Cookie-Free Analytics: The Complete GDPR Compliance Guide

Cookie consent banners are the most hated feature on the internet, and for most websites they are completely unnecessary. If your analytics tool does not use cookies and does not transfer data outside the EU, you can legally track visitors without asking for consent. This guide explains the two overlapping legal frameworks (GDPR and the ePrivacy Directive), how cookie-free analytics tools achieve compliance, and how to migrate away from cookie-dependent tracking.

5 min read | 10 sources | Published 2026-03-28

Key Takeaways

  • Two separate EU laws govern analytics: the GDPR (personal data processing) and the ePrivacy Directive (storing/accessing information on devices). Cookie-free analytics can satisfy both without requiring user consent.
  • Most EU analytics tools (Plausible, Simple Analytics, Pirsch, TelemetryDeck) achieve compliance through hash-based day sessions, server-side collection, or signal-based anonymisation that never stores data on the visitor's device.
  • Removing consent banners for analytics improves conversion rates, page load speed, and user experience while reducing legal exposure from misconfigured consent management platforms.
  • Piwik PRO offers a hybrid approach with a built-in GDPR consent manager for organisations that need full GA-style tracking with consent-gated cookie use, all within EU data residency.

Two Laws, One Problem: GDPR and the ePrivacy Directive

Most website operators think "GDPR" is the reason they need a cookie banner. In reality, the requirement comes from a different law: the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC). Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device. This is the legal basis for cookie consent banners.

The GDPR, meanwhile, governs the processing of personal data. If your analytics tool collects personal data (IP addresses, device identifiers, user IDs), you need a lawful basis under GDPR Article 6. For most analytics use cases, the relevant bases are either consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)).

These two laws overlap but are distinct. A tool that uses no cookies escapes ePrivacy Article 5(3) entirely, but may still fall under the GDPR if it processes personal data. The sweet spot for compliance is a tool that does both: no cookies (bypasses ePrivacy consent requirement) and no personal data processing (bypasses GDPR consent requirement). This is exactly what modern EU analytics tools are designed to achieve.

The European Data Protection Board (EDPB) guidelines on the technical scope of Article 5(3), adopted in November 2023, clarified that the ePrivacy Directive applies to any "information stored in, or accessed from, the terminal equipment of a subscriber or user," not just traditional cookies. This means fingerprinting, local storage, and other tracking mechanisms also require consent. Cookie-free analytics tools that only process server-side data without accessing device storage avoid this trigger entirely.

How Cookie-Free Analytics Actually Works

The phrase "cookie-free analytics" covers several distinct technical approaches. Understanding the differences matters because each has different privacy properties and trade-offs.

Figure: Comparison of cookie-free tracking methods: hash-based day sessions, server-side collection, signal-based anonymisation, and consent-gated full tracking.

Hash-based day sessions (used by Plausible Analytics and Simple Analytics). When a visitor loads a page, the analytics server creates a hash from the visitor's IP address, User-Agent string, and a daily rotating salt. This hash acts as an anonymous session identifier that expires at midnight. The raw IP address is never stored; the hash is not reversible; and because the salt changes daily, the same visitor generates a different hash the next day. There is no cross-day tracking and no persistent identifier. The Plausible data policy details this approach. Crucially, because no information is stored on or read from the visitor's device, ePrivacy Article 5(3) does not apply.

Server-side collection (used by Pirsch Analytics). Instead of embedding a JavaScript tag in the browser, Pirsch can collect analytics data entirely server-side using a Go library or API endpoint. The web server logs the page view and sends anonymised metadata to Pirsch's analytics backend. No JavaScript runs in the visitor's browser, no cookies are set, no device storage is accessed. This is the most privacy-preserving approach because there is literally no client-side footprint. The trade-off is that you need server access to implement it, which is not possible on purely static sites without a backend.

Signal-based anonymisation (used by TelemetryDeck). Designed primarily for mobile apps, TelemetryDeck collects anonymous "signals" via native SDKs (iOS, Android, Flutter, JavaScript). All data is anonymised before transmission using differential privacy techniques. No raw IP addresses, device IDs, or advertising identifiers are ever stored. The anonymisation happens on the client side before the signal reaches TelemetryDeck's EU-hosted servers.

Consent-gated full tracking (used by Piwik PRO). Piwik PRO takes a different approach: it offers full Google Analytics-style tracking (cookies, user-level data, funnels, e-commerce tracking) but bundles a built-in GDPR-compliant Consent Manager. Users who consent get full tracking; users who decline get aggregated, cookie-free analytics. All data is processed on EU servers. This hybrid model is popular with enterprises and government organisations (including the European Commission) that need detailed analytics but must remain fully compliant.

