GDPR and Cookieless Analytics

Cookieless analytics represent a fundamental shift in how websites measure traffic while complying with GDPR. By eliminating persistent user identifiers, cookieless solutions can provide comprehensive analytics without consent banners, data loss, or privacy violations.

The GDPR Challenge for Traditional Analytics

Why Cookies Trigger GDPR

Cookies = Personal Data (in most cases):

When a cookie contains a unique identifier that can be linked to an individual—even indirectly—it constitutes personal data under GDPR Article 4(1):

"Personal data means any information relating to an identified or identifiable natural person"

Traditional analytics cookies:

• Unique visitor IDs
• Session identifiers
• Tracking across visits
• Building behavioral profiles over time

Result: Processing personal data requires lawful basis under GDPR Article 6.

Common (Problematic) Approaches

Approach 1: Consent (Article 6(1)(a))

Implementation: Cookie banner requesting consent for analytics

Problems:

• 20-30% of users reject cookies
• Data loss from non-consenting users
• Skewed analytics (privacy-conscious users underrepresented)
• Consent fatigue
• Complex consent management
• Cost of consent management platforms

Compliance challenge: Consent must be "freely given, specific, informed, and unambiguous" (GDPR Article 4(11))—difficult with cookie walls or dark patterns.

Approach 2: Legitimate Interest (Article 6(1)(f))

Claim: Analytics is a legitimate interest

Problems:

• Must pass three-part test:
  1. Legitimate interest exists ✅ (understanding website performance)
  2. Processing is necessary ❓ (are cookies necessary for analytics?)
  3. Balancing test ❓ (interests vs. rights)
• Data protection authorities skeptical of legitimate interest for tracking cookies
• Right to object must be provided
• EDPB guidance suggests consent is safer route for most cookies

Risk: Supervisory authority or court may reject legitimate interest claim for tracking cookies.

Approach 3: Ignore GDPR (Non-Compliance)

Implementation: Place analytics cookies without legal basis

Consequences:

• GDPR violations
• Fines up to €20M or 4% global revenue
• Enforcement actions
• Reputational damage
• User complaints

Not recommended: High-profile Google Analytics enforcement (Austria, France, Italy) demonstrates authorities are serious.

The Cookieless Solution

What is Cookieless Analytics?

Definition: Web analytics that do not use cookies or similar persistent identifiers to track users across sessions.

Technical approaches:

1. Session-based measurement: Track page views within session, without cross-session linking
2. Server-side logging: Analyze server logs without client-side identifiers
3. Privacy-preserving fingerprinting: Ephemeral technical signals for session uniqueness (not tracking)
4. Aggregated metrics only: Count events without identifying individuals

Key principle: Measure the audience (how many, from where, what they do) without tracking individuals (who specifically, what they do over time).

Why Cookieless Complies with GDPR

1. No Personal Data Processing (Ideal Case)

If truly anonymous:

• No unique identifiers
• No linking across sessions
• No individual tracking
• GDPR does not apply (Recital 26: anonymous information not covered)

Example: Server logs counting page views per hour, by country, without any visitor identification.

Advantage: No legal basis required; GDPR inapplicable to anonymous data.

2. Minimal Personal Data (Practical Case)

Even if some personal data processed (e.g., IP addresses):

Legitimate interest (Article 6(1)(f)) is stronger for cookieless analytics:

Necessity test:

• Cookieless measurement is genuinely necessary (no less intrusive alternative exists for basic traffic measurement)
• Purpose is limited and clear

Balancing test:

• Low privacy impact (no profiling, no cross-site tracking, no long-term identifiers)
• User expectations: Reasonable to expect website measures traffic
• Transparency: Easy to explain and understand
• No high risk to data subjects

Outcome: Legitimate interest likely valid for cookieless analytics where it may not be for cookie-based tracking.

GDPR Article 6 Bases for Cookieless Analytics

Legal Basis	Applicability	Requirements
Consent (6(1)(a))	Not needed for cookieless	N/A - no tracking to consent to
Contract (6(1)(b))	Rarely applicable	Analytics not necessary for service delivery
Legal obligation (6(1)(c))	Not applicable	No law requires website analytics
Vital interests (6(1)(d))	Not applicable	Analytics don't protect life
Public task (6(1)(e))	Public sector only	Government websites measuring performance
Legitimate interest (6(1)(f))	Primary basis	Website operator's interest in understanding traffic

Most common: Legitimate interest (Article 6(1)(f))

Legitimate Interest Assessment for Cookieless Analytics

Three-Part Test

Part 1: Legitimate Interest

Question: Does the controller have a legitimate interest?

