Utma, utmb, utmz cookies
The cookies named __utma through __utmz are stored by websites that choose to use Google Analytics to see how people use their websites.
These cookies support the part of analytics that take some amount of remembering to figure out
(other details, such as screen resolution, can be figured out on the spot).
Some details:
- __utmz records whether the visitor came from...
- a search engine (and if so, the search keyword used),
- a link, or
- from no previous page - as is the case when you use a bookmark, or typed in a URL themselves
- __utma stores
- the amount of your visits
- the time of the first visit, the previous visit, and the current visit
- __utmb and __utmc are used to approximate how fast people leave, by recording when a visit starts, and approximately ends.
- If you look at cookie state changes (e.g. using firecookie), you will see these change regularly and __utmc expire quickly.
Also:
- __utmv is used for user-custom variables [1]
- __utmx is used by Website Optimizer, when it is being used(verify)
- __utmt is "used to throttle request rate"[2]
- __utmk seem digest hashes of utm values (verify)
These cookie names seem to come from an earlier versions of google analytics called urchin.js, Urchin Tracking Module.
The names are still used by the newer ga.js.
It seems that similar lettering, without the utm, was used by analytics.js (Universal Analytics).
What about the analytics they are part of?
The mentioned cookies support things that rely on some sort of memory.
- how you got there (search, link, or bookmark)
- how often you visit
- how long you stay
To get some idea of what else is sent in (mostly things that can be figured on the spot),
you can e.g. use your browser's debug console to look at the request made.
For ga.js, the request to google (to __utm.gif) includes things like
- utmcc - contains the __utma through __utmz cookies
- utmht - timestamp
- utmhn - hostname that you are visiting
- utmp - path on site
- utmdt - document title
- utmul - user/browser(?) language, e.g. "en-us"
- utmsr - screen resolution, e.g. "1920x1080"
- utmsc - screen colors, e.g. "24-bit"
- utmje - java enabled, either "0" or "1"?
- utmfl - flash version, now often "-" as Flash has been retired
- utmac - the analytics account this is reported to
- utmwv - version (of tracking code)
- utmn - random number (to avoid missed reports due to cached requests?(verify))
(these names happen to be named similarly, but are not cookies - they don't need to be)
Since this contains information about the visit, not so much and not about you, none of this seems particularly privacy-sensitive to reveal
to the site owner, or to google.
Yet if you wish to block such reporting on principle, and get an active idea how common such invisible tracking is rather than just block them (ABP, Privacy Badger), look at things like Ghostery, which shows you the list of used trackers, and which one it's been configured to block.