Topic · TRACKING

Analytics without cookies

Cookieless analytics tools and the legal carve-outs that let you skip the banner.

Cookieless analytics tools sidestep the EU cookie banner requirement entirely — but only when configured correctly. The core legal hook is ePrivacy Directive Article 5(3), which conditions consent on “access to or storage of information on terminal equipment”. No storage, no access — no consent needed.

Tools that qualify by default

Plausible Analytics — EU-hosted (Germany), no cookies, no localStorage, no fingerprinting. Hashed IP+UA daily salt rotated for visitor counting.
Fathom Lite — EU-routed via Cloudflare. Hashed visitor IDs, no persistent identifiers.
Pirsch — German-hosted. Same approach as Plausible.
Umami (self-hosted) — open-source, you control the deployment. No cookies in default config.
Matomo with cookies disabled — Matomo can run cookieless via the setRequestMethod('POST') + disableCookies() calls. The German DSK and Dutch AP have published explicit guidance accepting this configuration.

What “cookieless” really means

The standard the regulators use isn’t “no cookies” — it’s “no terminal-equipment access”. A tool can be cookieless and still trigger ePrivacy if it:

Reads localStorage or sessionStorage
Uses etag, cache-control, or other browser-cache fingerprinting
Generates a stable client-side ID derived from canvas, WebGL, fonts, or screen dimensions

Server-side analytics — counting requests in your nginx/CDN logs — is exempt entirely. No client-side code runs.

What you give up

Cookieless tools do not track returning visitors across sessions. Bounce rate is unreliable. Cohort retention isn’t possible. Cross-domain tracking is impossible. Server-to-server CRM enrichment is not built in.

If your business model requires session-level attribution (paid ads, marketplace), Consent Mode v2 + GA4 or Mixpanel with consent is the practical path. Cookieless analytics fits content sites, blogs, documentation, and SaaS dashboards where aggregate visit counts are sufficient.

Stricter regulators

The Italian Garante ruled in 2022 that even some cookieless analytics pings can constitute tracking when tied to identifying context. Plausible-style purely aggregated counters are unaffected; tools that build per-user paths from cookieless pings sit in a grey zone.

See vendor profiles for traffic-light verdicts per jurisdiction.