GDPR-Compliant Analytics Without a Cookie Banner — What the Law Actually Requires
Most analytics tools need a cookie banner because they set cookies. But the law doesn't require a banner for analytics — it requires one for cookies. Here's what GDPR and the ePrivacy Directive actually say, and why cookie-free analytics sidesteps the requirement entirely.
Every analytics guide eventually mentions "cookie banners." But few explain why those banners exist — or under what conditions you can skip them entirely. The short answer: cookie banners are required for cookies, not for analytics. If your analytics tool doesn't use cookies, you don't need a banner.
Here's what the law actually says, why traditional analytics tools trigger the requirement, and why a growing class of cookie-free tools sidesteps it completely.
What GDPR Actually Regulates
The General Data Protection Regulation (GDPR) governs the processing of personal data — information relating to an identified or identifiable natural person. If you process personal data of EU residents, GDPR applies. If you don't, it doesn't.
Tracking cookies by themselves don't automatically constitute personal data. But when a cookie stores a unique identifier — a visitor ID, a session token, a device fingerprint — that identifier can, in combination with other data, identify a person. The CJEU (Court of Justice of the EU) and national regulators have consistently held that tracking cookies that persist across sessions create identifiable profiles and therefore fall under GDPR.
GDPR requires a lawful basis for processing personal data. For non-essential analytics cookies, "legitimate interests" is increasingly difficult to rely on: data protection authorities (DPAs) have repeatedly rejected it for tracking. That leaves consent, hence the cookie banner.
The ePrivacy Directive: The Actual Cookie Law
GDPR gets most of the attention, but the more specific instrument for cookie compliance is the ePrivacy Directive (sometimes called the Cookie Law), implemented locally in each EU member state.
The ePrivacy Directive's rule is straightforward: you need prior informed consent before storing or accessing information on a user's device — with limited exceptions. The key exceptions are:
- Strictly necessary cookies: required for a service the user has explicitly requested (shopping cart, session login). No consent needed.
- Technical transmission: cookies solely used to carry out the transmission of a communication.
Analytics cookies don't qualify for these exceptions. They're not strictly necessary for the service the user requested. They exist to benefit the website operator, not to fulfil the user's request.
This is why Google Analytics requires a cookie banner: it stores a _ga cookie on the user's device for two years. That cookie is not strictly necessary. Consent is required before setting it.
Why Cookie-Free Analytics Skips All of This
Cookie-free analytics tools like Beam don't write anything to the user's device — no cookies, no localStorage, no fingerprinting scripts, no persistent identifiers. They count traffic using aggregated, non-personal signals:
- The URL path being visited
- The referrer (where the user came from)
- The user's country (derived from IP, not stored)
- Browser family and screen width (for device breakdowns)
These signals are hashed together with a rotating daily salt to count unique visitors without ever identifying a person. The hash is discarded after counting. No user-level record is created.
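A sketch of the counting scheme described above, added here as an illustration and not Beam's own code. The class name, the use of HMAC-SHA256, and the choice to hash country, browser family and screen width while counting per path are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample hits: (path, country, browser family, screen width).
SAMPLE_HITS = [
    ("/pricing", "DE", "Firefox", 1920),
    ("/pricing", "DE", "Firefox", 1920),  # same signals again: not a new unique
    ("/pricing", "FR", "Chrome", 390),
    ("/", "DE", "Firefox", 1920),
]


class DailyUniqueCounter:
    """Counts unique visitors per path and retains only aggregate totals."""

    def __init__(self):
        self._salt = secrets.token_bytes(32)  # memory only; never logged or persisted
        self._seen = defaultdict(set)         # path -> digests seen in the current day
        self.totals = {}                      # day label -> {path: unique count}

    def digest(self, country, browser_family, screen_width):
        # Length-prefix every field so ("ab", "c") and ("a", "bc") hash differently.
        fields = (country, browser_family, str(screen_width))
        msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
        return hmac.new(self._salt, msg, hashlib.sha256).digest()

    def record(self, path, country, browser_family, screen_width):
        self._seen[path].add(self.digest(country, browser_family, screen_width))

    def rotate(self, day_label):
        """Close the day: keep the counts, destroy the digests and the old salt."""
        counts = {path: len(digests) for path, digests in self._seen.items()}
        self.totals[day_label] = counts
        self._seen.clear()
        # Without the old salt, yesterday's digests cannot be recomputed or
        # joined to today's, so no identifier spans the rotation boundary.
        self._salt = secrets.token_bytes(32)
        return counts


if __name__ == "__main__":
    counter = DailyUniqueCounter()
    for hit in SAMPLE_HITS:
        counter.record(*hit)
    print(counter.rotate("day-1"))
```

Visitors whose coarse signals are identical collapse into a single digest, so the totals are a lower bound on unique visitors.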
Because nothing is stored on or accessed from the user's device, the ePrivacy Directive's consent requirement doesn't trigger. No cookie is set, so no cookie consent is needed.
And because no personal data is collected, GDPR's consent and lawful basis requirements don't apply either — there's no personal data to regulate.
CCPA (California Consumer Privacy Act)
The same logic applies to CCPA. California's privacy law regulates the "sale" or "sharing" of personal information, and the right to opt out applies when businesses collect personal information for advertising purposes. Cookie-free analytics that collects no personal information falls outside CCPA's scope. There's no opt-out to implement, no "Do Not Sell" link to add.
PECR (UK ePrivacy Law)
Post-Brexit, the UK's Privacy and Electronic Communications Regulations (PECR) remain in force and closely mirror the EU ePrivacy Directive. The same logic applies: cookie consent is required for cookies, not for analytics in general. Cookie-free analytics is compliant with PECR without consent banners.
Common Misconceptions
"I still need a cookie banner even if I use cookie-free analytics."
Only if you have other cookies — from third-party embeds, chat widgets, advertising tags, or other services. Beam running as your only analytics tool doesn't create a consent obligation. If you're using other services that set cookies, those still need a banner.
"IP addresses are personal data, so analytics is always regulated."
IP addresses are considered personal data when stored or associated with a user record. Cookie-free analytics tools derive aggregated signals from the IP (like country) and then discard it. No IP is stored, so no personal data enters the system.
"All analytics requires consent under GDPR."
This is a common conflation. GDPR requires consent for processing personal data. If your analytics collects no personal data, GDPR's consent requirement doesn't apply. The ICO (UK), the CNIL (France), and the German DPAs have all issued guidance confirming that privacy-preserving analytics can be lawful without consent.
What to Look for in a Compliant Analytics Tool
To run analytics without a consent banner, your tool should:
- Set no cookies and use no localStorage or IndexedDB for visitor tracking
- Not store or log raw IP addresses
- Not create user-level records or persistent identifiers
- Not share data with third parties for advertising
- Use aggregated, non-reversible data for unique visitor counting
Beam meets all of these criteria by design. If you switch to Beam as your only analytics tool and you have no other cookies on your site, you can remove your cookie banner entirely.
Summary
- Cookie banners are required by the ePrivacy Directive when you store or access data on a user's device (cookies, localStorage)
- GDPR's consent requirement is triggered by processing personal data, not analytics in general
- Cookie-free analytics that stores nothing on the user's device and collects no personal data doesn't trigger either requirement
- CCPA and PECR follow the same logic — no personal data means no consent obligation
- If Beam is your only analytics tool and your site has no other cookies, you can remove your consent banner