Back to articles
Analytics
Analytics Cookies Privacy Tracking

Cookieless Tracking: The Future of Web Analytics

24 December 2025 10 min read DPLIANCE

Cookieless tracking is no longer a trend. It is the direction the entire web ecosystem is heading. And it is not primarily a technology question. It is a question of trust.

For twenty years, the web operated on a postulate: individuals can be tracked to optimize experience and advertising. Third-party cookies were the primary instrument of this model. Today, this model is being dismantled, driven by three converging forces: browsers, regulators and users themselves.

At DPLIANCE, we believe this is good news. Privacy is not an obstacle to analytics. It is a constraint that drives the building of better tools.

Why cookieless tracking is inevitable

Browsers are turning off the tap

The state of play in March 2026 is unambiguous:

Safari — Intelligent Tracking Prevention (ITP)

Apple was the first to act, in 2017, with the launch of ITP in Safari. Since then, restrictions have tightened with each version:

  • ITP 1.0 (2017): limits third-party cookie lifespan to 24 hours
  • ITP 2.0 (2018): blocks all third-party cookies by default
  • ITP 2.1 (2019): limits first-party cookies set by JavaScript to 7-day lifespan
  • ITP 2.3 and later: additional restrictions on localStorage and referrers

Safari does not just block third-party cookies. It also targets first-party cookies set by known tracking scripts, limiting their lifespan to 7 days. For a tool like Google Analytics, this means a Safari visitor returning after 8 days is counted as a new visitor.

Firefox — Enhanced Tracking Protection (ETP)

Mozilla launched ETP in 2019. Firefox blocks known tracking cookies by default while allowing non-tracking third-party cookies. The approach is based on lists of tracking domains maintained by Disconnect.

ETP is enabled by default for all Firefox users, with no configuration needed.

Chrome — Privacy Sandbox

The Chrome saga is the most complex. Here is the timeline:

  • January 2020: Google announces deprecation of third-party cookies in Chrome within 2 years
  • June 2021: postponed to end of 2023
  • July 2022: postponed to mid-2024
  • April 2024: postponed to early 2025
  • July 2024: Google announces it will not remove third-party cookies by default, but will offer users a choice
  • April 2025: Google confirms it will not introduce a specific consent prompt in Chrome. Users manage third-party cookies via existing privacy settings

In parallel, Privacy Sandbox APIs continue their rollout:

  • Topics API: replaces individual tracking with interest categories (fitness, travel, etc.) inferred locally by the browser based on recent history. Only 3 “topics” are shared with sites and advertisers.
  • Attribution Reporting API: enables measuring advertising conversions without tracking individuals.
  • Protected Audiences: enables advertising targeting without sharing browsing data with third parties.

In early 2025, only 32% of programmatic buyers reported using Privacy Sandbox APIs. Adoption is slow, but the direction is clear.

Regulators are toughening up

The European regulatory framework leaves no doubt:

  • The GDPR (2018) requires a legal basis for any processing of personal data. Cookies containing identifiers are personal data.
  • The ePrivacy Directive requires consent for any tracker placed on the user’s terminal, except limited exceptions.
  • CNIL (French data protection authority) in France applies these rules with rigor. In 2025, it sanctioned Google 325 million euros and Shein 150 million euros for cookie and consent breaches. Total CNIL (French data protection authority) fines in 2025 reached 487 million euros.

The message is unequivocal: tracking without consent is illegal in Europe. And sanctions are increasingly heavy.

Users are protecting themselves

Ad and tracker blockers are used by a growing share of internet users. In France, estimates suggest over 30% of internet users use a blocker. For technical audiences (developers, IT), this figure exceeds 50%.

Add the 30 to 70% of visitors who refuse cookies via consent banners (depending on sector), and the conclusion is clear: cookie-based tracking covers only a minority of the audience.

Cookieless tracking methods

Cookieless tracking encompasses several technical approaches, with very different levels of sophistication and privacy respect.

1. Server-side tracking

Server-side tracking is considered the most impactful technical investment for marketers in 2026. The principle: instead of running tracking scripts in the user’s browser, data is collected by the web server, processed, anonymized if necessary, then sent to analytics tools.

How it works:

  1. The user visits a page on your site
  2. Your web server records the request (URL, referrer, user-agent, etc.)
  3. The server sends relevant data to your analytics tool
  4. No third-party script is executed in the browser

Advantages:

  • Immune to ad blockers (data does not pass through the browser)
  • Total control over data sent (you filter what goes out)
  • Better site performance (fewer client-side scripts)
  • Centralized consent management
  • Companies recover an average of 20 to 40% of missed conversions

Limitations:

  • More complex setup (requires server access)
  • Does not natively capture client-side interactions (clicks, scroll, forms) without additional instrumentation
  • Requires technical expertise

2. Session-based tracking

Session-based tracking identifies visitors for the duration of a session, without persistent storage. With each new session, the visitor is considered new.

How it works:

  1. A temporary session identifier is generated (in memory or via a session cookie)
  2. The visitor’s actions are linked to this identifier during the session
  3. After an inactivity timeout (generally 30 minutes), the session expires
  4. The identifier is destroyed — no persistent trace

Advantages:

  • Enables analysis of journeys within a visit
  • No persistent storage on the terminal
  • Compatible with CNIL (French data protection authority) exemption if correctly configured

Limitations:

  • No reliable measurement of returning visitors
  • No cohort tracking over time

3. Anonymized and non-persistent hashing

Some tools create a temporary identifier based on a hash of technical parameters (truncated IP, user-agent, etc.), valid for a limited duration (generally 24 hours). This is not persistent fingerprinting: the identifier changes each day and does not allow tracking a user over time.

