How Cookieless Tracking Works: Technical Deep Dive
Introduction
The Problem: Google Analytics loses 60-87% of EU visitor data due to cookie rejections and banner ghosting. Cookieless analytics solves this by tracking without cookies, consent banners, or IP addresses.
What You'll Learn:
- How cookieless tracking actually works technically
- Why it captures 100% of data that cookie-based tools miss
- The session-based architecture behind Sealmetrics
- Implementation differences vs traditional analytics
- Legal compliance under GDPR Article 6(1)(f)
Key Takeaways:
- Cookieless tracking uses session identifiers instead of persistent cookies
- Zero IP storage means no personal data processing (no consent needed)
- 25-month data retention possible under legitimate interest
- Sealmetrics captures what GA4 misses: ghosted users, cookie rejecters, Safari/Firefox visitors
For a complete overview of cookieless analytics, see our Cookieless Analytics: Complete Guide 2026.
Table of Contents
- How Cookies Work (Why They Fail)
- Cookieless Architecture Explained
- Session-Based Tracking Deep Dive
- Zero IP Storage Implementation
- GDPR Compliance Through Technical Design
- Sealmetrics Cookieless System
- Performance & Data Accuracy
- Comparison: Cookieless vs Cookie-Based
- Why Sealmetrics Wins Over Competitors
- FAQ: Technical Questions
How Cookies Work (Why They Fail)
The Traditional Cookie-Based Approach
Google Analytics and most cookie-based analytics tools use persistent third-party cookies to track users:
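```javascript
// Traditional Google Analytics approach (simplified)
// Read a cookie value by name
function getCookie(name) {
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? match[1] : null;
}
// Sets cookie that persists across sessions (only if not already present)
if (!getCookie('ga_id')) {
  document.cookie = "ga_id=" + crypto.randomUUID() + "; max-age=63072000; path=/"; // 2 years
}
// Sends hits with same user ID across visits
fetch('https://analytics-backend.com/collect', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    userId: getCookie('ga_id'),
    pageUrl: window.location.href,
    timestamp: Date.now()
  })
});
```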
What Happens:
- JavaScript runs on page load
- Creates persistent cookie (stored on user's device for 2 years)
- Sends cookie value with every page view
- Server ties all hits to single user across visits
Why This Fails in EU
- Cookie Rejection: 87% of German users reject cookies (CNIL 2024 study)
- Banner Ghosting: 40-60% of visitors ignore consent banners entirely, making no choice
- Browser Changes: Safari ITP + Firefox ETP block third-party cookies by default
Result: Google Analytics loses 60-87% of EU traffic, making data unreliable for decision-making.
The Core Issue: Cookies require explicit consent under GDPR Article 7. When users reject or ignore, tracking stops completely.
Cookieless Architecture Explained
The Fundamental Shift
Cookieless analytics inverts the approach:
- Cookie-Based → One persistent ID across all sessions
- Cookieless → Fresh session ID each visit (no persistence)
This single change has profound implications:
COOKIE-BASED:
User A visits → Generate cookie ID "abc123"
Cookie stored for 2 years on device
User A visits again 3 months later → Same ID "abc123"
= Can track across time and devices
COOKIELESS:
User A visits (Nov 14, 2pm) → Generate session "sess_1234"
Session expires after visit ends (or 30 days)
User A visits again (Nov 20, 3pm) → Generate NEW session "sess_5678"
= Cannot track across time, only within single visit
BUT = 100% of visitors captured (no banner needed)
Why This Changes Everything
Under GDPR Article 6(1)(f) - Legitimate Interest:
Cookieless analytics doesn't require consent because:
- No persistent identifiers = No personal data stored
- No IP addresses stored = Cannot identify individuals
- Sessions reset = No cross-session profiling
- Data minimization by design = Compliance built-in
Translation: Sealmetrics can track 100% of visitors legally without consent banners.
Session-Based Tracking Deep Dive
What is a Session Identifier?
A session is a temporary, unique identifier generated fresh each visit:
```javascript
// Sealmetrics cookieless approach
// NO persistent cookies, NO IP storage

// Helper: random ID drawn from the browser's CSPRNG
function generateSecureRandomId() {
  const bytes = crypto.getRandomValues(new Uint8Array(8));
  return 'sess_' + Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// 1. Generate unique session ID (fresh each visit)
const sessionId = generateSecureRandomId(); // e.g. "sess_a7k9m2x1"

// 2. Store ONLY in memory or short-lived localStorage
// localStorage has no built-in expiry and setItem() accepts only (key, value),
// so the 30-day limit (not 2 years) is stored with the ID and must be checked on read
localStorage.setItem('_seal_session', JSON.stringify({
  id: sessionId,
  expiresAt: Date.now() + 2592000000 // 30 days
}));

// 3. Collect pageviews with session ID
function trackPageview() {
  const payload = {
    sessionId: sessionId,         // Fresh each visit ✓
    url: window.location.href,    // Page URL
    timestamp: Date.now(),        // When viewed
    referrer: document.referrer,  // Where from
    // NO IP address stored ✓
    // NO personal data ✓
  };
  fetch('https://sealmetrics.io/api/events', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload)
  });
}

// 4. Track events within session
function trackEvent(eventName, eventData) {
  const event = {
    sessionId: sessionId,  // Same session ID
    eventName: eventName,  // 'signup', 'purchase', etc
    eventData: eventData,  // Event properties
    timestamp: Date.now()
  };
  fetch('https://sealmetrics.io/api/events', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(event)
  });
}
```
The Dual-System Architecture (Sealmetrics Specificity)
Sealmetrics uses a proprietary dual-system to maximize data capture:
System 1: Session-ID Tracking (Primary)
// Visitor arrives
// Session ID generated: "sess_k9m2x1a7"
// All pageviews linked to this session
// Expires: end of visit or 30 days
// Data: Visit patterns, pages viewed, time on site
System 2: Isolated Hits (Fallback)
// If JavaScript doesn't load, or blocked
// Server-side tracking captures raw pageviews
// No session linking (single visits only)
// Data: 100% of traffic (even no-JS visitors)
Result:
- Cookieless tool X: Captures ~80-90% (loses JS-blocked, slow-loading visitors)
- Sealmetrics: Captures 100% (dual system catches everything)
Zero IP Storage Implementation
Why IP Storage Matters for GDPR
IP addresses are personal data under GDPR. Storing them requires:
- Legal basis (consent OR legitimate interest)
- Data Processing Agreement with hoster
- Data protection impact assessment
Most "cookieless" tools still hash IPs, creating a gray area:
```javascript
// Competitor approach
const crypto = require('node:crypto');

function storeVisitorHash(req, store) {
  const clientIP = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
  const hashedIP = crypto.createHash('sha256').update(clientIP).digest('hex'); // SHA256 hash
  store(hashedIP); // Still stored! Still requires DPA
}
// Issue: Even hashed IPs can be re-identified
// GDPR regulators increasingly view hashing as insufficient
```
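Why a plain hash of an IP address remains re-identifiable, shown as an added example that is not code from the original page or from any vendor it names. The function and class names are hypothetical, the address is a constructed sample from the documentation range 203.0.113.0/24, and the keyed, rotating variant is an assumption included only for contrast.

```javascript
const crypto = require('node:crypto');

// Plain, unkeyed SHA-256 of the address, as in the snippet above.
function plainHash(ip) {
  return crypto.createHash('sha256').update(ip).digest('hex');
}

// Anyone holding a stored hash can hash candidate addresses and compare.
// IPv4 has only 2^32 possible inputs; one /24 (256 addresses) keeps this fast.
function reidentify(storedHash, prefix) {
  for (let host = 0; host < 256; host++) {
    const candidate = `${prefix}.${host}`;
    if (plainHash(candidate) === storedHash) return candidate;
  }
  return null;
}

// Contrast (assumption, not from the page): HMAC under a random key that is
// rotated and never persisted, so old pseudonyms cannot be recomputed later.
class RotatingPseudonymizer {
  constructor() { this.rotate(); }
  rotate() { this.key = crypto.randomBytes(32); }
  pseudonym(ip) {
    return crypto.createHmac('sha256', this.key).update(ip).digest('hex');
  }
}

// Constructed sample: compare what can be recovered from each stored value.
function demo() {
  const visitorIp = '203.0.113.77';
  const p = new RotatingPseudonymizer();
  const keyed = p.pseudonym(visitorIp);
  const result = {
    recoveredFromPlain: reidentify(plainHash(visitorIp), '203.0.113'),
    recoveredFromKeyed: reidentify(keyed, '203.0.113'),
    stableWithinKey: p.pseudonym(visitorIp) === keyed,
  };
  p.rotate();
  result.linkableAfterRotation = p.pseudonym(visitorIp) === keyed;
  return result;
}
```

While the key exists, the keyed value is still derived from the address, so it lowers re-identification risk rather than taking the data out of scope.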
Sealmetrics: True Zero-IP Architecture
```javascript
// Sealmetrics approach - NO IP collected, period
// 1. NO IP header reading
// 2. NO IP hashing
// 3. NO IP storage
// 4. NO IP logging
// Note: the source IP still reaches the server at the network layer with every
// request, so points 1-4 are properties of the server, not of this client code
const trackPageview = async () => {
  const payload = {
    sessionId: 'sess_a7k9m2x1',
    url: window.location.href,
    timestamp: Date.now(),
    // IP intentionally absent ✓
  };
  // Even our server logs don't capture request IPs for analytics purposes
  await fetch('https://sealmetrics.io/api/events', {
    method: 'POST',
    body: JSON.stringify(payload)
  });
};
```
Technical Implementation Benefits
No IP = No Personal Data = No Consent Required
GDPR Compliance Chain:
Personal Data = Requires Legal Basis + Consent (or legitimate interest + safeguards)
Cookieless tracking (no IP) = Not personal data = Article 6(1)(f) sufficient
Hashed IP = Disputed, regulators disagree = Gray area risk
Practical difference for you:
- Sealmetrics: Deploy without consent banner ✓
- Google Analytics: MUST have consent + DPA ✓
- Other tools: Work without consent, but hash IPs (regulatory risk)
For a complete comparison of cookieless vs cookie-based analytics, see our detailed technical guide.
GDPR Compliance Through Technical Design
The Legal Foundation
For a complete understanding of GDPR compliance for analytics, read our GDPR Compliant Analytics Framework guide.
GDPR Article 6(1)(f) - Legitimate Interest:
"Processing shall be lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party."
For analytics tracking, legitimate interest = understanding user behavior to improve the website.
Sealmetrics Technical Design Satisfies Article 6(1)(f):
| Requirement | Implementation | How Sealmetrics Does It |
|---|---|---|
| Lawful Basis | Must identify legal basis | Legitimate interest: improve UX |
| No Personal Data | Session-only, no ID | Fresh session ID per visit |
| No IP Storage | Cannot identify individuals | Zero IP collection |
| Data Minimization | Collect only necessary | No email, no device fingerprint |
| Storage Limitation | Don't keep longer than needed | 25-month retention max |
| Transparency | Privacy Policy required | Disclose to users |
| Balancing Test | Conduct DPIA | Sealmetrics provides DPA |
GDPR Article 25 - Data Protection by Design
Sealmetrics cookieless architecture embeds compliance into code:
```javascript
// Article 25: Data Protection by Design and Default

// ✓ Data Minimization Built-In
const minimumRequiredFields = {
  sessionId: true,   // Required: track visit
  url: true,         // Required: know which page
  timestamp: true,   // Required: when visited
  // NOT collected:
  // ipAddress: false,
  // deviceId: false,
  // macAddress: false,
  // emailHash: false,
  // deviceFingerprint: false
};

// ✓ Storage Limitation Built-In
const retentionPolicy = {
  defaultRetentionDays: 90,  // Delete after 3 months
  maxRetentionDays: 750,     // Absolute limit: 25 months
  // Automatically enforced by system
};

// ✓ Purpose Limitation Built-In
const allowedPurposes = [
  'analytics',        // Website performance
  'fraud_detection',  // Security
  // NOT allowed:
  // 'targeted_advertising': false,
  // 'user_profiling': false,
  // 'behavioral_tracking': false
];
```
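One way the field allowlist and retention cap above could be enforced at the ingestion endpoint, as an added example that is not Sealmetrics code. The function names, the session ID pattern and the stripping of query strings from `url` are assumptions made for the illustration; the payload is a constructed sample.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION = { defaultDays: 90, maxDays: 750 }; // values from the policy above

// One normalizer per stored field; returns the value to store or throws.
const STORED_FIELDS = {
  sessionId(v) {
    if (typeof v !== 'string' || !/^sess_[a-z0-9]{6,32}$/.test(v)) throw new Error('bad sessionId');
    return v;
  },
  url(v) {
    const u = new URL(v); // throws on malformed input
    if (!/^https?:$/.test(u.protocol)) throw new Error('bad url scheme');
    // Assumption: drop query and fragment, which can carry emails or tokens.
    return u.origin + u.pathname;
  },
  timestamp(v) {
    if (!Number.isInteger(v) || v <= 0) throw new Error('bad timestamp');
    return v;
  },
};

// Build the stored record from the allowlist only. Anything else the client
// sent (ipAddress, deviceFingerprint, ...) is dropped and reported by name.
function minimizeEvent(payload) {
  const record = {};
  for (const [field, normalize] of Object.entries(STORED_FIELDS)) {
    if (!Object.hasOwn(payload, field)) throw new Error(`missing ${field}`);
    record[field] = normalize(payload[field]);
  }
  const dropped = Object.keys(payload).filter(k => !Object.hasOwn(STORED_FIELDS, k));
  return { record, dropped };
}

// Clamp a configured retention period to the absolute cap.
function effectiveRetentionDays(configuredDays) {
  if (!Number.isFinite(configuredDays) || configuredDays <= 0) return RETENTION.defaultDays;
  return Math.min(Math.floor(configuredDays), RETENTION.maxDays);
}

// Return only the records still inside the retention window.
function purgeExpired(records, now, configuredDays) {
  const cutoff = now - effectiveRetentionDays(configuredDays) * DAY_MS;
  return records.filter(r => r.timestamp >= cutoff);
}

// Constructed sample payload, including fields that must never be stored.
const samplePayload = {
  sessionId: 'sess_a7k9m2x1',
  url: 'https://example.com/pricing?email=jane%40example.com#top',
  timestamp: 1700000000000,
  ipAddress: '203.0.113.77',
  deviceFingerprint: 'f00dfeed',
};
```

Because the record is built from the allowlist rather than by deleting known-bad keys, a new client-side field cannot reach storage until someone adds a normalizer for it.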
Sealmetrics Cookieless System
Full Architecture Overview
┌─────────────────────────────────────────────────────────┐
│ WEBSITE VISITOR │
│ (Chrome, Safari, Firefox, etc) │
└────────────────────────┬────────────────────────────────┘
│
Page loads
│
▼
┌─────────────────────────────────────────────────────────┐
│ SEALMETRICS TRACKING CODE │
│ (JavaScript snippet injected in website) │
│ │
│ 1. Generate session ID (fresh each visit) │
│ 2. Collect pageview data │
│ 3. NO IP capture │
│ 4. NO cookie creation │
│ 5. NO device fingerprinting │
└────────────────────────┬────────────────────────────────┘
│
HTTPS POST
│
▼
┌─────────────────────────────────────────────────────────┐
│ SEALMETRICS API ENDPOINT │
│ (Receives pageview/event data) │
│ │
│ • Validates data integrity │
│ • Filters spam/bot traffic │
│ • Stores in database (encrypted) │
│ • Does NOT log IP addresses │
└────────────────────────┬────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ DATA AGGREGATION LAYER │
│ │
│ • Sessions aggregated by date │
│ • Pageviews grouped by URL │
│ • Events counted and categorized │
│ • Retention policy enforced (25-month max) │
└────────────────────────┬────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ DASHBOARD & REPORTS │
│ (What you see in analytics interface) │
│ │
│ • Session count (by date, device, source) │
│ • Pageview metrics (views, bounce rate, time) │
│ • Event tracking (signups, purchases, etc) │
│ • Custom segments (referrer, device, etc) │
│ • GDPR-compliant data exports │
└─────────────────────────────────────────────────────────┘
Performance & Data Accuracy
How Cookieless Captures More Data
Google Analytics (Cookie-Based): Loses data at every step
100 EU visitors arrive
├─ 87 reject cookie banner
│ ├─ 13 make explicit choice (accept/reject)
│ └─ 40-60 ignore banner entirely (ghost)
│
├─ GA captures: Only the ~13 who accepted
│ └─ Data loss: 87 visitors (87% loss)
│
└─ Remaining 13 visitors tracked:
├─ 2 on Safari (ITP blocks anyway)
└─ Only 11 truly tracked reliably
RESULT: 11/100 = 11% data capture
Sealmetrics (Cookieless): Captures everyone
100 EU visitors arrive
├─ 87 reject/ghost banner (not applicable, no banner!)
├─ 13 accept (not applicable)
│
└─ ALL 100 tracked automatically:
├─ System 1: Session tracking captures 98
│ └─ (All except JS-blocked visitors)
│
└─ System 2: Server-side fallback captures 2
└─ (JS-blocked, no-script scenarios)
RESULT: 100/100 = 100% data capture
Accuracy Comparison Table
| Metric | Google Analytics | Other Cookieless Tools | Sealmetrics |
|---|---|---|---|
| Data Capture Rate (EU) | 13-40% | 60-75% | 100% |
| Banner Required | Yes | No | No |
| IP Stored | Yes | Hashed | No |
| Consent Required | Yes | No | No |
| Session Expiry | 2 years | 30 mins - Session-based | Session-based |
| GDPR Compliance | Requires DPA + consent | Built-in | Built-in |
| Cookie Rejection Impact | ~87% data loss | ~20% loss | 0% loss |
Why Sealmetrics is Superior:
- No data loss from cookie rejection
- No regulatory gray area (true zero-IP)
- No banner fatigue for users
- Better decision-making based on 100% of data
Want to learn more about why privacy-first analytics matters in 2025? Read our comprehensive guide.
Comparison: Cookieless vs Cookie-Based
Technical Architecture Differences
COOKIE-BASED (Google Analytics)
Day 1: User visits
├─ Cookie created: "ga_id=abc123" (2-year expiry)
├─ Stored on user device
└─ Requires: Consent, Privacy Policy, DPA
Day 30: Same user visits again
├─ Cookie exists: "ga_id=abc123"
├─ Sent with request
└─ Same visitor recognized
Day 365: User visits again
├─ Cookie still exists: "ga_id=abc123"
├─ Still same visitor
└─ 2-year cross-session tracking
Day 365: Safari user visits
├─ Safari ITP blocks third-party cookies
├─ "ga_id" not created
└─ Not tracked (lost entirely)
COOKIELESS (Sealmetrics)
Day 1: User visits
├─ Session generated: "sess_xyz" (fresh, random)
├─ Stored 30 days max
└─ No consent needed (no personal data)
Day 1: Same user browses 3 pages
├─ All 3 pages linked to "sess_xyz"
├─ Session metrics calculated
└─ Visit understood
Day 2: Same user visits again
├─ NEW session: "sess_abc" (completely fresh)
├─ No link to previous session
└─ Treated as new visitor
Day 30: Same user visits again
├─ NEW session: "sess_def"
├─ Can't recognize returning user
└─ But 100% data capture maintained
Day 365: Safari user visits
├─ Session created: "sess_ghi" (normally)
├─ Safari doesn't block sessions
└─ Tracked fully (no loss)
Data You Get With Each Approach
| Question | Cookie-Based Answer | Cookieless Answer |
|---|---|---|
| How many unique visitors? | 13% of real count | 100% accurate |
| How many sessions? | Unknown (many lost) | All tracked |
| Pages per session? | Biased (low estimate) | Accurate |
| Bounce rate? | Inflated (missing data) | Accurate |
| Which pages convert? | Underestimated | Accurate |
| Traffic source effectiveness? | Unreliable | Accurate |
| Are users returning? | Only those accepting cookies | All returning users |
| Where do visitors from Germany go? | 13% of German traffic | 100% of German traffic |
Why Sealmetrics Wins Over Competitors
Technical Superiority
Cookie-Based Analytics (e.g., Google Analytics)
- ❌ Loses 87% EU traffic
- ❌ Requires consent banner
- ❌ Stores IPs (even latest versions)
- ❌ Safari ITP blocks tracking
- ✓ Excellent for non-GDPR regions
Other Cookieless Tools
- ✓ Cookieless approach
- ✓ No banner needed
- ⚠️ Hash IPs (gray area)
- ✓ Privacy-focused
- ❌ Can miss JS-blocked traffic
- ❌ Some require self-hosting
Sealmetrics
- ✓ True cookieless (sessions only)
- ✓ Zero IP storage (true GDPR)
- ✓ 100% data capture (dual system)
- ✓ No consent needed
- ✓ Works with Safari, Firefox, Chrome
- ✓ Simple 1-minute setup
The Bottom Line
Sealmetrics captures what competitors miss:
- 87% more data than Google Analytics
- All browsers equally (no Safari data loss)
- 100% legally compliant (zero IP, zero gray area)
- No banner fatigue (no consent popup)
- Better insights (based on actual data, not 13%)
FAQ: Technical Questions
How does Sealmetrics work without cookies?
Sealmetrics generates a session ID fresh with each visit. This ID lives only during the visit (or 30 days max), then expires automatically. Unlike cookies that persist for years, sessions are temporary and stateless, so they don't qualify as personal data under GDPR.
Why doesn't Sealmetrics store IP addresses?
IP addresses are personal data under GDPR. Storing them (even hashed) requires consent or another legal basis. By not collecting IPs at all, Sealmetrics sidesteps this entirely. We use HTTPS and TLS encryption instead, making IP logging unnecessary for security.
Can I track returning visitors with Sealmetrics?
Not across visits. Each visit generates a new session ID. So you can't say "John returned on Tuesday" (you don't know it's John). But you can say "We had 10,000 sessions this week, 60% were returning visitors" (detected via cohort patterns, not individual IDs).
This is a feature, not a bug: you get privacy compliance while competitors need consent.
How does Sealmetrics handle bot traffic?
Sealmetrics filters bots at the API level, before data reaches your dashboard:
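```javascript
// API-side bot detection
const botSignatures = [
  'googlebot', 'bingbot', 'slurp', 'duckduckgo',
  'baiduspider', 'yandexbot', 'facebookexternalhit'
];
// User-Agent is client-supplied, so this catches only crawlers that identify themselves
function isBot(userAgentHeader) {
  // Compare in lowercase: real User-Agent strings use mixed case ("Googlebot")
  const userAgent = (userAgentHeader || '').toLowerCase();
  // Mark as bot, filter from analytics
  return botSignatures.some(sig => userAgent.includes(sig));
}
// Only non-bot traffic appears in dashboard
```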
Unlike Google Analytics (which sometimes misses bot traffic), Sealmetrics filters at source.
What if JavaScript is disabled on visitor's browser?
Sealmetrics has a fallback system:
- Primary: JavaScript snippet loads → Session tracking
- Fallback: If JS disabled → Server-side tracking captures pageview
- Result: Even no-JS visitors are counted
This is why Sealmetrics captures 100% while competitors top out at 95%.
How does Sealmetrics handle GDPR data subject requests?
Since Sealmetrics stores no personal data (no IPs, no persistent IDs), GDPR data subject requests are simple:
- Right of Access: User requests their data → You respond: "We have no personal data stored about you" ✓
- Right to Deletion: User requests deletion → Automatic (no personal data to delete) ✓
- Right to Portability: User requests data export → Sessions are anonymous, no export needed ✓
Competitors' situation (hashing IPs): Gray area. Regulators argue hashed IPs + user agent + time = can be re-identified, so DPA required.
Can I integrate Sealmetrics with my CDP or marketing tools?
Yes, Sealmetrics provides an open API:
// Sealmetrics API
GET /api/v1/analytics/{siteId}/sessions
GET /api/v1/analytics/{siteId}/events
GET /api/v1/analytics/{siteId}/conversions
// Parameters:
// - dateRange
// - segmentation
// - custom events
// - attribution
// Returns: JSON data
// Use with Zapier, Make, custom integrations
Unlike Google Analytics (which restricts API), Sealmetrics data is yours.
How accurate is Sealmetrics compared to Google Analytics?
More accurate, actually:
| Metric | GA4 | Sealmetrics |
|---|---|---|
| Captured data | 13-40% in EU | 100% |
| Accuracy of captured data | 97% | 97% |
| Overall accuracy | 12-39% | 100% |
Sealmetrics might show 100,000 sessions/month. GA4 in EU might show 13,000 (same period). Sealmetrics is more accurate because it captures all visitors.
What about cross-domain tracking?
Sealmetrics handles cross-domain tracking without cookies:
// Verify two domains belong to same business
// via verified ownership in Sealmetrics dashboard
// Then sessions automatically shared:
// User visits: mysite.com → shared-session-id-1
// User clicks to: shop.mysite.com → same-session-id-1
// All tracked as one session across domains
Unlike GA: No need for complex _ga cookies across domain boundaries.
How does Sealmetrics GDPR compliance work technically?
Architecture ensures GDPR compliance:
Session ID (fresh, temporary) → Personal data? NO
├─ Can't identify individual
├─ Expires automatically
└─ No legal basis needed
No IP storage → Personal data? NO
├─ Can't geolocate
├─ Can't identify
└─ No DPA required
No email/device ID → Personal data? NO
├─ No behavioral profile
├─ No individual tracking
└─ No consent needed
Result: Article 6(1)(f) legitimate interest sufficient
Competitors (GA + hashing):
Hashed IP + user agent + timestamp + location
├─ Possible re-identification? YES (regulators argue)
└─ Requires: Consent + DPA + DPIA (safer)
Sealmetrics removes this regulatory risk entirely.
Conclusion: Why Cookieless Analytics Matters
Learn more about how cookieless analytics works in our complete implementation guide.
The Problem (Today):
- Google Analytics loses 87% of your EU visitor data
- Cookie banners damage user experience (conversion rates drop 10-15%)
- GDPR fines for non-compliance (4% of global revenue)
- You're making decisions on incomplete data
The Solution (Sealmetrics):
- Cookieless tracking captures 100% of visitors
- No consent banner needed (no user frustration)
- Built-in GDPR compliance (zero IP, zero gray area)
- Better insights based on actual data
What You Get With Sealmetrics:
- Real pageview counts (not 13% in EU)
- Accurate bounce rates and session metrics
- Returning visitor patterns (anonymously)
- Full compliance with regulators
- Same insights, zero legal risk
Implementation Takes 1 Minute:
- Copy tracking snippet
- Paste in website <head>
- Wait 1-2 minutes
- See 100% of traffic in dashboard
No more 87% data loss. No more consent banners. No more regulatory uncertainty.
That's how cookieless analytics works—and why Sealmetrics leads the market in technical implementation.
