How to Build GDPR Compliant Website Analytics Without Cookies

Flowsery Team
3 min read

TL;DR — Quick Answer

Cookieless analytics can track unique visits using SHA256 hashing of IP addresses, User-Agent strings, and rotating salts, producing irreversible anonymized data that satisfies GDPR requirements.

Operating a privacy-focused analytics service means constantly seeking ways to enhance user privacy while still delivering useful website analytics. The central challenge is providing unique visit counts and total pageviews without disrupting the visitor experience. No website owner wants to display intrusive cookie consent popups unless absolutely required by law.

Here is a technical overview of how cookieless, privacy-compliant analytics can be implemented.

To achieve full ePrivacy Directive compliance, including PECR and other member state implementations, an analytics tool must avoid all forms of cookie-like technology:

  1. Cookies
  2. localStorage
  3. sessionStorage
  4. Data derived from "Terminal Equipment" (timezone, device dimensions, etc.)

These constraints are actually reasonable from a privacy standpoint. Inspecting data stored on a visitor's device feels invasive, so these technical limitations align well with a privacy-first philosophy.

Tracking Visits Without Cookies

Any meaningful analytics platform needs the ability to distinguish between unique visits and raw pageviews. Pageview counts alone, without visit data, provide limited insight into actual traffic patterns.

Processing certain personal data (specifically IP addresses and User-Agent strings, as defined by the GDPR) is permissible under the regulation's six lawful bases. Website operators can rely on legitimate interest when there is no risk to the data subject and when proper anonymization is applied.

The approach involves combining multiple data points to generate a unique hash per visitor:

  1. A rotating salt value tied to the IP address and site identifier
  2. The IP address itself
  3. The User-Agent string
  4. The hostname (the website's domain)
  5. A site-specific identifier

These inputs are processed through a SHA256 hashing algorithm, producing output like: cd3f1ed906bb12b62dd5eff809aa1778211a02d1c11992476f0c9977c0db0646

The resulting hashes are mathematically irreversible. It is important to note that hashing differs fundamentally from encryption. Encrypted data can be decrypted with the right key, whereas hashing is strictly one-way.

Rotating the salt string daily at midnight adds an extra layer of protection against future advances in computing power and rainbow table attacks.

The result is an anonymized hash stored in the database that cannot be used to identify any individual person.
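The scheme described above, as an added example that is not Flowsery's own code: a daily random salt is combined with the five listed inputs under SHA256, and the hashes are used to count unique visits next to raw pageviews. The names `SaltStore`, `visitor_hash` and `summarize`, the field order, the length-prefixing and all sample values are assumptions made for illustration; the cross-day unlinkability it shows holds only because the previous day's salt is overwritten rather than kept.

```python
import hashlib
import secrets
from collections import defaultdict
from datetime import date


class SaltStore:
    """Holds only the current day's salt (hypothetical helper)."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        # The first request of a new day rotates the salt. The old value is
        # overwritten, so yesterday's hashes can no longer be recomputed.
        if day != self._day:
            self._day = day
            self._salt = secrets.token_bytes(32)
        return self._salt


def visitor_hash(salt: bytes, ip: str, user_agent: str, hostname: str, site_id: str) -> str:
    h = hashlib.sha256()
    for field in (salt, ip.encode(), user_agent.encode(), hostname.encode(), site_id.encode()):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def summarize(requests, salts: SaltStore):
    """Return {day: (unique_visits, pageviews)}; requests must be in day order."""
    seen = defaultdict(set)
    views = defaultdict(int)
    for day, ip, ua, host, site in requests:
        seen[day].add(visitor_hash(salts.salt_for(day), ip, ua, host, site))
        views[day] += 1
    return {d: (len(seen[d]), views[d]) for d in views}


# Constructed sample traffic: documentation IP ranges, made-up UA and site id.
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
SAMPLE = [
    (date(2024, 5, 1), "203.0.113.7", UA, "example.com", "site-123"),
    (date(2024, 5, 1), "203.0.113.7", UA, "example.com", "site-123"),
    (date(2024, 5, 1), "198.51.100.9", UA, "example.com", "site-123"),
    (date(2024, 5, 2), "203.0.113.7", UA, "example.com", "site-123"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, SaltStore()))
```

Only the hex digest would be stored per pageview; the raw IP address and User-Agent never need to reach the database.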

Schrems II Compliance

Following the Schrems II ruling in 2020, analytics providers operating across borders also need to address EU data transfer requirements. Since multiple EU data protection authorities have found Google Analytics to be non-compliant, any privacy-focused alternative must demonstrate robust compliance.

One effective approach is creating isolated European infrastructure where no EU traffic ever leaves EU-based servers. Data undergoes additional rounds of hashing using encryption keys stored exclusively on EU infrastructure before touching any non-EU services. Access to these servers can be restricted to engineers based in the EU or in countries with GDPR adequacy rulings, such as Canada. Even CI/CD systems can be self-hosted within the EU to maintain complete isolation.

The Role of Anonymization

The purpose of hashing visitor data is to ensure that no individual can ever be identified from the analytics data collected. This is the foundation of genuinely privacy-focused analytics.

Compliance with GDPR, CCPA, and PECR should not be an afterthought. GDPR's Recital 26 provides key guidance:

| Recital 26 | Analysis |
| --- | --- |
| To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out. | With proper hashing, a natural person cannot be singled out. Pageview updates occur within single database transactions, and query logs are not retained. |
| Account should be taken of all objective factors, such as the costs of and the amount of time required for identification. | Brute-forcing a 256-bit hash would cost roughly 10^44 times the global GDP -- making reverse identification essentially impossible with current or foreseeable technology. |
| The principles of data protection should not apply to anonymous information or personal data rendered anonymous such that the data subject is no longer identifiable. | Properly hashed data renders individuals unidentifiable, potentially placing such analytics outside the scope of GDPR entirely. |
| This Regulation does not concern the processing of such anonymous information, including for statistical or research purposes. | Even if GDPR were deemed applicable, there exists a legitimate business interest in understanding website performance through aggregate, anonymized statistics. |

Final Thoughts

Building analytics without cookies while still providing meaningful visit metrics is achievable through careful application of hashing and anonymization techniques. Some cookie-free analytics platforms only track pageviews, omitting unique visit data entirely. For businesses that depend on understanding traffic patterns, unique visits represent a critical metric that privacy-preserving techniques like the ones described here can deliver effectively.
