Google recently modified Google Analytics 4, to allow site owners to configure the duration that specific cookies set by gtag.js would persist for end users. They’ve also released a associated support article which can be viewed here.
Where can I find this setting?
The setting is rather buried in the GA admin screens. To access it in the Property column, find Data Streams, select the Web data stream, then toward the bottom of the stream configuration you’ll see an option for More Tagging Settings. With-in that submenu find Override Cookie Settings, then you’ll get a screen like below, where you’ll need to check the Override Default Cookie Settings checkbox to access the duration and update settings.
In the above menu you can set the duration for any span ranging from 0 (expires at end of session) up to a max of 25 months. This will prompt the associated gtag.js cookies to align to the desired setting. It is recommended this duration be aligned to other data governance requirements, should they exist.
You can also determine here if you want the cookies to reset the expire based on the most recent visit (which is recommended) or the initial visit (which may be useful for some use cases).
Note: While the menu described above allows you to adjust the duration, other cookie options such as Renaming the cookies, toggling the auto-updating of the cookies or setting a custom domain for the cookies needs to be done at either the page configuration, or tag manager level. Directions for those processes can be found here.
What’s the Impact to Reporting?
Generally, what happens when a cookie duration is exceeded is the browser deletes the cookie. This causes GA4 to potentially consider the user a ‘new visitor’ on a subsequent visit, and in such scenarios campaign performance attribution may be lost and any conversion metrics may be attributed to Direct as a result. This scenario should be expected if you believe most of your traffic is being identified by GA4 by anonymous device-id (from the _ga cookie, for example).
You’ll notice I said potentially. The reason for that comes down to the Reporting Identity cascade inside of GA4. The default cascade under the Balanced configuration is User-ID, Google Signals, Device-ID then Data Modeling.
Resetting the cookies may or may not impact a user depending on which of those identification methods GA4 may be using for identification of the user. If, for example, the site was always supplying the User-ID on each visit, the fact the anonymous device-id is being reset between visits would likely not matter a great deal.
As a result, reporting (particularly cohort analysis and campaign performance analysis) is impacted to a greater or lesser degree based on which settings for the cookie are used, which Reporting Identity setting is selected, and which identifier with-in the selected Reporting Identity is used for identification.
Other Aspects Worth Considering
Not mentioned in the documentation or menus, but it’s important to note that the duration setting is a maximum, in reality, it may be far shorter. Cookies are set by gtag.js, which means they are set on the client (browser) using JavaScript. This is why we can adjust how the cookies are set or named via configurations in the Admin Panel or Google Tag Manager.
With that flexibility comes drawbacks. It is because they are set with JavaScript that we may run into problems. Webkit browsers (Safari for Desktop, all iOS browsers, all iPadOS browsers) have a series of privacy controls known as Intelligent Tracking Prevention (ITP) and via this process, despite the desire to have a 25 month cookie expiry, ITP will override your desires at the browser level and cap any cookie set to a maximum of 7 days in most scenarios. In some specific marketing scenarios – this could be as low as 24 hours. If you want precise control over cookie duration, you’d need to explore setting the cookies server side, such as perhaps via Server Side Tagging.
Additionally, it should be noted that while limiting cookie duration to a lower span is typically considered a good thing for limitation purposes, it may not be the primary vector in which analytics identification is being done on a specific site setup. So from a disclosure perspective you’ll want to ensure your various disclosures (such as your privacy policy) reflect all the relevant information accurately for your specific site configuration – particularly if you start adjusting these settings.