What is cookieless analytics?
Cookieless analytics is web analytics that measures visits without setting a cookie or storing any identifier in the browser, deriving each session from request signals the server already sees, so it needs no consent banner under GDPR and ePrivacy, collects no persistent per-device identifier, and counts visitors, pageviews, and referrers without tracking a person across days.
How does it identify a session without device storage?
A cookie exists to answer one question: are these two page loads the same visit? Cookieless analytics answers that question without storing anything, by deriving a short-lived identifier from signals the request already carries. Concretely, it takes a salted mix of IP address, user agent, and the current day, and hashes them into a session key. The salt rotates, the raw values are never stored, and only the hash is kept.
Because that key is stable within a day, page A and page B viewed by the same person in the same visit produce the same hash and group into one session, giving you real sessions, entry and exit pages, and paths. Because the salt and the day roll over, the same person tomorrow produces a different, unlinkable hash, so there is no persistent per-device identifier following anyone around.
The important consequence: there is nothing in the browser to consent to, and nothing that can be exported to identify a device across days. The identity is computed for the length of a visit and then it is gone. That is what makes cookieless both banner-free and genuinely more private, not just cookie-shaped tracking under a different name.
What do you keep, and what do you give up?
Cookieless is a real tradeoff, not a free win, and the honest framing is: you keep everything about how people arrive and what they read, and you give up following an anonymous person across days.
The clean rule: cookieless counts sessions, not persons over time. For durable identity you need a login and a distinct_id you own, which is your data and its own consent, not a device cookie. See how the two layers fit together in product analytics.
How smolanalytics does cookieless analytics
smolanalytics ships a cookieless mode with no consent banner. Sessions come from a salted, rotating hash, nothing is written to the visitor's device, and you still get web analytics (visitors, referrers, entry and exit pages, paths) from one snippet. What makes it different is a few choices about ownership and honesty:
- 1No banner, no device storage. Cookieless mode is a setting, not a separate product. Turn it on and the tracker writes nothing to the browser, so there is no cookie to disclose and no consent gate to skew your numbers.
- 2Your own identity when you want it. If users log in, send a distinct_id server-side and you get funnels, retention, and cohorts on top, keyed to an id you own rather than a device cookie. Web analytics stays cookieless; product analytics uses your identity.
- 3Self-host, so nothing leaves. It is a single MIT-licensed Go binary, stdlib only, roughly 7 bytes per event, no Kafka, ClickHouse, or Postgres. Run it on your own server and the visitor data never touches a third party at all, the strongest version of privacy-friendly.
- 4Ask in plain English, computed not guessed. Type "what are my top referrers this week?" into a dashboard bar or your own Cursor / Claude over MCP (47 tools, 13 prompts). Every answer is computed from deterministic reports, and a CI agreement test fails the build if the AI answer ever differs from the dashboard.
It deliberately does not do session replay, feature flags, experiments, heatmaps, or surveys. It is for teams who want an owned, cheap, banner-free answer on how their site is doing. See how it compares vs GA4, the roundup of privacy-friendly analytics, or the security page for how data is handled.