Cookies and consent management (Browser SDK)

This guide covers functional and technical information on how Amplitude Browser SDK 2 works with cookies, local storage, opt-in/opt-out options, and consent management (including CNIL regulations for France).

Browser SDK 2 compatibility

This guide covers the behavior with Browser SDK 2 (TypeScript SDK). For information about the legacy JavaScript SDK, see the legacy cookies and consent management guide.

Amplitude cookies

A "cookie" is a piece of data from a website that browsers store on users' devices. Websites retrieve cookies later to access stored data for functional or technical purposes. After initialization, Amplitude Browser SDK 2 creates cookies that begin with specific prefixes and include the first 10 digits of your project API key.

For example, if you initialize the SDK with:

import * as amplitude from "@amplitude/analytics-browser";
amplitude.init("a2dbce0e18dfe5f8e...");

Amplitude Browser SDK 2 creates cookies with the following format:

User session cookies: AMP_ with the first 10 characters of your project's API Key appended (for example, AMP_a2dbce0e18)
Marketing campaign cookies: AMP_MKTG_ with the first 10 characters of your project's API Key appended (for example, AMP_MKTG_a2dbce0e18)

Test cookies

During initialization, the SDK may create temporary test cookies to verify cookie functionality:

AMP_TEST_ followed by a timestamp: Tests whether cookies work
AMP_TLDTEST_ followed by a timestamp: Finds the appropriate subdomain for cookie storage

The SDK automatically removes these test cookies after testing completes. If they persist, you can safely delete them manually.

The SDK stores different types of information in cookies:

User session cookies (`AMP_*`)

The user session cookie contains metadata necessary for the SDK to function correctly:

deviceId: A randomly generated string that persists across sessions
userId: When users log in, if your app sends this value to Amplitude, the SDK stores it in the cookie. Set this to uniquely identify users. Amplitude encodes this value as Base64 before storing it.
sessionId: A randomly generated string for each session
lastEventTime: Time of the last event, used to decide when to expire and create a new session ID
lastEventId: An incrementing sequence of identifiers used to distinguish events

Marketing campaign cookies (`AMP_MKTG_*`)

The marketing campaign cookie stores attribution data including:

UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
Referrer information (referrer, referring_domain)
Click IDs (gclid, fbclid, dclid, gbraid, wbraid, ko_click_id, msclkid, ttclid, twclid, li_fat_id, rdt_cid)

Cookie size can vary from approximately 60 bytes to 120 bytes per cookie. With both user session and marketing campaign cookies, expect around 240 bytes total for Amplitude cookies per project API key.

Expiration time

By default, Amplitude cookies expire after 365 days (1 year). You can customize this with the cookieOptions.expiration configuration parameter:

amplitude.init("API_KEY", {
  cookieOptions: {
    expiration: 30, // Set cookies to expire after 30 days
  },
});

Remove Amplitude cookies

To programmatically remove Amplitude cookies, run the following snippet.

const API_KEY = "1234567890abcdefghijklmnopqrstuv"; // Replace it with your API KEY
const cookieName = `AMP_${API_KEY.substring(0, 10)}`;
const cookieNameMktg = `AMP_MKTG_${API_KEY.substring(0, 10)}`;
const cookies = document.cookie.split(";");

cookies.forEach((cookie) => {
  const [name] = cookie.trim().split("=");

  if (name === cookieName || name === cookieNameMktg) {
    document.cookie = `${name}=; Max-Age=0; path=/; SameSite=Lax`;
  }
});

To anonymize users after they log out.

amplitude.reset();

reset does the following:

Sets userId to undefined
Sets deviceId to a new UUID value

With an undefined userId and a new deviceId, the user appears to Amplitude as a new user.

Disable cookies using localStorage

Set the identityStorage option to configure the SDK to use localStorage rather than cookies.

amplitude.init("API_KEY", {
  identityStorage: "localStorage",
});

Data stored in local storage

When using localStorage, the SDK stores the same user session information that would normally be in cookies, plus:

Unsent events: Events that haven't been successfully uploaded to Amplitude
Failed events: Events that failed to send and are queued for retry

The SDK stores data in localStorage with keys that include your project API key:

AMP_unsent_[API_KEY]: Stores unsent events

Local storage limitations

Local Storage restricts access by subdomain. For example, if you track non-identified users across subdomains like www.amplitude.com and analytics.amplitude.com, their device_id value for each subdomain isn't available while browsing the other.

The Amplitude SDK supports cross-site tracking. For more information, see Cross-domain tracking.