For cookieless analytics:

• ✅ Understanding website performance
• ✅ Improving user experience
• ✅ Optimizing content
• ✅ Technical operations and security
• ✅ Business planning and development

GDPR Recital 47: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

By analogy: If direct marketing is legitimate interest, certainly understanding website usage is too.

Conclusion: Legitimate interest clearly exists.

Part 2: Necessity

Question: Is processing necessary for that interest?

For cookieless analytics:

• ✅ Cannot understand traffic without measurement
• ✅ Cookieless approach is least intrusive method
• ✅ No alternative that is less invasive (unless you don't measure at all)

Article 5(1)(c): Data minimization—collect only what is necessary

Cookieless analytics demonstrates data minimization:

• No persistent identifiers
• No cross-session tracking
• Aggregated measurement
• Short data retention

Conclusion: Processing is necessary, and minimized to what's required.

Part 3: Balancing Test

Question: Do data subject interests, rights, and freedoms override the legitimate interest?

Factors to consider:

Nature of data:

• Basic traffic metrics (not sensitive)
• No special categories (Article 9)
• Minimal personal data (if any)

Reasonable expectations:

• Users expect websites measure traffic
• Cookieless is less invasive than expected (no tracking)
• Transparent and understandable

Impact on data subjects:

• Low risk: No profiling, no behavioral advertising, no selling data
• No discrimination: Analytics not used for automated decisions affecting individuals
• No vulnerability: Not targeting children or vulnerable populations

Safeguards:

• Privacy policy disclosure
• Right to object provided
• Data security measures
• Limited retention periods

Conclusion: Interests do NOT override; legitimate interest is valid.

Legitimate Interest Assessment: Cookieless vs. Cookie-Based

Factor	Cookieless Analytics	Cookie-Based Tracking
Legitimate interest	Understanding traffic ✅	Understanding + profiling ❓
Necessity	Minimized approach ✅	Could use cookieless ❌
Privacy impact	Low (no tracking) ✅	High (persistent tracking) ❌
User expectations	Reasonable ✅	Negative (tracking) ❌
Safeguards	Built-in (no IDs) ✅	Requires controls ⚠️
Balancing outcome	Legitimate interest valid ✅	Questionable, consent safer ❌

Result: Legitimate interest is appropriate for cookieless; questionable for cookie-based tracking.

GDPR Principles and Cookieless Analytics

Principle 1: Lawfulness, Fairness, Transparency (Article 5(1)(a))

Lawfulness: Legitimate interest provides legal basis ✅

Fairness:

• Users not deceived
• No hidden tracking
• Processing aligns with reasonable expectations ✅

Transparency:

• Privacy policy discloses analytics
• Clear explanation of what's measured
• How to exercise rights ✅

Cookieless advantage: Easier to explain ("we count visitors, we don't track you") vs. complex cookie ecosystems.

Principle 2: Purpose Limitation (Article 5(1)(b))

Requirement: Data collected for specified, explicit, legitimate purposes; not further processed incompatibly

Cookieless analytics:

• ✅ Clear purpose: Website performance measurement
• ✅ Limited scope: Traffic statistics for website operator's use
• ✅ No secondary uses: Not sold, not used for advertising, not shared

Compliance: Purpose limitation naturally satisfied by design.

Principle 3: Data Minimization (Article 5(1)(c))

Requirement: Adequate, relevant, and limited to what is necessary

Cookieless analytics:

• ✅ No persistent user IDs (eliminates unnecessary tracking)
• ✅ Aggregated metrics (only what's needed for statistics)
• ✅ No individual profiles (unnecessary for traffic measurement)
• ✅ Minimal personal data (IP anonymization, no cross-session linking)

Gold standard: Cookieless is data minimization by design.

Principle 4: Accuracy (Article 5(1)(d))

Requirement: Personal data must be accurate and kept up to date

Cookieless analytics:

• ✅ Aggregate statistics (accuracy inherent in counting)
• ✅ No individual data to be inaccurate
• ✅ Session-based measurement (no stale profiles)

Benefit: Less risk of inaccuracy when not maintaining user profiles.

