A growing number of site owners are asking whether they can ditch cookies entirely. The short answer: yes, but with conditions. A simple informational website with no login system, no analytics tracking, and no third-party embeds can run without setting a single cookie. The moment you add a contact form with session protection, an embedded YouTube video, or a Google Analytics tag, cookies creep back in.

The real question is not whether a zero-cookie website is possible. It is whether the trade-offs are worth it for your specific situation.

What Counts as a Cookie Under Privacy Law

Article 5(3) of the ePrivacy Directive does not mention the word "cookie" at all. It covers the storing of information, or the gaining of access to information already stored, on a user's terminal equipment. That scope is deliberately broad. The EDPB's Guidelines 2/2023 confirmed that the consent requirement extends well beyond traditional HTTP cookies to include local storage, session storage, tracking pixels, browser fingerprinting, and even information cached temporarily in RAM.

This matters because swapping cookies for localStorage or sessionStorage does not exempt you from consent obligations. If your code writes data to a visitor's device for non-essential purposes, the same rules apply regardless of the storage mechanism.

Cookies You Can Eliminate Today

Most websites carry cookies that are not strictly necessary. Third-party analytics cookies such as _ga, _gid, and _gat from Google Analytics are the most common. Marketing cookies from Facebook (_fbp), LinkedIn (li_fat_id), and advertising networks form another large group. Social sharing widgets, embedded maps, and chat tools each set their own cookies too.

Removing these is straightforward. Strip out the tracking scripts, replace embedded content with static alternatives or privacy-gated embeds, and the cookies disappear with them.

| Cookie source | Typical cookies set | Cookieless alternative |
|---|---|---|
| Google Analytics 4 | _ga, _gid | Plausible, Fathom, Matomo (cookieless mode) |
| Facebook Pixel | _fbp, _fbc | Conversions API (server-side) |
| YouTube embed | Multiple third-party cookies | youtube-nocookie.com embed or static thumbnail with click-to-load |
| Google Maps embed | Multiple third-party cookies | Static map image linking to Google Maps |
| Live chat widgets | Session and tracking cookies | Simple contact form or email link |

Cookies That Are Harder to Remove

Some cookies serve the visitor directly. A session cookie like PHPSESSID or a framework-equivalent keeps a logged-in user authenticated as they move between pages. A CSRF token cookie prevents cross-site request forgery on form submissions. A load-balancing cookie routes repeat requests to the same server so a session does not break mid-transaction.

Under the ePrivacy Directive, these qualify as "strictly necessary" because they exist solely to provide a service the user explicitly requested. The Article 29 Working Party's Opinion 04/2012 set out two exemption criteria: the cookie is needed for transmitting a communication over a network, or it is strictly necessary to provide a service the user asked for. Authentication cookies, shopping cart cookies, and security tokens all pass this test.

If your site has user accounts, e-commerce, or form submissions with server-side sessions, removing these cookies would break core functionality. The good news is that strictly necessary cookies do not require consent and do not need a cookie banner - though you should still disclose them in your cookie policy.

The Cookieless Analytics Option

Dropping analytics is the biggest change most site owners resist. Traffic data drives decisions about content, marketing spend, and conversion optimisation. Going fully cookieless does not mean going data-blind.

Privacy-focused analytics tools such as Plausible, Fathom, and Matomo in cookieless mode collect aggregate metrics - page views, referrers, device types, bounce rates - without writing anything to the visitor's device. They rely on techniques like hashing the visitor's IP address with a daily rotating salt so that unique visits can be counted within a session without creating a persistent identifier.
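The daily-rotating-salt technique described above can be sketched as follows. This is an added example, not code from Plausible, Fathom, or Matomo; the class name, the in-memory storage, and the use of the User-Agent string as a second hash input are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailyUniqueCounter:
    """Counts unique visitors per day; nothing is stored on the visitor's device."""

    def __init__(self):
        self._day = None
        self._salt = b""
        self._seen = set()

    def _rotate(self, today):
        # On a new day, draw a fresh random salt and drop yesterday's salt and
        # hashes. Once the old salt is gone, old IDs cannot be recomputed or
        # linked to today's, so no persistent identifier exists.
        if today != self._day:
            self._day = today
            self._salt = secrets.token_bytes(32)
            self._seen = set()

    def visitor_id(self, ip, user_agent, today):
        self._rotate(today)
        # Keyed hash (HMAC) rather than a bare hash: the IPv4 space is small
        # enough to enumerate, so the salt must stay secret on the server.
        # Hashing the User-Agent alongside the IP is an assumption of this sketch.
        msg = f"{ip}\x00{user_agent}".encode()
        return hmac.new(self._salt, msg, hashlib.sha256).hexdigest()

    def record(self, ip, user_agent, today):
        """Returns True if this is the first hit from this visitor today."""
        vid = self.visitor_id(ip, user_agent, today)
        is_new = vid not in self._seen
        self._seen.add(vid)
        return is_new

    def uniques(self):
        return len(self._seen)


if __name__ == "__main__":
    counter = DailyUniqueCounter()
    day = date(2025, 1, 1)
    # Constructed sample hits (documentation IP ranges).
    for ip, ua in [("203.0.113.7", "UA-1"), ("203.0.113.7", "UA-1"), ("198.51.100.9", "UA-2")]:
        counter.record(ip, ua, day)
    print(counter.uniques())
```

Until the salt is rotated, the hash is still a pseudonymous identifier derived from an IP address, so the server-side processing remains in scope of the GDPR.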

The legal position of these tools varies by jurisdiction. The French CNIL updated its audience measurement exemption guidance in July 2025, allowing analytics tools that meet strict criteria - limited event types, pseudonymised IP addresses, no cross-site tracking - to operate without consent. Matomo's self-hosted configuration is one tool that has qualified. Other data protection authorities, including the UK's ICO, take a stricter view and maintain that any analytics tracking requires prior consent under UK GDPR and PECR, regardless of whether cookies are involved.

Whether a cookieless analytics tool still needs a consent banner depends on where your visitors are and which DPA has jurisdiction. The tool may not set cookies, but if it accesses information on the visitor's device - which most JavaScript-based analytics do at some level - Article 5(3) can still apply.

When Going Cookie-Free Makes Sense

A static marketing site, a personal blog, a portfolio, or a documentation hub with no login system is a strong candidate. These sites can deliver content without storing anything on the visitor's device. The Swiss Federal University for Vocational Education and Training (SFUVET) moved to a fully cookie-free website in 2025, replacing Google Analytics with a self-hosted Matomo instance that collects only anonymised data.

Content-heavy publishers, SaaS platforms with user dashboards, and e-commerce stores face a different equation. Removing session cookies from a checkout flow or stripping authentication tokens from a logged-in experience is not practical. The goal for these sites is reducing non-essential cookies to a minimum rather than reaching zero.

Why Cookie-Free Does Not Mean Compliance-Free

Removing all cookies does not automatically remove privacy obligations. The GDPR applies whenever personal data is processed, not just when cookies are set. Server logs that record IP addresses, contact forms that collect email addresses, and server-side tracking that profiles visitors all trigger GDPR requirements independently of cookies.

The EDPB's Guidelines 2/2023 also broadened the scope of Article 5(3) beyond cookies to cover tracking pixels, JavaScript-based device fingerprinting, and even some forms of IP address collection. A website that sets zero cookies but loads a tracking pixel on every page still falls under consent rules.

The CNIL's enforcement record makes this tangible. In September 2025, the authority fined Google a total of 325 million euros and Shein 150 million euros for cookie consent violations. Between December 2022 and December 2024, the CNIL issued combined fines exceeding 139 million euros for breaches of the French implementation of Article 5(3). These actions targeted not just cookies but the broader practice of storing or accessing information on user devices without valid consent.

A Practical Checklist for Reducing Cookies

Start by running a cookie scan on your site to see exactly what is being set. Many site owners are surprised to find cookies from scripts they forgot they installed or third-party embeds buried deep in page templates.

Once you have a full inventory, work through each cookie. Remove tracking and advertising scripts you no longer need. Replace Google Analytics with a privacy-preserving analytics tool if aggregate metrics meet your needs. Switch embedded videos to privacy-enhanced mode or use static placeholders with click-to-load consent gates. Audit your CMS and plugins for hidden cookies - WordPress plugins, for instance, often set cookies that are not immediately obvious.

For each remaining cookie, determine whether it qualifies as strictly necessary. If it does, document its purpose and duration in your cookie policy. If it does not, either remove it or put it behind a consent mechanism.
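One way to find the third-party embeds buried in page templates is a static scan of the markup. The following is an added example, not part of the original article or any scanner's code; the function and class names are hypothetical, the host names are assumptions about where each embed is commonly loaded from, and the suggested alternatives are the ones from the table above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (host, path prefix, cookie source -> alternative from the article's table).
# Host names are assumptions about where each embed is commonly loaded from.
KNOWN_SOURCES = [
    ("www.googletagmanager.com", "/gtag/", "Google Analytics 4 -> Plausible, Fathom or Matomo (cookieless mode)"),
    ("connect.facebook.net", "/", "Facebook Pixel -> Conversions API (server-side)"),
    ("www.youtube.com", "/embed/", "YouTube embed -> youtube-nocookie.com or click-to-load thumbnail"),
    ("www.google.com", "/maps/", "Google Maps embed -> static map image linking to Google Maps"),
]

# Constructed template fragment for the demonstration.
SAMPLE_TEMPLATE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/assets/site.js"></script>
<img src="https://www.example.com/logo.png">
<iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<img src="https://tracker.example.net/pixel.gif" width="1" height="1">
"""


class EmbedFinder(HTMLParser):
    """Collects script/iframe/img sources served from hosts other than the site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in ("script", "iframe", "img") or not src:
            return
        url = urlparse(src, scheme="https")
        if url.hostname is None or url.hostname == self.site_host:
            return  # relative or same-host URL: first-party resource
        advice = "unknown third party: review"
        for host, prefix, note in KNOWN_SOURCES:
            if url.hostname == host and url.path.startswith(prefix):
                advice = note
        self.findings.append((tag, url.hostname, advice))


def scan_template(html, site_host):
    """Returns (tag, host, advice) for each third-party resource in the markup."""
    finder = EmbedFinder(site_host)
    finder.feed(html)
    return finder.findings
```

A static scan only sees what is in the markup; scripts injected at runtime by a tag manager or plugin still need a browser-based cookie scan to surface.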

Frequently Asked Questions

Do I still need a cookie banner if my site sets zero cookies?

Not for cookie consent specifically. If your site genuinely sets no cookies and uses no other tracking technologies covered by the ePrivacy Directive, you do not need a cookie consent banner. You should still maintain a privacy policy if you process any personal data, such as through contact forms or server logs.

Does using localStorage instead of cookies avoid consent requirements?

No. Article 5(3) of the ePrivacy Directive covers the storing of any information on a user's device, not just cookies. The EDPB's Guidelines 2/2023 confirmed that local storage, session storage, and similar browser APIs fall within scope. If the storage serves a non-essential purpose, consent is required.

Can I use Google Analytics 4 without cookies?

GA4 offers a cookieless mode that uses modelled data and server-side pings instead of client-side cookies. It still collects device and browser information, which means it may still fall under Article 5(3) depending on your DPA's interpretation. For truly cookieless analytics, standalone tools like Plausible or Fathom are simpler to configure and more transparent.

Are session cookies for login considered strictly necessary?

Yes. A session cookie that maintains authentication state after a user logs in qualifies as strictly necessary under the ePrivacy Directive's exemption. It provides a service the user explicitly requested. These cookies do not need consent, but they should still be documented in your cookie policy.

Will removing cookies hurt my SEO rankings?

No. Search engine crawlers do not rely on cookies to index pages. Removing analytics and marketing cookies has no direct effect on rankings. If anything, faster page load times from fewer third-party scripts can improve Core Web Vitals, which Google does factor into ranking signals.

Simplify Your Cookie Setup

If you want to audit exactly which cookies your site sets before deciding what to keep or cut, a free scan is the fastest starting point. Kukie.io detects first-party and third-party cookies across your pages and categorises each one, so you can see precisely where you stand.
