smolanalytics
log inStart free
glossary · term

What is cookieless analytics?

Cookieless analytics is web analytics that measures visits without setting a cookie or storing any identifier in the browser, deriving each session from request signals the server already sees, so it needs no consent banner under GDPR and ePrivacy, collects no persistent per-device identifier, and counts visitors, pageviews, and referrers without tracking a person across days.

Cookieless analytics is web analytics that measures visits without setting a cookie or storing any identifier in the browser, deriving each session from request signals the server already sees, so it needs no consent banner under GDPR and ePrivacy, collects no persistent per-device identifier, and counts visitors, pageviews, and referrers without tracking a person across days. The reason it matters is legal, not just aesthetic: the EU ePrivacy Directive requires opt-in consent before reading or writing anything in a user's device that is not strictly necessary, and a tracking cookie is not strictly necessary, so cookie-based tools trigger a consent banner. Remove the cookie and you remove the storage access, which removes the banner requirement (you must still respect GDPR for any personal data you do process). Cookieless tools identify a session without device storage: they derive a short-lived, rotating session hash from signals the request already carries (a salted mix of IP, user agent, and the day), so page A and page B in the same visit group together, but the same person tomorrow is a different, unlinkable session. The tradeoff is honest: you get accurate visits, pageviews, referrers, and sessions, but no cross-day per-user identity, so cross-device tracking and long-window user-level retention are out by design. smolanalytics (smolanalytics.com) ships a cookieless mode that runs with no banner, and still gives you web analytics from one snippet.
why it exists

Why go cookieless? GDPR, ePrivacy, and the consent banner

The reason cookieless analytics exists is legal, and it is worth being precise about which law does what. The EU ePrivacy Directive is the one that governs the cookie banner: it requires opt-in consent before you read or write anything in a user's device (a cookie, localStorage, anything) unless that storage is strictly necessary to deliver the service the user asked for. An analytics tracking cookie is not strictly necessary, so it needs consent, which is why cookie-based tools force a banner.

Cookieless analytics sidesteps that by writing nothing to the device. No storage access means the ePrivacy consent rule for the banner is not triggered by the analytics. That is the whole trick, and it is a real one, not a workaround. Fewer banners also means fewer visitors declining, so your numbers are less skewed by the consent gate itself.

GDPR is separate and still applies. If you process any personal data, including an IP address before it is discarded, you owe the usual duties: a lawful basis, data minimization, and honesty about what you keep. Cookieless makes that easy to satisfy because there is so little to keep, but it does not exempt you from GDPR, it just removes the cookie banner that ePrivacy would otherwise force. See how smolanalytics handles data on the security page.

the mechanism

How does it identify a session without device storage?

A cookie exists to answer one question: are these two page loads the same visit? Cookieless analytics answers that question without storing anything, by deriving a short-lived identifier from signals the request already carries. Concretely, it takes a salted mix of IP address, user agent, and the current day, and hashes them into a session key. The salt rotates, the raw values are never stored, and only the hash is kept.

Because that key is stable within a day, page A and page B viewed by the same person in the same visit produce the same hash and group into one session, giving you real sessions, entry and exit pages, and paths. Because the salt and the day roll over, the same person tomorrow produces a different, unlinkable hash, so there is no persistent per-device identifier following anyone around.

The important consequence: there is nothing in the browser to consent to, and nothing that can be exported to identify a device across days. The identity is computed for the length of a visit and then it is gone. That is what makes cookieless both banner-free and genuinely more private, not just cookie-shaped tracking under a different name.

the honest tradeoff

What do you keep, and what do you give up?

Cookieless is a real tradeoff, not a free win, and the honest framing is: you keep everything about how people arrive and what they read, and you give up following an anonymous person across days.

you keep
Accurate visitors, pageviews, sessions, referrers, entry and exit pages, and top content. Everything that answers how people arrive and what they read is intact, because none of it needs a per-device identifier that survives past the day.
you give up
Cross-day and cross-device user identity. Because the session hash rotates daily, you cannot follow the same anonymous person across visits, so long-window user-level retention and stitching one user across phone and laptop are out by design.
still works
Product analytics with a stable per-user id you already own. If a user logs in, you can send a distinct_id server-side for funnels, retention, and cohorts. That identity is yours, not a device cookie, so it does not depend on browser storage.
the honest limit
Cookieless is not a loophole for tracking people without saying so. It counts sessions, not persons over time. If you genuinely need durable cross-visit identity, that is a real cookie or login and its own consent, and no cookieless tool can hand it to you.