Principle 5: Storage Limitation (Article 5(1)(e))

Requirement: Kept in identifiable form no longer than necessary

Cookieless analytics:

• ✅ Session-only tracking (no long-term storage of identifiers)
• ✅ Aggregated data quickly (raw logs not retained long)
• ✅ Typical retention: 25 months maximum (align with AEPD requirements)
• ✅ Aggregated reports can be kept indefinitely (no personal data)

Best practice: Delete raw server logs after aggregation; retain only statistics.

Principle 6: Integrity and Confidentiality (Article 5(1)(f))

Requirement: Appropriate security measures

Cookieless analytics:

• ✅ Less data to secure (no long-term user profiles)
• ✅ Encryption in transit (HTTPS)
• ✅ Access controls
• ✅ Secure infrastructure

Reduced risk: Less valuable to attackers (no persistent user data to breach).

Principle 7: Accountability (Article 5(2))

Requirement: Controller must demonstrate compliance

Cookieless analytics:

• ✅ Document legitimate interest assessment
• ✅ Maintain records of processing activities (Article 30)
• ✅ Privacy policy reflects cookieless approach
• ✅ Data protection by design (Article 25)

Demonstration: Easier to show compliance when processing is minimal.

Data Subject Rights and Cookieless Analytics

Right of Access (Article 15)

User request: "What personal data do you have about me?"

Cookieless analytics response:

• If truly anonymous: "Our analytics do not process your personal data; we cannot identify you in our statistics."
• If minimal data (IP in logs): "We have server logs with your IP address from [date/time], used for traffic measurement. This data will be deleted after [retention period]."

Advantage: Simple response; no extensive user profiles to provide.

Right to Rectification (Article 16)

User request: "Correct inaccurate data about me"

Cookieless analytics:

• Not applicable (no individual user profiles to be inaccurate)
• Aggregate statistics are accurate by design

Right to Erasure (Article 17)

User request: "Delete my data"

Cookieless analytics:

• If anonymous: Not possible (cannot identify user in aggregate data)
• If IP in logs: Can delete specific IP entries, or explain scheduled deletion period

Practical: Much easier than cookie-based systems tracking users across months/years.

Right to Restriction (Article 18)

User request: "Stop processing my data while we resolve a dispute"

Cookieless analytics:

• Rarely applicable (no ongoing individual processing to restrict)
• Can flag IP for non-processing if requested

Right to Data Portability (Article 20)

User request: "Give me my data in portable format"

Cookieless analytics:

• Not applicable (Article 20 requires processing based on consent or contract; analytics typically legitimate interest)
• Even if applied: No meaningful individual data to port (aggregate statistics not "personal data")

Right to Object (Article 21)

User request: "Stop processing my data for analytics"

Cookieless analytics must provide:

• ✅ Mechanism to object (e.g., email address in privacy policy)
• ✅ Honor objections (stop including user in analytics)

Implementation options:

1. IP exclusion: Add user's IP to exclusion list (imperfect, dynamic IPs)
2. Browser signal: Respect Do Not Track or Global Privacy Control
3. Opt-out cookie: Paradoxically, set cookie to exclude from cookieless analytics
4. Manual request: User contacts, we exclude their IP or sessions

Best practice: Make objection easy and effective.

Cookieless Analytics and ePrivacy

ePrivacy Directive Article 5(3)

Separate from GDPR: Regulates terminal equipment access (cookies, device fingerprinting)

Requirement: Consent for storing/accessing information in terminal equipment

Exception: Strictly necessary for service delivery

Cookieless and ePrivacy Compliance

Key question: Do cookieless analytics access/store information in terminal equipment?

If NO cookies or client-side storage:

• ✅ ePrivacy Directive does not apply
• ✅ No consent required under ePrivacy
• ✅ Only GDPR applies (covered by legitimate interest)

If minimal cookies (e.g., session cookie):

• "Strictly necessary" exception may apply (if truly needed for service)
• Or analytics exemption under AEPD framework (see Analytics Cookies Exemption)

Cookieless advantage: Bypasses ePrivacy consent requirement entirely.

