The cookieless future, explained
Cookieless tracking
The industry is moving off cookies — pushed by browsers, regulators, and visitors who decline every banner. Here's what cookieless tracking is, how the techniques actually differ, and which tools get it right.
What is cookieless tracking?
Cookieless tracking is measuring website traffic without storing identifiers on the visitor's device — no cookies, no `localStorage`, no fingerprinting. Instead of tagging each browser with a persistent ID and following it around, a cookieless system counts visits as they happen and derives short-lived visitor identity server-side, from data the browser already sends with every request.
That distinction matters legally as much as technically. GDPR and the ePrivacy Directive hinge on device storage and persistent identifiers: set a cookie (or any equivalent) for analytics, and you need consent. Store nothing and anonymize at collection, and there's nothing to consent to. Compliant cookieless analytics is exempt from the banner entirely.
One important boundary: "cookieless" is not a synonym for "compliant." Fingerprinting is also technically cookieless — and it's worse for privacy than cookies, because users can't clear it. Regulators treat it accordingly. When this page says cookieless tracking, it means the privacy-preserving kind: no device storage and no persistent identity.
Why the industry is going cookieless
- Browsers moved first. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection block third-party cookies by default and cap the lifetime of script-set first-party cookies. A large share of your visitors is already invisible to cookie-based cross-site tracking, whatever Chrome does next.
- Regulators tightened the screws. GDPR and ePrivacy made analytics cookies consent-gated across the EU, and DPAs in France, Austria, and Italy spent years ruling against Google Analytics setups over data transfers. Every ruling makes cookie-based measurement more expensive to defend.
- Consent banners broke the data anyway. When visitors are actually given a fair choice, 30–60% decline. Cookie-based analytics in the EU now measures a self-selected minority of your audience — and you paid for a banner that hurts conversions to get that partial picture.
- Banner fatigue is real. Visitors reflexively dismiss consent prompts, and every one of them is friction on the exact first pageview where you're trying to make an impression.
Add it up and the "cookieless future" isn't a prediction — it's the current state. The question left for site operators is which cookieless technique to adopt.
How does cookieless tracking work?
Three approaches get sold under the cookieless label, and they are not interchangeable:
- Server-side salted-hash counting. The approach Plausible and Fathom pioneered and Gizmo uses. A tiny script fires one request per pageview; the server hashes IP + User-Agent with a salt that rotates daily, and that hash is the visitor ID. Raw IPs are never stored, and after the salt rotates, yesterday's IDs can't be linked to today's. You get accurate daily uniques, sources, and conversions with zero device storage — this is the fully consent-exempt option. Curious about the implementation details? See how our cookieless tracker works under the hood.
- First-party server-side tagging. You route tracking through your own domain (e.g. a server-side Google Tag Manager container) so browser blockers can't distinguish it from your site's own traffic. This restores data that ad blockers ate, but it usually still assigns persistent user IDs — so it's cookieless-ish plumbing, not a consent exemption. If it identifies users across sessions, the banner obligation stays.
- Fingerprinting. Deriving a stable ID from browser characteristics — canvas, fonts, screen, timezone. Technically cookieless, deliberately persistent, and explicitly covered by ePrivacy rules on device identifiers. It is not compliant cookieless tracking, and tools that quietly rely on it should be treated as cookie-based for legal purposes.
The litmus test is simple: can the system recognize the same visitor next week? If yes, it's tracking identity and inherits identity's legal obligations, cookies or not. If no, it's counting — and counting is what consent-free analytics is allowed to do.
What about GA4 without cookies?
Google's answer to the cookieless shift is consent mode. When a visitor declines cookies, GA4 drops to anonymous "cookieless pings," then uses machine-learning models to estimate the sessions and conversions it couldn't observe and blends those estimates into your reports. That's a reasonable patch for advertisers who need campaign numbers, but call it what it is: modeled data filling a consent gap, not cookieless analytics. Part of your dashboard is measurement and part is inference, and GA4 doesn't draw a bright line between them.
Meanwhile, for every visitor who accepts, GA4 still sets first-party cookies — so the consent banner stays, the declines keep happening, and the modeling never stops. If your goal is complete, real data with no banner, GA4 can't get you there by design; its value depends on the persistent user identity that cookieless analytics deliberately gives up.
Go cookieless in one prompt
Gizmo Analytics is cookieless from the ground up: one ~1KB script, visitor IDs from a daily-rotating salted hash, no raw IPs stored, no fingerprinting, no banner needed. Tell Cursor, Claude, or Codex to install it and the MCP server handles setup — then you can query traffic, goals, and funnels from the same chat. Free forever for 10k events / month, unlimited sites.
Cookieless tracking solutions compared
The good news about cookieless tracking tools: the core mechanics have converged, so you're choosing on workflow and price rather than fundamentals. The main players:
- Gizmo Analytics — cookieless analytics built MCP-first: your AI coding agents can install tracking, query traffic, and build funnels in one prompt. Tracks AI-assistant referrals (ChatGPT, Claude, Perplexity) as a source. Free forever for 10k events / month, unlimited sites.
