The web is moving away from cookies. Browsers are blocking them, privacy laws are restricting them, and visitors are rejecting them through consent banners.
But analytics doesn't have to break just because cookies are disappearing. Cookieless tracking is a modern approach to measuring website traffic that works without storing anything on your visitors' devices — no cookies, no consent banners, and no data gaps.
This guide explains what cookieless tracking is, why cookie-based analytics are failing, and how cookieless solutions actually work under the hood.
What Is Cookieless Tracking?
Cookieless tracking is a method of measuring website visits and visitor behavior without placing cookies on the user's browser.
Traditional analytics tools like Google Analytics rely on cookies to identify users, link page views into sessions, and distinguish new visitors from returning ones. These cookies are small text files stored on a visitor's device that persist across visits.
Cookieless tracking achieves the same goals using alternative signals like anonymized browser metadata, without writing any data to the visitor's device.
The result is analytics that capture every visitor, reduce your compliance burden, and don't require cookie consent banners.
Why Cookie-Based Analytics Are Breaking
For over two decades, cookies were the backbone of web analytics. But a combination of browser changes, legislation, and user behavior has made cookie-based tracking increasingly unreliable.
Browser restrictions
Safari's Intelligent Tracking Prevention (ITP) deletes JavaScript-set first-party cookies after 7 days without user interaction on the site. Since Google Analytics sets its _ga cookie via JavaScript, any Safari visitor who doesn't return within 7 days loses their client ID. GA4 generates a new one on their next visit and counts them as a brand new user, even though they've been to your site before.
If the visitor arrived via a link with tracking parameters (like gclid or fbclid), that window shrinks to just 24 hours. With Safari accounting for nearly a third of US web traffic (roughly 32% according to StatCounter), this meaningfully inflates new user counts and fragments visitor histories.
Firefox's Enhanced Tracking Protection blocks tracking scripts entirely in Strict mode and Private Browsing, replacing them with non-functional shims that prevent site breakage but send no data to Google.
And while Chrome still supports third-party cookies after reversing its deprecation plans in 2025, the broader industry trend toward privacy-first browsing continues to erode cookie reliability.
The result: analytics cookies get deleted, blocked, or expire before they can do their job.
Consent banners reduce data coverage
Since GDPR, ePrivacy, and similar privacy laws took effect, websites must ask for consent before setting non-essential cookies. Consent rejection rates vary widely depending on banner design and geography.
According to data from Taggrs, the average cookie banner acceptance rate is just 31%. Sites using GDPR-compliant banners (where "Accept" and "Reject" are equally prominent) see rejection rates of 40-60% in Europe. US-focused sites with less restrictive banner designs tend to see 20-30% rejection.
Regardless of the exact number, a significant portion of your visitors either reject cookies or ignore the banner entirely. Without Google's Advanced Consent Mode, those visitors are invisible. With Consent Mode enabled, GA4 sends limited "cookieless pings" and uses machine learning to estimate the missing traffic.
You get numbers back, but they're modeled guesses, not actual measurements. And because GA4 standard reports take 24-48 hours to process, you can't even verify what you're seeing in real time.
Ad blockers
Roughly 30% of internet users run ad blockers, and most ad blockers also block Google Analytics by default. These visitors never trigger the analytics script at all, creating another blind spot in your data.
The compounding effect
These factors stack. Between consent rejections, browser restrictions, and ad blockers, cookie-based analytics tools can miss a significant share of actual website traffic. For a US-focused site, combined data loss is typically in the range of 30-45%. For sites with European audiences where GDPR enforcement is stricter, that number can climb to 50% or more.
For smaller websites, the problem is compounded. Google's behavioral modeling requires a minimum volume of consented visitors to generate estimates, and many sites don't meet that threshold. You're left with incomplete data and no way to fill the gaps.
How Cookieless Tracking Works
Cookieless tracking replaces persistent identifiers (cookies) with anonymized, non-persistent signals to measure visits. There are several approaches, and they differ significantly in how they handle privacy.
Server-side fingerprinting (not recommended)
Some tools collect detailed browser attributes — screen resolution, installed fonts, GPU info, timezone, language — and combine them into a unique fingerprint. While technically cookieless, this approach recreates the privacy problems of cookies and is increasingly treated as equivalent to tracking under regulations like GDPR.
First-party server-side tracking
Some companies route analytics through their own server (or a proxy) before sending data to a third-party tool.
For example, server-side Google Tag Manager can be configured to use a server-managed FPID cookie (set via HTTP headers) instead of the JavaScript-set _ga cookie. This makes the cookie more resilient against ad blockers (since requests go to your own subdomain) and can extend cookie lifetimes when configured correctly.