The Business Case: Why Cookie Banners Hurt More Than They Help

Cookie consent banners are not just a legal inconvenience. They actively damage your website's performance and conversion rates. Research consistently shows the impact:

  • Consent rates are low. Studies from consent management platforms show that average opt-in rates for analytics cookies range between 40% and 70% depending on implementation. This means that with Google Analytics behind a consent banner, you are missing data on 30% to 60% of your visitors. Your analytics are incomplete by design.
  • Banners increase bounce rates. A 2020 study co-authored by Google researchers found that consent notices led to measurable reductions in page views and increased abandonment, particularly on mobile devices. Users who see a banner before content are more likely to leave immediately.
  • CMP overhead slows page load. Consent management platforms (CMPs) like Cookiebot, OneTrust, and TrustArc add significant JavaScript overhead. A typical CMP adds 50 KB to 150 KB of JavaScript, plus additional network requests to check consent status. For a Plausible-style analytics script at under 1 KB with no consent check needed, the performance difference is dramatic. This directly affects Core Web Vitals and search rankings.
  • Misconfigured banners are a liability. The CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically for dark patterns in cookie consent interfaces. If your consent banner makes it easier to accept than reject cookies, you may be violating the GDPR yourself. Removing the banner entirely, by using cookie-free analytics, eliminates this risk.

The counter-intuitive result is that cookie-free analytics gives you better data than cookie-based analytics behind a consent banner. With Plausible or Simple Analytics, you see 100% of your traffic. With Google Analytics behind a properly implemented consent banner, you might see 50%. For most websites, the choice is between complete privacy-respecting data and incomplete surveillance-dependent data.

Migration: Replacing Google Analytics With a Cookie-Free Alternative

Migrating from Google Analytics to an EU cookie-free alternative is significantly simpler than most infrastructure migrations. Here is what the process looks like:

Step 1: Choose your tool. For most websites, Plausible Analytics (simple, lightweight, open source) or Piwik PRO (full feature parity with GA, free tier) are the strongest choices. For mobile apps, TelemetryDeck. For server-side only, Pirsch. See our detailed comparison for a feature-by-feature breakdown.

Step 2: Install the new script. Most EU analytics tools require adding a single <script> tag to your site header. With Plausible, the entire installation is one line:

<script defer data-domain="yourdomain.com" src="https://plausible.io/js/script.js"></script>

Piwik PRO uses a similar container tag. Pirsch offers either a script tag or a server-side integration via its Go library or HTTP API.

Step 3: Import historical data (optional). Plausible supports direct Google Analytics data import via the Google Analytics Reporting API. Piwik PRO also supports GA imports. This preserves your historical baselines for year-over-year comparisons.

Step 4: Run both in parallel. Keep Google Analytics running alongside your new tool for two to four weeks. Compare the numbers. You will likely find that the EU tool shows higher visitor counts (because it is not blocked by consent banners or ad blockers) and similar behaviour patterns.

Step 5: Remove Google Analytics and the consent banner. Once you are satisfied with the data, remove the Google Analytics tag and, if analytics was the only reason for your cookie banner, remove the consent management platform entirely. Your page load speed will improve, your bounce rate will drop, and your legal exposure will decrease.

The entire migration typically takes less than a day of developer time. There is no database migration, no API rewrite, and no architectural change. You are swapping one script tag for another.

Frequently Asked Questions

Do I need a cookie consent banner for Plausible Analytics?

No. Plausible Analytics does not use cookies, does not access device storage, and does not collect personal data. It falls outside both the ePrivacy Directive Article 5(3) consent requirement and the GDPR consent requirement. No banner is needed.

What is the difference between the GDPR and the ePrivacy Directive?

The GDPR governs the processing of personal data. The ePrivacy Directive (specifically Article 5(3)) governs storing or accessing information on a user's device, including cookies. They overlap but are separate laws. A tool can violate one without violating the other. Cookie-free EU analytics tools are designed to comply with both.

Is cookie-free analytics less accurate than Google Analytics?

Cookie-free analytics typically shows higher visitor counts because it is not blocked by consent banners or ad blockers. You lose some individual-user-level tracking (e.g., returning visitor identification across days), but for the vast majority of websites, aggregate metrics like page views, referrers, and conversions are more useful and more accurate without cookies.

Can I use Google Analytics without cookies?

Google Consent Mode v2 offers a cookieless ping mode, but it still transmits personal data (IP addresses) to Google servers in the US. Multiple DPAs have found this insufficient. Truly cookie-free analytics requires a tool that neither uses cookies nor transfers personal data outside the EU.

How long does it take to switch from Google Analytics to a cookie-free tool?

For most websites, the migration takes less than a day. It involves adding a single script tag, optionally importing historical GA data, running both tools in parallel for verification, and then removing the old GA tag and consent banner.
