Cookieless website analytics

Published on Mar 22, 2022 and edited on Feb 4, 2025 by Iron Brands

Google Analytics is the default option for tracking your website visitors. Around 85% of websites using an analytics tool use GA4. It's the most powerful analytics tool out there, but in the last couple of years it has come under fire. The Austrian privacy watchdog even openly questioned the legality of using Google Analytics under the GDPR.

Apart from the legality issue (which we will address below), it's worth evaluating whether Google Analytics is the right choice for your website. Normally this was a given, but now, with a growing market of (privacy-friendly) alternatives, it's worth checking your options.

Especially if you care about privacy, just need simple insights, want to be compliant with the law or don't want an annoying cookie banner on your website.

Well, you came to the right place. Let's dive in!

  1. Google Analytics and Cookies
  2. Google Analytics cookie banner
    1. Implementing a cookie banner
    2. Cookie banner results in missing analytics
  3. Using Google Analytics without cookies
    1. Anonymizing Cookies
  4. Cookieless tracking
    1. Privacy-friendly data collection
    2. Privacy-friendly event-tracking
  5. Final Thoughts

💡 Oh one more thing. You don't have to use cookies and add an annoying cookie banner to your website to see your website traffic. Cookie-less analytics solutions like Simple Analytics provide the insights you need without the use of cookies. 100% GDPR-compliant. Feel free to check it out.


Google Analytics and Cookies

Google Analytics is by far the most used analytics tool on the planet. To understand why Google Analytics has come under pressure lately, it's key to know how it works and what implications it brings.

If you install Google Analytics to track your website performance, you need to set first-party cookies to:

  • Identify unique visitors
  • Identify unique sessions
  • Identify traffic source information
  • Determine the start and end of a session

You can access the cookies when you open the developer toolbar (right-click + inspect). By navigating to the 'application' (or 'storage') tab and clicking on 'cookies,' you can see which cookies are used by the specific website.

[Screenshot: cookies of indeed.com inspected via the browser]

As you can see from the screenshot above (taken from the Indeed homepage), the cookie's name is indicated as '_ga'. The second arrow on the screenshot indicates the value:

GA.1.2.1680553188.1645472981

It consists of a version name, the first part, and a unique ID, which is the second part.

The version name: GA.1.2.

The unique identifier: 1680553188.1645472981

The unique identifier consists of two parts. The first part is a randomly generated number. The second part is a timestamp for the first time the visitor visited the page. That way, Google can identify whether someone is a unique visitor or not.

Whenever someone visits a website, Google Analytics looks for the cookie, which is provided by the web browser. If there is a cookie stored, Google knows that the visitor is not unique. If Google can't find a cookie, it means it's a first-time visitor that visited the website. This is how Google Analytics distinguishes between unique visitors and pageviews.
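The split described above, as an added example (not code from Google or from this article): a small JavaScript parser that takes the _ga value shown on this page apart and applies the same new-versus-returning check. The function names are hypothetical, and the sample value is the one from the screenshot.

```javascript
// Added example: decode a _ga cookie value into the parts described above.
// Sample value copied from this page's screenshot.
const SAMPLE_GA = "GA.1.2.1680553188.1645472981";

function parseGaCookie(value) {
  // The last two dot-separated fields form the unique identifier;
  // everything before them is the version prefix.
  const fields = String(value).trim().split(".");
  if (fields.length < 4) return null;
  const [randomId, firstVisit] = fields.slice(-2);
  if (!/^\d+$/.test(randomId) || !/^\d+$/.test(firstVisit)) return null;
  return {
    version: fields.slice(0, -2).join("."),
    clientId: `${randomId}.${firstVisit}`,
    randomId,
    // The second part is a Unix timestamp (seconds) of the first visit.
    firstVisit: new Date(Number(firstVisit) * 1000).toISOString(),
  };
}

// Mirrors the logic above: a browser that sends a valid _ga cookie is a
// returning visitor, one without it is counted as new.
function classifyVisitor(cookieHeader) {
  for (const pair of (cookieHeader || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === "_ga") {
      const parsed = parseGaCookie(pair.slice(idx + 1));
      if (parsed) return { returning: true, ...parsed };
    }
  }
  return { returning: false };
}

console.log(parseGaCookie(SAMPLE_GA));
console.log(classifyVisitor("lang=en; _ga=" + SAMPLE_GA));
```

The decoded first-visit time shows that the cookie is both a persistent identifier and a record of when that browser was first seen.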

To go into more depth on the ins and outs of Google Analytics cookies, check this article.

Under the ePrivacy Directive, all cookies require the user's consent except for strictly necessary cookies. Cookies for web analytics always require the user's consent, whether they are from GA or from a different software.

If you use cookie-based analytics without a cookie banner, you are violating the law under the GDPR. There is also a specific way to include cookie banners on your website. They need to be "opt-in", meaning a website visitor needs to give explicit consent. You can't say "hey, just so you know, we are using cookies". The website visitor needs to give permission to do so.

As discussed, if you install Google Analytics, you need to show a cookie banner to ask for consent. Here is how to implement this quickly: (obviously, there is a way around this: Use a cookie-less analytics solution)

  1. Don't read or write analytics cookies if you don't have consent. Test your implementation to ensure that the GA script checks for consent before writing cookies.

  2. Give visitors a clear, immediate, and visible option to refuse cookies. Don't force them to go through endless options to refuse them! Tricks like that may improve your opt-in rates, but they are not GDPR compliant and authorities are starting to crack down on them.

  3. Have a comprehensive and well-written privacy policy, but also give the essential information in your cookie banner! See this blog for a few hints.

  4. Be transparent regarding the details of the Google Analytics cookies you are using. According to privacy regulations, consent is only valid if it constitutes an informed decision. You need to explain what type of cookies you are using and for what purpose.
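One way to run the test from step 1, as an added example (not part of the original article or of any Google tooling): record document.cookie at each stage of a banner test and flag Google Analytics cookies that exist without an opt-in. The function names and the sample run are constructed for illustration.

```javascript
// Added example: audit cookie snapshots taken while testing a consent banner.
// Google Analytics cookie names: _ga, _gid, _gat, _gac and suffixed variants
// such as _ga_<container id>.
const GA_COOKIE_NAME = /^_(ga|gid|gat|gac)(_|$)/;

// Return the analytics cookie names found in a document.cookie-style string.
function findAnalyticsCookies(cookieString) {
  return (cookieString || "")
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => GA_COOKIE_NAME.test(name));
}

// Each snapshot holds the consent state and the value of document.cookie at
// that moment. Analytics cookies are acceptable only after an explicit opt-in.
function auditConsent(snapshots) {
  const violations = [];
  for (const { step, consent, cookies } of snapshots) {
    const found = findAnalyticsCookies(cookies);
    if (consent !== "granted" && found.length > 0) {
      violations.push({ step, consent, cookies: found });
    }
  }
  return violations;
}

// Constructed snapshots from a hypothetical test run.
const SAMPLE_RUN = [
  { step: "page load", consent: "unset",
    cookies: "lang=en; _ga=GA.1.2.1680553188.1645472981" },
  { step: "clicked reject", consent: "denied",
    cookies: "lang=en; banner=dismissed" },
  { step: "clicked accept", consent: "granted",
    cookies: "lang=en; _ga=GA.1.2.1680553188.1645472981; _gid=GA.1.2.111.222" },
];

// Reports the page-load snapshot: _ga was written before any choice was made.
console.log(auditConsent(SAMPLE_RUN));
```

In a real test, take each snapshot in a fresh browser profile so cookies from an earlier accepted session do not mask the result.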

More people are taking privacy seriously and often reject cookies when given a chance. This puts websites between a rock and a hard place. If you give users a transparent choice not to be tracked, many will take it, and you will find yourself with less data. And if you use deceiving and confusing cookie banners to make rejection harder, you risk violating the GDPR (and being held liable for it).

Cookie rejection is not the only problem. More and more users browse the web with ad-blockers and similar anti-tracking technologies. Depending on their settings, these users could be ghosts in your web analytics. They don't even need to bother rejecting your cookies: their browser does the work.

We created a real-life case study around this with media production company Hebban. They used both Google Analytics (cookie-based) and Simple Analytics (cookie-less) to benchmark. This resulted in a 20% data loss in their Google Analytics dashboards as a result of the cookie banner. Here is the full case study.

Using Google Analytics without cookies

If you are looking at doing this, you might as well switch to a cookieless analytics solution that is built with privacy by design. Google's entire business model is mining enormous amounts of personal data. Google Analytics is not built to be used in a privacy-friendly way.

However, there are a few actions you can take to improve the privacy aspect of your GA4 setup.

Anonymizing Cookies

Google Analytics cookies contain unique identifiers called Client IDs. These IDs allow Google Analytics to recognize a user (more exactly, a browser) for the purpose of metrics such as new visitors.

Whether cookies can be anonymized depends on the jurisdiction and on the definition of personal data. In the EU, all unique identifiers are by definition personal data and cannot be anonymized. The most privacy-friendly option would be setting cookies to a very short duration, which greatly decreases Google Analytics' performance.

This setup may still not be enough to anonymize the data, given how much more personal data Google collects both through Google Analytics and from other sources. In fact, the data from Google Accounts alone are basically enough to de-anonymize all the rest (as pointed out by several data protection authorities in the Google Analytics cases).

In theory, Google Analytics offers a "consent mode" that provides some information about non-tracked users through behavioral modeling (that is, by drawing inferences from other data Google already has). But behavioral modeling works poorly if you use it as your sole source of data!

Cookieless tracking

We mentioned it a couple of times before, but there are privacy-friendly website solutions that take care of privacy while still providing the insights you need. Simple Analytics does exactly that.

After installing Google Analytics scripts for several years, our founder Adriaan didn't feel quite like sending so much data to Google for free. So he came up with a solution to provide insights without invading the privacy of website visitors.

This means that website visitors don't need to interact with an annoying cookie banner before they enter your website. Simple Analytics is 'out-of-the-box' compliant with GDPR.

Here is how that looks:

Try for yourself.

Privacy-friendly data collection

The general take on cookie-less web analytics tools is that you trade more privacy for less data. This is true because you collect fewer data points. However, it does not necessarily mean that analytics without cookies is less accurate. Cookie-based web analytics tools are not bulletproof either.

To get an overview of the metrics that privacy-friendly analytics solutions collect, check this full list.

Privacy-friendly event-tracking

With Simple Analytics, it is still possible to track event counts. It is based on aggregate data, meaning that we can't collect data on individuals triggering the event.

You can add our automated events script or add your own custom events to track your metrics. In addition, you can still use URL parameters to see where your traffic is coming from. For example, to track ad campaigns or newsletter visitors.

Final Thoughts

Website analytics doesn't have to be complex, privacy intrusive or cookie-based with annoying cookie banners. Ask yourself: what data do you really need? Do you need to track every individual move of a website visitor? If that's the case, Simple Analytics might not be your tool.

However, if you are looking for a solution that is...

...GDPR-compliant 'out of the box'

...Doesn't require an annoying cookie banner

...Accurately tracks all website visits

...And Simple to understand and use (see our live dashboard)

You might want to give us a try.