- Plausible — the open-source standard-bearer for simple, hosted, cookieless analytics; EU-hosted, paid-only after trial.
- Fathom — polished hosted cookieless analytics with an emphasis on uptime and email reports; paid-only.
- Umami — open-source and genuinely free if you self-host; you own the infrastructure and the maintenance that comes with it.
- Matomo (cookieless mode) — the full GA-style feature suite can run without cookies, but cookieless operation is a configuration you enable and some features degrade without it; the most capable and the most work.
Any of these beats a consent-gated GA4 install for honest traffic numbers. Pick Umami for self-hosting, Matomo for feature depth, Plausible or Fathom for hosted simplicity — and Gizmo if you want analytics your AI tools can operate for you.
FAQ
- Is cookieless tracking GDPR-compliant?
- Done properly, yes — and it's the easiest path to compliance. GDPR and the ePrivacy Directive regulate storing identifiers on a user's device and processing personal data. A cookieless tool that stores nothing on the device and anonymizes IP addresses at ingestion (salted hash, raw IP discarded, salt rotated daily) processes no personal data it can tie back to a person, so no consent is required. The caveat: 'cookieless' via fingerprinting is NOT compliant — ePrivacy covers any persistent device identifier, not just cookies. Always check how a tool builds its visitor IDs.
- Is cookieless tracking accurate?
- For traffic analytics, it's usually MORE accurate than cookie-based tracking in practice. Cookie-based tools lose 30–60% of EU visitors to consent declines, plus everyone running an ad blocker that filters Google domains. Cookieless tools count everyone. The trade-off is precision on returning visitors: with a daily-rotating hash, someone visiting Monday and Tuesday counts as two visitors. Within a single day, counting is very accurate. Across days, you slightly over-count uniques — a known, consistent bias rather than the unpredictable gap consent banners create.
- Does GA4 support cookieless tracking?
- Not really. GA4's answer is consent mode: when a visitor declines cookies, GA4 sends cookieless pings and then uses machine learning to model what that visitor probably did, blending modeled estimates into your reports. That's behavioral modeling on top of missing data, not cookieless measurement. With full consent, GA4 still sets first-party cookies (_ga) and still requires a consent banner in the EU. If you want actual cookieless analytics — every visitor counted, no banner, no modeled gap-filling — you need a tool designed for it.
- What is the difference between cookieless tracking and fingerprinting?
- They're opposites wearing the same marketing label. Fingerprinting combines browser traits (canvas rendering, fonts, screen size, plugins) into a stable identifier that survives cookie clearing — its whole purpose is recognizing the same user across sessions without their knowledge. Compliant cookieless analytics does the reverse: it derives a short-lived visitor ID (typically a daily-rotating salted hash of IP + User-Agent) that is deliberately impossible to link across days. If a 'cookieless' tool can tell you a visitor came back last week, it's fingerprinting, and it carries the same consent obligations as cookies.
- Do I still need a cookie banner with cookieless analytics?
- Not for the analytics. If a compliant cookieless tool is the only tracking on your site, there's nothing to consent to — no device storage, no personal data retained. You only need a banner if something else on the site sets cookies or tracks users: ad pixels, embedded videos with tracking, a chat widget, GA4 running in parallel. Many teams switch to cookieless analytics precisely so they can delete the banner entirely and stop losing conversions to it.
- What does the cookieless future actually look like?
- Third-party cookies are effectively dead — Safari and Firefox block them by default, and regulators keep tightening the rules on everything that tried to replace them. First-party measurement is consolidating around two camps: privacy-first analytics (no identifiers at all, aggregate data, no consent needed) and server-side first-party setups (you still identify users, you still need consent, but you control the data). For most site operators, the pragmatic move is the first camp for traffic analytics, with product analytics or ad platforms layered on only where the business genuinely needs identity.
- Which cookieless tracking tool should I choose?
- They're closer to each other than their pricing pages suggest — Plausible, Fathom, Umami, and Gizmo all use the same daily-rotating-hash approach and cover pageviews, sources, goals, and campaigns. Decide on the edges: Umami if you want to self-host, Matomo if you need a GA-style feature surface and accept configuration work, Plausible or Fathom for polished hosted simplicity, Gizmo if you want your AI tools in the loop — its MCP server lets Cursor, Claude, or Codex install tracking and query your traffic in one prompt, free for 10k events a month on unlimited sites.
Keep reading
- Website tracking without cookiesHow cookieless tracking works and what it can measure.
- Do you need cookie consent for Google Analytics?The legal answer, country by country — and how to skip the banner.
- Is Google Analytics GDPR-compliant?Where GA4 stands legally in the EU, and your options.
- Privacy-friendly analyticsGDPR-safe analytics without consent banners.