Do you actually need a cookie banner for analytics?
Cookie banners are everywhere. They pop up on virtually every website, asking visitors to accept, reject, or customize their cookie preferences. Most site owners add them because they believe they are legally required. Many are right — but not all.
The answer depends on what your analytics tool actually does. Some analytics tools require consent. Others do not. The distinction is technical, not philosophical, and it comes down to one question: does your analytics tool store or access information on the user's device?
The law: ePrivacy Directive, not GDPR
Most people think cookie consent comes from GDPR. It does not. The cookie consent requirement comes from the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC), which predates GDPR by over a decade. Each EU member state implemented this directive into national law — in the UK, it became PECR (Privacy and Electronic Communications Regulations).
Article 5(3) of the ePrivacy Directive states:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent.
The key phrase is "storing of information, or the gaining of access to information already stored, in the terminal equipment." Terminal equipment means the user's device — their browser. This covers cookies, but also localStorage, sessionStorage, IndexedDB, and any other client-side storage mechanism.
There is an exception: consent is not required for storage that is "strictly necessary" for providing the service the user explicitly requested. A session cookie for a shopping cart is strictly necessary. An analytics cookie that tracks visitor behavior for the site owner's benefit is not.
When you need a cookie banner
You need consent before your analytics tool sets cookies or accesses client-side storage for tracking purposes. This applies to:
Google Analytics. GA4 sets multiple cookies: _ga (client ID, 2-year expiry), _ga_ (session state), and potentially others for Google Ads integration. These cookies are not strictly necessary — they exist to help the site owner understand visitor behavior. Consent is required before GA4 sets them.
Mixpanel. Sets cookies for user identification and session tracking. Consent required.
Hotjar / FullStory. Set cookies and use localStorage extensively for session recording. Consent required.
Meta Pixel / Google Ads tags. These are advertising trackers, not analytics, but they are often bundled together. They set third-party cookies for cross-site tracking. Consent is absolutely required.
The consequence of running any of these tools without consent is a potential violation of the ePrivacy Directive (and PECR in the UK). Fines are real — the French CNIL has fined companies including Google, Amazon, and Facebook for cookie violations, and smaller companies have been fined too.
When you do not need a cookie banner
If your analytics tool does not store or access information on the user's device for tracking purposes, the ePrivacy Directive's consent requirement does not apply. No cookies, no consent banner.
Several analytics tools are designed to work without cookies:
sourcebeam does not set cookies. Visitor recognition uses server-side hashing of request attributes (IP + User-Agent) with rotating salts. Session state uses in-memory JavaScript variables that do not persist beyond the page lifecycle. No client-side storage is accessed for tracking purposes.
Plausible does not set cookies. Uses a similar server-side hashing approach for visitor identification with daily salt rotation.
Fathom does not set cookies. Uses a hashing approach for visitor identification.
Simple Analytics does not set cookies and does not track individual visitors at all — purely aggregate metrics.
For these tools, there is no consent requirement under the ePrivacy Directive because there is no storage of information on the user's device.
The CNIL exemption
The French data protection authority (CNIL) has gone further than most. In their cookie guidelines, they define specific criteria under which an analytics tool can be exempt from consent — even if it uses limited client-side storage. The criteria include:
1. Purpose limitation. The tool must be used solely for producing anonymous statistical data. No cross-site tracking, no profiling, no sharing data with third parties.
2. Limited scope. The data must be used only by the website owner (the data controller), not by the analytics vendor for their own purposes.
3. No cross-site tracking. The analytics tool must not correlate data across different websites or services.
4. Limited data retention. Raw data should not be kept longer than 25 months, and visitor identifiers should not persist beyond 13 months.
5. User information. Users must still be informed about the analytics (typically through a privacy policy), even if consent is not required.
The CNIL has explicitly listed tools that qualify for this exemption. Plausible and several other privacy-focused analytics tools have been recognized. The key takeaway is that even French regulators — among the strictest in Europe — acknowledge that privacy-respecting analytics can operate without consent.
What about GDPR?
GDPR applies when you process personal data. Even cookieless analytics tools process some data that could be considered personal — IP addresses, for example, are personal data under GDPR.
But GDPR does not always require consent. It provides six legal bases for processing personal data, and consent is just one of them. The most relevant alternative is legitimate interest (Article 6(1)(f)) — the data controller has a legitimate interest in understanding how their website is used, and the processing is proportionate and does not override the individual's rights.
For cookieless analytics that do not store personal data, do not track users across sites, and produce only aggregate statistics, legitimate interest is generally accepted as a valid legal basis. The processing is minimal (a hashed, non-reversible identifier), the purpose is proportionate (understanding website traffic), and the impact on the individual is negligible (no profiling, no advertising, no data sharing).
This is the approach recommended by several EU data protection authorities and followed by privacy-focused analytics vendors. You still need a privacy policy that explains what data you collect and why — but you do not need a consent popup.
What about the UK (PECR)?
The UK implemented the ePrivacy Directive through PECR — the Privacy and Electronic Communications Regulations. After Brexit, PECR continues to apply alongside the UK GDPR.
PECR's cookie rules mirror the ePrivacy Directive: consent is required before storing or accessing information on a user's device, unless it is strictly necessary. The ICO (the UK's data protection authority) has published guidance specifically stating that analytics cookies are not strictly necessary and require consent.
However, the ICO's guidance also acknowledges that not all analytics tools use cookies. If your analytics tool does not store or access information on the user's device, PECR's consent requirement does not apply — the same logic as in the EU.
What about the US (CCPA / state laws)?
The US does not have a federal cookie consent law. There is no US equivalent of the ePrivacy Directive. CCPA (California Consumer Privacy Act) and its successor CPRA give consumers the right to opt out of the "sale" or "sharing" of personal information, but they do not require affirmative consent before setting cookies.
If your analytics tool does not sell or share personal data with third parties — which privacy-focused tools like sourcebeam do not — CCPA's opt-out requirements generally do not apply to your analytics.
Other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA) have similar frameworks: they regulate the sale and profiling use of personal data, not the mere act of setting cookies. For analytics that produce aggregate statistics without profiling or data sharing, these laws do not require consent popups.
The cost of getting it wrong
Running cookie-based analytics without consent: Potential fines under the ePrivacy Directive / PECR. The CNIL has fined companies millions for cookie violations. Smaller businesses have received fines in the tens of thousands of euros. Beyond fines, there is reputational risk — privacy advocates and journalists increasingly audit websites for compliance.
Running a cookie banner when you do not need one: No legal risk, but real business cost. Cookie banners increase bounce rates (visitors leave before interacting with your site), reduce analytics accuracy (visitors who decline are invisible), add development and maintenance overhead (consent management platform subscription, implementation, testing), and create a poor first impression.
The optimal approach is to use analytics that do not require a cookie banner in the first place. You avoid the legal risk of non-compliance, the business cost of consent popups, and the accuracy loss from visitors who decline tracking.
A decision framework
Does your analytics tool set cookies? If yes, you need a consent banner for EU/UK visitors. Outside the narrow CNIL-style audience-measurement exemption described above, there is no exception for analytics cookies.
Does your analytics tool use localStorage or other client-side storage for tracking? If yes, the same consent requirement likely applies. The ePrivacy Directive covers all client-side storage, not just cookies.
Does your analytics tool operate entirely server-side with no client-side storage? If yes, no consent banner is needed under ePrivacy / PECR. You still need a GDPR-compliant privacy policy and a valid legal basis (typically legitimate interest) for processing any personal data like IP addresses.
Does your analytics vendor use your data for their own purposes? If yes (as Google does with GA4 data), this creates additional compliance obligations. If no (as with sourcebeam, Plausible, Fathom), your compliance position is significantly simpler.
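The first two questions in this framework are technical and can be verified rather than taken from a vendor's marketing page. The following is an added example, not part of the original article: it snapshots cookies, localStorage and sessionStorage, lets the analytics script run, and reports every key the script added or changed. All function names are this example's own, and the before/after snapshots are constructed, not captured from a real site.

```javascript
// Added example (not part of the original page): a check for the first two
// questions in the framework above. It snapshots cookies, localStorage and
// sessionStorage before and after an analytics script runs and reports what
// the script wrote. All names here are this example's own.

function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Works on anything with the Web Storage shape: length, key(i), getItem(k).
function dumpStorage(store) {
  const out = {};
  for (let i = 0; i < store.length; i++) {
    const k = store.key(i);
    out[k] = store.getItem(k);
  }
  return out;
}

// env bundles the three things to inspect, so the same code runs in a browser
// (pass document.cookie, localStorage, sessionStorage) and in this offline run.
function snapshot(env) {
  return {
    cookies: parseCookies(env.cookieString),
    localStorage: dumpStorage(env.localStorage),
    sessionStorage: dumpStorage(env.sessionStorage),
  };
}

// Keys that appeared or changed between two snapshots, per storage area.
function storageDiff(before, after) {
  const changed = {};
  for (const area of ["cookies", "localStorage", "sessionStorage"]) {
    changed[area] = Object.keys(after[area]).filter(k => after[area][k] !== before[area][k]);
  }
  return changed;
}

// True when the script wrote nothing anywhere: the "no client-side storage"
// condition that takes a tool outside the ePrivacy consent requirement.
function wroteNothing(diff) {
  return Object.values(diff).every(list => list.length === 0);
}

// In a browser, capture the real environment like this (not called in Node).
function browserEnv() {
  return { cookieString: document.cookie, localStorage, sessionStorage };
}

// Minimal Web Storage stand-in so the check can run offline in Node.
function fakeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return {
    get length() { return m.size; },
    key: i => [...m.keys()][i] ?? null,
    getItem: k => (m.has(k) ? m.get(k) : null),
  };
}

// Constructed snapshots (not captured from a real site). "before" holds only
// the site's own session cookie; "afterCookieTool" shows GA-style cookies plus
// a localStorage key; "afterCookieless" is unchanged.
const before = snapshot({
  cookieString: "sessionid=abc123",
  localStorage: fakeStorage({}),
  sessionStorage: fakeStorage({}),
});
const afterCookieTool = snapshot({
  cookieString: "sessionid=abc123; _ga=GA1.1.111111111.1700000000; _ga_EXAMPLE=GS1.1.1700000000.1.0.1700000000.0.0.0",
  localStorage: fakeStorage({ tracker_session_id: "constructed-value" }),
  sessionStorage: fakeStorage({}),
});
const afterCookieless = snapshot({
  cookieString: "sessionid=abc123",
  localStorage: fakeStorage({}),
  sessionStorage: fakeStorage({}),
});

console.log(storageDiff(before, afterCookieTool));
// { cookies: ['_ga', '_ga_EXAMPLE'], localStorage: ['tracker_session_id'], sessionStorage: [] }
console.log(wroteNothing(storageDiff(before, afterCookieless))); // true
```

To use it on a real page, open the browser console on a fresh profile, take `snapshot(browserEnv())` before the analytics tag is inserted, insert the tag, wait a few seconds for any deferred writes, then diff a second snapshot. Two caveats: IndexedDB and other storage APIs the article mentions are not covered by this snapshot and should be checked in the browser's storage inspector, and `document.cookie` cannot see HttpOnly cookies, so also review Set-Cookie headers in the network panel. Whether a cookie that does appear is "strictly necessary" remains a legal judgment, not something this script decides.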
The practical answer
If you use Google Analytics, Mixpanel, Hotjar, or any other tool that sets cookies — yes, you need a cookie banner for EU/UK visitors. There is no workaround, and "consent mode" does not eliminate the consent requirement (it just limits what happens before consent is given).
If you switch to a cookieless analytics tool like sourcebeam, Plausible, or Fathom — you can track visitors without cookies and remove the cookie banner entirely (assuming you have no other cookies on your site that require consent). Your analytics run without consent, your visitors see your content instead of a popup, and your compliance overhead drops to near zero.
The simplest way to not need a cookie banner is to not use cookies.
sourcebeam is cookie-free analytics — no consent banner needed. 10,000 events/month free. Try it free