The question, and why it matters
Nobody enjoys cookie banners. Site operators dislike them because they hurt conversion and clutter the design. Visitors dislike them because they are an interruption to every single browsing session. Data protection professionals dislike them because they have turned into a ritual of fake consent that doesn't protect anyone.
So the question gets asked constantly: can you just not have one? More specifically, can you run analytics — measure page views, bounce rates, traffic sources, campaign performance — without asking for consent?
The answer is "sometimes, and it depends on which data protection authority you are most likely to hear from." Underneath the apparent disagreement, the legal framework is the same across the EU: the ePrivacy Directive Article 5(3) controls storage and access on the user's device, and the GDPR controls processing of personal data. The differences between DPAs are all about interpretation, enforcement priority, and the narrowness of the "strictly necessary" exemption.
This post surveys the positions of the DPAs most likely to look at your site if you operate in the EU. It is descriptive, not prescriptive — we do not give legal advice, and you should run your specific setup past your own counsel before making changes.
CNIL (France): the most detailed and the most permissive
CNIL, the French Commission Nationale de l'Informatique et des Libertés, has produced more detailed guidance on analytics and consent than any other EU DPA. Its position is simultaneously the strictest in some respects and the most permissive in others.
The strict part: CNIL has actively enforced against Google Analytics in its default configuration, finding that the transfer of data to the United States and the setting of identifying cookies were incompatible with EU law. Multiple French websites were ordered to bring their GA deployments into compliance or stop using the tool. That enforcement sent a clear signal that running the GA4 script as supplied by Google, on a French audience, is not acceptable.
The permissive part: CNIL explicitly recognises that some analytics tools are exempt from the consent requirement altogether. It calls this the "audience measurement exemption." A tool qualifies if it meets all of the following:
- Its purpose is strictly limited to producing anonymous statistics for the publisher
- It is used exclusively by the publisher or its processor
- Data is not cross-referenced with other processing or shared with third parties
- Tracking is limited to a single website
- IP addresses are anonymised (typically by truncation) before retention
- Retention is limited to a reasonable period
Tools that meet the bar can be deployed without a consent banner in France. CNIL maintains a published list of solutions it has reviewed, and has recognised several cookieless analytics products (including Matomo in cookieless mode with certain settings, Piwik Pro, Abla Analytics, AT Internet, and others) as compliant.
A tool that never stores anything on the device at all — as Web-Tracking.eu, Plausible, Fathom, and Pirsch do — sits above the exemption. It does not need the exemption because it does not engage Article 5(3) in the first place. CNIL's guidance makes this clear in passing but is primarily written for the harder case of analytics tools that do touch the device.
Practical takeaway for French sites: if you use a cookieless analytics tool with no device storage, no cross-site tracking, EU hosting, and appropriate retention, you do not need a consent banner for the analytics layer. You may still need one for other trackers.
DSK and BayLDA (Germany): strict reading of the letter of the law
Germany implements the ePrivacy Directive through §25 of the TTDSG, recently renamed TDDDG. The enforcement is split across sixteen state DPAs (LDI NRW, BayLDA in Bavaria, LfD Niedersachsen, etc.), which coordinate through the Datenschutzkonferenz (DSK).
The DSK's position on analytics is strict. Any storage of information on the terminal device, or reading of information from it, requires consent under §25 TTDSG unless it is strictly necessary for a service the user has explicitly requested. Analytics does not qualify as strictly necessary. So any analytics tool that touches the device needs a consent banner in Germany.
BayLDA, the Bavarian DPA, has been the most active enforcer. It has issued guidance clarifying that:
- Setting analytics cookies without consent is illegal under §25 TTDSG
- Transmitting data to third-country servers (especially US-hosted services) additionally requires a lawful basis under GDPR Chapter V
- The "consent mode" features offered by Google and others do not cure the underlying consent problem — the cookies are still set, even if they carry less data
This strict reading actually works in favour of cookieless architectures. If any device storage needs consent, then a tool with no device storage needs no consent. German DPAs accept this logic. A tool that stores nothing on the device simply falls outside the scope of §25 TTDSG, and the consent requirement does not apply to it. You still need a GDPR legal basis for any personal data processing, but that is a different question handled under Article 6, typically via legitimate interest.
Practical takeaway for German sites: the cookieless approach is the safest path in Germany. There is no "measurement exemption" equivalent to France's — you either need consent or you need an architecture that does not engage §25 at all.
Datatilsynet (Denmark): faithful to the directive
The Danish DPA, Datatilsynet, applies the Danish cookie bekendtgørelse, which is a straightforward transposition of Article 5(3). Its published guidance emphasises two points:
- The cookie rules apply to any storage or access of information on the user's device, not just to cookies narrowly defined
- If a service does not store or access anything on the device, the cookie rules simply do not apply to it
This is the cleanest statement of the position among EU DPAs. Datatilsynet does not maintain a detailed "approved list" like CNIL, but its guidance is clear that a cookieless analytics tool with server-side counting does not need a consent banner for its own operation. Datatilsynet has been active in enforcing the cookie rules against Danish websites running non-compliant trackers, with several fines issued since 2022.
Practical takeaway for Danish sites: the logic is identical to Germany. If you use a tool that does not touch the device, the Danish cookie rules are not engaged, and you do not need a consent banner for that tool.
AP (Netherlands): cookie-specific rules, broad interpretation
The Dutch Autoriteit Persoonsgegevens enforces Article 11.7a of the Telecommunications Act (Telecommunicatiewet), which is the Dutch transposition of Article 5(3). The AP's position aligns with the mainstream European reading: any storage or access on the device requires consent unless it is strictly necessary.
The AP has issued opinions and enforcement actions against websites using third-party advertising cookies without consent, and has been particularly focused on the practices of large media publishers. Analytics has not been a primary enforcement target, but the AP has been explicit that it considers device-storing analytics to require consent.
The AP has not published a CNIL-style "approved list," but it has confirmed in several public statements that cookieless analytics solutions are outside the scope of Article 11.7a. The Dutch government's own digital services use a cookieless analytics tool (previously Piwik/Matomo in a stripped-down configuration, more recently other options) to avoid the consent requirement on public-sector websites.
Practical takeaway for Dutch sites: same as Germany and Denmark. A cookieless tool does not trigger Article 11.7a, so no consent banner is needed for it.
ICO (United Kingdom, post-Brexit): pragmatic guidance
The UK remains subject to PECR, which transposes Article 5(3) of the ePrivacy Directive, even after leaving the EU. The ICO's guidance on PECR and cookies is one of the most practically written pieces of regulatory text in the space and is worth reading in full.
The ICO confirms that:
- PECR applies to any storage or access on the device, not just cookies
- First-party analytics may qualify for the "strictly necessary" exemption in limited circumstances, though the ICO cautions that this is a narrow path and that consent is the safer default for device-storing analytics
- A tool that does not engage in storage or access on the device is not subject to PECR at all
The ICO has been more forgiving in its enforcement than some continental DPAs. It has prioritised large-scale violations and egregious trackers over analytics-heavy websites. Still, its written guidance is clear, and compliance expectations are the same in theory.
Practical takeaway for UK sites: the cookieless architecture has the same effect under PECR as under the ePrivacy Directive. No device storage, no PECR engagement, no consent banner for the analytics layer.
Common requirements across DPAs
Reading the guidance from the DPAs above reveals a consistent set of requirements that cookieless analytics should meet. Think of these as the shared baseline, not quite written down in any single document but present in all of them:
- No cross-site tracking. Any identifier must be scoped to a single site. You should not be able to follow a visitor from Site A to Site B using the same analytics tool.
- Limited retention. Raw inputs (IP, User-Agent) must be discarded immediately. Aggregated data should not be retained longer than necessary — CNIL has suggested 13 months for cookies and 25 months for aggregated statistics as rough upper bounds.
- Anonymised or discarded IPs. If IPs are stored at all, they should be truncated. Better: discard them entirely after extracting what you need.
- No third-party data sharing. The analytics data should stay with the publisher (and its processor), not flow to ad networks, data brokers, or other third parties.
- First-party deployment. The tracker should be served from the publisher's infrastructure or from a processor subject to a proper DPA, not from a third party that can combine the data with other sources.
- Documented legal basis under GDPR. Even without a consent banner, the processing needs a GDPR Article 6 basis — typically legitimate interest with a documented assessment.
Cookieless tools like Web-Tracking.eu, Plausible, Fathom, and Pirsch all meet these conditions in their default configurations. Some tools can be configured to meet them (Matomo in cookieless mode; Piwik Pro with appropriate settings) but require deliberate setup.
Which tools qualify (cookieless by design)
Tools that never store anything on the device, by design, are the simplest case. They satisfy the ePrivacy trigger test automatically and only need to clear the GDPR processing bar (which they do via legitimate interest and appropriate safeguards). The shortlist:
- Web-Tracking.eu — server-side daily-rotating hash, EU hosting
- Plausible — server-side daily-rotating hash, EU hosting
- Fathom — server-side hash, EU data centre option available
- Pirsch — server-side salted fingerprint, EU hosting
- Simple Analytics — server-side hash, EU hosting
In all of these cases, the analytics layer can be deployed without a cookie consent banner across the EU. The exact wording of the privacy policy still matters, and other parts of the site (embeds, chat widgets, ads) may require a banner of their own.
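The "server-side daily-rotating hash" named in the list above, together with the single-site scoping and raw-input discarding from the common requirements, can be sketched as follows. This is an added example, not the code of any tool listed on this page; the class and function names, the HMAC-SHA256 construction and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date


class DailySaltStore:
    """Keeps one random salt for the current day only; older salts are dropped."""

    def __init__(self):
        self._day = None
        self._salt = b""

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # New day: the old salt is overwritten, so yesterday's IDs
            # can no longer be recomputed or linked to today's.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, site: str, ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over site + IP + User-Agent, keyed with the daily salt."""
    # Including the site name scopes the ID to one site (no cross-site linking).
    msg = "\x00".join((site.lower(), ip, user_agent)).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


class PageviewCounter:
    """Stores only (site, day) -> set of hashed IDs; never the raw IP or UA."""

    def __init__(self, salts: DailySaltStore):
        self._salts = salts
        self._seen = defaultdict(set)
        self.pageviews = defaultdict(int)

    def record(self, day: date, site: str, ip: str, user_agent: str) -> str:
        vid = visitor_id(self._salts.salt_for(day), site, ip, user_agent)
        self._seen[(site, day)].add(vid)
        self.pageviews[(site, day)] += 1
        return vid  # ip and user_agent go out of scope here, unstored

    def unique_visitors(self, site: str, day: date) -> int:
        return len(self._seen[(site, day)])
```

Nothing in this flow sets a cookie or reads from the browser: the identifier is derived entirely from request metadata the server already receives, and it stops being reproducible once the day's salt is replaced.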
Which tools don't qualify (without careful configuration)
The tools below touch the device in their default configuration and therefore require consent or careful reconfiguration to qualify for a measurement exemption.
- Google Analytics 4 (gtag.js) — sets first-party cookies (_ga, _ga_*). Consent mode v2 adjusts behaviour but does not remove the cookies. Needs a banner in every EU jurisdiction.
- Microsoft Clarity — session replay and heatmap tool that stores identifiers and records interactions. Needs consent.
- Hotjar — session replay, heatmaps, surveys, and more. Sets multiple cookies and identifiers. Needs consent.
- Facebook Pixel / Meta Pixel — advertising tracker with cross-site linking. Needs consent, and has additional transfer issues under GDPR Chapter V.
- LinkedIn Insight Tag — advertising cookies and cross-site linking. Needs consent.
- Matomo (default) — sets first-party cookies (_pk_id, _pk_ses). Needs consent unless reconfigured to cookieless mode, and even then the cookieless fingerprint may or may not qualify for a measurement exemption depending on the DPA.
- Adobe Analytics — sets multiple cookies, historically considered a device-storing analytics tool. Needs consent.
None of these are "illegal" as such — they can all be deployed lawfully with an appropriate consent flow, and in the right configuration. But they are not cookieless, and they cannot be deployed without a banner.
The server-side GA4 question
A common question is whether you can make GA4 compliant by loading it server-side, either via Google Tag Manager Server-Side, via Measurement Protocol, or via a CDN-hosted alternative. The short answer is: maybe, but the hard parts don't go away.
Server-side GA4 can avoid the client-side cookies for page views if you build the integration carefully. In that configuration, nothing is stored on the device (for the GA4 portion), and Article 5(3) is not engaged for the request itself. However, several issues remain:
- Google's server-side tagging tool still typically sets a client-side cookie unless you actively disable it
- If you use any GA4 feature that relies on a client-side identifier (enhanced measurement, cross-device tracking, advertising integrations), the cookie comes back
- Data still transfers to Google in the United States, which creates GDPR Chapter V obligations independent of Article 5(3)
- You take on the full engineering burden of a server-side deployment, which is non-trivial and expensive
In practice, a properly-built cookieless analytics tool gets you the same ePrivacy exemption with less complexity and without the international transfer question. This is why the "server-side GA4" path is popular with large enterprises that already have GA infrastructure but has not spread to smaller sites.
What to tell your legal team
If you are proposing to run your site without a cookie banner because you use cookieless analytics, your legal team will want to see a concrete compliance story. Here is a checklist to give them:
- Ethical basis under ePrivacy. Document that the analytics tool does not store or access information on the user's device. Cite the specific mechanism (server-side hash, no cookies, no localStorage). Reference Article 5(3) and explain why it is not triggered.
- Legal basis under GDPR. Document a legitimate interest assessment covering the processing of IP address and User-Agent as transient hash inputs, and the retention of the resulting hash as non-personal data. Address the three GDPR necessity tests: purpose, necessity, balancing.
- Data retention. Specify how long hashed data is kept, what is aggregated, when it is deleted.
- Sub-processors and locations. List the analytics vendor as a sub-processor and confirm EU hosting. Attach the vendor's DPA.
- Other trackers. Audit the rest of the site. Confirm either that no other device-storing tools are present, or that those tools have their own consent flow.
- DPA-specific considerations. If your primary audience is in a specific country, mention the DPA's published position on cookieless analytics and include a link to their guidance.
- Documentation of the tracker's behaviour. Ask your analytics vendor for a technical description of exactly what happens on each request. A vendor that cannot provide one should not be on your shortlist.
With this package in hand, a reasonable legal team will sign off on running without a consent banner for the analytics layer. Expect follow-up questions about the rest of the site — especially embeds, ads, chat widgets, and anything loaded from a third-party CDN — because the cookieless analytics argument does not cover those.
The bottom line
There is no EU DPA that takes the position "cookieless analytics still requires a consent banner." The debate in the EU is entirely about tools that do store something on the device, and the narrow question of when the "strictly necessary" exemption or a measurement-specific exemption can be relied upon. A tool that does not engage Article 5(3) at all steps over the whole debate.
The practical path for site operators who want to retire their cookie banner is therefore:
- Move to a cookieless analytics tool that computes identifiers server-side
- Remove or reconfigure any other device-storing trackers (ads, embeds, chat widgets)
- Document the legal basis under GDPR Article 6 for the remaining processing
- Update the privacy policy to reflect the new architecture
- Remove the cookie banner
Each step is achievable. The legal framework supports it. Every DPA surveyed above has confirmed, directly or indirectly, that this is the correct reading of the law.
Web-Tracking.eu is a cookieless analytics platform.