Every Cookie Set by Every Major Analytics Tool, Cataloged
Key Takeaways
- Four analytics tools (SealMetrics, Plausible, Fathom, Simple Analytics) set zero cookies; Adobe Analytics sets 6 including 2 third-party cookies.
- GA4 sets 2 first-party cookies (_ga and _ga_XXXX) with a 2-year expiry — each one requires consent under the ePrivacy Directive.
- EU consent rejection rates run between 60% and 70%, meaning any tool that sets cookies measures at most 30-40% of actual traffic.
- Zero cookies means zero consent dependency means 100% data capture — every cookie above zero is a gate most EU visitors will close.
Every cookie your analytics tool sets is a legal liability under the ePrivacy Directive. If the cookie is non-essential and the visitor rejects the consent banner, you lose the data. Not some of it — all of it, for that visitor.
We cataloged every cookie from 9 analytics tools — name, domain, type, expiry, and purpose — using official vendor documentation and DevTools verification on clean browser profiles.
The summary
| Tool | Cookies | 1st-party | 3rd-party | Size (bytes) | Max Expiry |
|---|---|---|---|---|---|
| SealMetrics | 0 | 0 | 0 | 0 | — |
| Plausible | 0 | 0 | 0 | 0 | — |
| Fathom | 0 | 0 | 0 | 0 | — |
| Simple Analytics | 0 | 0 | 0 | 0 | — |
| PostHog | 1 | 1 | 0 | ~70 | 365 days |
| Piwik PRO | 2 | 2 | 0 | ~80 | 13 months |
| Mixpanel | 2 | 2 | 0 | ~200 | 365 days |
| Google Analytics 4 | 2 | 2 | 0 | ~120 | 2 years |
| Adobe Analytics | 6 | 4 | 2 | ~450 | 2 years |
Total cookies (base configuration)
Four tools set zero cookies. The rest range from 1 to 6. Adobe Analytics leads with 6 cookies including 2 third-party cookies on external domains. GA4 sets 2 first-party cookies in its base configuration — fewer than many assume, but each one persists for 2 years.
GA4 cookies in detail
A base GA4 installation (gtag.js, no Google Ads, no Google Signals) sets 2 first-party cookies. Both are placed on your domain. No third-party cookies are set by GA4 itself.
| Cookie | Domain | Type | Expiry | Purpose |
|---|---|---|---|---|
| _ga | .example.com | First-party | 2 years | Client ID — identifies unique browsers |
| _ga_XXXX | .example.com | First-party | 2 years | Session state (session ID, count, engagement) |
Google's _ga cookie persists for 2 years. Once a visitor accepts your consent banner, GA4 can recognize them for up to 24 months. If they reject, GA4 cannot recognize them at all.
A common misconception is that GA4 sets third-party cookies on .doubleclick.net. It does not — not in its base configuration. Third-party cookies on doubleclick.net (like IDE) only appear when Google Signals or Google Ads linking is enabled. With Google Ads, GA4 also sets _gac_gb_* and _gcl_* cookies — but these are first-party cookies on your domain, not third-party. Note: the legacy _gid cookie (24 hours) no longer appears in Google's official documentation, though it may still be set on some older implementations.
Adobe Analytics cookies in detail
A typical Adobe Analytics deployment with the Experience Cloud ID Service (ECID) sets 6 cookies — the most of any tool we tested. Four are first-party. Two are third-party cookies on Adobe's tracking domains: .omtrdc.net and .demdex.net.
| Cookie | Domain | Type | Expiry | Purpose |
|---|---|---|---|---|
| s_vi | .omtrdc.net | Third-party* | 2 years | Visitor ID |
| s_fid | .example.com | First-party | 2 years | Fallback visitor ID (when s_vi fails) |
| AMCV_* | .example.com | First-party | 13 months | Experience Cloud visitor ID (ECID) |
| AMCVS_* | .example.com | First-party | Session | Session initialization flag |
| s_cc | .example.com | First-party | Session | Cookie support check |
| demdex | .demdex.net | Third-party | 180 days | Cross-domain user ID (ECID infrastructure) |
*The s_vi cookie is third-party by default (on .omtrdc.net), but becomes first-party when a CNAME record is configured. With CNAME on Safari, it is capped to 7 days by Intelligent Tracking Prevention.
