tutorial

Cookieless analytics: do you still need a consent banner?

You switched from Google Analytics to a cookieless tool like Plausible. Good. Now: do you still need that cookie banner, and what do you owe under GDPR? The honest answer.

Klaus Decaux
June 15, 2026
8 min read

You replaced Google Analytics with something cookieless. Plausible, perhaps, or Fathom, or a self-hosted equivalent. The pages load faster, the script is about a kilobyte, and the dashboard is refreshingly readable.

Then the question arrives, usually around the second coffee: do I still need that cookie banner? And while we are at it, have I actually solved my GDPR problem or just moved it?

The short answer is: no banner, but one line in your privacy policy. The longer answer is worth eight minutes, because most of the confusion online comes from people treating two different laws as if they were one.

The trap: two laws, not one

Almost every argument about cookie banners is really two arguments wearing the same coat. Separate them and the whole topic becomes calm.

The ePrivacy Directive (the thing people call “the cookie law”) governs storing or reading information on a user’s device. Cookies, localStorage, device fingerprints, anything you put on or pull off their machine. This is the law that triggers the consent banner. If you store nothing on the device, it has nothing to act on.

The GDPR is a different instrument. It governs the processing of personal data, wherever and however that happens, banner or no banner. Its concern is not “did you set a cookie” but “are you processing data about an identifiable person, and have you been transparent and lawful about it.”

Keep those apart and the rule falls out naturally. A consent banner is about device storage. It is not, despite years of folklore, a general-purpose “we have analytics” disclaimer. So the real question is not “do I have analytics” but “does my analytics write anything to the visitor’s device.”

Why Plausible needs no banner

Plausible, including the self-hosted Community Edition, is cookieless by design. It does not set cookies. It does not use localStorage or sessionStorage. It writes nothing to the visitor’s device at all.

That immediately puts it outside the ePrivacy Directive’s trigger. No storage on the device means no consent required for that storage, which means no banner. This is not a loophole; it is simply what the law says when you read it literally.

The natural objection is: then how does it count returning visitors without a cookie? The answer is a daily-rotating hash. Roughly, it computes a hash of the visitor’s IP address, their user agent, your domain, and a server-side salt that is regenerated every 24 hours and then discarded. The raw IP is never stored. Once the salt rotates, yesterday’s hashes cannot be linked to today’s, so there is no persistent identifier following anyone around.

That design is deliberate. It is what lets the tool count unique visitors while keeping the processing transient and non-identifying, which is also why it sits comfortably on the right side of GDPR. Self-hosting the Community Edition behaves identically; the difference is where the data lives, not how it is collected.

What you do still owe: one line in your privacy policy

Here is the part the internet tends to skip, usually in the rush to celebrate deleting the banner.

Cookieless does not mean invisible. You are still, however briefly, processing request data to produce those visitor counts. GDPR’s transparency principle (Article 13) asks you to tell people what you are doing. So even with no banner and no consent required, you should mention your analytics in your privacy policy.

It does not need to be elaborate. One honest sentence covers it:

We use Plausible Analytics, a privacy-friendly, cookieless tool that we host on our own EU server. It sets no cookies and does not collect personal data.

That is the whole obligation. No pop-up, no “Accept All” button, no friction for the visitor. Just an accurate line in a document you should have anyway.

Which is, quietly, the catch with the whole exercise. Removing the banner is easy. Keeping a privacy policy that is actually accurate, and that stays accurate as you add Stripe, or a new email provider, or a support widget, is the part that drifts out of date the moment you stop paying attention. That maintenance is exactly what GDPR.Direct exists to handle: hosted privacy pages that you update in minutes rather than rediscover during an audit.

Self-hosted or managed? A short detour

If you are choosing between managed Plausible and self-hosting the Community Edition, the compliance answer is the same either way. Cookieless is cookieless. The differences are operational:

  • Data residency. Self-hosting on an EU server keeps the data under your control and inside the EU, which removes the international-transfer questions that follow US-based tools around.
  • Cost. Self-hosting is essentially the price of a small server. Managed is a subscription that scales with pageviews.
  • Effort. Managed is a signup. Self-hosting is a server you now own, with the backups and uptime that implies.

Pick based on how much infrastructure you want to babysit. None of it changes whether you need a banner. (A proper self-hosting walkthrough is a separate post; this one is about the law, not the Docker file.)

The one thing that brings the banner back

There is a way to undo all of this without noticing, so it is worth saying plainly.

The moment you also load Google Analytics, or a gtag script, or the Meta pixel, the banner comes straight back. GA4 sets cookies (_ga and friends). That is device storage, that is the ePrivacy trigger, and that requires prior consent with a genuine “Reject All” that is as easy to click as “Accept All.”

This matters because privacy-first analytics setups are often provider-agnostic by design, ours included: a single trackEvent call can dispatch to both a cookieless tool and to gtag if one happens to be present. That flexibility is useful, for instance if you later add Google Ads conversion tracking. But it means the decision to add gtag is also a decision to reintroduce a consent banner on that site. Make it deliberately, not by copy-pasting a snippet you found in a marketing tutorial.
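The following is an added example of the provider-agnostic pattern just described, written for this post rather than taken from any project's code. It assumes two providers exposed as page globals (`plausible` and `gtag`, mirroring what those scripts define) and a `hasConsent` function you wire to your own consent state; all three are assumptions. The cookieless provider is always called, gtag only after prior consent, and a small self-check answers the question this post keeps returning to: does anything on this page write to the visitor's device?

```javascript
// Added example: consent-gated, provider-agnostic event dispatch.
// Not the post's own code; provider globals and the consent flag are assumptions.

// Build a tracker from injected providers so the logic runs outside a browser too.
function createTracker({ plausible, gtag, hasConsent }) {
  const log = [];
  function trackEvent(name, props = {}) {
    // Cookieless tool: writes nothing to the device, so ePrivacy is not triggered.
    if (typeof plausible === "function") {
      plausible(name, { props });
      log.push({ provider: "plausible", name });
    }
    // gtag sets _ga cookies: that is device storage, so dispatch only after consent.
    if (typeof gtag === "function") {
      if (hasConsent()) {
        gtag("event", name, props);
        log.push({ provider: "gtag", name });
      } else {
        log.push({ provider: "gtag", name, skipped: "no consent" });
      }
    }
    return log.slice();
  }
  return { trackEvent };
}

// Browser wiring: pick up whichever scripts happen to be loaded on the page.
function browserTracker(hasConsent) {
  return createTracker({
    plausible: globalThis.plausible,
    gtag: globalThis.gtag,
    hasConsent,
  });
}

// Self-check for the "top row" of the summary table: does this page store
// anything on the device? Feed it document.cookie, Object.keys(localStorage)
// and Object.keys(sessionStorage). Any hit means the banner question is back.
function writesToDevice({ cookie = "", localKeys = [], sessionKeys = [] }) {
  const cookies = cookie.split(";").map((c) => c.trim()).filter(Boolean);
  return cookies.length > 0 || localKeys.length > 0 || sessionKeys.length > 0;
}

// Constructed demonstration: gtag is present but consent has not been given.
function demo() {
  const calls = { plausible: [], gtag: [] };
  const tracker = createTracker({
    plausible: (n, o) => calls.plausible.push([n, o]),
    gtag: (...args) => calls.gtag.push(args),
    hasConsent: () => false,
  });
  tracker.trackEvent("Signup", { plan: "free" });
  return calls;
}

console.log(demo());
```

Usage in a page is `browserTracker(() => consentState.analytics === "granted").trackEvent("Signup")`, with `consentState` coming from whatever consent tool you adopt the day gtag appears. The asymmetry is intentional: adding the gtag script is the decision that brings the banner back, and the gate makes that dependency visible in code instead of in a marketing snippet.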

The whole thing on one card

| Setup | Sets cookies? | Consent banner? | Privacy-policy mention? |
| --- | --- | --- | --- |
| Cookieless analytics only (e.g. Plausible) | No | No | Yes, one line |
| Cookieless + Google Analytics / gtag / pixel | Yes | Yes, with real Reject All | Yes |

If you are in the top row, you are done: delete the banner, add the sentence, move on. If you ever step into the bottom row, you have signed up for consent management again, so do it on purpose.

A small disclaimer, honestly meant

This is the standard, widely-relied-on reading of how the ePrivacy Directive and GDPR treat cookieless analytics, and it is the interpretation regulators across the EU have consistently taken. It is not formal legal advice, and your situation may have wrinkles mine does not. If you operate in a sensitive sector, have a quick word with whoever signs off your compliance. For the ordinary case of “I run a website and I want honest visitor numbers,” the cookieless-and-no-banner position is solid ground.

And if the part that nags you is the privacy policy rather than the analytics, that is the right instinct. The tracking was the easy decision. Get your privacy policy written and kept up to date in about five minutes, and then you can go back to reading your nice clean dashboard.

Klaus Decaux

Klaus is a software developer and data protection consultant helping businesses achieve GDPR compliance through practical, technology-driven solutions.
