Cookieless analytics: a complete guide to measuring without consent

TL;DR — Cookieless analytics refers to web measurement techniques that do not place consent-required tracking cookies. Two main approaches exist: a regulatory exemption for strictly configured audience measurement tools (the CNIL exemption in France, equivalent guidance in other EU countries) and cookieless alternatives that use different technical mechanisms. Both allow traffic measurement without a consent banner, under specific conditions.

Measuring website traffic without analytics cookies has become a central challenge since 2022. European data protection authorities stepped up enforcement of the ePrivacy Directive, Google Analytics faced adverse decisions in several EU countries, and cookie refusal rates climbed. Many sites are now working with less than 60% analytics coverage. This guide covers the real options, their conditions and their practical limits.

What is cookieless analytics?

Cookieless analytics covers all web traffic measurement techniques that do not rely on placing persistent cookies requiring consent. It includes two broad categories: tools benefiting from a regulatory exemption and alternatives that bypass tracking cookies through other technical mechanisms.

What 'cookieless' actually means

Cookieless does not mean data-free. Some tools use server-side session tokens; others aggregate data without identifying individuals. The absence of a cookie does not remove a processing activity from the scope of GDPR if personal data is still involved. The relevant question is whether the technique allows individual identification.

Regulatory exemption vs cookieless alternatives

The first category covers tools benefiting from a legal exemption (Matomo in strict mode, some European analytics solutions recognised by the relevant authority). The second covers cookieless solutions using other non-consent-required measurement techniques (server logs, aggregated data, modelling). These two approaches differ significantly in terms of conditions and data precision.

The EU audience measurement exemption

Several EU data protection authorities grant a consent exemption to audience measurement tools that meet strict conditions. In France, this is set out in the CNIL deliberation of 28 September 2020. In the UK, the ICO has issued similar guidance. A tool meeting these conditions can be deployed without a cookie banner for the analytics component.

The five conditions for the exemption

1. Strictly limited purpose: audience measurement only, no profiling, no cross-referencing with other data.
2. Site-specific scope: data must not be shared with third parties or used across different sites.
3. Limited retention: maximum 13 months for data, 6 months for associated consent validity.
4. User information: visitors must be informed and given a means to opt out.
5. No cross-site tracking: the same user must not be tracked across different domains.

Which tools qualify?

Matomo (formerly Piwik) is the reference tool for the CNIL exemption when configured in exempt mode: cookies disabled, IP anonymised, minimal local storage, no data sharing. Standard Matomo configuration places cookies and is not exempt. Other European-hosted analytics solutions also target this exemption. Google Analytics 4 in its standard configuration does not qualify: data transits through US servers and is potentially cross-referenced with other Google services.

Available cookieless alternatives

Beyond the regulatory exemption, several approaches allow audience measurement without consent-required tracking cookies.

Server log analysis

Server access logs (Apache, Nginx) record every request without a cookie. This is lawful without consent (operational data) and provides overall traffic data. Limitations: it does not distinguish bots from humans, does not capture in-page behaviour (scroll, clicks) and is less precise than a modern analytics tool. Useful for simple sites or as a complement to another solution.

Aggregated data and modelling

Some tools offer aggregated, anonymised data without attempting to identify individuals. They estimate trends (popular pages, traffic sources, approximate bounce rate) using non-persistent session data. These approaches are less precise but require no consent if no personal data is processed within the meaning of GDPR.

Google Consent Mode v2 and conversion modelling

Google Consent Mode v2 enables statistical conversion modelling even without explicit consent. In basic mode, GA4 sends aggregated signals without identifying refusing users, then Google models the missing conversions. This approach does not replace full analytics but recovers part of the lost conversion data. It remains subject to EU law and requires a compliant CMP. See the FlowConsent guide on /en/blog/google-consent-mode-v2-implementation-guide for configuration details.

Common mistakes

Confusing 'cookieless' with 'no consent needed'. A tool can be cookieless but still process personal data (digital fingerprint, IP address) that requires a legal basis.

Assuming Matomo is exempt by default. Standard Matomo places cookies and is not exempt. The exemption requires a specific, documented configuration.

Forgetting to inform users. The regulatory exemption does not remove the obligation to inform visitors in the privacy policy and provide an opt-out mechanism.

Thinking GA4 is consent-exempt. GA4 is not exempt under GDPR. It requires a compliant CMP and Consent Mode v2 to be used lawfully in the EU.

Combining multiple tools without an audit. Running a cookieless tool alongside GA4 can create data duplication and legal basis questions. Document each processing activity in the GDPR register.

Cookieless analytics checklist

1. Define your need: audience measurement only, or conversion tracking and advertising?
2. For audience measurement: evaluate Matomo in exempt mode or a recognised European analytics solution.
3. Verify all exemption conditions: purpose, scope, retention, user information, no cross-site tracking.
4. For conversion tracking: activate Google Consent Mode v2 with a compliant CMP.
5. Document all analytics processing activities in the data processing register.
6. Inform visitors in the privacy policy with a direct opt-out link.
7. Test in private browsing that no consent-required analytics script loads without agreement.
8. Audit your site at /en/scan to identify all active analytics cookies.
9. Schedule a re-scan after every analytics tool update.
10. Consult a DPO if combining multiple tools or if the site processes sensitive data.

Cookieless analytics involves a trade-off between data precision, regulatory compliance and technical resources. The EU exemption is the most direct route for sites seeking to remove the analytics consent banner, under strict conditions. For sites with conversion and advertising requirements, Consent Mode v2 remains essential as a complement. Scan your site at /en/scan to see exactly which analytics cookies are currently active.