The demdex cookie is part of the ECID infrastructure — it appears even without Adobe Audience Manager. With Audience Manager enabled, additional third-party cookies (dextp, dst) may also appear on .demdex.net. Safari and Firefox already block these third-party cookies by default.
Why cookies equal consent equal data loss
The ePrivacy Directive (often called the Cookie Law) is clear: non-essential cookies require informed consent before being set. Analytics cookies are non-essential. That means every tool in the table above that sets cookies requires a consent management platform to collect the visitor's permission first.
In the EU, consent rejection rates run between 60% and 70%. That is not a hypothetical — it is what CMPs report across European sites. If your analytics tool sets cookies, you are measuring at most 30–40% of your actual traffic. The rest is invisible.
This is why cookieless analytics is not a privacy preference — it is a data completeness requirement. Every cookie in the tables above represents a consent gate between you and your data.
The third-party cookie problem
Third-party cookies — those set on domains you do not own, like .omtrdc.net or .demdex.net — face an additional problem beyond consent. Browsers are killing them.
Safari's Intelligent Tracking Prevention already blocks all third-party cookies by default. Firefox's Enhanced Tracking Protection does the same. Chrome has restricted third-party cookie access and continues to tighten controls. Adobe's s_vi on omtrdc.net and demdex on demdex.net are already non-functional for a significant share of browsers. When Google Signals is enabled, GA4 also relies on third-party cookies on doubleclick.net — equally blocked.
Tools that depend on third-party cookies for conversion tracking or audience syncing face a shrinking window. The data they claim to capture is already incomplete — and getting worse with every browser update.
The zero-cookie approach
Four tools in our audit set zero cookies: SealMetrics, Plausible, Fathom, and Simple Analytics. All four can operate without consent banners under GDPR because they process no personal data through cookies.
The difference is in what you get beyond zero cookies. Plausible, Fathom, and Simple Analytics are privacy-first lightweight alternatives — they give you pageviews, referrers, and basic metrics. SealMetrics combines zero cookies with enterprise-grade attribution, multi-touch journey mapping, and cookieless first-party data collection that captures 100% of traffic. Zero cookies, zero consent dependency, zero data loss — with the depth that marketing teams at enterprise companies actually need.
How we cataloged
We used two sources for each tool:
- Official vendor documentation — cookie names, domains, types, and expiry periods as published by each vendor (linked in sources below)
- DevTools verification — clean Chrome profile, no extensions, no ad blockers, default settings. Loaded each tool's default installation and checked Application > Cookies
Cookie names, domains, types, and expiry periods come from official documentation. Byte sizes are approximate. Some tools may set additional cookies depending on configuration — GA4 with Google Ads adds first-party _gac_* and _gcl_* cookies; Adobe with Audience Manager adds dextp and dst on demdex.net. The counts above reflect base configurations.
Sources: Google Analytics support.google.com/analytics/answer/11397207, Adobe Experience League experienceleague.adobe.com/docs/core-services/interface/data-collection/cookies/analytics, Piwik PRO Help help.piwik.pro/support/privacy/cookies-created-for-visitors-by-piwik-pro, PostHog Docs posthog.com/docs/libraries/js/persistence, Mixpanel Docs docs.mixpanel.com/docs/tracking-methods/sdks/javascript.
The bottom line
The number of cookies an analytics tool sets directly determines how much of your traffic you can actually measure. Zero cookies means zero consent dependency means 100% data capture. Every cookie above zero is a gate that 60–70% of EU visitors will close.
SealMetrics captures every visit through cookieless first-party collection — no cookies, no consent banners, no data loss. Read more about how we handle data security and compliance, or calculate how much data your current setup is losing.