Why Cookieless is Not Consentless: The Legal & Technical Reality of EU Web Analytics
Published: June 16, 2026
Quick Answer: No, adopting "cookieless" web analytics platforms (such as Plausible, Fathom, or Simple Analytics) does not automatically eliminate the requirement for a GDPR/ePrivacy consent banner in the European Union. While removing HTTP cookies strips away local write operations, client-side JavaScript trackers still actively execute code to extract device parameters (User-Agent, screen width, language, network routing telemetry). Under the European Data Protection Board's (EDPB) latest Guidelines 2/2023 on the Technical Scope of Article 5(3), this interaction constitutes "gaining access to information stored in terminal equipment," which explicitly mandates prior, opt-in consent regardless of whether a physical cookie is written to the browser cache.
1. Introduction: The Rise of the "No Cookie Banner!" Marketing Myth
As third-party cookies phase out globally and standard user opt-in metrics continue to decline, web analytics frameworks have shifted toward cookie-free architectures. This engineering migration has accelerated the market adoption of "privacy-first" analytics platforms.
These alternative systems are frequently marketed under a clean, compelling premise: "No cookies, no personal data collection, zero consent banner requirements."
To an operations director or a data analyst handling up to a 50% data loss from cookie opt-outs, this looks like the perfect operational loophole. To a Data Protection Officer (DPO), however, this direct translation of software features into legal compliance represents a significant operational risk.
The term "Cookie Law" is a colloquial misnomer. European digital privacy legislation does not focus strictly on the text file known as a cookie; it governs the technical mechanism of client-side tracking across local storage nodes, pixels, tracking scripts, and server-side interfaces.
The regulatory reality is uncompromising: cookieless tracking is not automatically consent-exempt under the ePrivacy Directive or the GDPR.
2. The Legal Foundations: ePrivacy vs. GDPR in Web Analytics
To understand how cookieless tracking systems trigger explicit consent requirements, developers must separate the technical criteria of the two core European digital frameworks:
```
                    +----------------------------+
                    |     EU DIGITAL PRIVACY     |
                    +--------------+-------------+
                                   |
                 +-----------------+-----------------+
                 v                                   v
+-----------------------------+       +-----------------------------+
| ePrivacy Directive          |       | GDPR                        |
| (Article 5(3))              |       | (Regulation 2016)           |
+-----------------------------+       +-----------------------------+
| Governs access to/storage   |       | Governs processing of       |
| of data on user's device.   |       | Personal Data (including    |
| Applies to ALL data,        |       | pseudonymized IDs, IPs).    |
| anonymous or personal.      |       |                             |
|                             |       | Lawful basis required       |
| Triggered by:               |       | (Consent vs. Legitimate     |
| reading User-Agent,         |       | Interest).                  |
| screen size, JS APIs.       |       |                             |
+--------------+--------------+       +--------------+--------------+
               |                                     |
               +-----------------+-------------------+
                                 v
                  [CONSENT REQUIREMENTS TRIGGERED]
```
The ePrivacy Directive: Article 5(3) (Terminal Protection)
Article 5(3) of Directive 2002/58/EC (as amended by Directive 2009/136/EC) establishes clear bounds on device integrity:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent..."
The critical operational phrasing is "gaining of access to information already stored."
- The word "cookie" does not explicitly appear anywhere within the core statutory directive.
- A user's browser version, operating system configurations, display dimensions, language variables, and outbound network attributes (such as the raw IP address) are technical parameters already stored on their local terminal equipment.
- When an analytics script executes client-side JavaScript to pull these parameters and pipe them out to an analytical collection endpoint, it performs a structural "access read" operation under the law.
Under ePrivacy, the programmatic reading of this device configuration data strictly requires prior opt-in consent, unless the collection operation is "strictly necessary" to deliver an explicit service requested by the user. Supervisory authorities have consistently clarified that aggregate performance analytics do not fulfill the "strictly necessary" optimization threshold.
The GDPR: Personal Data & Pseudonymization
Under GDPR Article 4(1), personal data encompasses any data stream capable of directly or indirectly isolating a natural person.
Many cookieless tracking utilities argue they bypass GDPR restrictions because they convert the inbound client IP address and User-Agent parameters immediately into an ephemeral, daily-rotating hash identifier. Structurally, the processing function works like this:
User Hash = SHA-256(IP Address + User-Agent + Daily Salt)
While this dynamic salt alternation successfully prevents long-term user tracking across weeks or months, it fails to circumvent the core scope of the GDPR for two technical reasons:
- Upstream Processing: The raw client IP address must hit the collection endpoint and be processed in memory by the tracking engine server to calculate the hash string. Under GDPR Article 4(2), this transient ingestion represents a data processing operation.
- Pseudonymized vs. Anonymized: The resulting hash string is structurally pseudonymized data, not anonymized data. As confirmed by the CJEU in Breyer v. Bundesrepublik Deutschland (Case C-582/14), dynamic IP parameters qualify as personal data. Because the generated hash is engineered to uniquely isolate a single browser session to evaluate distinct multi-page traversal paths over a 24-hour window, it operates as a distinct persistent identifier.
3. The Paper Trail: Official Regulatory Guidelines
To construct a robust legal defense for an analytical data stack, engineering and legal teams must rely on direct supervisory pronouncements rather than software vendor documentation.
1. European Data Protection Board (EDPB)
- Guidelines 2/2023 on the Technical Scope of Article 5(3) of the ePrivacy Directive: The EDPB explicitly targeted tracking configurations that skip cookie writes but analyze browser footprints. The Board confirmed that ePrivacy protections are activated the moment a platform instructs a client browser to execute local code (such as a JavaScript file) to return device properties like display width, browser types, or system font indices.
- The Web Beacon/Pixel Analysis: Section 4.2 confirms that script-based metadata harvesting falls squarely under the scope of Article 5(3) because the technology relies fundamentally on retrieving local parameters. If your cookieless tracker evaluates user layout metrics to differentiate unique visitors from repeat sessions, prior consent must be captured.
2. Germany: Datenschutzkonferenz (DSK) & TDDDG
- TDDDG Section 25: This section transposes Article 5(3) of the ePrivacy Directive directly into German federal law, asserting absolute terminal device protection rules.
- DSK Guidance for Telemedia Providers: The DSK (representing the assembly of German state authorities) enforces a strict position on tracking telemetry. Their guidance notes that any programmatic process that consumes client-side telemetry to construct cross-page user flows or user path modeling requires active user opt-in. German regulatory groups do not recognize aggregate performance metrics as "strictly necessary" for basic site performance under Section 25(2) No. 2 TDDDG.
3. France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- The Audience Measurement Exemption Framework: The CNIL provides a highly specific, narrow framework under which certain audience measurement configurations can bypass the consent banner requirement. However, this exception is not granted simply because a script is "cookieless." To achieve a valid CNIL consent exemption, the tracking configuration must satisfy exceptional technical hurdles:
- The processing must remain strictly isolated to the generation of anonymous, aggregated statistical dashboards reserved exclusively for the core site publisher.
- The analytics data stream must never be passed to third-party endpoints, matched with distinct external user sets, or utilized for auxiliary marketing optimizations.
- The site must deliver an immediate, accessible upfront opt-out mechanism directly inside the layout architecture or privacy index page.
- Client IP processing must apply structural truncation (masking trailing octets) before executing any coarse regional geolocation lookup queries.
4. Ireland: Data Protection Commission (DPC)
- Guidance on Tracking Technologies: The Irish DPC asserts that ePrivacy protections apply comprehensively to all functional equivalents of cookie files. They explicitly list browser fingerprinting (assembling client telemetry to generate matching hashes) as an architecture that is legally identical to setting local cookie trackers. The DPC states that analytics tools require prior consent since they are built for the platform operator's operational clarity rather than a core service delivery requested by the user.
4. Technical Audit: How "Cookieless" Tools Single Out Users
To evaluate why European data protection authorities track cookieless collection setups as a potential compliance risk, let's look at how a privacy-focused JavaScript tracking payload functions under the hood compared to standard GA4 tracking and native server logging:
| Technical Attribute | Traditional Analytics (GA4) | Cookieless Analytics (e.g., Plausible) | Server-Side Log Analysis (Compliance Baseline) |
|---|---|---|---|
| Storage Mechanism | Writes persistent cookie tokens (_ga, _gid) directly to local browser storage. | No browser storage operations performed (No cookies, no local storage keys). | No local browser or terminal storage operations performed. |
| Client-Side Script | Deploys a comprehensive tracking library (gtag.js) to parse deep device telemetry layers. | Deploys a lightweight script (plausible.js) to capture explicit device and path metrics. | None. Zero external tracking scripts are initialized or run within the browser client. |
| Unique Identification | Generates a persistent unique client identifier stored inside the local cookie file. | Assembles an ephemeral, 24-hour rotating cryptographic hash signature. | No unique user identifiers or session tokens are synthesized. |
| ePrivacy Trigger | Yes (Executes both write and read tracking operations on the user's terminal device). | Yes (Performs technical parameter reads via active client-side JavaScript execution). | No (Only interprets baseline networking packets naturally passed during standard HTTP routing). |
| GDPR Trigger | Yes (Processes persistent behavioral signatures and direct networking personal data elements). | Yes (Processes raw connection IP entries to construct transient pseudonymized hashes). | Yes (Processes standard raw infrastructure server log arrays under a Legitimate Interest basis). |
The Mechanics of the "Daily Hash" Pipeline
```
[Browser visits page] --> [Executes tracker.js] --> [Reads User-Agent + Viewport]
                                                                  |
[Server generates hash] <-- [Ingests incoming client IP] <--------+
```
- A standard web client requests access to a page routing address.
- The tracking script initializes inside the viewport environment, programmatically reading the local browser configuration parameters, system settings, and document referrer variables.
- The browser establishes an HTTP POST network request, forwarding these parsed technical parameters to the target collection server.
- The destination tracking engine parses the network packet, extracting the raw TCP/IP header string containing the user's explicit connection IP.
- The server joins these variables together to construct the hash architecture:
Raw IP (192.0.2.1) + User-Agent (Mozilla/5.0...) + Salt (xyz123) --> Hash: 8f9b2d...
The tracking architecture immediately deletes the raw source IP, saving the generated pseudonymized hash token to group subsequent actions into a distinct single-session path.
The regulatory vulnerability here centers on the initial setup: even if the raw IP address is dropped in milliseconds, the platform has still programmatically processed personal data (the connection IP entry) to synthesize the hash code. More critically, the system ran local code inside the user's browser environment to extract the underlying metadata layout variables, which directly triggers ePrivacy Article 5(3) under the EDPB's latest guidelines.
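The daily-hash pipeline described in section 2 and in the steps above, as an added Python example that is not any analytics vendor's code. The IP, User-Agent and salt values are constructed, and the salt-rotation helper is hypothetical; the block shows why the token singles out one visitor within a day, why it unlinks after rotation, and why anyone holding the salt can link it back to a candidate IP (pseudonymous, not anonymous).

```python
import hashlib
import secrets

# Added example modelling the page's formula:
#   User Hash = SHA-256(IP Address + User-Agent + Daily Salt)
# Not the code of Plausible, Fathom, Simple Analytics or any other vendor.

def daily_hash(ip: str, user_agent: str, salt: str) -> str:
    """Return the hex SHA-256 of ip|ua|salt, the ephemeral visitor token."""
    # The raw IP is handled here, in memory, before being discarded; that
    # transient step is already "processing" under GDPR Article 4(2).
    material = f"{ip}|{user_agent}|{salt}".encode()
    return hashlib.sha256(material).hexdigest()

def new_daily_salt() -> str:
    """Hypothetical rotation: a fresh random salt for each calendar day."""
    return secrets.token_hex(16)

def matches_visitor(stored_hash: str, candidate_ip: str,
                    user_agent: str, salt: str) -> bool:
    """Whoever holds the salt can recompute the token from a candidate IP.
    This 'additional information' is what keeps the token pseudonymous."""
    return daily_hash(candidate_ip, user_agent, salt) == stored_hash

# Constructed sample input: documentation IP range, made-up UA and salts.
IP = "192.0.2.1"
UA = "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
SALT_DAY1 = "xyz123"   # placeholder salt, as in the page's illustration
SALT_DAY2 = "abc789"   # placeholder salt for the following day

def demo() -> dict:
    """Evaluate the properties that matter legally and return them."""
    h1 = daily_hash(IP, UA, SALT_DAY1)          # page view 1
    h2 = daily_hash(IP, UA, SALT_DAY1)          # page view 2, same day
    h3 = daily_hash(IP, UA, SALT_DAY2)          # after salt rotation
    other = daily_hash("192.0.2.2", UA, SALT_DAY1)  # a different visitor
    return {
        "same_day_links_pageviews": h1 == h2,   # session path can be built
        "next_day_unlinks": h1 != h3,           # no cross-day tracking
        "reidentifiable_with_salt": matches_visitor(h1, IP, UA, SALT_DAY1),
        "other_visitor_distinct": other != h1,  # token singles out one IP+UA
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```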
5. Compliance Frameworks: How to Legally Deploy Web Analytics
Depending on your organization's technical stack requirements and specific legal appetite, there are three primary engineering paths to maintain full alignment with European privacy mandates:
Option A: The Consent-First Pathway (Zero Regulatory Risk)
If your application tracking plan requires advanced long-term user path tracking, conversion modeling, or multi-channel marketing attribution (such as Google Analytics 4 or HubSpot tracking), you must tie execution directly to a Consent Management Platform (CMP).
- The Logic: Hard-block the execution of the tracking scripts (regardless of whether they write cookies or use cookieless signatures) inside Google Tag Manager until your CMP registers an explicit `granted` state for analytics properties.
- Result: Fully compliant across all EU jurisdictions, but subjects your collection plan to standard 30% to 50% data gaps based on user banner opt-out rates.
Option B: The DPA-Compliant Exemption Pathway (Country-Specific)
If your primary users route through jurisdictions that actively maintain an audience measurement exemption framework (like France, Italy, or Spain), you can run localized cookieless configurations without a pre-consent banner by locking down your collection configuration:
- Configure your tracking engine (e.g., self-hosted Matomo or custom Plausible instances) to strictly skip all local browser storage writes.
- Truncate inbound IP data strings immediately at the packet entry layer (e.g., zeroing out the final two bytes of an IPv4 string: `192.168.xx.xx`) before executing any database parsing or regional lookup calls.
- Maintain an accessible, explicit Opt-Out link directly inside your application footer or localized data protection statement. If a user triggers the opt-out selection, the client script must be structurally blocked from running.
- Enforce a strict first-party boundary: tracking data must never be shared with downstream third-party ad networks or cross-matched with separate customer datasets.
Option C: The Zero-JS Server-Side Log Pathway (Truly Consent-Free)
If your platform requires a completely consent-free analytics solution that can be safely run across every EU country without loading a cookie banner, you must decouple tracking from the client browser entirely. This is achieved by running Server-Side Log Analysis (such as GoAccess or Cloudflare Web Analytics configured without client-side script tags).
- The Architecture: Instead of injecting script files into the visitor's browser engine, your edge infrastructure (Nginx, Apache, or CDN edge layers) directly records standard incoming HTTP request headers.
- ePrivacy Alignment: Because this process avoids running scripts inside the visitor's terminal browser and doesn't read configuration values that aren't naturally transmitted during normal network packet routing, it does not trigger ePrivacy Article 5(3).
- GDPR Strategy: You can justify processing standard infrastructure web server logs for security, optimization, and basic aggregate traffic metrics under GDPR Article 6(1)(f) (Legitimate Interest), provided your retention window is short and logs are deleted or anonymized quickly.
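An added Python example (not GoAccess, Cloudflare Web Analytics, or any project's own code) combining Option B's IP truncation with Option C's server-side log analysis: it parses constructed Nginx combined-format lines, zeroes the last two IPv4 octets at ingest, and keeps only aggregate counts, so no per-visitor identifier is ever stored. The log lines, paths and IP ranges are constructed; in production the truncation would sit in the server's log format rather than in a parser, which is an assumption made here for a self-contained run.

```python
import re
from collections import Counter

# Nginx "combined" log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def truncate_ipv4(ip: str) -> str:
    """Zero the final two octets (192.168.45.67 -> 192.168.0.0), as Option B
    requires before any regional lookup. Hypothetical policy: anything that is
    not dotted-quad IPv4 is reduced to 0.0.0.0 rather than kept."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "0.0.0.0"
    return f"{parts[0]}.{parts[1]}.0.0"

def parse_line(line: str):
    """Return (network_prefix, path, status) or None for unparseable lines.
    The raw IP exists only inside this function and never leaves it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?")[0]          # drop query strings (may carry IDs)
    return truncate_ipv4(m["ip"]), path, int(m["status"])

def aggregate(lines):
    """Aggregate hits per path, per status and per truncated /16 network.
    No session token, hash or full IP is retained, only counts."""
    hits, statuses, networks = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prefix, path, status = rec
        hits[path] += 1
        statuses[status] += 1
        networks[prefix] += 1
    return hits, statuses, networks

# Constructed sample log (documentation IP ranges, fictional paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [16/Jun/2026:10:00:05 +0000] "GET /pricing?ref=x HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2026:10:00:09 +0000] "GET /missing HTTP/1.1" 404 312 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Jun/2026:10:00:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, statuses, networks = aggregate(SAMPLE_LOG)
    print("hits per path:", dict(hits))
    print("status codes:", dict(statuses))
    print("requests per /16 network:", dict(networks))
```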
6. FAQ Section
Q1: If cookieless tools don't write cookies, why do they still fall under the ePrivacy Directive?
The ePrivacy Directive (Article 5(3)) is not a cookie-exclusive text; it protects the entire terminal device of a user from uninvited tracking interactions. The law explicitly requires prior consent for storing information on a device or for gaining access to information already stored. Because client-side JavaScript analytics scripts must read existing device configurations (User-Agent strings, viewport scaling, browser lang properties) to transmit them to a collection server, they perform an active "access" operation. The EDPB Guidelines confirmed that client-side script extraction triggers these consent bounds, regardless of whether a cookie file is written to the device storage.
Q2: Is an IP address still personal data if it is hashed immediately?
Yes. Under GDPR Article 4(1) and the established Breyer ruling, a network IP address remains personal data because it allows an individual to be indirectly identified. Converting an IP address and User-Agent parameters into a cryptographic hash represents a form of pseudonymization, not anonymization. Because the resulting hash string is explicitly engineered to single out a distinct browser session to follow its traversal across multiple page addresses over a 24-hour window, the underlying processing mechanism interacts with personal data and requires a valid legal basis.
Q3: Can I justify cookieless analytics under "Legitimate Interest" (Article 6(1)(f) GDPR)?
No, not if your data collection script triggers the ePrivacy Directive first. In European digital law, the ePrivacy Directive functions as a lex specialis (specialized framework) that overrides the general rules of the GDPR (lex generalis). Because ePrivacy Article 5(3) strictly mandates consent for accessing local terminal equipment information, you cannot use GDPR "Legitimate Interest" to bypass an unfulfilled ePrivacy consent requirement. If the initial extraction of device data is invalid due to a missing user opt-in, any subsequent data processing is legally compromised.
Q4: Does Plausible Analytics require a cookie banner in Germany?
Based on Germany's strict transposition of ePrivacy under Section 25 of the TDDDG and the formal DSK Orientierungshilfe Telemedien rulings, yes. German supervisory bodies do not exempt analytics configurations from consent unless the script is structurally indispensable to run a service explicitly demanded by the user. Because analytics tools are deployed for the site operator's statistical visibility rather than the direct benefit of the visiting user, running any client-side web tracking script on German traffic requires prior, explicit consent.
Q5: How can I track aggregate traffic metrics without a consent banner?
The only risk-free, legally sound architecture to capture web traffic metrics without loading a consent banner in the EU is to use Server-Side Log Analysis. By interpreting standard HTTP network routing requests directly at your web server layer (monitoring page hit requests, server status codes, and server traffic logs) without injecting tracking scripts or web beacons into the visitor's browser client, you operate outside the scope of ePrivacy Article 5(3). This server configuration can then be safely justified under GDPR Legitimate Interest for security maintenance and technical application optimization.
7. Actionable Decision Matrix for Technical Teams
Use this matrix to guide your tracking layout depending on your organization's risk profile:
```
              +---------------------------------------+
              | What is your primary compliance goal? |
              +-------------------+-------------------+
                                  |
          +-----------------------+-----------------------+
          v                       v                       v
[Zero Risk Tolerance]    [Balanced Compliance]     [Performance & Deep Metrics]
          |                       |                       |
Use Server-Side           Use Cookieless (Matomo/    Deploy GA4 / Marketing
Log Analysis (Nginx)      Plausible) WITH:           Pixels WITH:
- No client-side JS       - CNIL-certified config    - Enterprise CMP
- No terminal access      - Strict IP truncation     - Hard-blocked GTM tags
- GDPR Legitimate         - Clear user opt-out       - Google Consent Mode v2
  Interest
          |                       |                       |
          v                       v                       v
[No Banner Needed]       [Banner Needed in Germany;  [Strict Banner Needed
                          Exempt in France (Opt-out)] Everywhere in EU/UK]
```