Is Cookieless Tracking GDPR Compliant? 7 Key Facts You Need to Know

Qais Alnoubani
Mar 5, 2026
7 min read
TL;DR

The shift away from cookies has sparked widespread interest in "cookieless tracking" as a privacy-friendly alternative. But does removing cookies automatically make your analytics GDPR compliant? The answer is more nuanced than most vendors would have you believe.


1. Cookieless Does Not Mean Consent-Free

The biggest misconception about cookieless tracking is that it bypasses consent requirements entirely. This confusion stems from mixing two distinct legal frameworks: the ePrivacy Directive (often called the "Cookie Law") and the GDPR.

The ePrivacy Directive Article 5(3) regulates any technology that accesses or stores information on a user's device—whether it's cookies, local storage, or device fingerprinting. The EDPB's 2024 Guidelines on the technical scope of Article 5(3) make it clear: if your tracking method reads browser settings, device characteristics, or any stored data to identify users, you still need prior consent.

Meanwhile, the GDPR applies whenever you process personal data. Even if you don't use cookies, if your tracking method collects data that can identify or profile individuals—such as IP addresses, hashed emails, or unique device signatures—you must have a lawful basis under Article 6 (typically consent or legitimate interest).

Simply put: dropping cookies removes one trigger for the Cookie Law (storing information on the device), but Article 5(3) also covers reading information already on the device, and nothing about the change exempts you from GDPR if you are still processing personal data.

2. Device Fingerprinting Requires Consent

Many "cookieless" solutions rely on device fingerprinting—collecting information like screen resolution, browser version, installed fonts, and timezone to create a unique "fingerprint" for each visitor. While this approach doesn't use traditional cookies, it's far from consent-free.

The Article 29 Working Party's Opinion 9/2014 and the EDPB's updated Guidelines 2/2023 explicitly state that fingerprinting falls under Article 5(3) of the ePrivacy Directive because it involves accessing information from a user's device. According to these authorities, fingerprinting for analytics or advertising purposes requires informed, prior consent.

Regulators across Europe have reinforced this position. The French data protection authority (CNIL) and the UK's Information Commissioner's Office (ICO) both classify fingerprinting as a tracking technology that requires consent, except in the narrow case of strictly necessary technical operations.

If your analytics platform uses fingerprinting, you cannot claim to be "consent-free" under EU law.

3. Online Identifiers Are Personal Data Under GDPR

GDPR Recital 30 makes it explicit: online identifiers—including IP addresses, cookie identifiers, device IDs, and RFID tags—are considered personal data when they can be used to identify or profile individuals.

This means even if you're not using cookies, collecting IP addresses, device signatures, or other online identifiers brings your analytics squarely under GDPR's jurisdiction. You must:

  • Have a valid legal basis (consent or legitimate interest)

  • Provide transparent information in your privacy policy

  • Respect user rights (access, deletion, portability)

  • Implement appropriate security measures

Many cookieless analytics vendors claim their techniques are "anonymous." But according to GDPR Recital 26, data is only truly anonymous if it cannot be linked back to an individual by any "means reasonably likely to be used" by you or by anyone else. If there's any realistic way to re-identify users, by combining datasets, reversing hashes against a list of candidates, or cross-referencing timestamps, the data remains personal data.

4. Hashed Emails and Pseudonymised Data Still Count as Personal Data

Some marketing platforms promote hashed email addresses as a privacy-friendly alternative to cookies. But under GDPR, hashing is a form of pseudonymisation, not anonymisation.

The EDPB's Guidelines 01/2025 on Pseudonymisation (January 2025) confirm that pseudonymised data is still personal data and remains subject to GDPR. A hashed email is easy to reverse for anyone who holds a list of candidate addresses: the normalisation rules are public and the input space is structured, so an attacker can hash a breach dump or a purchased list and match digests (a dictionary or lookup-table attack), or simply join two datasets that hashed the same addresses the same way.

The UK ICO and European supervisory authorities agree: hashing does not take data out of GDPR's scope. To strengthen protection, regulators recommend salting hashes (adding a random value) and storing the salt separately from the digests. The practical caveat is that a salt only helps against parties who never learn it; a matching partner who receives the salt can rebuild the lookup table. A secret key that never leaves your systems (a keyed hash) is the usual way to keep the identifier matchable only by you. Even with these measures, hashed emails are pseudonymous, not anonymous, and require a lawful basis for processing.

If your cookieless tracking relies on hashed identifiers, you cannot skip consent or legitimate interest assessments.
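The following is an added example, not code from the article or from any vendor it names, that shows why a hashed email is pseudonymous rather than anonymous. The attacker model is whoever holds the uploaded digests plus a list of candidate addresses (a breach dump, a purchased list, their own customer base). It assumes the common list-matching convention of a hex SHA-256 over the trimmed, lowercased address; all addresses are constructed sample data, and the `salted_hash` and `keyed_hash` helpers are this example's own, not a regulator's or platform's API.

```python
"""Added example: reversing plain hashed e-mails by lookup, and what salting
and keyed hashing change. Not from the article; assumptions are commented."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List

def normalise(email: str) -> str:
    # Both sides of a match must normalise identically; that same property
    # is what makes a lookup table cheap to build. (Assumed convention.)
    return email.strip().lower()

def plain_hash(email: str) -> str:
    return hashlib.sha256(normalise(email).encode()).hexdigest()

def salted_hash(email: str, salt: bytes) -> str:
    # Salt prepended to the input. Anyone who knows the salt can rebuild the table.
    return hashlib.sha256(salt + normalise(email).encode()).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    # HMAC with a secret key: a stable identifier for the key holder,
    # unmatchable for anyone who does not have the key.
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()

def reverse_by_lookup(digests: Iterable[str], candidates: Iterable[str],
                      hash_fn: Callable[[str], str] = plain_hash) -> Dict[str, str]:
    """Dictionary attack: hash every candidate address, index by digest, and
    look each target digest up. Cost is one hash per candidate, not per target."""
    table = {hash_fn(c): normalise(c) for c in candidates}
    return {d: table[d] for d in digests if d in table}

# Constructed sample data: a customer list that gets hashed and uploaded, and an
# attacker's candidate list that only partially overlaps with it.
CUSTOMERS: List[str] = ["Alice@Example.com", "bob@example.org", "carol@example.net"]
CANDIDATES: List[str] = ["alice@example.com", "dave@example.com", "bob@example.org"]

def demo() -> dict:
    uploaded = [plain_hash(e) for e in CUSTOMERS]
    recovered_plain = reverse_by_lookup(uploaded, CANDIDATES)

    salt = secrets.token_bytes(16)
    uploaded_salted = [salted_hash(e, salt) for e in CUSTOMERS]
    # Without the salt the attacker's table does not match anything.
    without_salt = reverse_by_lookup(uploaded_salted, CANDIDATES)
    # With the salt (e.g. shared with a matching partner) the attack works as before.
    with_salt = reverse_by_lookup(uploaded_salted, CANDIDATES,
                                  lambda e: salted_hash(e, salt))

    key = secrets.token_bytes(32)
    # Same key, same normalised input: the keyed digest is still a consistent
    # identifier, i.e. pseudonymous data, just not matchable by outsiders.
    stable = keyed_hash("alice@example.com", key) == keyed_hash(" ALICE@example.com ", key)

    return {
        "recovered_plain": sorted(recovered_plain.values()),
        "recovered_without_salt": sorted(without_salt.values()),
        "recovered_with_salt": sorted(with_salt.values()),
        "keyed_hash_is_stable": stable,
    }

if __name__ == "__main__":
    print(demo())
```

Two of the three uploaded plain digests are recovered from a three-entry candidate list; a real attacker would use a list of millions of addresses from breach corpora. The salted run recovers nothing until the salt is known, at which point it recovers exactly the same entries, which is why the salt (or better, a key) must stay with you and not travel with the digests.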

5. Server-Side Tracking Improves Privacy But Isn't Automatically Compliant

Server-side tracking has become popular because it processes data on your own servers instead of the user's browser. This approach offers several advantages: better control over what data is sent to third parties, improved security, and reduced reliance on client-side scripts.

However, server-side tracking is not a legal shortcut. If your server collects IP addresses, user agents, or other identifiable information, you're still processing personal data under GDPR. The location of the processing (server vs. browser) doesn't change the legal classification of the data.

To make server-side tracking GDPR compliant without consent, you must:

  • Anonymize IP addresses before storage (e.g., drop the last octet of an IPv4 address and the last 80 bits of an IPv6 address, the truncation several analytics tools use)

  • Avoid creating persistent user profiles across sessions or devices

  • Not share data with third-party advertisers or data brokers

  • Minimize data collection to only what's necessary for your stated purpose

When configured with strong privacy safeguards, server-side analytics can potentially rely on legitimate interest under Article 6(1)(f) rather than requiring explicit consent—but this depends on your specific implementation and jurisdiction.

6. Some Cookieless Analytics Qualify as Consent-Exempt

Not all cookieless tracking requires consent. Under certain conditions, privacy-first analytics can be exempt from consent requirements.

The CNIL (French data protection authority) issued guidance allowing analytics tools to operate without consent if they meet strict criteria:

  • Use only first-party, short-lived identifiers

  • Anonymize data at the point of collection (e.g., IP address anonymization)

  • Do not track users across websites or create long-term profiles

  • Serve only audience measurement purposes (not advertising or behavioral profiling)

  • Provide clear information in the privacy policy

Several privacy-focused analytics platforms meet these criteria by design. Databuddy, for example, collects only aggregated, anonymous metrics without cookies or personal identifiers, allowing you to track performance and conversions without consent banners.

Other regulators—including Spain's AEPD—have issued similar exemptions for analytics that are truly minimal, transparent, and privacy-preserving. The key is that the analytics must be genuinely anonymous and not capable of singling out individuals.
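As an added example, not code from the article and not Databuddy's or any other vendor's implementation, here is one way a server-side collector can satisfy two of the criteria from sections 5 and 6 above: truncating the client IP before anything is written, and deriving a first-party identifier that lives for a single day because the salt it depends on is rotated and the old one discarded. The `Collector` class, its field names, the 80-bit IPv6 truncation and the assumption that requests arrive in day order are all this example's own choices; the request lines are constructed sample input.

```python
"""Added example: IP truncation at collection plus a daily-rotating visitor
identifier for server-side analytics. Not any vendor's code; assumptions commented."""
import hashlib
import ipaddress
import secrets
from typing import Dict, List, Tuple

def truncate_ip(ip_str: str) -> str:
    """Keep the /24 of an IPv4 address or the /48 of an IPv6 address (i.e. drop
    the last 8 or 80 bits). Assumed convention, used by several analytics tools."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

class Collector:
    """Holds today's salt in memory only. Nothing in self.events can be used to
    recompute an identifier once the salt that produced it is gone."""

    def __init__(self, site: str):
        self.site = site
        self.day: str = ""
        self.salt: bytes = b""
        self.events: List[Dict[str, str]] = []  # the only thing that is "stored"

    def rotate(self, day: str) -> None:
        # New random salt per day; the previous salt is never written anywhere,
        # so yesterday's identifiers cannot be recomputed or joined to today's.
        # Assumes requests arrive in day order (a real collector would rotate on a clock).
        self.day, self.salt = day, secrets.token_bytes(32)

    def visitor_id(self, ip: str, user_agent: str) -> str:
        # Full IP and user agent are read in memory for this one derivation and
        # then dropped; only the digest (and the truncated IP) is retained.
        material = b"|".join([self.salt, self.site.encode(), ip.encode(), user_agent.encode()])
        return hashlib.sha256(material).hexdigest()[:16]

    def record(self, day: str, ip: str, user_agent: str, path: str) -> Dict[str, str]:
        if day != self.day:
            self.rotate(day)
        event = {
            "day": day,
            "visitor": self.visitor_id(ip, user_agent),
            "ip_prefix": truncate_ip(ip),   # never the full address
            "path": path,
        }
        self.events.append(event)
        return event

def unique_visitors(events: List[Dict[str, str]], day: str) -> int:
    return len({e["visitor"] for e in events if e["day"] == day})

# Constructed sample requests: (day, client_ip, user_agent, path).
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("2026-03-05", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "/"),
    ("2026-03-05", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "/pricing"),
    ("2026-03-05", "203.0.113.78", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "/"),
    ("2026-03-05", "2001:db8:85a3:8d3:1319:8a2e:370:7348", "Mozilla/5.0 (iPhone) Safari/605.1", "/"),
    ("2026-03-06", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "/"),
]

def run_sample(requests=SAMPLE_REQUESTS) -> List[Dict[str, str]]:
    collector = Collector("example.com")
    for day, ip, ua, path in requests:
        collector.record(day, ip, ua, path)
    return collector.events

if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The first two requests (same visitor, same day) share an identifier, so they count as one unique visitor; the same visitor's request on the next day gets an unrelated identifier, so no cross-day profile can be assembled from what is stored. The full IPv4 and IPv6 addresses appear nowhere in the stored rows. Whether a regulator treats such a setup as exempt still turns on the remaining criteria above (first-party only, audience measurement only, no onward sharing), not on this mechanism alone.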

7. Legitimate Interest Is Not a Free Pass for Tracking

Some organizations attempt to use "legitimate interest" (Article 6(1)(f)) as a legal basis for cookieless tracking, arguing that understanding website performance is a valid business need.

While legitimate interest can be appropriate for some first-party analytics, it's not a blanket authorization. The EDPB and the Court of Justice of the European Union (CJEU) have issued clear guidance:

  • Behavioral advertising and cross-site tracking generally cannot rely on legitimate interest (CJEU Case C-252/21 Meta Platforms)

  • You must conduct a legitimate interest assessment (LIA) weighing your business needs against user privacy expectations

  • Users must have an easy way to object to the processing

  • Legitimate interest is more defensible when data is truly anonymized, minimized, and transparently disclosed

If you rely on consent instead, the EDPB's Guidelines 05/2020 on consent make it clear that scrolling, continued browsing, or "cookie walls" (blocking access unless users consent) do not constitute valid consent. If you choose legitimate interest as your legal basis, you must still respect the principles of data minimization, purpose limitation, and fairness.

For most businesses, the safest approach is to use privacy-first analytics platforms that collect only anonymous, aggregated data—eliminating the need for both consent and legitimate interest justifications.

Making Cookieless Tracking Truly Compliant

Cookieless tracking can be GDPR compliant, but compliance isn't automatic. The legal reality depends on your implementation:

Generally compliant without consent:

  • Truly anonymous, aggregated analytics with no user-level tracking

  • First-party analytics with immediate IP anonymization and no persistent identifiers

  • Contextual advertising based on page content, not user behavior

Requires consent or strong legitimate interest justification:

  • Server-side tracking that collects IP addresses or user agents without anonymization

  • Hashed email matching for advertising purposes

  • Any cross-site or cross-session user profiling

Requires consent:

  • Device fingerprinting for analytics or advertising

  • Tracking pixels and embedded third-party scripts that share data

  • Any method that builds persistent user profiles

If you want to track user behavior without the complexity and conversion loss of consent banners, choose an analytics solution that's privacy-first by design—one that collects only anonymous, aggregated data and gives you full control and ownership of your analytics data.

The future of web analytics isn't just cookieless—it's privacy-first, transparent, and built to respect both the law and your users' trust.