
Cookie banners are everywhere. They interrupt visitors, hurt conversions, and most website owners aren’t even sure if they need one. The short answer: if you’re using privacy-first analytics like Plausible, Fathom, or Umami, you probably don’t need a cookie banner for analytics at all.
However, the full answer depends on what data you collect, where your visitors are located, and which tools you use. This guide explains when analytics require consent, when they don’t, and how to track visitors legally without annoying popups.
What Triggers the Need for a Cookie Banner?
Cookie banners exist because of two European regulations: the GDPR (General Data Protection Regulation; see our complete GDPR analytics guide) and the ePrivacy Directive. Here’s what each requires:
The ePrivacy Directive requires consent before storing or accessing information on a user’s device. This includes cookies, localStorage, and similar technologies. If your analytics tool sets cookies, you need consent before tracking begins.
The GDPR requires a legal basis for processing personal data. For analytics, this typically means either consent or “legitimate interest.” However, legitimate interest is harder to justify when tracking involves cookies or cross-site identification.
In practice, if your analytics tool uses cookies to identify returning visitors, you need a consent banner in the EU. No exceptions.
Which Analytics Tools Require Consent?
Google Analytics always requires consent in the EU (learn more about what changes when you leave GA). It sets multiple cookies, collects IP addresses, and sends data to US servers. The combination makes consent mandatory under both GDPR and ePrivacy rules.
Several European data protection authorities have explicitly ruled that Google Analytics violates GDPR. Austria, France, Italy, and Denmark have all issued decisions against websites using GA without proper consent mechanisms.
Other tools that typically require consent include:
- Adobe Analytics — uses cookies, processes personal data
- Mixpanel — sets cookies by default, though cookieless mode exists
- Hotjar — records sessions, sets cookies
- Any tool with cross-site tracking — sharing data across domains requires consent
Cookie-Free Analytics: No Banner Required
Privacy-first analytics tools are specifically designed to work without cookies and without consent banners. They achieve this by:
- Not setting any cookies or using localStorage
- Not collecting personal data (no IP addresses stored)
- Processing data in the EU (for EU-based tools)
- Using anonymous, aggregated metrics only
The following tools can legally operate without consent in most cases:
Plausible Analytics
Plausible is designed to be GDPR-compliant by default. It doesn’t use cookies, doesn’t collect IP addresses, and processes all data in the EU. Their legal team has specifically designed the tool to avoid consent requirements.
When I migrated a client’s e-commerce site from GA4 to Plausible, we removed the cookie banner entirely for analytics. Conversions increased 12% in the first month — partly because visitors weren’t bouncing at the consent popup.
Fathom Analytics
Fathom takes a similar approach. No cookies, no personal data, EU data processing available. They’ve published detailed legal documentation explaining why consent isn’t required under GDPR or ePrivacy.
Umami
Umami is a free, open-source option that also works without cookies. Since you self-host it, data never leaves your servers. This makes compliance straightforward — you control everything.
Simple Analytics
Simple Analytics explicitly markets itself as not requiring a cookie banner. Based in the Netherlands, EU-hosted, no cookies, no personal data collection.
The Legal Basis: Why Cookie-Free Analytics Don’t Need Consent
For analytics without consent, you need to satisfy two conditions:
Condition 1: No cookies or device storage
The ePrivacy Directive only applies when you store or access information on the user’s device. If your analytics tool doesn’t set cookies or use localStorage, ePrivacy consent requirements don’t apply.
Condition 2: No personal data processing, or legitimate interest applies
Under GDPR, you need a legal basis for processing personal data. Privacy-first tools typically either:
- Don’t process personal data at all (fully anonymous), or
- Process minimal data under legitimate interest (aggregated stats only)
The French data protection authority (CNIL) has published specific guidance confirming that audience measurement tools can operate without consent if they meet certain criteria: limited purpose, no cross-site tracking, anonymized data, and user control options.
What About the UK?
Post-Brexit, the UK has its own version of GDPR (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). The rules are nearly identical to EU requirements.
Cookie-free analytics that comply with EU rules generally comply with UK rules as well. The ICO (UK’s data protection authority) has indicated that strictly necessary cookies don’t require consent, but analytics cookies typically do.
Therefore, the same principle applies: use cookie-free tools, and you can skip the banner.
When You Still Need a Cookie Banner
Even with privacy-first analytics, you might still need a cookie banner if:
- You use other tools that set cookies — marketing pixels, chat widgets, embedded videos
- You run ads — advertising platforms require consent for tracking
- You use session recording — tools like Hotjar process personal data
- You track across multiple domains — cross-site tracking requires consent
In these cases, you still need a consent mechanism. However, you can configure it to only cover the tools that require consent, while your privacy-first analytics runs independently.
Implementing Cookie-Free Analytics
Switching to cookie-free analytics is straightforward. Here’s the typical process:
Step 1: Choose a privacy-first tool (Plausible, Fathom, Umami, or Simple Analytics)
Step 2: Add the tracking script to your site. For example, Plausible’s script is a single line:
<script defer data-domain="yourdomain.com" src="https://plausible.io/js/script.js"></script>
Step 3: Remove Google Analytics or other cookie-based tracking
Step 4: Update your privacy policy to reflect the new tool
Step 5: If analytics was your only reason for the cookie banner, remove it
The entire migration typically takes less than an hour. I’ve helped clients complete it in 15 minutes when they had simple setups.
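One way to verify steps 3 and 5 after the migration, as an added example that is not part of the original article: export a HAR file from the browser's network panel in a fresh profile and list every host that still sets or receives cookies. The hosts `example.test` and `chat-widget.example` are hypothetical and the sample capture is constructed.

```javascript
// Added example: list every host that sets or receives cookies in a HAR capture.
// SAMPLE_HAR is constructed test data (hypothetical hosts), not a real capture.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://example.test/", headers: [] },
    response: { headers: [{ name: "Content-Type", value: "text/html" }] } },
  { request: { url: "https://plausible.io/js/script.js", headers: [] },
    response: { headers: [{ name: "Content-Type", value: "application/javascript" }] } },
  { request: { url: "https://chat-widget.example/loader.js", headers: [] },
    response: { headers: [{ name: "Set-Cookie", value: "cw_visitor=abc123; Path=/; Max-Age=31536000" }] } },
  { request: { url: "https://example.test/api/cart",
               headers: [{ name: "Cookie", value: "session=xyz; cw_pref=1" }] },
    response: { headers: [] } },
] } };

// Extract cookie names from all headers called `headerName` (lowercase).
function cookieNames(headers, headerName) {
  // "Cookie" packs pairs as "a=1; b=2"; "Set-Cookie" carries one cookie per
  // header, but split on newlines in case an exporter merged several.
  const sep = headerName === "cookie" ? ";" : "\n";
  return headers
    .filter((h) => h.name.toLowerCase() === headerName)
    .flatMap((h) => h.value.split(sep))
    .map((part) => part.trim().split("=")[0])
    .filter(Boolean);
}

// Returns one record per host with cookie activity, in first-seen order.
function auditHar(har, siteHost) {
  const byHost = new Map();
  for (const { request, response } of har.log.entries) {
    const host = new URL(request.url).hostname;
    const names = [...cookieNames(response.headers, "set-cookie"),
                   ...cookieNames(request.headers, "cookie")];
    if (names.length === 0) continue;
    if (!byHost.has(host)) {
      const thirdParty = host !== siteHost && !host.endsWith("." + siteHost);
      byHost.set(host, { host, thirdParty, cookies: new Set() });
    }
    names.forEach((n) => byHost.get(host).cookies.add(n));
  }
  return [...byHost.values()].map((r) => ({ ...r, cookies: [...r.cookies].sort() }));
}

console.log(auditHar(SAMPLE_HAR, "example.test"));
```

A HAR capture only shows cookies that cross the network; localStorage writes do not appear in it, so also check the browser's storage inspector before removing the banner.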
Updating Your Privacy Policy
Even without cookies, you should document your analytics in your privacy policy. Include:
- Which tool you use
- What data is collected (page views, referrers, device type — no personal data)
- Where data is processed (EU servers)
- That no cookies are used
- How users can opt out if desired
Most privacy-first tools provide template text you can adapt. Transparency builds trust, even when consent isn’t legally required.
Common Misconceptions About Cookie Consent
“All analytics need consent” — False. Only analytics that use cookies or process personal data require consent. Cookie-free, anonymous analytics can operate under legitimate interest or without GDPR applying at all.
“IP addresses are always personal data” — True under GDPR, but privacy-first tools either don’t log IPs or immediately anonymize them. If the IP is never stored, it’s not processed in a way that triggers GDPR requirements.
“I need consent because my visitors might be in the EU” — You need to comply with GDPR if you target EU visitors or have EU customers. But compliance doesn’t mean consent — it means having a valid legal basis. For cookie-free analytics, legitimate interest typically applies.
“Cookie banners are just annoying but harmless” — Actually, they hurt your metrics. Studies show that consent rates average 40-60%, meaning you lose data on half your visitors with cookie-based analytics. Additionally, banners increase bounce rates and degrade the user experience.
Bottom Line
Cookie banners for analytics are avoidable. If you switch to privacy-first tools like Plausible, Fathom, or Umami, you can legally track website visitors without consent popups. The tools are simpler to use, the data is often more accurate (no consent-related data loss), and your visitors get a better experience.
The key requirements: no cookies, no personal data storage, EU data processing, and transparent documentation in your privacy policy. Meet these criteria, and you can measure what matters without interrupting your visitors.
For most websites, the business case is clear. Better user experience, higher conversion rates, full compliance, and actionable data — all without a single cookie banner.