What Happens When You Load Google Analytics: A Packet-by-Packet Breakdown
Most website owners add Google Analytics because it's free and everyone uses it. But few have actually looked at what happens under the hood when GA loads on a page.
I did. Here's every request, every cookie, and every data point GA sends to Google when someone visits your site.
The initial load: gtag.js
When your page loads with the standard GA4 snippet, the browser makes its first request:
```
GET https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX
```
This returns ~82 KB of JavaScript (minified). For context, our entire analytics script at Fairlytics is 510 bytes gzipped. GA's script is roughly 160x larger.
But the size isn't the real issue. It's what that script does next.
The cookies: what GA plants in your browser
Immediately after loading, GA sets these cookies:
```
_ga=GA1.1.1234567890.1712345678      // Unique user ID — expires in 2 years
_ga_XXXXXXXXXX=GS1.1.1712345678...   // Session data — expires in 2 years
```
The _ga cookie contains a client ID — a unique identifier that persists across sessions for two years. This is why GA requires a cookie consent banner under GDPR. This single cookie is enough to constitute personal data processing under EU law.
Some GA4 configurations also set:
```
_gid=GA1.1.9876543210.1712345678   // 24-hour user identifier
_gat_gtag_XXXXXXXXXX=1             // Throttle token
```
That's up to 4 cookies set before the user has done anything except load your page.
The collection request: what gets sent to Google
After setting cookies, GA fires a request to Google's collection endpoint. Here's what a real GA4 collect request looks like:
```
POST https://www.google-analytics.com/g/collect
?v=2 // Protocol version
&tid=G-XXXXXXXXXX // Your measurement ID
&gtm=45je4... // GTM container hash
&_p=1234567890 // Page load hash
&cid=1234567890.1712345678 // Client ID (from _ga cookie)
&ul=en-us // User language
&sr=1920x1080 // Screen resolution
&uaa=x86 // CPU architecture
&uab=64 // Architecture bitness
&uafvl=Chromium%3B124... // Full browser version list
&uamb=0 // Mobile flag
&uam= // Device model
&uap=Windows // Platform
&uapv=10.0.0 // Platform version
&uaw=0 // WoW64 flag
&_s=1 // Session hit count
&sid=1712345678 // Session ID
&sct=1 // Session count
&seg=1 // Session engaged flag
&dl=https://yoursite.com/page // Full page URL
&dr=https://google.com/ // Full referrer URL
&dt=Page%20Title // Page title
&en=page_view // Event name
```
Let's count the data points: client ID, language, screen resolution, CPU architecture, bitness, full browser version, mobile flag, device model, platform, platform version, WoW64 flag, session ID, session count, full page URL, full referrer, and page title.
That's at least 17 data points per page view, many of which are high-entropy values that can contribute to browser fingerprinting.
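To run the same audit on a request captured from your own site, the sketch below groups a collect request's parameters by what they reveal and checks that `cid` is the identifier stored in the `_ga` cookie. It is an added example, not code from the original article or from Google. The sample URL and cookie are constructed from the values shown above, and the category names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the parameters listed above joined into one URL.
SAMPLE_URL = (
    "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX"
    "&cid=1234567890.1712345678&ul=en-us&sr=1920x1080&uaa=x86&uab=64"
    "&uafvl=Chromium%3B124&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0"
    "&_s=1&sid=1712345678&sct=1&seg=1"
    "&dl=https%3A%2F%2Fyoursite.com%2Fpage&dr=https%3A%2F%2Fgoogle.com%2F"
    "&dt=Page%20Title&en=page_view"
)
SAMPLE_GA_COOKIE = "GA1.1.1234567890.1712345678"  # constructed, as shown above

# Grouping follows the article's descriptions; the bucket names are illustrative.
CATEGORIES = {
    "persistent_id": {"cid"},
    "session": {"sid", "sct", "seg", "_s"},
    "device": {"ul", "sr", "uaa", "uab", "uafvl", "uamb", "uam", "uap", "uapv", "uaw"},
    "content": {"dl", "dr", "dt"},
}

def client_id_from_cookie(value):
    """The last two dot-separated fields of _ga form the client ID."""
    parts = value.split(".")
    if len(parts) < 4:
        raise ValueError("unexpected _ga format")
    return ".".join(parts[-2:])

def audit_collect(url):
    """Group a collect request's query parameters by what they reveal."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    report = {name: {} for name in CATEGORIES}
    report["other"] = {}
    for key, values in params.items():
        bucket = next((c for c, keys in CATEGORIES.items() if key in keys), "other")
        report[bucket][key] = values[0]  # percent-decoded by parse_qs
    return report

if __name__ == "__main__":
    report = audit_collect(SAMPLE_URL)
    for bucket, fields in report.items():
        print(f"{bucket:14} {fields}")
    linked = client_id_from_cookie(SAMPLE_GA_COOKIE) == report["persistent_id"]["cid"]
    print("cid matches _ga cookie:", linked)
```

Paste a URL copied from the browser's network panel in place of `SAMPLE_URL`; anything that lands in `other` is a parameter this grouping does not yet classify.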
What Google knows from this single request
From one page view, Google can derive:
- Who you are — the `cid` parameter tracks you across sessions for 2 years
- Your exact browser — the User-Agent Client Hints fields (`uafvl`, `uaa`, `uab`) give Google precise browser fingerprinting data
- Your device — screen resolution, platform, architecture, device model
- Where you came from — the full referrer URL, not just the domain
- Where you are — your IP address (used server-side for geolocation and audience reports)
- Your browsing pattern — session count, session engagement, hit count
And this data goes to Google's servers in the US. Which is why multiple EU authorities have ruled Google Analytics illegal — because this constitutes a transfer of EU personal data to a jurisdiction without adequate protection.
The consent paradox
Here's where it gets absurd. Because GA sets cookies and collects the data above, EU law requires you to show a consent banner. But research consistently shows that 50–80% of users reject cookie banners when given a fair choice.
So your analytics are incomplete by design. You're collecting invasive data from the users who accept, and no data from the users who reject. Your analytics are both a privacy violation and inaccurate.
What a privacy-first alternative sends
Here's what Fairlytics sends when a visitor loads your page:
```
POST https://app.fairlytics.dev/api/collect
{
  "site": "abc123",
  "url": "/blog/my-post",
  "ref": "google.com",
  "title": "My Post"
}
```
Four fields. That's it.
What happens server-side:
- IP address → used to derive a 2-letter country code → immediately discarded (never touches disk)
- User-Agent → parsed into browser family + OS family → raw string discarded
- Referrer → reduced to domain only → full URL discarded
- URL → query parameters stripped
No cookies. No client ID. No session persistence across visits. No screen resolution. No CPU architecture. No browser fingerprinting. No data sent to any third party.
The result: you get page views, unique visitors (estimated via daily-rotating anonymous hashes), top pages, referrers, countries, and devices. Everything you actually need to understand your traffic. Nothing you don't.
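A sketch of how the server-side reductions and the daily-rotating visitor hash described above could be implemented. This is an added example, not Fairlytics' actual code: the HMAC-SHA256 construction, the in-memory `DailySalt` class, the `minimize` function and the output field names are all assumptions, and the sample IP and user agent are constructed. Country and browser-family lookup are left out.

```python
import hashlib
import hmac
import secrets
from datetime import date
from urllib.parse import urlsplit

class DailySalt:
    """Random salt held only in memory and replaced when the date changes."""
    def __init__(self):
        self._day, self._salt = None, b""

    def for_day(self, day):
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

def minimize(event, ip, user_agent, salt_source, day=None):
    """Reduce a raw hit to the stored fields; IP and raw UA are never returned."""
    day = day or date.today()
    salt = salt_source.for_day(day)
    material = f"{event['site']}|{ip}|{user_agent}".encode()
    visitor = hmac.new(salt, material, hashlib.sha256).hexdigest()[:16]
    ref = event.get("ref") or ""
    # Accept a bare domain or a full URL; keep only the host part.
    ref_host = urlsplit(ref if "//" in ref else "//" + ref).hostname or ""
    return {
        "site": event["site"],
        "day": day.isoformat(),
        "path": urlsplit(event["url"]).path,  # query string and fragment dropped
        "ref": ref_host,
        "visitor": visitor,
    }

if __name__ == "__main__":
    salts = DailySalt()
    hit = {  # constructed sample hit
        "site": "abc123",
        "url": "/blog/my-post?utm_source=mail&token=s3cret",
        "ref": "https://google.com/search?q=private+query",
    }
    ua = "Mozilla/5.0 (constructed sample)"
    for day in (date(2024, 4, 5), date(2024, 4, 5), date(2024, 4, 6)):
        print(minimize(hit, "203.0.113.7", ua, salts, day))
```

The first two rows share a `visitor` value and the third does not. Once the previous day's salt has been replaced, that day's hashes cannot be recomputed from a known IP and user agent, so visits cannot be linked across days.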
The numbers compared
| Data point | Google Analytics 4 | Fairlytics |
|---|---|---|
| Script size | ~82 KB | 510 bytes gzipped |
| Cookies set | 2–4 | 0 |
| User tracking duration | 2 years | None |
| Data fields per pageview | 17+ | 4 |
| IP address storage | Yes (for geolocation) | Never stored |
| Requires consent banner | Yes (EU, UK, many US states) | No |
| Data sent to third party | Google (US) | Nowhere |
Why this matters beyond privacy
This isn't just about GDPR compliance or being nice to your users. There are practical consequences:
- Performance: loading 82 KB of tracking JS measurably slows your page. On mobile connections, it's worse. Core Web Vitals matter for SEO.
- Accuracy: if half your users reject the cookie banner, you're making decisions based on a biased sample.
- Legal risk: GDPR fines can reach 4% of global revenue. Multiple companies have already been fined for using Google Analytics without valid consent.
- Trust: users notice cookie banners. They notice tracking. It affects how they perceive your brand.
What you can do
If you want to understand your traffic without all the baggage:
- Remove Google Analytics
- Add a privacy-first alternative — it takes about 60 seconds
- Delete your cookie consent banner — you won't need it anymore
Your analytics will actually be more accurate because you'll be measuring 100% of your visitors, not just the ones who clicked "Accept."
Fairlytics is a privacy-first analytics tool built in Barcelona. 510 bytes. Zero cookies. Try it free — takes under 2 minutes to set up.