Cookieless tracking is one of those phrases that means six different things depending on who you ask. Vendors use it to mean “we don’t set a cookie.” Privacy advocates use it to mean “we don’t identify users at all.” Marketers use it to mean “the data still flows somehow.” In Europe in 2026, only one of those interpretations holds up to legal scrutiny — and it’s narrower than most teams realize.
I’ve been migrating European teams off cookie-based analytics since the GDPR took effect, and the patterns that survive are not the ones the marketing pages promise. This article walks through what actually works under EU regulators today, what I avoid recommending, and the trade-offs nobody puts in the comparison tables.
What “Cookieless” Actually Means in Europe
In the EU regulatory context, “cookieless” should mean: no consent banner is required, no personal data leaves the user’s device without permission, and no fingerprinting is used to reconstruct identity. Anything that fails one of those tests is just cookies-by-another-name as far as a regulator is concerned.
This narrower definition rules out a lot of what gets marketed as cookieless. Browser fingerprinting is not cookieless. Server-side tracking that still ties events to a logged-in user identity is not cookieless. First-party storage that persists a unique ID across sessions is not cookieless. The ePrivacy Directive treats them all as identifiers requiring consent.
The Patterns That Actually Work
Here are the approaches I’ve seen survive a regulator review. Each has trade-offs, and you’ll usually end up combining two or three.
1. Aggregate Server-Side Counters
The simplest and most defensible approach. Your server counts events as they happen — pageviews, signups, purchases — without ever associating them with an individual visitor. The data exists only as totals: 12,000 pageviews today, 240 signups, 80 purchases. No user table, no session table, no cookies, no consent required.
The trade-off is obvious: you can’t slice. You don’t know which channel drove the signups, you don’t know how many were returning visitors, and you can’t run cohort analysis. For top-of-funnel awareness metrics, this is fine. For anything diagnostic, you’ll need more.
2. Session-Scoped Anonymous Identifiers
A random ID generated per session, kept only in memory or in a short-lived encrypted cookie that expires when the tab closes. The ID never persists across sessions, which means you can do single-session funnel analysis without identifying anyone over time.
This pattern is widely accepted under the ePrivacy Directive’s “strictly necessary” exemption when the ID is genuinely session-scoped and can’t be used to track the user. The trade-off is that you lose all multi-session and multi-device analysis. A user who comes back tomorrow looks like a brand new visitor.
3. Consented First-Party Tracking
This is the one most teams default to: a clean consent banner, real opt-in, and full identification for users who say yes. Done well, this gives you the deepest data, fully GDPR-compliant, with no fingerprinting tricks. Done badly, it gives you 10% opt-in and skewed reports.
The trick is to make the banner small and honest, and not to punish users who decline. The hidden part of the trade-off: you must run the cookieless aggregate counters in parallel for users who decline; otherwise you have no idea what your real traffic looks like.
4. Privacy-Preserving Aggregation Protocols
Newer techniques like differential privacy and secure multi-party computation let you compute aggregate statistics about a user population without ever centralizing the underlying data. Apple’s Private Relay and Google’s Privacy Sandbox proposals work this way at the platform level. A handful of analytics vendors are starting to ship them.
These are genuinely cookieless and genuinely useful. The trade-off is complexity: most product teams can’t operate them in-house, so you become dependent on a vendor’s implementation. And the noise floor of differential privacy means small cohorts disappear into statistical fuzz.
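To make the noise floor concrete, here is an added example (not from any vendor's implementation) that applies the standard Laplace mechanism to daily counts and measures how far the released number drifts from the true one. It assumes each visitor contributes at most 1 to a count (sensitivity 1) and an illustrative privacy budget of epsilon = 0.1; the cohort sizes reuse the totals from the aggregate-counter section plus one constructed small cohort.

```python
import random

# Constructed cohort sizes: three totals from the article plus one small cohort.
COHORTS = {"pageviews": 12000, "signups": 240, "purchases": 80, "niche campaign": 5}


def laplace_noise(scale, rng):
    # The difference of two i.i.d. exponentials with mean `scale`
    # is distributed as Laplace(0, scale).
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def dp_count(true_count, epsilon, rng):
    # Assumption: a counting query has sensitivity 1, so scale = 1 / epsilon.
    return true_count + laplace_noise(1 / epsilon, rng)


def mean_relative_error(true_count, epsilon, trials=20000, seed=7):
    """Average |released - true| / true over many simulated releases."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    total = sum(abs(dp_count(true_count, epsilon, rng) - true_count)
                for _ in range(trials))
    return total / trials / true_count


def report(epsilon=0.1):
    return {name: mean_relative_error(n, epsilon) for name, n in COHORTS.items()}


if __name__ == "__main__":
    for name, err in report().items():
        print(f"{name:15s} n={COHORTS[name]:6d}  mean relative error {err:8.2%}")
```

The absolute noise is the same for every cohort (about 1/epsilon), so the 12,000-pageview total is barely affected while the five-visitor cohort is off by roughly twice its own size.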
What I Don’t Recommend Anymore
- Browser fingerprinting as a “cookieless alternative.” It’s an identifier under the ePrivacy Directive. Several EU DPAs have explicitly ruled against it. Vendors who hide fingerprinting under the cookieless label are setting their customers up for an enforcement action.
- IP-based identification, even hashed. The CJEU has consistently treated IP addresses as personal data. Hashing doesn’t change the legal status when the hash is reversible or used for tracking.
- Local storage tricks that persist an ID outside cookies. The ePrivacy Directive talks about storing or accessing information on a user’s device, regardless of the storage mechanism. localStorage is in scope.
- “Cookieless GA4” via Consent Mode v2 alone. Consent Mode reduces the data sent when consent is denied, but the underlying tracking model still relies on identifiers. It’s a mitigation, not a true cookieless implementation.
The Realistic Setup for European Teams in 2026
Here’s the architecture I recommend for most European product teams today. It combines three of the patterns above and gives you usable analytics without legal anxiety.
- Aggregate server-side counters for top-line traffic and conversion totals. Always on, no consent required, gives you the absolute baseline.
- Session-scoped anonymous IDs for single-session funnel analysis. Always on, gives you onboarding diagnostics for users who decline cookies.
- Consented first-party tracking for users who opt in. Gives you cohort, retention, and personalization data — but only on the subset of users who agreed.
Three layers. Each one is independently legal. Together they give you about 80% of the analytical power of a full identity-based setup, with about 5% of the regulatory risk.
Common Mistakes
- Treating cookieless as a single decision. It’s a layered architecture. You’ll combine multiple patterns, not pick one.
- Skipping the legal review. Your DPO needs to sign off on the implementation, not just the vendor selection. The implementation details are where most violations hide.
- Reporting cookieless numbers as if they were complete. If half your visitors decline cookies, your consented dataset is biased. Always report the aggregate counter alongside the consented number.
- Buying a vendor’s claim at face value. Read the actual data flow. If the vendor sets any persistent identifier — including in localStorage or in a server-side database keyed to the user — it’s not cookieless under EU law.
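One way to start reading the data flow is to capture the Set-Cookie headers a vendor's endpoint returns and separate session cookies from persistent ones. The following is an added example, not code from any vendor or from the tools named in this article; the header values are constructed samples.

```python
# Constructed sample Set-Cookie header values.
SAMPLE_HEADERS = [
    "sid=4f1c9a; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_vid=9b2e77d0; Max-Age=34560000; Path=/; Secure",
    "uid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "old=; Max-Age=0; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(header):
    """Return (cookie name, 'session' | 'persistent' | 'deletion')."""
    name, _value, attrs = parse_set_cookie(header)
    try:
        seconds = int(attrs["max-age"])
    except (KeyError, ValueError):
        seconds = None  # absent or malformed Max-Age: fall back to Expires
    if seconds is not None:
        # Max-Age takes precedence over Expires; zero or negative deletes.
        return name, "deletion" if seconds <= 0 else "persistent"
    if "expires" in attrs:
        # Dates are not parsed here: any Expires is flagged for manual review.
        return name, "persistent"
    return name, "session"  # no lifetime attribute: dropped with the session


def persistent_cookies(headers):
    """Names of cookies that would outlive the browsing session."""
    return [n for n, kind in map(classify, headers) if kind == "persistent"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h))
```

This covers only the cookie part of the flow; localStorage writes and server-side tables keyed to a user need to be checked separately.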
FAQ
Is server-side tracking cookieless?
Not automatically. Server-side tracking moves the collection point from the browser to your server, but if your server still associates events with a persistent user ID, it’s still tracking under the ePrivacy Directive. Server-side becomes cookieless only when the events stay aggregate or session-scoped.
Do I still need a consent banner with cookieless analytics?
You don’t need a consent banner for the aggregate or session-scoped layers, because they don’t store or access information on the user’s device beyond what’s strictly necessary. You do need consent for the first-party tracking layer if it persists identifiers across sessions.
Will my conversion tracking still work for ad platforms?
Partially. Without persistent identifiers, you can pass aggregate conversion totals to ad platforms but you lose user-level matching. Most platforms have introduced server-side conversion APIs and aggregated event measurement to bridge this gap. Expect lower attribution accuracy and plan for it in your reporting.
Are Plausible and Matomo really cookieless?
Plausible is genuinely cookieless by default — it uses session-scoped hashes derived without persistent storage. Matomo can be configured cookieless but requires specific settings. Always verify the exact configuration before claiming cookieless compliance to your DPO.
Conclusion
The honest version of cookieless tracking in Europe is that you give up some analytical depth in exchange for a setup that doesn’t require constant legal vigilance. For most product teams, that trade is worth making. The aggregate baseline plus session-scoped funnels plus a clean consent path will give you 80% of what you need, and the missing 20% wasn’t reliable under the new rules anyway.
Start with the aggregate counters this week. Add session-scoped funnels next sprint. Layer in a clean consent banner only after the cookieless baseline is running. That order keeps you legally safe while you migrate.