GDPR-Compliant Analytics Without a Consent Banner
I spent way too long fiddling with cookie consent banners. Trying to get the styling right, making sure the “Reject All” button actually worked, worrying about whether my implementation would pass muster if a regulator came knocking.
Then I learned I could just… not have one. Legally. By switching how I track analytics.
The consent banner problem
The GDPR says you need informed consent before processing personal data or setting non-essential cookies. Google Analytics does both — it drops cookies and processes IP addresses, user IDs, and cross-site tracking data. So you need a banner.
The ePrivacy Directive (the “cookie law”) piles on more: consent is required before storing anything on a user’s device.
This isn’t theoretical. Austria’s DPA, France’s CNIL, Italy’s Garante — they’ve all ruled that Google Analytics violates GDPR. If you’re running GA without proper consent in the EU, you’re exposed.
But GDPR doesn’t ban analytics
This is the part people miss. The law doesn’t say “you can’t measure traffic.” It says you can’t process personal data without a legal basis. If your analytics tool collects zero personal data and sets zero cookies, there’s nothing to consent to. Not a loophole — that’s the actual intent of the regulation.
The CNIL has been the most explicit about this. Their guidance spells out that analytics tools exempt from consent must: not use cookies or similar trackers, not collect personal data, serve only aggregate audience measurement, and not share data with third parties.
Tools that meet all four criteria don’t need a banner. Period.
What “cookieless” actually looks like in practice
When we built HushStats, we made specific decisions to stay on the right side of this:
We don’t set cookies or touch localStorage. We don’t store IP addresses — the country is derived at request time and the IP is discarded. We don’t fingerprint browsers. We don’t build user profiles. We don’t share data with anyone.
What we do is count pageviews, estimate unique visitors through a privacy-safe HTTP header technique, and record the page URL, referrer, country, browser, and device type. Everything is aggregate from the moment it hits our servers. There’s no individual-level data to protect because it doesn’t exist.
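A sketch of what aggregate-from-ingest storage can look like, as an added example rather than HushStats' own code. The function names, the sample GeoIP table, and the choice to drop query strings and keep only the referrer hostname are assumptions of this example; the unique-visitor estimate is left out because the post does not describe that technique.

```javascript
// Added example: aggregate-only pageview ingestion. All names are hypothetical.
// Constructed sample data: documentation IP ranges mapped to country codes.
const SAMPLE_GEO = { "203.0.113.": "AU", "198.51.100.": "DE" };

// Stand-in for a real GeoIP lookup; only the country code leaves this function.
function countryFromIp(ip) {
  const prefix = Object.keys(SAMPLE_GEO).find((p) => ip.startsWith(p));
  return prefix ? SAMPLE_GEO[prefix] : "ZZ";
}

// Reduce a User-Agent to coarse buckets so the raw string is never stored.
function classifyUserAgent(ua) {
  const browser = /Firefox\//.test(ua) ? "Firefox"
    : /Edg\//.test(ua) ? "Edge"
    : /Chrome\//.test(ua) ? "Chrome"
    : /Safari\//.test(ua) ? "Safari" : "Other";
  const device = /Mobi|Android/.test(ua) ? "mobile" : "desktop";
  return { browser, device };
}

// Fold one request into the counters. The IP and the raw User-Agent are used
// only inside this call and are never written to the counters.
function ingest(counters, req, day) {
  const { browser, device } = classifyUserAgent(req.userAgent || "");
  const country = countryFromIp(req.ip);
  // Assumption of this example: keep origin + path and drop the query string
  // and fragment, since those can carry identifiers.
  const u = new URL(req.url);
  const page = u.origin + u.pathname;
  // Assumption of this example: keep only the referrer's hostname.
  let referrer = "direct";
  try { referrer = new URL(req.referrer).hostname; } catch { /* absent or malformed */ }
  const key = JSON.stringify([day, page, referrer, country, browser, device]);
  counters.set(key, (counters.get(key) || 0) + 1);
  return key;
}

// Constructed requests: two different IPs that land in the same bucket.
const counters = new Map();
const ua = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0";
ingest(counters, { ip: "203.0.113.7", url: "https://example.com/pricing?email=a%40b.c",
  referrer: "https://news.example.org/item?id=1", userAgent: ua }, "2024-05-01");
ingest(counters, { ip: "203.0.113.99", url: "https://example.com/pricing",
  referrer: "https://news.example.org/", userAgent: ua }, "2024-05-01");
```

After both calls the map holds one row with a count of 2, and nothing in it can be traced back to either request's IP address or query string.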
Why this matters beyond compliance
Getting rid of the consent banner isn’t just a legal win. It’s a UX win.
Studies put the number at 10-30% of visitors who bounce immediately when they see a consent popup. That’s traffic you’re losing before anyone reads a word. And the visitors who stay? The ones who click “Reject”? GA doesn’t track them at all. So your analytics are only showing you the subset of visitors who clicked “Accept” — which skews everything.
With cookieless analytics, you see all your traffic. No selection bias. No consent fatigue. Just accurate numbers.
There’s also the dirty secret of consent banners: most are implemented wrong. Pre-checked boxes, dark patterns that make “Accept” easier than “Reject”, no real way to opt out. A badly implemented banner can be worse than no banner, because it creates a false sense of compliance while actually violating the regulation. With cookieless analytics, there’s nothing to misconfigure.
Making the switch
Pull out Google Analytics and your consent management platform. Add a single cookieless tracking script. Your pages load faster, your data gets more accurate, and you can stop worrying about whether your cookie banner meets the latest regulatory guidance.
The best consent banner is the one you don’t need.