for one of its subregions, the more specific definition that matches the visitor’s location is applied.

If the consent tool in use is loaded asynchronously, it is not guaranteed to load before the Google tags. In such cases, the wait_for_update parameter can be used to define a waiting period.

// Set 'ad_storage' to 'denied', but wait for 500 ms if an update is pending.
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'wait_for_update': 500  // milliseconds
});
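The ordering rules stated above (the ga-disable flag defined prior to gtag(), a consent default in place before tags run, region lists honoured only on default) can be checked mechanically against a recorded sequence of tag steps. This is an added example, not code from the article or from Google; the step format, the rule names and the sample sequences are assumptions constructed for illustration, and it assumes the default must precede the first config or event command.

```javascript
// Added example (not Google's code). A step is either a gtag() argument list,
// or { optOut: id } standing for window['ga-disable-<id>'] = true.
// This step format is an assumption of the example.
const CONSENT_TYPES = ['ad_storage', 'analytics_storage'];
const CONSENT_VALUES = ['granted', 'denied'];

function auditTagSteps(steps) {
  const findings = [];
  let sawGtagCall = false;     // any gtag() call has been made
  let sawDefault = false;      // gtag('consent', 'default', ...) was seen
  let warnedNoDefault = false; // report a missing default only once

  const report = (index, rule, detail) => findings.push({ index, rule, detail });

  steps.forEach((step, index) => {
    // Opt-out flag: must be defined before the first gtag() call.
    if (!Array.isArray(step)) {
      if (step && step.optOut && sawGtagCall) {
        report(index, 'opt-out-after-gtag', step.optOut);
      }
      return;
    }

    sawGtagCall = true;
    const [command, target] = step;
    const params = step[2] && typeof step[2] === 'object' ? step[2] : {};

    if (command === 'config' || command === 'event') {
      if (!sawDefault && !warnedNoDefault) {
        report(index, 'tag-before-consent-default', String(target));
        warnedNoDefault = true;
      }
      return;
    }
    if (command !== 'consent') return; // 'js', 'set', ... are not audited here

    if (target !== 'default' && target !== 'update') {
      report(index, 'unknown-consent-command', String(target));
      return;
    }
    if (target === 'default') sawDefault = true;
    // Region lists are valid only on 'default'; on 'update' they are ignored.
    if (target === 'update' && 'region' in params) {
      report(index, 'region-ignored-on-update', String(params.region));
    }
    for (const type of CONSENT_TYPES) {
      if (type in params && !CONSENT_VALUES.includes(params[type])) {
        report(index, 'invalid-consent-value', `${type}=${params[type]}`);
      }
    }
  });
  return findings;
}

// Constructed sequence with four mistakes.
const BROKEN_PAGE = [
  ['js', new Date(0)],
  ['config', 'UA-XXXXX-Y'],
  ['consent', 'default', { ad_storage: 'denied', wait_for_update: 500 }],
  { optOut: 'UA-XXXXX-Y' },
  ['consent', 'update', { ad_storage: 'allow', region: ['ES', 'FR'] }],
];

// Constructed sequence that follows the rules (the visitor has opted out of UA).
const CORRECT_PAGE = [
  { optOut: 'UA-XXXXX-Y' },
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied', region: ['ES', 'FR'] }],
  ['consent', 'default', { ad_storage: 'denied', wait_for_update: 500 }],
  ['js', new Date(0)],
  ['config', 'UA-XXXXX-Y', { anonymize_ip: true }],
  ['consent', 'update', { ad_storage: 'granted', analytics_storage: 'granted' }],
];

console.log(auditTagSteps(BROKEN_PAGE).map((f) => `${f.index}: ${f.rule} (${f.detail})`));
console.log(auditTagSteps(CORRECT_PAGE).length);
```

On a live page the same list can be built by wrapping gtag() so that every call is also appended to an array before it is pushed to dataLayer.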

These actions are processed by Facebook as follows.

fbq('consent', '<consent_command>');
fbq('init', '<pixel-ID>');
fbq('track', 'PageView');

Either the revoke or the grant value must be provided for <consent_command>. grant gives the relevant cookie permissions, while revoke blocks cookie usage.27 28

Data Collection, Deletion, and Storage

Data Collection

As mentioned in my article, advertisers who engage in retargeting, personalized advertising, and conversion tracking must obtain consent for the use of cookies29. This consent also covers previous user data. Therefore, if data has already been collected to identify users, such data must be deleted. Of course, data that is currently being stored on behalf of users must also be deleted upon user request. In addition, users may use identifying information (e.g., during site searches) in their interactions. When such personal identifying information (PII) is detected, the relevant data must be deleted30. For example, in some cases, like in the UK, a postal code can uniquely match a single property. Thus, such data should also be considered personal identifying information31.

Data Retention

Data retention processes may allow tracking and advertising tools to determine the period during which data is stored. For instance, Google, under the retention period definition, permits data to be retained at the user level and activity level, including user identifiers (e.g., User ID) and advertising identifiers (e.g., DoubleClick cookies, Android Ad ID, Apple Ad Identifier)31.

The following points should be observed regarding retention periods:

  • Standard Google Analytics aggregated reports are outside the scope of this policy. The user- and activity-level data managed by this setting is only needed when you use specific advanced features such as creating custom report segments or unusual, ad-hoc reports.
  • Data retention and user engagement reset controls cover activity and user-level data stored by Google Analytics, while certain user-property-based data is automatically deleted by Google Analytics if it has not been used for a particular user for six months.
  • When the retention period is reduced, all affected data is deleted in the following monthly cycle. For example, if the period is changed from 26 months to 14 months, data older than 14 months will be deleted in the next monthly cycle.
  • Whenever the retention period is changed, Analytics implements the change 24 hours later. During this 24-hour window, the changes can be reverted without affecting previously stored data.

Data retention settings are applied at the property level.

Universal Analytics (UA) and Data Retention Period

For Universal Analytics properties, user and activity-level data can be retained for 14 months, 26 months, 8 months, 50 months, or indefinitely. The maximum retention period for data related to Google signals in Analytics is 26 months, regardless of your settings. Changing the retention period or selecting the “retains indefinitely” option does not affect previously collected data. For example, data collected when the 14-month option was selected will be deleted 14 months after collection, even if the retention period is later changed to 26 months. The new retention period applies to data collected after the relevant setting change.

GA4 and Data Retention Period

In GA4 properties, the retention period for user-level data, including conversions, is fixed at a maximum of 14 months. For all other activity data, the retention period may be either 2 months or 14 months. The 2-month retention period is always applied to age, gender, and interest data, independently of settings. Changes to extend the retention period or set it to automatically expire also affect previously collected data.

The data files uploaded by advertisers are retained only for the duration necessary to create Customer Matching audience lists and to verify compliance with Google’s advertising policies. After these processes are completed, the data files uploaded to Google Ads or the Google Ads API are immediately deleted32.

Retargeting with Google Ads or Floodlight Tags and Data Retention Period

Advertisers determine which users are added to or excluded from retargeting lists and for how long they remain in each list32.

Audience Lists Provided by Campaign Manager 360 and Data Retention Period

Advertisers control how long cookies remain in a specific audience list32.

Analytics - Data Deletion Procedures

Data Deletion

If data collected from Analytics servers needs to be deleted, the Data Deletion Request feature can be used to request the removal of such data. Data deletion requests are processed in the UTC time zone.

GA4

At most, 25 data requests can be sent simultaneously per property. Sent requests can be tracked by property, and these requests can be canceled within 7 days from the time they are created33.

Universal Analytics (UA)

Up to 250 active (pending) requests can be sent per property. Once the data deletion process has started, there is no option to cancel the request34.


Footnotes

  1. William Malcolm. (2017). Getting ready for Europe’s new data protection rules
  2. Helping advertisers comply with GDPR. Google Ads Support
  3. Ezequiel Bruni. (2019). Does the Web Really Need Cookies?
  4. Websites and apps that use Google advertising services. Your Online Choices
  5. Helping publishers and advertisers with consent. Google Cookie Choices
  6. How does Google use cookies? Google Privacy & Terms
  7. How do Google Marketing Platform advertising products and Google Ad Manager use cookies? Display & Video 360 Support
  8. Personalized advertising. Google Ad Manager
  9. Opt out of personalized advertising data collection. Google Ads Support
  10. Disable Advertising Features. Google Analytics
  11. Measurement Protocol Parameter Reference.
  12. Disable Advertising Features. GA4 https://developers.google.com/analytics/devguides/collection/ga4/display-features
  13. Helping advertisers comply with CCPA in Google Ads. Google Ads Support
  14. Restricted data processing (CCPA) settings in Google’s publisher ad tags. Google AdMob Help
  15. Tag your website for retargeting. Google Ads Help
  16. About conversion tracking. Google Ads Help
  17. How does Google use conversion data? Google Ads Help
  18. How does Google Ads track website conversions? Google Ads Help
  19. Use Google Analytics to support conversion tracking in Google Ads. Analytics Help
  20. Account setup with additional privacy features
  21. Add account, property, or data stream. Analytics Help https://support.google.com/analytics/answer/9304153?visit_id=637444791761185926-1672909639&rd=1
  22. IP anonymization with gtag.js. Google Analytics https://developers.google.com/analytics/devguides/collection/gtagjs/ip-anonymization
  23. User Opt-out. Google Analytics https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out & Disable Google Analytics https://developers.google.com/analytics/devguides/collection/ga4/disable-analytics
  24. Opt-out Mode. Google Analytics https://support.google.com/analytics/answer/9976101?hl=tr&ref_topic=2919631
  25. Adjust tag behavior based on consent. Google Site Tag https://developers.google.com/gtagjs/devguide/consent
  26. ISO 3166-2. Wikipedia https://en.wikipedia.org/wiki/ISO_3166-2
  27. General Data Protection Regulation. Facebook for Developers https://developers.facebook.com/docs/facebook-pixel/implementation/gdpr/
  28. Cookie Settings for the Facebook Pixel. Facebook for Business https://www.facebook.com/business/help/471978536642445?id=1205376682832142
  29. Google Analytics Cookie Usage on Websites.
  30. Best practices to prevent transmission of personally identifiable information (PII).
  31. Data retention. Analytics Help
  32. Assisting advertisers in complying with GDPR. Google Ads Help
  33. Data deletion requests (Google Analytics 4). Analytics Help
  34. Data deletion requests (Universal Analytics). Analytics Help