Back to articles
Analytics
Analytics Cookies Privacy GDPR

Cookie-Free Analytics: How and Why in 2026

12 November 2025 8 min read DPLIANCE

Cookie-free analytics is not a trend. It is a rational response to a simple reality: the web built on individual tracking is dying.

Safari has blocked third-party cookies since 2017 with Intelligent Tracking Prevention (ITP). Firefox does the same with Enhanced Tracking Protection (ETP). Chrome, representing about 65% of the browser market, announced in July 2024 that it would not remove third-party cookies by default but would offer users a choice via Privacy Sandbox. Meanwhile, ad blockers and tracker blockers are used by more than 40% of internet users.

The result? If you still use a cookie-based analytics tool, you only see a fraction of your actual audience. And you expose yourself to growing legal risks.

At DPLIANCE, we believe privacy is not a compromise. It is a fundamental right. And it is perfectly possible to understand your visitors’ behavior without tracking them.

Cookie-free analytics refers to audience measurement methods that do not deposit any cookie on the user’s device. Neither third-party cookies (used for multi-site ad tracking) nor persistent first-party cookies (used by traditional tools to identify a visitor over time).

This does not mean no data is collected. It means nothing is stored on the visitor’s device to recognize them later.

The Difference Between Third-Party and First-Party Cookies

  • Third-party cookie: deposited by a domain different from the one the user visits. Used primarily for multi-site ad tracking. This is what Safari, Firefox, and soon Chrome block.
  • First-party cookie: deposited by the visited domain. Used by Google Analytics (even GA4) to identify returning visitors. Less legally problematic, but still subject to consent according to CNIL (French data protection authority).

Cookie-free analytics goes further: it deposits neither one nor the other.

In France, CNIL is clear: any tracker deposited on a user’s device requires prior consent, with a limited exception for audience measurement (Article 82 of the French Data Protection Act, transposing the ePrivacy directive). The user must consent through a clear positive action. Silence equals refusal. No non-essential tracker may be deposited without this consent.

In 2025, CNIL fined Google 325 million euros for cookie and advertising violations affecting more than 74 million accounts in France.

2. Browsers Are Killing Third-Party Cookies

Here is the state of play in March 2026:

  • Safari (ITP): blocks third-party cookies since 2017. Since ITP 2.1, first-party cookies set by known tracking scripts are limited to 7-day lifespans.
  • Firefox (ETP): blocks known tracking cookies by default since 2019.
  • Chrome (Privacy Sandbox): Google gave up removing third-party cookies by default in July 2024. Instead, users can choose via privacy settings. Privacy Sandbox APIs (Topics, Attribution Reporting, Protected Audiences) remain available.

Between Safari, Firefox, ad blockers, and Chrome users who refuse cookies, a significant portion of your audience already escapes cookie-based tools.

3. More Reliable Data

Paradoxically, cookie-free analytics often produces more reliable data than traditional analytics. Why?

  • No data loss from cookie banner refusals (depending on the sector, 30 to 70% of visitors refuse cookies)
  • No distortion from ad blockers
  • No bias from users deleting cookies
  • 100% of visitors are measured, without selection bias

Several technical approaches enable analytics without depositing cookies.

Session-Based Tracking

This is the most widespread method among privacy-respecting tools. The principle:

  1. When a visitor arrives on your site, the server generates a temporary session identifier
  2. This identifier exists only for the duration of the visit (typically 30 minutes of inactivity)
  3. At the end of the session, the identifier is destroyed
  4. If the visitor returns the next day, they are considered a new visitor

Advantage: no storage on the user’s device. Disadvantage: impossible to accurately measure return rates.

Anonymized Hashing (Hash-Based)

Some tools use an anonymous, non-reversible hash of technical parameters (truncated IP address, user-agent, screen size) to group a visitor’s actions within a single day. For example, Matomo uses a config_id generated from a random hash limited in time (maximum 24 hours).

This method is not fingerprinting: the identifier changes daily, is not persistent, and does not allow tracking a user from one site to another.

Server-Side Tracking

Server-side tracking moves data collection from the browser to a server controlled by the site publisher. Instead of JavaScript scripts sending data directly to a third-party service, interactions are first sent to the company’s server, which processes them, anonymizes them if necessary, then transmits them to the analysis tool.

Companies switching to server-side tracking recover an average of 20 to 40% of conversion data missed by traditional client-side tracking.

