Modern web analytics does not require tracking cookies to produce useful insights. This guide explains how privacy-native analytics works in practice, why it matters for GDPR-regulated businesses, and what trade-offs to expect when you switch.
Quick answer
Cookieless analytics identifies sessions server-side — using a short-lived cryptographic hash of the IP address, user agent, and a daily-rotating salt — without setting any persistent identifier on the visitor's browser. You keep pageviews, referrers, UTM attribution, and device breakdowns. What you lose is precise multi-day individual user tracking — and that is the deliberate trade-off. For most European SMBs doing aggregate traffic and campaign analysis, the loss is small and the compliance simplification is significant.
Key takeaways
- A cookieless analytics tracker does not set browser cookies, so it does not trigger the ePrivacy consent requirement for analytics cookies in most EU jurisdictions.
- Server-side session identification (HMAC hash, daily salt) is pseudonymous, not anonymous — the hash is a session identifier, just one that changes daily and cannot be reversed to an IP.
- You can measure pageviews, referrers, UTM campaigns, geographic distribution, device types, custom events, and real-time visitors accurately without cookies.
- You cannot measure multi-day individual user journeys, long-term retention cohorts, or cross-session conversion funnels without persistent identifiers.
- Cookieless analytics reduces analytics-specific GDPR friction. It does not make your whole site compliant — your other vendors, embeds, and pixels each carry their own obligations.
Definitions
Cookieless analytics: web analytics that does not set cookies or persistent browser-side identifiers to track visitors. Session identification is done entirely server-side, typically via a cryptographic hash that changes daily.
GDPR-native by design: a product positioning claim (not a compliance certification) meaning the tool was designed around EU data protection principles from the ground up, rather than retrofitting mitigations onto a consent-based architecture.
Billable event: in Atriqo's context, any event persisted to the analytics database — a pageview, outbound click, file download, 404 page hit, or custom event. This is the quota unit, not "pageviews" alone.
Why cookies became an analytics problem
Traditional analytics platforms like Google Analytics 4 rely on persistent identifiers stored in browser cookies to track individual users across sessions and pages. The _ga and _ga_* cookies that GA4 sets by default (Google developer docs on cookie usage) are non-essential cookies used for analytics tracking.
Under the ePrivacy Directive (Article 5(3), Directive 2002/58/EC) and GDPR, placing non-essential cookies without prior, freely-given consent is not permitted for EU visitors in most jurisdictions. This is the legal basis for the cookie consent banners that appear on virtually every EU-facing website running GA4.
Consent banners partially address this — but they introduce real friction. Visitors who decline cookies are partially or fully invisible to cookie-based tools, distorting the data you actually see. And the operational overhead of implementing, maintaining, and documenting a compliant consent management platform (CMP) is non-trivial.
Cookieless analytics removes the analytics tracking cookie from the picture entirely, which removes the classic consent trigger for that specific data collection (whether any residual Article 5(3) question remains for a given configuration is jurisdiction-dependent — see our cookie banner guide). Your site may still need a banner if you use other tools, pixels, ad networks, or social embeds — the consent obligation is driven by your entire vendor stack, not just the analytics tool.
How cookieless analytics works
A cookieless analytics tracker identifies sessions using a server-side cryptographic mechanism rather than a browser-stored identifier.
The session identification mechanism:
When a visitor loads a page, the analytics server receives the HTTP request with the IP address and user-agent string. Instead of issuing a cookie, the server computes:
visitor_hash = HMAC(secret_key, IP + user_agent + daily_salt)
- The daily salt rotates every 24 hours. The same visitor on Tuesday produces a completely different hash than on Monday.
- The raw IP address is discarded immediately after the hash is computed — it is never written to disk.
- The hash is pseudonymous, not anonymous: it uniquely identifies a visitor within the day, but it cannot be reversed to recover the IP, and it cannot link the same visitor across days.
This architecture means:
- No cross-site tracking — each site's data is siloed: dashboards and queries are scoped to a single site, and visitor data is never combined or reported across different websites.
- No fingerprinting — the tool does not combine multiple browser attributes to create a persistent identifier.
- No cookies set — the tracker script does not write any identifier to the browser's storage.
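The hashing scheme described above, as an added example that is not Atriqo's code. It assumes HMAC-SHA256 (the page only says "HMAC"), a random salt held in memory and discarded on rotation, and length-prefixed fields in place of plain concatenation; all names and sample data are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date

SECRET_KEY = secrets.token_bytes(32)  # assumption: long-lived server-side key
_salts = {}                           # assumption: salt lives in memory only


def daily_salt(day: date) -> bytes:
    """Return the random salt for `day`; rotating to a new day discards the old one."""
    if day not in _salts:
        _salts.clear()                # old salt gone: yesterday's hashes cannot be recomputed
        _salts[day] = secrets.token_bytes(16)
    return _salts[day]


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so that plain concatenation cannot collide,
    e.g. ("1.2.3.4", "5x") versus ("1.2.3.45", "x")."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def visitor_hash(ip: str, user_agent: str, day: date) -> str:
    """HMAC-SHA256 (assumed; the page only says HMAC) over IP, UA and the day's salt."""
    msg = encode_fields(ip.encode(), user_agent.encode(), daily_salt(day))
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def unique_visitors(requests):
    """requests: iterable of (day, ip, user_agent) -> {day: distinct hash count}.
    Only the hash is kept; the raw IP is never stored in the result."""
    seen = {}
    for day, ip, ua in sorted(requests):  # day order, as a live server sees traffic
        seen.setdefault(day, set()).add(visitor_hash(ip, ua, day))
    return {day: len(hashes) for day, hashes in seen.items()}


# Constructed sample traffic (documentation-range IPs, made-up user agents).
MON, TUE = date(2024, 1, 1), date(2024, 1, 2)
SAMPLE = [
    (MON, "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    (MON, "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),  # second pageview
    (MON, "198.51.100.23", "Mozilla/5.0 (Macintosh)"),
    (TUE, "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),  # returning visitor
]

if __name__ == "__main__":
    print(unique_visitors(SAMPLE))
```

Summing the two daily counts gives 3 for 2 physical visitors, because the returning visitor hashes differently on each day.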
Atriqo is a privacy-first, cookieless web analytics tool, hosted in the EU (Germany), built as a GDPR-native-by-design alternative to Google Analytics.
What you can measure without cookies
Cookieless analytics is more capable than most people expect before they try it. The daily-hash mechanism gives you reliable same-day session counting; aggregate weekly and monthly data is a reasonable estimate.
| Metric | Available | Notes |
|---|---|---|
| Pageviews | Yes | Per path, with full URL (query strings configurable) |
| Unique visitors | Yes | Precise within the day; estimates for longer periods |
| Sessions | Yes | 30-minute inactivity window |
| Bounce rate | Yes | Sessions with exactly one pageview (custom events, outbound clicks, or downloads in the same session do not prevent a bounce) |
| Average session duration | Yes | Last event minus first event in session |
| Top pages | Yes | Ranked by pageviews and unique visitors |
| Referrers | Yes | Host and path; no cross-site visitor identity |
| UTM campaign attribution | Yes | Source, medium, campaign, term, content from URL parameters |
| Geographic distribution (country) | Yes | GeoIP lookup; IP is not stored |
| Device type (desktop / mobile / tablet) | Yes | Parsed from User-Agent |
| Browser and operating system | Yes | Parsed from User-Agent |
| Custom events with properties | Yes | Goal tracking, button clicks, video plays |
| Outbound link tracking | Yes | Clicks leaving your domain |
| File download tracking | Yes | PDF, ZIP, and other configured file types |
| 404 page tracking | Yes | Pages returning a not-found status |
| Real-time active visitors | Yes | Count of distinct visitor hashes in the last 5 minutes |
What you cannot measure without cookies
Cross-day individual user journeys and long-term retention are not measurable with cookieless tracking alone. The daily hash rotation is what makes the privacy architecture work — but it also means the same physical user on Wednesday has a different hash than they did on Tuesday.
Specifically, cookieless analytics is not the right fit for:
- Multi-day individual user journeys (e.g. "this specific user visited the pricing page on Monday and signed up on Friday")
- Long-term cohort retention analysis (e.g. "of the users who first visited in January, what percentage returned in March?")
- Cross-session revenue attribution that requires linking a purchase to a visit that happened days earlier
- Session replay, heatmaps, or any feature requiring individual user-level recordings
If your primary business case requires precise individual tracking over time, cookieless analytics is not a complete replacement for consent-based tracking. That requires persistent identifiers — which means cookies — and a compliant consent flow to go with them.
For most European SMBs whose core analytics need is aggregate traffic analysis, campaign performance measurement, and understanding which pages and sources drive conversions within a session, cookieless analytics is accurate enough.
Facts vs interpretation
Documented facts: The ePrivacy Directive requires consent for non-essential cookies in most EU jurisdictions. Cookieless analytics tools do not set analytics tracking cookies. An HMAC-with-daily-salt mechanism produces pseudonymous, not anonymous, session identifiers — the hash cannot be reversed to an IP, but it is still a session identifier.
Our interpretation: That these facts make cookieless analytics a better-fit default for EU businesses is Atriqo's commercial position. Your specific compliance picture depends on your full vendor stack, your data protection officer's guidance, and your DPA's published positions. This article does not constitute legal advice.
The GDPR overhead in practice
The practical cost of cookie-based analytics for an EU site is often underestimated:
1. Consent Management Platform (CMP): you need a compliant CMP. Reputable platforms typically cost €50–500/month depending on traffic.
2. Banner implementation and maintenance: the consent flow needs to be compliant with your DPA's guidance — pre-ticked boxes are not valid consent, "Reject all" must be as easy to find as "Accept all", etc.
3. Data gap: visitors who reject cookies are invisible. Typical rejection rates on European sites range from 20% to 60% depending on the audience and banner design.
4. Ongoing legal review: as DPA guidance evolves (and it does), consent implementations require updates.
A cookieless analytics tool removes items 1–4 for the analytics layer specifically. The CMP and banner may still be necessary if you have other vendors requiring consent.
Switching from GA4: what to expect
If you are moving from Google Analytics 4 to a cookieless tool:
Data will look different. Cookieless tools typically show higher unique visitor counts for sites with returning visitors, because the daily hash treats the same physical user as a new visitor each day. Pageview and session counts are generally consistent.
The dashboard will be simpler. Cookieless analytics dashboards are intentionally focused on aggregate metrics. You will not have user-level exploration, audience segments, or attribution modelling in the GA4 sense.
Setup is faster. Add the script tag, check your first event appears in the real-time panel, done. No consent mode configuration, no cookie policy table updates, no CMP integration.
You keep the metrics that matter for most decisions. Traffic trends, top pages, referrer sources, UTM campaign performance, device breakdown, country distribution — all available, all accurate for aggregate analysis.
Getting started with Atriqo
Atriqo is a privacy-first, cookieless web analytics tool hosted in the EU (Germany — Hetzner, Falkenstein). The free tier — 10,000 billable events per month (a billable event is any tracked event: pageview, outbound click, file download, 404, or custom event), no credit card required, no expiry — will be available at launch.
If you want early access, join the waitlist.
This article explains how cookieless analytics works and describes the technical architecture of Atriqo. It does not constitute legal advice. For specific compliance guidance on your site's vendor stack, consult a qualified legal professional familiar with EU data protection law.