Is cookieless tracking GDPR compliant? What the law actually says

May 11, 2026
9 min read
TL;DR

Cookieless tracking isn't automatically GDPR compliant. Learn what the ePrivacy Directive, EDPB guidelines, and DPAs say about fingerprinting, hashed IDs, and analytics without cookies.

Dropping cookies from your analytics stack feels like the right privacy move. No cookies, no consent banner, no problem — right? Not exactly. The legal reality is more layered than the marketing around "cookieless" solutions suggests, and getting it wrong puts you squarely in the crosshairs of regulators who've been specifically updating their guidance to address exactly this shift.

Here's what the actual law says, drawn from the primary sources regulators use to make enforcement decisions.

The cookie law was never really about cookies

This is the foundational misunderstanding. What people call "the cookie law" is actually Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended by 2009/136/EC). Its text doesn't mention cookies at all. It covers any storing of information — or access to already-stored information — on a user's terminal equipment.

So the real question isn't "am I using cookies?" but "am I storing or accessing information on someone's device?"

If the answer is yes, you need prior consent from the user — or you must qualify for one of the narrow exemptions. Removing cookies doesn't change this analysis. It just changes the technology.

The European Data Protection Board made this explicit in its Guidelines 2/2023 on the Technical Scope of Article 5(3), adopted in final form on October 7, 2024. Those guidelines were issued precisely because of the proliferation of cookieless tracking technologies, and they confirm that the directive applies to tracking pixels, URL-based tracking, local processing systems, IoT device data transmissions, and — critically — device fingerprinting.

Device fingerprinting requires consent

Browser fingerprinting works by reading a combination of device and browser characteristics — screen resolution, installed fonts, user-agent string, time zone, canvas rendering behavior — to generate a unique identifier without storing anything in the browser. Many vendors pitch this as a consent-free alternative to cookies.

It isn't.

The Article 29 Working Party addressed device fingerprinting directly in Opinion 9/2014, concluding that the act of accessing device characteristics to generate an identifier constitutes "access to information stored in terminal equipment" under Article 5(3). The EDPB's 2024 guidelines built on this position, making clear that fingerprinting techniques fall within the directive's scope regardless of whether data is persisted on the device.

France's CNIL has been especially direct. Its 2020 guidelines on cookies and other trackers (Recommandations sur les cookies et autres traceurs) explicitly listed fingerprinting ("empreinte du terminal") as a tracking method requiring prior user consent under the same rules as cookies.

The UK's ICO takes the same position in its guidance on cookies and similar technologies: any technique that accesses device information to identify or track a user — whether or not it uses traditional cookie storage — falls under PECR's consent requirements (PECR being the UK implementation of Article 5(3)).

So if your "cookieless" solution is actually fingerprint-based, you still need a consent mechanism. The architecture changed; the legal obligation didn't.

Hashed identifiers don't make data anonymous

Another common assumption: if you hash user identifiers — like email addresses — before processing them, the data becomes anonymous and GDPR stops applying. This is wrong under established EU data protection law.

GDPR's Recital 26 defines anonymous information as data that "does not relate to an identified or identifiable natural person." Whether data meets that standard depends on whether re-identification is "reasonably likely" using means available to the processor or to any third party.

Hashed email addresses fail this test. SHA-256 is deterministic — the same email always produces the same hash — so anyone holding a list of known email addresses can hash that list and match it against the supposedly anonymous records. The EDPB's Guidelines 01/2025 on Pseudonymisation (published January 2025) confirmed that pseudonymised data, including hashed identifiers, remains personal data subject to GDPR obligations if re-identification is reasonably possible.

The Court of Justice of the EU reinforced the underlying logic in its 2016 Breyer judgment (Case C-582/14), where it held that even dynamic IP addresses constitute personal data when the data controller has a legal means of obtaining the additional information needed to identify the user — the fact that re-identification requires an extra step doesn't take the data outside GDPR's scope.

For cookieless tracking that uses hashed emails or persistent user IDs derived from personal data, this means GDPR's full framework applies: you need a lawful basis under Article 6, data minimization obligations apply, and you must honor subject rights requests.
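The linkage test described above, written out as an added example (not code from the article or from any vendor it mentions). It builds the lookup table a controller or third party could build from a known email list and joins it against a "hashed" analytics export, then shows that a keyed hash (HMAC) only moves the re-identification capability to whoever holds the key, which is why such data is pseudonymous rather than anonymous. All emails, records and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data: the controller's own customer list.
CUSTOMER_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def hash_email(email: str) -> str:
    """Plain SHA-256 of a normalised email, the scheme many tracking SDKs use."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()


# Constructed "anonymised" export: hashed identifiers plus behavioural data.
ANALYTICS_EXPORT = [
    {"uid": hash_email("Alice@Example.com"), "pages": 12, "bought": True},
    {"uid": hash_email("bob@example.org"), "pages": 3, "bought": False},
    {"uid": hash_email("stranger@example.edu"), "pages": 7, "bought": False},
]


def reidentify(export, known_emails):
    """Hash the known list once, then join it against the export.

    Returns (linked_records, unlinked_count). Every linked record is the
    behavioural profile of an identified person, so the export is personal data.
    """
    lookup = {hash_email(e): e for e in known_emails}
    linked, unlinked = [], 0
    for rec in export:
        email = lookup.get(rec["uid"])
        if email is None:
            unlinked += 1
        else:
            profile = {k: v for k, v in rec.items() if k != "uid"}
            linked.append({"email": email, **profile})
    return linked, unlinked


def keyed_hash_email(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key (assumed scheme for this example).

    A party without the key cannot build the lookup table, but the key
    holder still can, so the result is pseudonymised, not anonymous.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def reidentify_keyed(keyed_uids, known_emails, key: bytes):
    """Attempt the same join against HMAC identifiers using a candidate key."""
    lookup = {keyed_hash_email(e, key): e for e in known_emails}
    return [lookup[u] for u in keyed_uids if u in lookup]


if __name__ == "__main__":
    linked, unlinked = reidentify(ANALYTICS_EXPORT, CUSTOMER_EMAILS)
    print(f"re-identified {len(linked)} of {len(ANALYTICS_EXPORT)} records")
    for rec in linked:
        print("  ", rec)
    key = b"controller-secret-key"  # constructed
    uids = [keyed_hash_email("alice@example.com", key)]
    print("key holder:", reidentify_keyed(uids, CUSTOMER_EMAILS, key))
    print("no key:   ", reidentify_keyed(uids, CUSTOMER_EMAILS, b"wrong"))
```

Run against a real export, the first number is the one that matters for a data protection assessment: any non-zero linkage rate means the dataset relates to identifiable people under Recital 26, and the HMAC variant changes who can perform the linkage, not whether it is possible.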

So when is cookieless tracking actually compliant?

The answer isn't "never" — it requires precision about what you're actually doing.

Genuinely anonymous aggregate analytics can be compliant without consent. GDPR Recital 26 excludes truly anonymous information from its scope entirely. If your analytics collect only aggregate, non-individual data with no persistent identifiers, no fingerprinting, and no IP address processing that could enable re-identification, you're likely operating outside both GDPR and Article 5(3).

The CNIL's own audience measurement exemption, set out in its Sheet n°16 on using analytics, confirms this approach for certain strictly-configured tools. To qualify, the analytics must be used solely for audience measurement (not marketing or profiling), data must not be shared with third parties, IP addresses must be anonymized, and a user opt-out mechanism must be provided. Matomo received CNIL's recognition as an exempt tool when configured according to these conditions — but the exemption is conditional, not automatic.

Server-side tracking isn't a magic exemption. Processing data on your own servers rather than in the browser can improve security and reduce third-party data sharing. But if the server-side system still receives IP addresses, processes unique user identifiers, or accesses information sent from the user's terminal equipment to enable tracking, Article 5(3) and GDPR still apply. The data flows through a different pipe; the legal analysis is the same.

IP-only tracking carries real risk. The EDPB's 2024 Guidelines on Article 5(3) specifically address IP-address-only tracking, noting it can fall within the directive's scope when the IP address originates from the user's terminal equipment and is used for tracking. The Breyer judgment already established that IP addresses can be personal data. Processing IP addresses for analytics without a lawful basis isn't a safe harbor.

The GDPR layer still applies even if ePrivacy is satisfied

Dropping cookies resolves the Article 5(3) question only if you're genuinely not storing or accessing device information. But if your cookieless tracking processes any personal data — IP addresses, hashed emails, behavioral profiles — GDPR kicks in independently.

The EDPB's Guidelines 05/2020 on Consent confirmed that consent under GDPR must be freely given, specific, informed, and unambiguous. Cookie walls — making site access conditional on accepting tracking — are not valid consent. Scrolling through a page is not valid consent. Pre-ticked boxes are not valid consent.

For behavioral analytics and marketing tracking, consent is almost always the only viable legal basis. The EDPB has consistently rejected legitimate interests as a basis for behavioral advertising tracking — a position reinforced by the CJEU's 2023 judgment in Case C-252/21 (Meta Platforms Ireland v Bundeskartellamt), which held that Meta could not rely on contractual necessity or legitimate interests to justify processing personal data for personalized advertising.

That judgment matters because it applies beyond Meta: any analytics system that builds behavioral profiles of users for advertising or personalization purposes faces the same legal constraint.

What genuinely compliant cookieless analytics looks like

There's a practical path through this. Analytics platforms that collect only aggregated, non-identifiable data — with no persistent user IDs, no fingerprinting, no raw IP address storage, and no cross-site tracking — operate at the boundary of what GDPR and ePrivacy consider personal data. When properly configured, they don't require consent banners because they're not processing personal data or accessing device information to track individuals.

This is the architecture that tools like Databuddy are built around: zero cookies, no fingerprinting, IP addresses not stored in identifiable form, and no personal data leaving the user's device to be processed for tracking purposes. The result is analytics that's genuinely compliant by design rather than by assertion — a distinction regulators increasingly care about when reviewing enforcement cases.

The key signals that a cookieless platform is actually compliant:

  • No persistent identifiers assigned to individual users
  • No device fingerprinting or browser characteristic collection
  • IP addresses anonymized or not stored in identifiable form
  • Data not combined with third-party datasets
  • No cross-site or cross-service user tracking
  • Opt-out mechanism available
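As an added example of the architecture these signals describe (not code from the article, from Databuddy, or from any tool it names), the pipeline below minimises each request at ingestion, drops the host part of the IP address before anything is stored, and retains only daily aggregates, so no record describing an individual visitor ever exists. The prefix lengths (/24 for IPv4, /48 for IPv6), the field names and the sample hits are this example's own assumptions and constructed values.

```python
import ipaddress
from collections import Counter

# Constructed sample hits, shaped like what a server access log would deliver.
SAMPLE_HITS = [
    {"ts": "2026-05-11T09:00:01Z", "ip": "203.0.113.42", "path": "/pricing"},
    {"ts": "2026-05-11T09:00:07Z", "ip": "203.0.113.99", "path": "/pricing"},
    {"ts": "2026-05-11T09:01:13Z", "ip": "2001:db8:abcd:1234::7", "path": "/docs"},
    {"ts": "2026-05-11T23:59:59Z", "ip": "203.0.113.42", "path": "/docs"},
]

# Fields that must never appear in anything written to storage (assumed policy).
FORBIDDEN_FIELDS = {"ip", "uid", "fingerprint", "user_agent"}


def truncate_ip(ip_text: str) -> str:
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6 (example choice)."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def minimise(hit: dict) -> dict:
    """Reduce a raw hit to the minimum the aggregate needs; the raw IP is gone."""
    return {
        "day": hit["ts"][:10],
        "path": hit["path"],
        "net": truncate_ip(hit["ip"]),
    }


def aggregate(hits):
    """Return daily page views per path and the number of distinct network
    prefixes seen per day (a coarse reach figure, not a visitor count).
    Per-request records are not kept."""
    views = Counter()
    nets_per_day = {}
    for hit in hits:
        event = minimise(hit)
        views[(event["day"], event["path"])] += 1
        nets_per_day.setdefault(event["day"], set()).add(event["net"])
    return {
        "views": dict(views),
        "distinct_networks": {d: len(s) for d, s in nets_per_day.items()},
    }


def storage_is_minimised(hits) -> bool:
    """Check that nothing destined for storage carries a forbidden field."""
    return all(FORBIDDEN_FIELDS.isdisjoint(minimise(h)) for h in hits)


if __name__ == "__main__":
    print(aggregate(SAMPLE_HITS))
    print("minimised:", storage_is_minimised(SAMPLE_HITS))
```

The point of `storage_is_minimised` is that the compliance property is enforced by the code path, not asserted in a policy document: if someone later adds a `user_agent` field to the minimised event, the check fails before the data reaches storage.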

If a platform markets itself as "cookieless and consent-free" but uses fingerprinting or persistent session IDs derived from device characteristics, it's making a compliance claim that doesn't hold under current EU guidance. The EDPB's 2024 Guidelines 2/2023 were adopted specifically to close that gap.

For a deeper look at how this plays out technically, the cookieless analytics guide from Databuddy's documentation walks through the architecture choices that determine whether a given setup actually falls outside GDPR's scope.

The enforcement trajectory is clear

Regulators aren't distinguishing between "cookie-based" and "cookieless" tracking when making enforcement decisions. They're asking whether personal data was processed, whether device information was accessed without consent, and whether users had meaningful control.

The CNIL's enforcement actions against Criteo (€40 million fine in 2023 for failing to demonstrate valid consent for behavioral advertising) and its repeated actions against companies for inadequate cookie consent demonstrate that the standard is getting stricter, not looser. The EDPB's October 2024 final guidelines on Article 5(3) signal that DPAs across the EU now have clear, harmonized guidance to apply to cookieless tracking technologies.

Removing cookies from your analytics stack is a meaningful step toward privacy. But it's the first step, not the last. The question compliance teams and developers need to answer isn't "are we using cookies?" — it's "are we processing personal data, and if so, do we have a lawful basis?" The answer to that question depends entirely on the technical architecture of the specific tracking implementation, not on whether the word "cookieless" appears in the vendor's marketing copy.

For teams evaluating their current setup, the GDPR compliance guide for web analytics provides a structured framework for auditing which data flows require consent and which can be handled under other lawful bases — or avoided entirely through genuinely anonymous data collection.

Building analytics on a privacy-first analytics platform that eliminates personal data collection at the source is the most defensible position under the current regulatory environment — not because it's easier to manage, but because it removes the compliance question entirely rather than shifting it around.