Concrete example: Matomo uses a config_id generated from a random and temporary hash. This mechanism allows grouping a same visitor’s page views within a day, without tracking them beyond that.

Advantages:

  • Enables measuring unique visitors per day
  • More precise than purely session-based tracking

Limitations:

  • The boundary with fingerprinting can be blurry
  • Requires rigorous implementation to remain compliant

4. The contextual approach

The contextual approach does not seek to identify visitors. It analyzes the content of pages visited to infer areas of interest. This approach is primarily used in advertising, but has analytics applications.

Advantages:

  • Zero individual identification
  • Fully compliant by design
  • Relevant for advertising targeting

Limitations:

  • Does not enable user journey analysis
  • Less useful for classic web analytics

5. Fingerprinting (to avoid)

Fingerprinting consists of creating a unique device imprint from its technical characteristics. Unlike cookies, this imprint is invisible and cannot be deleted by the user.

Why to avoid it:

  • The GDPR considers fingerprinting a tracker requiring consent
  • Data protection authorities consider it more intrusive than cookies
  • Browsers implement countermeasures (parameter randomization)
  • It violates the GDPR transparency principle (the user does not know they are being tracked)
  • It is unethical: the user cannot technically oppose it

Tools like Matomo clearly state it: fingerprinting “is not considered privacy-respecting” and “may be contrary to GDPR regulations.”

Real cookieless tracking does not rely on fingerprinting. It relies on methods that respect the user by design.

Approach comparison

MethodIdentifies visitorsPersistenceGDPR compliantPrecision
Server-sideConfigurableConfigurableYes (if configured)High
Session-basedPer sessionNoneYesMedium
Anonymized hashPer day24 hYes (if non-persistent)Good
ContextualNoNoneYesLow (analytics)
FingerprintingYesPersistentNot without consentHigh but unethical

How Mirage Analytics does cookieless tracking

Mirage Analytics is a concrete example of cookieless tracking implementation. Here is how it works:

  • No third-party cookies, no persistent tracker: tracking is based on sessions, without storage on the user’s terminal
  • Session replay without cookies: sessions are recorded anonymously. Each session is an isolated event, with no persistent link to previous sessions from the same visitor
  • Heatmaps and error monitoring: interaction data (clicks, scroll, errors) is collected within the session, without individual identification
  • Hosting in France (Scaleway): no data transfer outside the EU. Data remains under European jurisdiction
  • Processing exclusively for the publisher: DPLIANCE does not reuse data for its own purposes

The result: a complete view of visitor behavior (analytics, session replay, heatmaps, errors) without compromising privacy.

What cookieless tracking changes for businesses

What you lose

  • The ability to track a specific individual over weeks or months
  • “Returning visitor” metrics in the traditional sense
  • The ability to individually target a visitor based on their history

What you gain

  • Data on 100% of your audience, not just the 30 to 70% who accept cookies
  • Legal compliance without dependence on a fragile legal framework (DPF)
  • Better web performance: fewer scripts, fewer cookies, fewer requests
  • User trust: no intrusive cookie banner, no hidden tracking
  • Independence: your data does not feed a third party’s advertising ecosystem

The strategic issue

Cookieless tracking is not a constraint. It is a competitive advantage. Companies that adopt it today will be ahead when the last browser restrictions take effect, when the DPF is eventually invalidated, when regulations tighten further.

The most resilient companies in 2026 are those that anticipated: clean first-party data, sovereign tools, and a trust relationship with their users.

FAQ

It is different, not less accurate. You measure 100% of your audience instead of a biased subset. You lose longitudinal individual tracking, but gain a more reliable global view. For most business decisions (which pages work, where traffic comes from, which content converts), cookieless tracking provides sufficient and more complete data.

Does server-side tracking circumvent the GDPR?

No. Server-side tracking is an architectural choice, not a legal exemption. If you collect personal data server-side, GDPR obligations apply. The advantage of server-side is control: you decide precisely which data is collected, processed and transmitted.

Will Google actually remove third-party cookies in Chrome?

Google abandoned the idea of removing third-party cookies by default in July 2024. Chrome users can choose to block them via privacy settings. Privacy Sandbox APIs remain available as an alternative. In practice, third-party cookies in Chrome will survive as long as users do not actively block them, but their reliability decreases with the rise of blockers and regulators.

Does cookieless tracking work for e-commerce?

Yes. Essential e-commerce metrics (product pages viewed, cart additions, conversions, traffic sources) are perfectly measurable without cookies. Some tools, like Mirage Analytics, include session replay which enables understanding cart abandonment without identifying individuals.

How much does the transition to cookieless tracking cost?

The transition is generally simple and inexpensive. Installing a tool like Mirage is done by adding a script to your site. The main cost is the tool subscription (starting at EUR 19 excl. tax/month for Mirage). If you opt for advanced server-side tracking, the setup cost is higher (server configuration, custom development).

Sources: Apple, Intelligent Tracking Prevention documentation (webkit.org); Mozilla, Enhanced Tracking Protection documentation (support.mozilla.org); Google, “Privacy Sandbox Next Steps” and “Updated Timeline for Privacy Sandbox Milestones” (privacysandbox.google.com); CNIL (French data protection authority), 2025 fines (cnil.fr); Matomo, cookieless tracking and fingerprinting documentation (matomo.org); GDPR, Articles 6, 7 and 9; ePrivacy Directive, Article 5(3).

Cookieless tracking is not the future. It is the present. Discover Mirage Analytics: cookie-free web analytics, session replay, heatmaps and error monitoring. Hosted in France. Starting at EUR 19 excl. tax/month.

Write to us

contact@dpliance.com
Contact us