However, server-side tracking still depends on cookies. The FPID cookie is still stored in the browser, consent is still required under GDPR, and Safari ITP can still cap it to 7 days if the server IP doesn't match your site's IP. It's an improvement over client-side cookie tracking, but not a truly cookieless approach.
Privacy-safe hashing
A better approach uses a limited set of non-identifying metadata, such as the visitor's IP address, user agent, and a secret salt, to generate an anonymized hash. The raw data (including the IP address) is discarded immediately, and only the irreversible hash is stored.
This lets analytics tools count unique visitors and build sessions without ever knowing who the visitor is. Because the hash is anonymous and cannot be reversed to identify a person, it provides meaningful cookieless attribution while respecting visitor privacy.
Cookieless Tracking vs. Cookie-Based Analytics
| Cookie-Based (e.g., GA4) | Cookieless (e.g., GoodMetrics) | |
|---|---|---|
| Consent banner required | Yes | No |
| Data loss from cookie rejection | 20-40% of visitors | 0% |
| Blocked by ad blockers | Usually | Less frequently than GA4 |
| Cross-device tracking | Requires login or User-ID | Not attempted (privacy tradeoff) |
| Data freshness | 24-48 hours for standard reports | Real-time |
| Returning visitor accuracy | High (when cookies persist) | Good on same device and network, not possible cross-device |
| GDPR compliance complexity | High (DPA, consent, data processing) | Low (no personal data collected) |
| Setup complexity | Significant (GTM, consent mode, filters) | Minimal (single script tag) |
Neither approach is perfect. Cookie-based analytics offer cross-device tracking when cookies work and users are logged in, but that's becoming a smaller share of your actual traffic. Cookieless analytics can reliably identify returning visitors on the same device and network, but can't track users across devices. The tradeoff is completeness: cookieless tools capture every visitor, while cookie-based tools miss a growing percentage of them.
How GoodMetrics Implements Cookieless Tracking
GoodMetrics was built from the ground up for a cookieless world. Here's how our implementation works.
What happens when a visitor arrives
When a visitor lands on your site, the GoodMetrics script loads and records essential events such as page views and any custom events you've defined.
- It does not write cookies, localStorage, or sessionStorage.
- It collects only a limited amount of technical information needed to measure visits accurately.
Event data is sent to our servers where we create a hash from the visitor's metadata. We record the anonymized hash and event data while discarding the IP address, ensuring that all data collection remains completely anonymous.
What we collect
- Pageviews and custom event data
- Basic technical info (browser name, OS name, device type)
- Geolocation from Cloudflare headers (e.g., country)
- A hashed visitor signature based on some of the above inputs
What we don't collect
- Cookies or any form of client-side storage
- Raw IP addresses
- Personal identifiers (like email, name, or user IDs)
- Cross-site or behavioral tracking data
GoodMetrics focuses on aggregated insights — not personal profiles.
How we identify visitors
When an event is received, GoodMetrics hashes the visitor data into a visitor signature.
This anonymized signature helps us understand how many unique visitors came to your site during a given period — without knowing who they are.
If any of these properties change (for example, a visitor switches networks or devices), a new visitor is counted. That's a deliberate tradeoff we make to protect privacy while keeping metrics reliable.
How sessions work
GoodMetrics creates an open session when it first detects a visitor signature.
- Each session has a 30-minute inactivity window.
- Every new event (page view, click, or custom event) resets that timer.
- If there's no activity for 30 minutes, the session closes automatically.
This ensures visit counts and engagement metrics remain accurate — without any client-side storage.
Returning visitors
GoodMetrics can recognize returning visitors as long as their anonymized signature remains the same. If a visitor comes back on the same device, browser, and network, their hash will match and they'll be counted as a returning visitor, even days or weeks later.
If the visitor's IP, browser, or device changes, they'll appear as a new visitor. Cross-device tracking is not possible with this approach, and that's by design. We prioritize privacy over total user-level continuity.
What This Means for Accuracy and Privacy
Cookieless tracking doesn't mean less data — it means data collected responsibly.
Because our system operates entirely without cookies or persistent identifiers, you get analytics that are:
- Complete: Every visitor is counted. No data loss from consent rejections, cookie expiry, or browser restrictions.
- Accurate: Sessions, pageviews, and visits are measured using real, first-party signals — not reconstructed or estimated.
- Real-time: Event processing happens in seconds, not the 24-48 hour delay you get with GA4.
- Privacy-safe: Every event is anonymized immediately and stored without personal identifiers.
This approach gives you the clarity of traditional analytics tools — without the surveillance or compliance risks.