Digital Omnibus Future Framework

Article 88a(3)(c) (when in force):

"Creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use"

Explicit consent exemption for:

• Aggregated measurement
• By controller
• For own use

Cookieless analytics alignment: Perfectly aligned with Article 88a(3)(c)

Learn more: EU Digital Omnibus - Cookie Consent Reform

Practical Implementation: GDPR-Compliant Cookieless Analytics

Step 1: Choose Cookieless Solution

Options:

Sealmetrics:

• Cookieless by design
• Aggregated measurement
• First-party data only
• GDPR-compliant out of the box

Server-side analytics:

• Parse server logs
• Anonymize IPs
• Aggregate metrics
• No client-side tracking

Privacy-focused platforms:

• Plausible (cookieless mode)
• Fathom Analytics
• Simple Analytics
• Matomo (cookieless configuration)

Step 2: Configure for Privacy

If using Sealmetrics: Default configuration is compliant

If using other tools:

• ✅ Disable cookies
• ✅ Disable user ID tracking
• ✅ Disable cross-site tracking
• ✅ Enable IP anonymization
• ✅ Limit data retention (25 months max recommended)
• ✅ Disable any advertising features
• ✅ Ensure first-party data only

Step 3: Conduct Legitimate Interest Assessment

Document:

1. Legitimate Interest:

   • What: Understanding website performance to improve user experience
   • Why: Necessary for operating and improving our online service
   • Benefit: Better content, faster site, improved UX

2. Necessity:

   • Processing limited to traffic statistics
   • Cookieless approach = minimum data
   • No less intrusive alternative exists

3. Balancing Test:

   • Low privacy impact (no tracking, no profiling)
   • Reasonable user expectations
   • Transparency in privacy policy
   • Right to object provided
   • Conclusion: Legitimate interest valid

Retain this assessment: For accountability (Article 5(2))

Step 4: Update Privacy Policy

Required disclosures:

## Website Analytics

We use cookieless analytics to understand how visitors use our website. This helps us improve content and user experience.

### What We Measure
- Pages visited
- Referrer (where you came from)
- Device type and browser
- Geographic location (country/region)
- Time spent on pages

### What We Don't Do
- We do not use cookies to track you
- We do not track you across websites
- We do not build individual user profiles
- We do not sell or share your data
- We do not use your data for advertising

### Legal Basis
Legitimate interest (GDPR Article 6(1)(f)): We have a legitimate interest in understanding how our website is used to improve it. Our processing is limited, transparent, and does not override your privacy rights.

### Your Rights
You have the right to:
- Object to analytics processing
- Access any personal data we hold
- Request deletion of your data

To exercise these rights, contact: [privacy@example.com]

### Data Retention
Analytics data is retained for 25 months, then deleted.

### Analytics Provider
We use [Sealmetrics/other provider], which acts as our data processor and does not use data for their own purposes.

Step 5: Provide Opt-Out Mechanism

Options:

Simple email:

"If you wish to opt out of our analytics, contact privacy@example.com with your IP address or approximate time of visit."

Technical opt-out:

• Respect Do Not Track header
• Respect Global Privacy Control
• Provide dedicated opt-out page

Best practice: Make it easy; few users will actually opt out of non-invasive cookieless analytics.

Step 6: Maintain Records

Article 30 GDPR: Record of processing activities

Required information:

• Name and contact details of controller
• Purposes of processing (website analytics)
• Categories of data subjects (website visitors)
• Categories of personal data (IP address [if processed], referrer, user agent)
• Categories of recipients (analytics provider, if any)
• Retention periods (25 months)
• Security measures

Maintain this record: Available for supervisory authority if requested.

Common Questions

Do I need a cookie banner for cookieless analytics?

No. If analytics are truly cookieless (no cookies, no persistent identifiers), ePrivacy consent requirement does not apply.

GDPR still applies: But legitimate interest is sufficient; consent not required.

Can I use cookieless Google Analytics?

Google Analytics 4 has a "cookieless mode" but:

• Data still transferred to Google
• Google may use data for its purposes
• May not qualify for GDPR legitimate interest
• May still require consent

Recommendation: Use purpose-built cookieless analytics (Sealmetrics, Plausible, Fathom) for genuine compliance.

Is IP address personal data?

Yes, under GDPR (confirmed by CJEU in Breyer case).