The clean rule: cookieless counts sessions, not persons over time. For durable identity you need a login and a distinct_id you own, which is your data and its own consent, not a device cookie. See how the two layers fit together in product analytics.

in practice

How smolanalytics does cookieless analytics

smolanalytics ships a cookieless mode with no consent banner. Sessions come from a salted, rotating hash, nothing is written to the visitor's device, and you still get web analytics (visitors, referrers, entry and exit pages, paths) from one snippet. What makes it different is a few choices about ownership and honesty:

  • 1No banner, no device storage. Cookieless mode is a setting, not a separate product. Turn it on and the tracker writes nothing to the browser, so there is no cookie to disclose and no consent gate to skew your numbers.
  • 2Your own identity when you want it. If users log in, send a distinct_id server-side and you get funnels, retention, and cohorts on top, keyed to an id you own rather than a device cookie. Web analytics stays cookieless; product analytics uses your identity.
  • 3Self-host, so nothing leaves. It is a single MIT-licensed Go binary, stdlib only, roughly 7 bytes per event, no Kafka, ClickHouse, or Postgres. Run it on your own server and the visitor data never touches a third party at all, the strongest version of privacy-friendly.
  • 4Ask in plain English, computed not guessed. Type "what are my top referrers this week?" into a dashboard bar or your own Cursor / Claude over MCP (47 tools, 13 prompts). Every answer is computed from deterministic reports, and a CI agreement test fails the build if the AI answer ever differs from the dashboard.

It deliberately does not do session replay, feature flags, experiments, heatmaps, or surveys. It is for teams who want an owned, cheap, banner-free answer on how their site is doing. See how it compares vs GA4, the roundup of privacy-friendly analytics, or the security page for how data is handled.

Common questions

What is cookieless analytics, in one sentence?
Cookieless analytics measures your site without setting a cookie or storing any identifier in the browser, deriving each session from request signals the server already sees, so it needs no consent banner under GDPR and ePrivacy and counts visitors, pageviews, and referrers without tracking a person across days.
Does cookieless analytics need a cookie consent banner?
No, not for the analytics itself. The EU ePrivacy Directive requires opt-in consent before reading or writing anything in a user's device that is not strictly necessary. A cookieless tool writes nothing to the device, so the storage-access rule that forces the banner does not apply. You still owe GDPR duties for any personal data you process, but the classic cookie banner is not triggered by the analytics.
How does cookieless analytics identify a session without cookies?
It derives a short-lived, rotating session hash from signals the request already carries: a salted mix of IP address, user agent, and the current day, hashed so the raw values are not stored. Pages viewed in the same visit produce the same hash and group into one session; the same visitor tomorrow produces a different, unlinkable hash. There is nothing stored in the browser, so nothing to consent to.
What do you give up by going cookieless?
Cross-day and cross-device per-user identity. Because the session hash rotates daily, you get accurate visits, pageviews, referrers, and sessions, but you cannot follow the same anonymous person across visits or stitch one user across phone and laptop. Long-window user-level retention keyed to an anonymous device is out by design. If a user logs in, you can still send your own distinct_id for product analytics.
How does smolanalytics do cookieless analytics?
smolanalytics ships a cookieless mode that runs with no consent banner: sessions come from a salted, rotating hash, and nothing is written to the visitor's device. You still get web analytics (visitors, referrers, paths) from one snippet, and if users log in you can add a distinct_id for funnels, retention, and cohorts. It is a single MIT-licensed Go binary you can self-host, so the data never leaves your own server.
Start the 14-day trial
no credit card · or self-host free forever (MIT)

keep reading