Disable cookies and local storage (opt-out storage)

You can disable all persistent storage by setting identityStorage to none:

amplitude.init("API_KEY", {
  identityStorage: "none",
});

When you disable all storage, Amplitude creates a new device_id for that user every time they visit your site because the SDK can't find an existing ID. If the user logs in or provides other identifying information, Amplitude's identity resolution system ties the various device_id values together with that user ID.

Certain jurisdictions require that users consent to non-essential cookies before any data can be collected. You are ultimately responsible for ensuring that you get any necessary consents and make any necessary disclosures for the personal data you collect and send to Amplitude. You're also responsible for determining how you classify the Amplitude cookies in your cookie policy based on your specific use case and the jurisdictions in which you use them.

Amplitude cookies may be created as soon as the SDK is initialized, regardless of the user's opt-out status. If you require that no cookies are created before consent, you must defer SDK initialization until after consent is obtained.

If you use the Amplitude SDK in one of these jurisdictions, don't initialize the SDK until the user has consented to your use of cookies. This is because Amplitude functions (for example, cookie storage, local storage, and tracking events) are enabled or disabled upon SDK initialization.

Deferred initialization approach

For consent management, you can track events before cookie consent and initialize the SDK later:

// Track events
amplitude.track("Button Clicked");

// Later, when user provides consent,
// initialize the SDK
amplitude.init("API_KEY");

This table gives a brief overview of each option related to storage in Browser SDK 2:

Option	Default Value	Definition
`cookieOptions.expiration`	365	The number of days after which the Amplitude cookie expires. The default 12 months is for GDPR compliance.
`cookieOptions.domain`	`undefined`	Set a custom domain for the Amplitude cookie. To include subdomains, add a preceding period, for example: `.amplitude.com`.
`cookieOptions.secure`	`false`	If `true`, the Amplitude cookie is set with the Secure flag. The secure flag lets the browser send this cookie only when on encrypted HTTPS transmissions.
`cookieOptions.sameSite`	`Lax`	Sets the SameSite flag on the amplitude cookie. Decides cookie privacy policy.
`identityStorage`	`cookie`	Sets storage API for user identity. Options include `cookie` for `document.cookie`, `localStorage` for `localStorage`, `sessionStorage` for `sessionStorage`, or `none` to opt-out of persisting user identity.
`storageProvider`	`LocalStorage`	Sets a custom implementation of `Storage<Event[]>` to persist unsent events.

Abstraction layer for storage

You can find the abstraction layer for storage and available options as well as the metadata that's stored in Amplitude's GitHub repository for the TypeScript SDK:

Frequently asked questions

CNIL France - Frequently asked questions

CNIL France FAQs

FAQs related to CNIL aren't intended as legal or regulatory advice and don't constitute any warranty or contractual commitment on the part of Amplitude. Amplitude encourages customers to seek independent legal advice on your legal and regulatory obligations with issues related to this subject matter.

Was this helpful?

Cookies and consent management (Browser SDK)

Amplitude cookies

Test cookies

Cookie data

User session cookies (AMP_*)

Marketing campaign cookies (AMP_MKTG_*)

Cookie size

Expiration time

Remove Amplitude cookies

Disable cookies using localStorage

Data stored in local storage

Disable cookies and local storage (opt-out storage)

Managing cookie consent

Deferred initialization approach

Configuration options related to storage

Abstraction layer for storage

Frequently asked questions

Are Amplitude's cookies first-party or third-party cookies?

Will Google Chrome's plan to remove third party cookies affect Amplitude?

Why aren't Amplitude cookies marked as `HttpOnly`?

Why aren't Amplitude's cookies marked as secure?

Will cookies cause unsent events to send to a project with a different API key?

How do you integrate with third-party Consent Management Platforms?

Can I use OneTrust with Amplitude to stay GDPR compliant?

CNIL France - Frequently asked questions

CNIL France - What is the CNIL cookie exemption?

CNIL France - What does the CNIL cookie exemption really mean?

CNIL France - What does the CNIL exemption mean for Amplitude and our cookies?

CNIL France - 13-month cookie limit

CNIL France - 25-month data retention max

CNIL France - Purpose strictly limited to the sole measurement of the site's or application's audience

CNIL France - Only serve to produce anonymous statistical data

CNIL France - Compliant with GDPR

CNIL France - Cookies must not lead to a cross-checking of the data with other processing or that data be passed on to third parties.

CNIL France - Cookies must not allow the global follow-up

CNIL France - The data is collected, processed and stored independently for each publisher

CNIL France - The trackers are completely independent of each other and of any other tracker

User session cookies (`AMP_*`)

Marketing campaign cookies (`AMP_MKTG_*`)