Analytics Without Cookies

By Narain · Validated · cookieless analytics, Plausible, Fathom

Overview

Cookieless analytics are the only form of analytics compatible with the Legal Foundation (Guide 01). They count unique visitors and measure engagement without relying on persistent identifiers, fingerprinting, or cookies. This guide covers how cookieless analytics work technically, compares the major platforms, and provides a decision framework for choosing the right tool.

How Cookieless Visitor Counting Works

The Daily-Rotating IP + User-Agent Hash Algorithm

The core technique used by all compliant cookieless analytics is a daily-rotating hash of the user’s IP address and User-Agent string. This method is validated as non-personal-data under GDPR.

Algorithm:

daily_hash(ip_address, user_agent_string, date) {
  combined = ip_address + user_agent_string + date
  hash = sha256(combined)
  return hash
}

Properties:

  • The hash is generated fresh for each day (UTC or local midnight).
  • The hash cannot be reversed to retrieve the IP address or User-Agent.
  • The hash is never stored in a database; it is computed on-the-fly for each request.
  • Because the hash changes daily, the same user visiting on different days appears as a different visitor.
  • The hash is never persisted to cookies, localStorage, or session storage.

Why this is not personal data:

  • The hash cannot be used to identify an individual. It is not linked to a name, email, phone number, or any other personal identifier.
  • The hash cannot be linked across time. Different days produce different hashes.
  • The hash cannot be linked across websites. Each website’s domain is an input to the hash, so the same IP + User-Agent produces a different hash on every site.
  • The hash is not linkable to other datasets. Even if someone obtained the hash, they could not connect it to other information about the user.

CNIL and ICO validation:

  • CNIL’s 2021 self-assessment framework explicitly allows this method without consent: “If analytics does not use cookies or other persistent identifiers and does not allow identification of individuals, consent is not required.”
  • ICO’s 2021 guidance states: “If you cannot link analytics data to individuals and data cannot be linked across time or websites, it is not personal data.”

Daily Rotation: Why It Matters

The daily rotation is critical. It prevents the hash from being used as a persistent identifier.

Example:

  • Day 1: User visits example.com. Hash = a1b2c3d4.
  • Day 2: Same user visits example.com. Hash = e5f6g7h8.

From the analytics perspective, these are two different visitors. The user’s behavior cannot be linked across days.

Implication: Daily-rotating hashes capture daily unique visitor counts, but not multi-day sessions, user journeys, or repeat visitor patterns. This is a fundamental trade-off with cookieless analytics.

What Data is Transmitted

Cookieless analytics transmit only:

  • The daily hash (cannot be reversed).
  • The timestamp of the page view.
  • The page URL (or a hashed version).
  • The referrer (or omitted entirely).
  • Browser and OS information (aggregated, not used for identification).
  • Geographic location (country or region level, not IP-level precision).

What is NOT transmitted:

  • IP address (only hashed, never stored or logged).
  • Cookies or persistent identifiers.
  • Cross-site tracking data.
  • User-identifying information (name, email, phone).
  • Device fingerprint data.
  • Cross-domain identifiers.

Platform Comparison

Plausible Analytics

Pricing: $20-90/month (SaaS only)

Visitor Counting: Daily-rotating IP + User-Agent hash (proprietary algorithm, not publicly disclosed in detail but independently verified).

Key Features:

  • No cookies set whatsoever.
  • No localStorage, IndexedDB, or other persistent storage.
  • No third-party scripts or integrations that could track users.
  • GDPR-compliant by design; no consent banner required.
  • Simple, clean dashboard focused on essential metrics.
  • Compliance certifications: SOC 2 Type II, GDPR DPA signed.

What You Get:

  • Daily unique visitors.
  • Page views and bounce rate.
  • Top pages and entry/exit pages.
  • Browser and OS breakdown.
  • Geographic location (country level).
  • Referrer sources.
  • Goal conversion tracking.
  • Custom events.

What You Don’t Get:

  • Individual session recordings or user journeys.
  • Cross-device tracking.
  • Repeat visitor identification.
  • Multi-day session attribution.
  • Remarketing audiences.
  • Behavioral cohorts.
  • Historical cross-site behavior.

Best For: Websites that prioritize privacy compliance, want to eliminate consent banners entirely, and need basic traffic metrics and goal tracking.

Compliance: CNIL self-assessment compliant. No consent required. No DPA required (data not shared with third parties).

Implementation Cost: Low. Script is ~1.4KB. No consent logic needed.

Fathom Analytics

Pricing: $14-200/month (SaaS only)

Visitor Counting: Daily-rotating IP + User-Agent hash. Slightly different algorithm than Plausible; independently verified as non-personal-data.

Key Features:

  • No cookies.
  • No third-party integrations.
  • GDPR/CCPA compliant by design.
  • Focus on privacy and simplicity.
  • Real-time traffic dashboard.
  • Team collaboration and custom domains.

What You Get:

  • Daily unique visitors and pageviews.
  • Page analytics (top pages, entry/exit).
  • Browser and device breakdown.
  • Geographic data (country, region, city).
  • Referrer sources.
  • Goals and conversion tracking.
  • Custom events.
  • API access for data export.

What You Don’t Get:

  • Session replay or user journeys.
  • Cross-device tracking.
  • Repeat visitor identification.
  • Multi-day session attribution.
  • Audiences for remarketing.

Best For: Similar to Plausible; websites prioritizing privacy compliance with a need for slightly more advanced event tracking and API access.

Compliance: CNIL compliant. No consent required. DPA not required.

Implementation Cost: Low. Script is ~1.1KB. No consent logic.

Matomo (Cookieless Mode)

Pricing: Self-hosted free, or €29-99/month SaaS (Matomo Cloud)

Visitor Counting: Configurable. In cookieless mode, uses a daily-rotating IP hash, with the User-Agent as an optional additional input.

Key Features:

  • Open-source, fully auditable codebase.
  • Self-hosted option (full control, no data transmission to third party).
  • Cookieless mode available (no cookies, no localStorage).
  • Full feature parity with Google Analytics if desired (but non-compliant by default).
  • Can be configured for maximum privacy or full feature set.
  • Very flexible; can be customized heavily.

What You Get (in cookieless mode):

  • Daily unique visitors.
  • Pageviews and bounce rate.
  • Full user journey replay (computed on-the-fly, not stored).
  • Page and device analytics.
  • Geographic data.
  • Referrer information.
  • Goals and e-commerce tracking.
  • Custom events and dimensions.
  • API for data export and integration.

What You Don’t Get:

  • Cross-device tracking (unless explicitly enabled with consent).
  • Multi-day repeat visitor identification (unless cookies enabled).
  • Remarketing audiences.

Best For: Organizations with technical resources to self-host, need full analytics features, want complete control over data, or require open-source auditing for compliance.

Compliance: CNIL compliant only if self-hosted and configured in cookieless mode. Cloud version (Matomo Cloud) is less compliant due to data transmission to Matomo’s servers.

Implementation Cost: Moderate to high (self-hosting requires infrastructure). Script is ~50KB but highly optimized.

Cloudflare Web Analytics

Pricing: Free (up to 1 million page views), or €20/month for custom reporting

Visitor Counting: Cloudflare’s proprietary bot-resistant counting method. Not documented publicly; appears to use server-side metrics without cookies.

Key Features:

  • Integrated into Cloudflare’s edge network (no additional requests if Cloudflare is your nameserver).
  • Zero cookies.
  • Real-time metrics dashboard.
  • Very simple setup (no code required if using Cloudflare).
  • Attractive free tier.

What You Get:

  • Page view counts.
  • Unique visitors (daily).
  • Device and browser breakdown.
  • Geographic data.
  • Referrer sources.
  • Core Web Vitals (LCP, FID, CLS).
  • HTTP status codes.

What You Don’t Get:

  • Goal tracking.
  • Custom events.
  • Session-level detail.
  • User journey data.
  • API access (limited).

Best For: Websites already using Cloudflare as DNS/CDN provider, need simple traffic metrics without additional overhead, or want a free option.

Compliance: CNIL compliant. No cookies. Limited DPA needed.

Implementation Cost: Free if using Cloudflare. Zero additional code required.

Umami

Pricing: Self-hosted free, or $12-99/month cloud (Umami Cloud)

Visitor Counting: Daily-rotating IP + User-Agent hash (open-source, auditable).

Key Features:

  • Open-source analytics written in Node.js.
  • Lightweight (~2.3KB payload).
  • Can be self-hosted for complete control.
  • Cookieless by default.
  • Simple, clean dashboard.
  • Good performance characteristics.

What You Get:

  • Daily unique visitors.
  • Pageviews and bounce rate.
  • Top pages and referrers.
  • Browser and OS breakdown.
  • Geographic data.
  • Custom events.
  • Goal conversion tracking.

What You Don’t Get:

  • User journeys or session replay.
  • Cross-device tracking.
  • Advanced audience segmentation.

Best For: Developers who want lightweight, open-source analytics with minimal overhead. Self-hosted deployments for maximum control.

Compliance: CNIL compliant. No cookies. No DPA required.

Implementation Cost: Very low. Self-hosted is free. Cloud option is budget-friendly.

GoatCounter

Pricing: Free (open-source), or €5-10/month for features

Visitor Counting: Daily-rotating visitor counting (auditable source code).

Key Features:

  • Minimal, ethical analytics focused on essential metrics.
  • Lightweight script (~3.5KB).
  • Can be self-hosted or used via goatcounter.com.
  • Designed specifically for privacy compliance.
  • Very transparent about what data is collected.

What You Get:

  • Daily unique visitors.
  • Pageviews.
  • Referrer information.
  • Browser and OS breakdown.
  • Geographic data (country only).
  • Custom events.

What You Don’t Get:

  • User journey data.
  • Session-level detail.
  • Advanced event tracking.
  • Audience segmentation.

Best For: Developers, bloggers, and organizations wanting minimal analytics with maximum transparency. Self-hosted or low-cost SaaS option.

Compliance: CNIL compliant. No cookies. No DPA required.

Implementation Cost: Very low to free. Lightweight payload.

OpenPanel

Pricing: Self-hosted free, cloud TBD

Visitor Counting: Daily-rotating IP hash (open-source).

Key Features:

  • Modern, open-source alternative to traditional analytics.
  • Under active development.
  • Lightweight and focused on core metrics.
  • Privacy-first design.
  • Can be self-hosted for full control.

What You Get:

  • Daily unique visitors.
  • Pageviews.
  • Referrer tracking.
  • Geographic data.
  • Device and browser breakdown.
  • Custom event tracking.

What You Don’t Get:

  • User journeys.
  • Session replay.
  • Cross-device tracking.

Best For: Organizations evaluating new analytics tools with privacy-first requirements, open-source preference, and technical capability for self-hosting.

Compliance: CNIL compliant. No cookies. No DPA required.

Implementation Cost: Free if self-hosted. Minimal infrastructure overhead.

Decision Framework: Plausible vs Fathom

Both Plausible and Fathom are excellent SaaS choices. The decision comes down to specific features and pricing:

Factor          | Plausible                   | Fathom
----------------|-----------------------------|---------------------------
Price           | Higher ($20-90)             | Lower ($14-200)
Startup Cost    | Higher ($20/month minimum)  | Lower ($14/month minimum)
API Access      | No                          | Yes
Custom Domains  | No                          | Yes
Ease of Use     | Very simple                 | Very simple
Support         | Email                       | Email + Chat
Feature Set     | Essential metrics           | Essential metrics
Setup Time      | 5 minutes                   | 5 minutes
Data Ownership  | Limited (SaaS)              | Limited (SaaS)

Choose Plausible if: You want the simplest possible setup, don’t need API access, and prefer to pay a bit more for a focused product.

Choose Fathom if: You need API access for data export, custom domain setup, or want slightly more budget flexibility.

Choose Matomo if: You have technical resources to self-host, need full analytics features, or require complete data control for compliance/audit purposes.

Choose Cloudflare Web Analytics if: You already use Cloudflare for DNS/CDN and want free analytics without additional infrastructure.

What You Lose: The Trade-Offs of Cookieless Analytics

Individual Journeys

With cookies, you can track a user from landing page → product page → checkout → purchase. This creates a “session” that shows the conversion journey.

With cookieless analytics using daily-rotating hashes, you cannot link pageviews across the day. You can measure:

  • Total pageviews.
  • Bounce rate (first page only).
  • Top pages and referrers.

But you cannot answer: “What path did users take before purchasing?”

Implication: Cookieless analytics is sufficient for traffic monitoring and trend analysis but insufficient for detailed conversion funnels or user journey analysis.

Cross-Device Tracking

Cookies allow you to identify the same user across multiple devices (phone, tablet, desktop) through login-based identification or probabilistic matching.

Cookieless analytics cannot do this. If a user visits on mobile and desktop, they appear as two different visitors.

Implication: You cannot measure customer lifetime value across devices or attribute conversions to initial touchpoints on other devices.

Remarketing Audiences

Google Analytics and similar tools build audiences of users who visited specific pages or took specific actions. These audiences can be exported to Google Ads, Facebook, and other platforms for retargeting.

Cookieless analytics cannot build audiences because they do not identify individuals.

Implication: Behaviorally-targeted advertising (retargeting) is not possible without explicit consent. This is a privacy feature, not a limitation.

Attribution Modeling

Multi-touch attribution assigns credit to multiple touchpoints in a conversion journey. Without individual journeys, multi-touch attribution is not possible.

Implication: You cannot measure whether organic search or paid advertising deserves more credit for a conversion.

What You Gain: The Benefits of Cookieless Analytics

Eliminate the Consent Banner

This is the primary benefit. The Legal Foundation (Guide 01) requires cookieless analytics to eliminate cookie banners. Removing the consent banner improves user experience and conversion rates.

Metric: Studies show consent banner rejection rates of 70-85% in EU jurisdictions. Eliminating the banner recovers traffic from users who would have rejected tracking.

Minimal JavaScript Overhead

Google Analytics alone is ~45KB. Add a consent banner (~50-200KB), reCAPTCHA (~150-300KB), and you have 300-700KB of JavaScript.

Plausible is ~1.4KB. Fathom is ~1.1KB. This is a 97-99% reduction in analytics-related overhead.

Impact: Faster page loads (see Guide 03: The Performance Dividend).

Recover 20-40% of Visitors

Studies consistently show that 20-40% of users reject cookie consent in EU jurisdictions. With cookieless analytics:

  • No consent required.
  • These users are counted and tracked.
  • You recover traffic visibility for the full audience.

Metric: A website with 100,000 monthly visitors might have only 60,000-80,000 tracked in Google Analytics (due to consent rejection). Switching to cookieless analytics recovers the full 100,000.

No Third-Party Data Sharing

Plausible, Fathom, Matomo, and the other platforms explicitly do not share data with third parties for advertising, profiling, or secondary purposes.

Implication: Your data is not sold to advertisers or data brokers. This is both a privacy benefit and a compliance requirement.

Simplified Data Processing Agreement (DPA)

Cookieless analytics platforms that self-certify as non-personal-data do not require a Data Processing Agreement. The DPA requirement only applies if the analytics vendor processes personal data on your behalf.

Implication: Faster implementation (no legal review of DPA), lower risk (no personal data transfer), and clearer compliance posture.

Trust and User Confidence

Privacy-first analytics is increasingly a brand differentiator. Marketing the fact that your website respects privacy (no tracking, no banner) can improve user trust and customer retention.

CNIL Self-Assessment Framework

The CNIL (French DPA) publishes a self-assessment framework for determining whether analytics require consent. This framework is referenced by other DPAs and provides a practical compliance checklist.

Framework Steps:

  1. Does the analytics tool set cookies?

    • If yes: Consent required. Move to step 2.
    • If no: Continue to step 3.
  2. Are cookies essential for the service?

    • If yes: Consent not required (necessary cookies exemption).
    • If no: Consent required.
  3. Does the tool create persistent identifiers?

    • If yes: Consent required. Move to step 4.
    • If no: Continue to step 5.
  4. Can identifiers be linked across time or websites?

    • If yes: Consent required. The data is personal data, and a persistent identifier requires consent.
    • If no: Continue to step 5.
  5. Is the tool used solely for analytics and not for other purposes (advertising, profiling, etc.)?

    • If yes: Consent not required (if no persistent identifiers).
    • If no: Consent required. Other purposes require explicit consent.

Application to Cookieless Analytics:

  • Plausible: No cookies → No persistent identifiers → No cross-time linking → Analytics-only use = No consent required.
  • Fathom: Same as Plausible.
  • Matomo (cookieless): Same as Plausible.
  • Google Analytics: Sets cookies → Creates persistent identifiers → Links across time and websites → Non-analytics use (Google’s advertising) = Consent required.

Implementation Guide

Step 1: Choose a Platform

Use the decision framework above. For most SaaS users, Plausible or Fathom are the best starting points due to simplicity and low cost.

Step 2: Create Account and Obtain Tracking Code

Each platform provides a unique tracking code (JavaScript snippet). This snippet contains your unique property ID.

Example (Plausible):

<script defer data-domain="example.com" src="https://plausible.io/js/script.js"></script>

Step 3: Add Tracking Code to Website

Place the tracking code in the <head> of your HTML template, or add it via a tag manager. Most platforms recommend placing it just before the closing </head> tag.

Important: The script must reference data-domain="yourdomain.com" matching your actual domain.

Step 4: Remove Existing Analytics

If migrating from Google Analytics or another tracking tool:

  • Remove the old tracking code entirely.
  • Remove the consent banner code (no longer needed).
  • Remove any consent-related JavaScript.
  • Remove reCAPTCHA or other third-party tracking tools that require consent.

Step 5: Verify Implementation

Wait 24 hours for data to accumulate, then verify:

  • Dashboard shows traffic from your domain.
  • Browser DevTools shows the analytics request (you should see an API call to plausible.io or fathom.app).
  • No consent banner displays.
  • Page load time is noticeably faster.

Step 6: Set Up Goals (Optional)

Most cookieless analytics platforms support goal tracking for conversions.

Example goal: Track button clicks, form submissions, or specific page views as conversion goals.

Configure goals in the platform’s dashboard. Goals do not require additional code unless using event tracking.
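The following is an added example (not code from the page or from any of the platforms above) that checks steps 3 to 5 offline against a rendered HTML template: the Plausible snippet is present inside <head> with a data-domain matching the real domain, and the legacy tracker and consent scripts removed in step 4 are actually gone. auditTemplate, LEGACY_TRACKER_PATTERNS and the two sample templates are hypothetical and constructed here.

```javascript
// Added example: offline check for steps 3-5 of the migration above. Hypothetical
// helper, not part of any platform's tooling. Given a rendered HTML template and
// the site's real domain, it reports: a missing Plausible snippet, a data-domain
// mismatch, a snippet placed outside <head>, and leftover legacy tracker/consent
// scripts that should have been removed in step 4.
const LEGACY_TRACKER_PATTERNS = [
  /googletagmanager\.com\/gtag\/js/i,      // Google Analytics 4 / gtag loader
  /google-analytics\.com\/analytics\.js/i, // Universal Analytics loader
  /www\.google\.com\/recaptcha\//i,        // reCAPTCHA (requires consent)
];

function auditTemplate(html, expectedDomain) {
  const findings = [];
  // Only <head>, not <header>: the optional group requires whitespace before attributes.
  const headMatch = html.match(/<head(?:\s[^>]*)?>([\s\S]*?)<\/head>/i);
  const head = headMatch ? headMatch[1] : '';
  const snippetRe = /<script\b[^>]*\bsrc="https:\/\/plausible\.io\/js\/script\.js"[^>]*>/gi;
  const snippets = [...html.matchAll(snippetRe)].map((m) => m[0]);

  if (snippets.length === 0) findings.push('plausible snippet missing');
  for (const tag of snippets) {
    const domainMatch = tag.match(/\bdata-domain="([^"]*)"/i);
    const domain = domainMatch ? domainMatch[1] : null;
    if (domain !== expectedDomain) {
      findings.push(`data-domain is ${JSON.stringify(domain)}, expected "${expectedDomain}"`);
    }
    // The opening tag must appear verbatim inside the <head> content.
    if (!head.includes(tag)) findings.push('snippet is outside <head>');
  }
  for (const pattern of LEGACY_TRACKER_PATTERNS) {
    if (pattern.test(html)) findings.push(`legacy tracker still present: ${pattern.source}`);
  }
  return findings; // an empty array means the template passes
}

// Constructed templates. The G-XXXXXXX measurement id is a placeholder.
const MIGRATED_TEMPLATE = `<!doctype html><html><head><title>Shop</title>
<script defer data-domain="example.com" src="https://plausible.io/js/script.js"></script>
</head><body><main>Hello</main></body></html>`;

const HALF_MIGRATED_TEMPLATE = `<!doctype html><html><head><title>Shop</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="https://www.google.com/recaptcha/api.js"></script>
</head><body><main>Hello</main>
<script defer data-domain="staging.example.com" src="https://plausible.io/js/script.js"></script>
</body></html>`;

// Expected: [] for the migrated template; four findings for the half-migrated one.
console.log(auditTemplate(MIGRATED_TEMPLATE, 'example.com'));
console.log(auditTemplate(HALF_MIGRATED_TEMPLATE, 'example.com'));
```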

Technical Details: IP Hashing Algorithm

For those implementing custom cookieless analytics, here is a reference implementation of the daily-rotating IP+UA hash:

async function getDailyHash(ipAddress, userAgent) {
  // Get today's date in UTC (YYYY-MM-DD format)
  const today = new Date().toISOString().split('T')[0];

  // Concatenate IP + UA + date
  const input = ipAddress + userAgent + today;

  // Hash with SHA-256 via the Web Crypto API (crypto.subtle is available in
  // browsers and in Node.js 19+). digest() is asynchronous, so this function
  // must be async and callers must await the returned promise.
  const encoder = new TextEncoder();
  const data = encoder.encode(input);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');

  return hashHex;
}

Properties:

  • The hash is unique per user per day.
  • Different dates produce different hashes for the same user.
  • The hash is computationally infeasible to reverse.
  • No persistent storage is required; the hash is computed fresh on each request.

Limitations and Honest Assessment

Cookieless analytics are not a perfect replacement for Google Analytics. Specific limitations:

  1. No Individual Sessions: You cannot replay a user’s journey through your site.
  2. No Cross-Device Tracking: You cannot identify the same user across devices.
  3. No Historical Attribution: You cannot measure which touchpoint led to conversion.
  4. No Audience Building: You cannot create audiences for remarketing.
  5. No Behavioral Profiling: You cannot segment users into behavioral cohorts.

However: All five limitations are actually privacy features. Removing these capabilities is the entire point. If your business requires these capabilities, you must obtain explicit user consent.