The Stateless Approach

The most radical approach: generate no identifier, even temporary. Each page view is an isolated event. You measure page view counts, referrers, landing pages, but do not link page views together.

This is the approach of Simple Analytics and, to some extent, Plausible. It produces reliable site-level metrics (global traffic, popular pages, sources) but does not allow analyzing individual journeys.

It Is Not Fingerprinting

Fingerprinting creates a unique device fingerprint from its technical characteristics (user-agent, screen resolution, installed plugins, fonts, etc.). This fingerprint is persistent and allows tracking users without consent.

Fingerprinting is explicitly considered non-GDPR-compliant by European authorities. As Matomo notes in its documentation, fingerprinting “is not considered privacy-friendly” and “may be in conflict with GDPR regulations.” Unlike cookies that users can delete, digital fingerprints cannot be removed.

Serious cookie-free analytics tools do not use fingerprinting.

It Is Not Data Loss

Cookie-free analytics does not measure the same things as Google Analytics. But what it measures, it measures better: without consent bias, without blocker losses, without distortion.

You lose the ability to track a specific individual over time. You gain a complete, unbiased view of your audience.

Mirage Analytics

Mirage Analytics is the cookie-free analytics tool published by DPLIANCE. It combines web analytics, session replay, heatmaps, and error monitoring in a single solution, without depositing third-party cookies or persistent trackers. Hosted on Scaleway in France, it guarantees no data transfers outside the European Union.

What makes Mirage unique in this category is the integration of session replay and heatmaps without cookies. Most cookie-free tools limit themselves to aggregated metrics. Mirage allows understanding individual visitor behavior (where do they go? where do they click? what errors do they encounter?) without identifying them.

From 19 EUR excl. tax/month.

  • Plausible: open source, minimalist, from 9 EUR/month
  • Fathom: simple and fast, from $15/month
  • Simple Analytics: zero personal data, from $15/month
  • Pirsch: hosted in Germany, from $6/month
  • Umami: open source, self-hostable, free
  • Matomo: configurable in cookie-free mode (CNIL exemption), free self-hosted or from 22 EUR/month in Cloud

One of the major advantages of cookie-free analytics is the possibility of benefiting from the consent exemption provided by CNIL (French data protection authority). This exemption, based on Article 82 of the French Data Protection Act, allows measuring a site’s audience without displaying a cookie banner, provided strict criteria are met.

Main conditions:

  • Purpose must be strictly limited to audience measurement
  • Data must not be cross-referenced with other processing
  • Data must not be transmitted to third parties
  • Tracker lifespan must be limited to 13 months maximum
  • Raw data collected must be retained for 25 months maximum
  • No cross-site or cross-application navigation tracking

For more, see our guide on the CNIL analytics exemption.

FAQ

It is different, not less accurate. You cannot track an individual visitor over several months. But you measure 100% of your audience (not just the 30 to 70% who accept cookies), without distortion from blockers. For most sites, the metrics obtained are more reliable.

Can session replay work without cookies?

Yes. Mirage Analytics integrates session replay without depositing cookies. Sessions are recorded anonymously, without persistent identifiers, allowing understanding of the user journey within a visit without tracking the individual.

Does cookie-free analytics work with SPAs (Single Page Applications)?

Yes. Most modern cookie-free tools natively handle Single Page Applications by detecting client-side route changes. This is the case for Mirage, Plausible, Fathom, and Umami.

If your analytics tool is your only tracker and it operates without cookies in compliance with CNIL exemption conditions, you do not need a cookie banner for audience measurement. Note: if you use other trackers (advertising, social networks, chat, etc.), the banner remains necessary for those.

“Cookie-free” means no cookies are deposited on the user’s device. “Tracking-free” would mean no data is collected, which would make analytics impossible. Cookie-free analytics does collect data (page views, referrers, etc.), but anonymously and without identifying individuals.

Sources: CNIL (French data protection authority), “Rules to follow” and “Cookies: solutions for audience measurement tools” (cnil.fr); CNIL, Google 325M EUR sanction, September 1, 2025; Apple, ITP documentation (webkit.org); Google, “Privacy Sandbox Next Steps” (privacysandbox.google.com); Matomo, documentation on fingerprinting and config_id (matomo.org).

Your users’ privacy is not a compromise. Discover Mirage Analytics: cookie-free web analytics, session replay and heatmaps integrated, hosted in France. From 19 EUR excl. tax/month.

Write to us

contact@dpliance.com
Contact us