Analytics Without Consent: How to Track Visitors Without Cookie Banners (Legally)

It has become the web's most annoying ritual. You arrive on a site, and before you can even read the headline, a window pops up: "We value your privacy… Do you accept our 85 partners?" For the user, it's a nuisance (the now-famous consent fatigue). For the site owner, it's a dilemma: display this banner and lose a chunk of your data, or skip it and risk a fine from the regulator. Yet a third path exists. A lesser-known path that is 100% legal and far more respectful: the consent exemption.

In short:
The banner is not automatic: it's only mandatory if you track visitors for advertising or profiling purposes.
The consent exemption: it's possible to measure your audience without asking for consent, provided you follow strict data frugality rules.
The double win: by removing the banner, you improve user experience and recover the statistics of visitors who were refusing tracking.

1. Why Cookie Banners Destroy Your Data

Why do we see these banners everywhere? Because most traditional analytics tools (like the default configuration of Google Analytics) collect personal data and often share it with advertising services. The GDPR is clear: for that, you need explicit consent.

The problem is that internet users are fed up. According to the latest Eurobarometer, 72% of European citizens say they are worried about how their data is processed online.
→ Source: Eurobarometer – Digital Rights and Principles

The consequence is immediate: when given a choice, many refuse. Data from European regulators shows that cookie refusal rates have risen significantly since enforcement began. It's estimated today that a site using a classic cookie banner loses between 30% and 50% of its actual data.
→ Source: CNIL – Cookie action plan impact evaluation

Your dashboard is lying to you: it only shows you a fraction of your real audience. As we explain in our article on data obesity, this is the paradox: the more you collect, the less you see.

2. Understanding the Consent Exemption

The Principle

The CNIL (France's Data Protection Authority) is one of the most pragmatic regulators in Europe on this topic. It has established a clear doctrine: audience measurement is essential to the proper functioning of a web service. Consequently, certain measurement tools can be exempted from consent.

In other words: you have the right to use a tracking mechanism for audience measurement without asking the user's permission, and therefore without displaying a banner.

This principle has been echoed by other European DPAs and aligns with the ePrivacy Directive's provision for "strictly necessary" cookies and similar technologies. While the specifics vary by country, the underlying logic is the same: if the measurement is truly frugal and serves only the site owner, exemption is possible.

But it's not a free pass. It's a strict framework that rewards what we call frugal analytics.

Checklist: Criteria for Qualifying

To benefit from the exemption, your tool and its configuration must meet these conditions. The list below is a synthesis of the CNIL's official guidelines, which are among the most detailed in Europe:

Strictly limited purpose: data must only be used for audience measurement for the exclusive benefit of the site publisher. No retargeting, no ad profiling, no data resale.
No data cross-referencing: collected data must not be merged with other databases (CRM, customer files) or cross-referenced with data from other sites or applications.
IP anonymization or pseudonymization: the IP address must not allow geolocation more precise than the city level. In practice, the last octets of the IP address must be deleted or hashed before any storage.
Limited tracker lifespan: if a cookie is used, its lifetime must not exceed 13 months. Raw collected data must not be retained beyond 25 months.
User information: even without consent, users must be informed of the tracker's existence and their right to opt out. This information typically appears in the site's privacy policy.
No uncontrolled transfers outside the EU: data must not be transferred to third countries without the safeguards required by the GDPR (standard contractual clauses, adequacy decisions, etc.).

→ Official source: CNIL – Audience measurement solutions

Which Tools Qualify?

The CNIL has evaluated several solutions and published a (non-exhaustive) list of audience measurement tools that can qualify for exemption when properly configured. This list includes tools like Matomo (in a specific configuration), as well as several tools from the frugal new wave.

To check whether your current tool is eligible, verify each point of the checklist above against the vendor's documentation. When in doubt, the CNIL's official page is the reference.

3. Why Go Privacy-First?

Adopting a consent-exempt analytics solution isn't just a legal hack. It's a competitive advantage on three fronts.

3.1 You Recover 100% of Your Visibility

Since you no longer need to wait for the user to click "Accept," the measurement script loads the moment they arrive on the site. You go from a partial view (the 50 to 60% who accept) to a near-total view of your traffic.

For an SMB making decisions based on its stats — which page works, which channel to invest in — the difference between "seeing 60%" and "seeing 100%" is enormous. The 5 essential KPIs finally become reliable.

3.2 You Improve Your Brand Image

A site without an aggressive pop-up is a site that inspires trust. You send a strong signal to visitors: "Here, we don't spy on you — we just look at aggregate statistics to improve the service."

This is particularly powerful if you're in a sector where trust matters (healthcare, finance, legal, education). But even for a small retailer or e-commerce store, a banner-free site delivers a better first impression.
3.3 You Simplify Your Compliance

No more updating complex CMPs (Consent Management Platforms) or worrying about a formal notice because a button is misplaced or the banner's visual hierarchy subtly favors acceptance.

By collecting less data (data minimization), you mechanically reduce your legal risk. Less data to protect, fewer flows to document, fewer awkward questions during an audit.

3.4 You Improve Your Site's Performance

Exempt tools are generally much lighter than their traditional counterparts. We detail the impact on Core Web Vitals in our article on SEO without Google Analytics: switching from a 45 KB script to a 1-6 KB script has a direct effect on load time — and therefore potentially on search rankings.

4. The Limitations to Know

The exemption isn't a magic bullet. Here are the important nuances.

What You Lose

User-level tracking: individual journeys, user profiles, retargeting. If you need to know that "User X returned 3 times this week and viewed the pricing page," frugal analytics won't answer that (and it's a design choice, not a technical limitation).
Demographic data: age, gender, interests. These require profiling that's incompatible with the exemption.
Advertising integration: connections to Google Ads, Meta Ads, etc. The exemption is reserved for audience measurement, not ad optimization.

What You Keep

Everything an SMB actually needs to steer their business, as detailed in our analytics tool comparison: visitors, pages, sources, UTM campaigns, conversions, trends. Aggregated data is not only sufficient but often more readable and more actionable than individual tracking.

The Exemption Is Not Automatic

This is essential: the exemption depends on the configuration of the tool, not just its name. A tool can be eligible for exemption in one configuration and lose that eligibility if certain options are enabled (data cross-referencing, secondary purposes, uncontrolled transfers).

5. How to Check If Your Site Qualifies

Here's a quick 4-question diagnostic:

1. Does your analytics tool collect personal data beyond (truncated) IP addresses?
   If yes → consent required. If no → continue.
2. Is the data cross-referenced with other sources (CRM, customer files, other sites)?
   If yes → consent required. If no → continue.
3. Is the data used for anything other than audience measurement for your own site? (advertising, resale, profiling)
   If yes → consent required. If no → continue.
4. Is the data transferred outside the EU without GDPR safeguards?
   If yes → consent required. If no → exemption likely possible.

If your setup passes all 4 tests, consult your local DPA's guidelines to confirm eligibility and mention the tool in your privacy policy.

Conclusion: Compliance Through Simplicity

For a long time, people believed the GDPR would kill web performance measurement. In reality, it only killed the "bad" kind: the kind that surveils individuals to serve targeted advertising.

For SMBs, freelancers, and agencies, the future belongs to lean tools that natively respect these exemption criteria. It's the guarantee of sleeping well at night while having reliable numbers to steer your business.

The equation is simple: less collection + more respect = better data + less risk.

FAQ: Analytics and Consent

Is Google Analytics 4 (GA4) exempt from consent?
By default, no. GA4 collects personal data and often transfers it outside the European Union. The CNIL has specified that making GA4 exempt requires complex and costly "server-side proxying" that demands dedicated infrastructure. It's out of reach for most SMBs. In the majority of cases, choosing a natively eligible tool is simpler.

If I don't have a cookie banner, am I breaking the law?
Not necessarily. If you don't use any advertising trackers (like Meta Pixel, Google Ads tags, or retargeting scripts) and your analytics tool strictly meets consent exemption criteria, you're perfectly legal without a banner. You simply need to mention the tool in your privacy policy and inform users of their right to opt out.

What is IP address anonymization?
It's a technique that deletes the last portion of a visitor's IP address before recording it. This prevents tracing back to a specific person or household, while still allowing you to know, for example, that the visit came from the "London" or "Paris" region. It's a sine qua non condition for the exemption.

Is the 13-month cookie lifetime mandatory?
Under the CNIL's guidelines, yes — if a cookie is used, its lifetime must not exceed 13 months. Raw collected data can be retained for up to 25 months. Beyond that, only statistical aggregates (non-personal) may be kept for trend analysis. These are upper limits: retaining for shorter periods is always preferable in a data minimization approach.

Do I still need a privacy policy?
Yes, always. Consent exemption doesn't exempt you from the obligation to inform users. Your privacy policy must mention the measurement tool used, the data collected, the purposes (audience measurement), the retention period, and the right to object. This is a GDPR obligation independent of the cookie consent question.
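
The IP truncation described in the checklist and in the FAQ above, as an added example that is not part of the original article or of any analytics vendor's code. The prefix lengths (24 bits kept for IPv4, 48 for IPv6) and the `anonymize_ip` / `anonymize_hit` names are assumptions chosen for illustration; the article only says the last octets must be deleted before storage.

```python
import ipaddress

# Assumed prefix lengths (not from the article): keep the first 24 bits of an
# IPv4 address (drops the last octet) and the first 48 bits of an IPv6 address.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def anonymize_ip(raw, v4_bits=V4_KEEP_BITS, v6_bits=V6_KEEP_BITS):
    """Return the truncated address as a string, or None if raw is not an IP.

    Callers store only the return value and never the raw input.
    """
    try:
        # Strip whitespace and an IPv6 zone id such as "%eth0".
        addr = ipaddress.ip_address(raw.strip().split("%", 1)[0])
    except (ValueError, AttributeError):
        return None  # fail closed: store nothing rather than a raw string

    # ::ffff:a.b.c.d is an IPv4 client seen through a dual-stack socket.
    # Treat it as IPv4 so the client's own octets are the ones removed;
    # a /48 cut on the mapped form would zero the whole address instead.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    bits = v4_bits if addr.version == 4 else v6_bits
    # strict=False masks the host bits instead of rejecting them.
    network = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(network.network_address)


def anonymize_hit(hit):
    """Copy a page-view record with its 'ip' field replaced by the truncated form."""
    cleaned = dict(hit)
    cleaned["ip"] = anonymize_ip(hit.get("ip", ""))
    return cleaned


if __name__ == "__main__":
    # Constructed sample hits using documentation-range addresses.
    for sample in ("203.0.113.77", "2001:db8:abcd:1234::1", "::ffff:198.51.100.9", "junk"):
        print(sample, "->", anonymize_ip(sample))
```

Truncation has to run before the hit reaches any log, queue or database; a raw address written to a web-server access log defeats it.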