Why Cookie-Free Analytics Matter in 2026

Consent rates across European websites hover between 30% and 70%, depending on banner design and audience. For site owners relying on analytics cookies, that means a significant share of traffic simply vanishes from reports the moment a visitor clicks reject.

The result is skewed data, unreliable conversion counts, and marketing budgets allocated on partial information. A growing category of analytics tools aims to solve this problem by collecting traffic data without setting cookies at all. Plausible, Fathom, Simple Analytics, and Matomo (in cookieless mode) each claim to operate without triggering consent requirements.

But "no cookies" does not automatically mean "no consent needed." The legal question hinges on Article 5(3) of the ePrivacy Directive, which covers more than just cookies.

How Privacy-First Analytics Platforms Avoid Cookies

Traditional analytics tools like Google Analytics 4 rely on cookies such as _ga and _ga_XXXXXXX to identify returning visitors and stitch sessions together. Privacy-first alternatives take a fundamentally different approach.

Instead of storing a persistent identifier on the visitor's device, these tools generate a daily hash from non-personal signals - typically the visitor's IP address, the User-Agent string, and the website's domain. The hash rotates every 24 hours, meaning the tool can count unique visitors within a single day but cannot track individuals across days. IP addresses are discarded after hashing and never stored in raw form.

No cookie is written. No data persists on the visitor's device between sessions. No cross-site tracking is possible.

This is a genuine architectural difference, not a marketing rebranding of first-party cookies. The trade-off is reduced granularity: you lose multi-day user journeys, cohort analysis, and precise returning-visitor counts.
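The daily rotating hash described above can be sketched as follows. This is an added example, not code from Plausible, Fathom or Matomo. It assumes the rotation is done with a random per-day salt held only in memory, which the page does not specify; the class and method names are hypothetical. A secret salt matters because the IPv4 address space is small enough that an unsalted hash of IP, User-Agent and domain could be recomputed by guessing.

```javascript
// Added example, not vendor code. Assumption: a random per-day salt keys the hash.
const { createHmac, randomBytes } = require('node:crypto');

class DailyVisitorCounter {
  constructor() {
    this.salts = new Map(); // day -> random salt, kept in memory only
    this.seen = new Map();  // day -> Set of visitor hashes
  }

  saltFor(day) {
    if (!this.salts.has(day)) this.salts.set(day, randomBytes(32));
    return this.salts.get(day);
  }

  // HMAC over length-prefixed fields, so ("ab","c") and ("a","bc") differ.
  visitorHash(day, domain, ip, userAgent) {
    const mac = createHmac('sha256', this.saltFor(day));
    for (const field of [domain, ip, userAgent]) {
      const bytes = Buffer.from(field, 'utf8');
      const len = Buffer.alloc(4);
      len.writeUInt32BE(bytes.length);
      mac.update(len).update(bytes);
    }
    return mac.digest('hex');
  }

  // Record a page view; only the hash is kept, the raw IP is never stored.
  record(day, domain, ip, userAgent) {
    const id = this.visitorHash(day, domain, ip, userAgent);
    if (!this.seen.has(day)) this.seen.set(day, new Set());
    this.seen.get(day).add(id);
    return id;
  }

  uniques(day) {
    return this.seen.has(day) ? this.seen.get(day).size : 0;
  }

  // Once a day is over, destroy its salt: old hashes cannot be recomputed or linked.
  expire(day) {
    return this.salts.delete(day);
  }
}

// Constructed sample traffic (documentation IP range, made-up User-Agents).
const counter = new DailyVisitorCounter();
counter.record('2026-03-01', 'example.org', '203.0.113.7', 'UA-desktop');
counter.record('2026-03-01', 'example.org', '203.0.113.7', 'UA-desktop');
counter.record('2026-03-01', 'example.org', '203.0.113.9', 'UA-mobile');
console.log(counter.uniques('2026-03-01'));
```

The same visitor recorded on the next day gets an unrelated hash, which is why multi-day journeys and returning-visitor counts are lost.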

Plausible, Fathom, and Matomo Compared

Each platform handles cookieless tracking slightly differently. The table below summarises the key distinctions.

| Feature | Plausible | Fathom | Matomo (Cookieless Mode) |
| --- | --- | --- | --- |
| Cookies set | None | None | None (when cookieless mode enabled) |
| Visitor identification | Daily rotating hash | Daily rotating hash | Config-dependent; fingerprint or none |
| IP address stored | No | No | No (with anonymisation on) |
| Self-hosted option | Yes (Community Edition) | No | Yes |
| Data hosting (cloud) | EU (Germany) | EU (Germany) + Canada | EU or self-hosted |
| CNIL exemption eligible | Claimed, not officially listed | Claimed, not officially listed | Yes - officially recognised by CNIL |
| Script size | Under 1 KB | Under 2 KB | ~22 KB (full), lighter in basic mode |
| Event tracking | Custom events, goals | Custom events, goals | Full event tracking, e-commerce |
| Pricing (cloud) | From EUR 9/month | From USD 15/month | Free (self-hosted) or from EUR 19/month |

Matomo stands apart because the French data protection authority (CNIL) has officially recognised it as eligible for the analytics consent exemption - provided specific configuration requirements are met. Plausible and Fathom make strong privacy claims but have not received the same formal recognition from any EU supervisory authority.

What Matomo's CNIL Exemption Actually Requires

Simply installing Matomo does not grant an automatic exemption. The CNIL's conditions are cumulative: IP anonymisation must be enabled, cookie lifetime must be limited to 13 months, data must not be shared with third parties, and the tool must be used strictly for audience measurement. If you add other tracking, cross-reference with CRM data, or share analytics with advertising partners, the exemption falls away.

The same logic applies to any tool claiming consent-free operation. The exemption is not about the tool itself but about how it is configured and used.

The ePrivacy Directive Problem: Cookies Are Not the Only Trigger

Article 5(3) of the ePrivacy Directive does not mention cookies by name. It covers "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." The EDPB's Guidelines 2/2023 confirmed that this scope extends to local storage, session storage, and even certain JavaScript API calls that read device information.

A cookieless analytics script that reads the User-Agent string, screen resolution, or browser language from the visitor's device is technically "gaining access to information already stored in the terminal equipment." Under a strict reading of Article 5(3), this access requires either consent or qualification under one of the narrow exemptions.

The EDPB guidelines state that even reading information for the purpose of generating a hash-based identifier can fall within scope.
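To see which of these reads and writes a given analytics script actually performs, it can be run against stubbed browser globals that log every access. The audit below is an added example, not part of the original article or of any vendor's tooling; the function names, stub values and sample tracker are constructed for illustration, and only the one code path that executes is observed.

```javascript
// Added example: trace which device properties an analytics script touches.
// node:vm is NOT a security boundary; only run scripts you already trust.
const vm = require('node:vm');

// Wrap a stub so reads and writes of watched properties are logged once each.
function traced(name, stub, log, watch = null) {
  const note = (op, prop) => {
    if (typeof prop !== 'string') return;
    if (watch && !watch.includes(prop)) return;
    const entry = `${op} ${name}.${prop}`;
    if (!log.includes(entry)) log.push(entry);
  };
  return new Proxy(stub, {
    get(obj, prop) { note('read', prop); return obj[prop]; },
    set(obj, prop, value) { note('write', prop); obj[prop] = value; return true; },
  });
}

// Run `source` against stubbed browser globals; return the accesses observed.
// Method lookups such as localStorage.getItem appear as reads.
function auditTerminalAccess(source) {
  const log = [];
  const storage = () => ({ getItem: () => null, setItem: () => {} });
  const sandbox = {
    navigator: traced('navigator', { userAgent: 'ExampleUA/1.0', language: 'en-GB' }, log),
    screen: traced('screen', { width: 1920, height: 1080 }, log),
    localStorage: traced('localStorage', storage(), log),
    sessionStorage: traced('sessionStorage', storage(), log),
    document: traced('document', { cookie: '', referrer: '' }, log, ['cookie']),
    location: { href: 'https://example.org/pricing' },
    send: () => {}, // hypothetical beacon function used by the sample below
  };
  vm.runInNewContext(source, sandbox, { timeout: 1000 });
  return log;
}

// Constructed sample of a "cookieless" tracker; not taken from any real product.
const SAMPLE_TRACKER = `
  var hit = { url: location.href, ref: document.referrer,
              w: screen.width, lang: navigator.language };
  if (!localStorage.getItem('optout')) { send(hit); }
`;

console.log(auditTerminalAccess(SAMPLE_TRACKER));
```

The sample sets no cookie, yet the trace still lists a screen resolution read, a browser language read and a local storage lookup, each of which is the kind of access the guidelines place within scope.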

How Different Countries Interpret the Exemption

EU member states have transposed the ePrivacy Directive differently, and their supervisory authorities interpret the analytics exemption with varying degrees of flexibility.

France, through the CNIL, explicitly allows audience measurement tools to operate without consent when configured to meet strict conditions. Spain's AEPD and Italy's Garante have taken similar positions, recognising that basic, non-invasive analytics can qualify as "strictly necessary" for the service requested by the user.

Germany's federal and state data protection authorities generally require consent for all analytics, including cookieless variants. The Netherlands' Autoriteit Persoonsgegevens has taken a comparably strict position. In these jurisdictions, even a fully anonymised, cookieless analytics tool may still require a consent prompt.

The UK's position shifted with the Data Use and Access Act, which introduced a specific exemption for analytics that are purely statistical, do not share data with third parties, and provide users with clear information and an opt-out mechanism.

What You Still Need Even Without Cookies

Dropping cookies from your analytics stack does not eliminate all compliance obligations. Several requirements persist regardless of the tracking method used.

Your privacy policy must still disclose the use of analytics, the data processed (even if anonymised), the legal basis relied upon, and the identity of any third-party processor. If you use a cloud-hosted analytics service, you likely need a data processing agreement under GDPR Article 28.

Under the GDPR's transparency principle (Article 13), visitors must be informed about data collection even when consent is not the legal basis. A short, clear notice in your privacy policy explaining what your analytics tool collects and why is not optional - it is a legal requirement.

If your analytics provider processes data outside the EEA, cross-border data transfer safeguards apply. Plausible's EU-only hosting avoids this issue. Fathom routes European traffic to German servers but is a Canadian company, so the adequacy decision for Canada under GDPR may be relevant.

Google Analytics 4 vs Cookieless Alternatives: The Data Trade-Off

Switching from Google Analytics 4 to a cookieless tool is not a like-for-like replacement. GA4 offers audience segmentation, predictive metrics, integration with Google Ads, and conversion modelling through Consent Mode v2. Privacy-first tools intentionally sacrifice these features.

The practical question is whether your reporting needs justify the complexity. If you need to know which pages get traffic, which referral sources perform, and how visitors flow through your site on a per-session basis, Plausible or Fathom will cover it. If you need multi-touch attribution, remarketing audiences, or predictive lifetime value, you still need GA4 - and you still need consent.

Many site owners run both: a cookieless tool for baseline traffic data (available for 100% of visitors) and GA4 behind a consent gate for deeper analysis of consenting users. This hybrid approach gives you complete page-view counts alongside richer behavioural data from the subset who opt in.

Choosing the Right Tool for Your Compliance Context

The right choice depends on where your visitors are located and which supervisory authority oversees your processing.

If your audience is primarily in France, Matomo in cookieless mode with CNIL-compliant configuration is the safest option with formal regulatory backing. For UK-focused sites, the Data Use and Access Act's new analytics exemption opens the door to most cookieless tools, provided you meet the conditions around transparency and opt-out.

For sites with significant German traffic, no cookieless tool currently eliminates the need for consent under the prevailing regulatory interpretation. You may still want a cookie banner - though the consent prompt can be simpler when no actual cookies are involved.

If you serve a global audience, the hybrid approach described above often makes the most practical sense. Run a cookieless tool for universal baseline data and load Google Consent Mode-compatible tags only after consent.

Frequently Asked Questions

Do I need a cookie banner if I only use Plausible Analytics?

It depends on your jurisdiction. In France, Spain, and the UK (under the Data Use and Access Act), Plausible's cookieless approach likely qualifies for an analytics exemption. In Germany and the Netherlands, supervisory authorities may still require consent for any analytics access to terminal equipment, even without cookies.

Is Matomo exempt from cookie consent under GDPR?

The consent exemption comes from the ePrivacy Directive, not the GDPR itself. The CNIL has recognised Matomo as eligible for its analytics exemption, but only when configured with IP anonymisation, no data sharing, limited cookie lifetime, and use restricted to audience measurement.

Can privacy-preserving analytics track individual users across sessions?

No. Tools like Plausible and Fathom use daily rotating hashes that reset every 24 hours. They can count unique visitors within a single day but cannot identify the same person returning the next day. This is a deliberate design choice that limits tracking capability.

What data do cookieless analytics tools actually collect?

Typical data points include page URL, referral source, browser type, operating system, screen size, and country (derived from IP, which is then discarded). No names, email addresses, or persistent identifiers are stored.

Does the ePrivacy Directive only apply to cookies?

No. Article 5(3) covers any storing of information or gaining access to information on a user's terminal equipment. This includes cookies, local storage, browser fingerprinting techniques, and even reading device properties through JavaScript APIs.

Can I use Plausible or Fathom alongside Google Analytics?

Yes. Many site owners run a cookieless tool for complete baseline traffic data and load GA4 only after consent. This hybrid approach ensures you always have page-view counts while getting richer data from visitors who opt in.

Take Control of Your Cookie Compliance

Whether you switch to a fully cookieless analytics platform or run a hybrid setup, your cookie banner and scanning configuration still matter. Kukie.io detects every cookie and tracker on your site, categorises them, and helps you build a consent flow that matches your analytics stack - so your visitors get a clear choice, and your compliance holds up to scrutiny.