But: Can be processed under legitimate interest if:

• Purpose is limited (traffic measurement)
• Retention is limited (deleted after aggregation)
• Anonymized or pseudonymized where possible

Cookieless analytics: Often anonymize IPs at collection or immediately after processing.

What about device fingerprinting?

Device fingerprinting = Combining browser/device characteristics to create unique identifier

GDPR status:

• If creates persistent identifier: Likely personal data
• If used for tracking: Requires legal basis (consent or legitimate interest)

ePrivacy status:

• Accessing device information may require consent under Article 5(3)

Cookieless analytics caution: Using fingerprinting defeats the purpose; truly cookieless should avoid persistent fingerprinting.

Acceptable: Ephemeral technical signals for session uniqueness (not cross-session tracking).

How long can I retain cookieless analytics data?

GDPR Storage Limitation (Article 5(1)(e)): No longer than necessary

Best practice:

• Raw data (IP addresses, logs): 25 months maximum (aligns with AEPD)
• Aggregated statistics: Indefinitely (no personal data)

Recommended approach:

1. Collect raw data
2. Aggregate into statistics daily/weekly/monthly
3. Delete raw data after aggregation (or after 25 months max)
4. Retain aggregated reports indefinitely

Can I share cookieless analytics data?

With data processor (Article 28): Yes, if:

• Data Processing Agreement in place
• Processor only acts on your instructions
• Processor does not use data for own purposes

With third parties for their purposes: No, unless:

• Data is truly anonymous (aggregated to point of non-identification)
• OR you obtain consent
• OR another Article 6 basis applies

Best practice: Keep analytics data in-house; only share truly anonymous statistics.

Cookieless Analytics and Data Transfers

GDPR Chapter V: International Transfers

If analytics data transferred outside EU/EEA:

GDPR requirements:

• Adequacy decision, OR
• Appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules), OR
• Derogations (consent, contract, etc.)

Cookieless advantage:

• Less data to transfer (no user profiles)
• Can keep data in EU more easily (self-hosted or EU providers)

Sealmetrics: Data stays in EU; no international transfer issues.

US-based analytics: Proceed with caution post-Schrems II; ensure SCCs and supplementary measures.

Comparison: Cookie-Based vs. Cookieless

Aspect	Cookie-Based Analytics	Cookieless Analytics
GDPR legal basis	Consent (usually) or contested legitimate interest	Legitimate interest (strong case)
ePrivacy requirement	Consent required	Not applicable (no cookies)
Cookie banner	Required	Not required
Data subject rights	Complex (years of profiles)	Simple (minimal data)
Consent rate	50-80% (data loss)	N/A (100% data)
Privacy impact	High (tracking over time)	Low (session-only)
User experience	Interrupted (banner)	Seamless (no banner)
Compliance complexity	High	Low
Cost	High (CMP, legal review)	Low (no CMP needed)
Data quality	Skewed (consent bias)	Complete (all visitors)

Clear winner: Cookieless analytics for privacy, compliance, UX, and data quality.

Related Resources

• Analytics Cookies Exemption Requirements - AEPD and EU DPA guidance on analytics without consent
• EU Digital Omnibus - Cookie Consent Reform - Future framework for analytics under Article 88a
• EU Digital Omnibus - Impact on Analytics - How regulations affect analytics industry

Key Takeaways

1. Cookieless analytics can comply with GDPR without consent banners
2. Legitimate interest (Article 6(1)(f)) is appropriate legal basis for cookieless analytics
3. ePrivacy consent not required when no cookies or terminal storage used
4. Data minimization by design: Cookieless naturally satisfies GDPR principles
5. Simpler data subject rights: Minimal data = minimal rights management
6. No cookie banner needed: Better UX, complete data, lower costs
7. Future-proof: Aligns with Digital Omnibus Article 88a(3)(c)
8. Document legitimate interest: Conduct and retain assessment for accountability
9. Privacy policy disclosure: Required even for cookieless analytics
10. Right to object: Must be provided and honored

Cookieless analytics represent the evolution of privacy-respecting measurement. By eliminating persistent tracking while maintaining statistical accuracy, they satisfy both GDPR requirements and user expectations for privacy. As the Digital Omnibus makes clear, aggregated audience measurement for own use is not invasive surveillance—it's legitimate business intelligence. Cookieless analytics embody this principle in practice.