Cookieless tracking is any method of measuring website visitor behaviour without storing a tracking cookie in the visitor’s browser.
Traditional analytics tools, Google Analytics being the most common example, use cookies to identify returning visitors and stitch sessions together across visits. Cookieless tracking achieves the same goal (understanding who visits your site and what they do) through methods that don’t rely on cookies at all.
Key takeaways
- Cookieless tracking measures visitors without storing data in the browser
- The main methods are server-side analytics, hashed fingerprinting and aggregated first-party data
- Cookieless does not automatically mean you can skip consent. It depends on whether the data is personal
- Privacy-first WordPress analytics tools like Burst use cookieless tracking by default
- No cookies means no cookie banner requirement under GDPR and ePrivacy in most configurations
Why cookieless tracking exists
Cookies have been the default tracking mechanism for the web since the 1990s. They work by dropping a small file in the visitor’s browser with a unique ID. Every time that visitor returns, the analytics tool reads the same ID and recognises them as the same person.
The problems with this approach have compounded over the past decade:
Legal friction. Under GDPR in Europe and similar laws elsewhere, placing cookies that track behaviour requires explicit consent. That means cookie banners. Visitors who decline (and many do) don’t get counted at all, which creates a meaningful gap in your data.
Browser restrictions. Safari has blocked third-party cookies since 2017. Firefox followed. Chrome eventually joined. The tracking infrastructure built around third-party cookies has been collapsing steadily.
User trust. Beyond legal compliance, there’s a real shift in how people feel about being tracked across the web. Many visitors are actively hostile to tracking and will decline consent or use ad blockers regardless of what the law requires.
Cookieless tracking sidesteps these problems by not using the mechanism that triggers consent requirements in the first place.
How cookieless tracking works
There are several approaches, each with different trade-offs:
Server-side analytics
Instead of running a JavaScript tracking script in the visitor’s browser, the analytics tool records data from your web server directly. The server logs every request, including page path, referrer, browser type and rough geolocation from the IP address. No cookie is set. No data is stored client-side.
This is the cleanest privacy approach. The trade-off is that server logs capture less behavioural data, you can’t easily track scroll depth, button clicks or time on page without a client-side component.
Hashed fingerprinting
The analytics tool generates a temporary identifier from a combination of browser signals. Things like screen resolution, browser version, language settings and a salted hash of the IP address. This identifier is used to count unique visitors without ever being stored as a persistent identifier.
Done properly (with IP anonymisation and salting), this method cannot be reversed to identify individuals. It’s what Burst Statistics uses to count unique visitors while remaining anonymous by design.
First-party data collection
Some tools combine cookieless session tracking with first-party data information the visitor actively provides, like an email address at checkout. This is privacy-compliant as long as the data is handled under a proper legal basis (usually legitimate interest or contract for logged-in users).
Cookieless tracking and consent requirements
This is where a lot of confusion exists, so it’s worth being direct.
Cookieless does not automatically mean no consent needed.
The question under GDPR and ePrivacy is whether the data you’re collecting is personal data or involves storing information on the visitor’s device. If your cookieless tracking:
- Collects no individual identifiers
- Anonymises IP addresses before processing
- Does not fingerprint in a way that singles out individuals
…then in most EU jurisdictions you don’t need a cookie banner. This is the configuration Burst runs in by default: anonymous, cookie-free, no individual identifiers stored.
If your “cookieless” solution still creates persistent individual profiles, relies on device fingerprinting that can identify individuals or stores data via local storage instead of cookies, consent requirements may still apply. The mechanism doesn’t matter; what matters is whether the result is personal data.
Cookieless tracking in practice for WordPress sites
Most WordPress analytics plugins still use cookies by default because that’s what Google Analytics established as the standard. Some offer a cookieless mode as an option. A few are cookieless by default.
Burst Statistics runs cookie-free by default. Visitors are counted anonymously using session-level tracking without dropping any client-side identifier. You get accurate session counts, pageview data, referrer information and goal completions. All without a cookie banner.
If you want cookies (some site owners prefer them for more accurate returning visitor counts), you can enable them in Burst’s settings. But the default is cookieless, and for most WordPress sites it’s the cleaner choice.
“Most site owners are surprised to find they don’t actually need cookies to get useful analytics. You lose a bit of long-term returning visitor accuracy and gain cleaner data, no legal overhead and faster pages.”
— Hessel, co-founder, Burst Statistics
Cookieless vs cookie-based: what you actually lose
Switching to cookieless tracking means accepting some data gaps:
Returning visitor accuracy. Without a persistent cookie, distinguishing a truly new visitor from someone who cleared their cache or switched browsers is harder. Your “returning visitors” metric will likely run lower than with cookie-based tracking.
Cross-session user journeys. Cookie-based tools can show you that the same person visited three times before buying. Cookieless tools typically see each session as independent.
Long-term attribution. Some attribution models rely on knowing a visitor’s complete history. That’s harder without persistent IDs.
What you gain: full visitor counts (no consent dropouts), no legal overhead, faster page loads (no consent banner blocking render), and a cleaner relationship with your audience.
For most content sites, blogs and small ecommerce stores, the data you gain from being cookieless is more accurate and complete than what you lose.
FAQs
It depends on the implementation. Anonymous cookieless tracking that doesn’t store personal data and doesn’t create individual profiles generally doesn’t require a consent banner under GDPR. Burst’s default configuration falls into this category. You should still have a privacy policy that describes your analytics setup. If in doubt, consult a data protection specialist for your specific situation.
Not necessarily fewer, often even more. Cookie-based tools miss everyone who declines consent. Cookieless tools count all visitors regardless. For sites with significant EU traffic, cookieless analytics often shows 15–30% more sessions than GA4 running with a consent banner.
First-party analytics means your analytics data is collected and stored on your own domain rather than sent to a third party. Cookieless tracking refers to the method of visitor identification. Many cookieless tools are also first-party, but not all, some cookieless solutions still send data to external servers.
Yes. Burst is cookieless by default. If you’ve enabled cookies, you can turn them off in Burst Settings. Existing data isn’t affected , the switch changes how future sessions are tracked
Analytics without the banner
Cookieless tracking isn’t a compromise. For most WordPress sites it’s the better default. Burst Statistics runs cookie-free out of the box, counts every visitor and keeps your data on your own server.
Respect your readers, keep your site clean
Privacy-friendly analytics with no cookie banner, no external data sharing and no setup headaches. Installs in under 2 minutes.
Related definitions: what is first-party analytics and what is data sovereignty.
