← Back to Blog

What Is Cookieless Analytics? A Plain-English Explanation

“Cookieless analytics” sounds like a buzzword, but it describes something pretty straightforward: tracking how many people visit your website without dropping cookies in their browsers. No consent popups, no GDPR anxiety, no creepy cross-site tracking.

Here’s what’s actually going on under the hood.

Google Analytics — and most traditional analytics tools — work by planting a cookie in your visitor’s browser. It looks something like _ga=GA1.2.123456789.1234567890. That string is a unique ID tied to that specific browser.

Every time that person loads a page on your site, the cookie gets sent back to Google’s servers. Google matches the ID, connects the dots, and builds a timeline: this person viewed your pricing page Tuesday, came back Wednesday to read the docs, and signed up Thursday. Powerful stuff.

The catch: that cookie requires GDPR consent before it can be set. Hence the banners. And if someone clicks “Reject All,” Google Analytics doesn’t see them at all. They’re invisible.

The cookieless approach

Cookieless tools work differently. When someone visits your page:

A lightweight script fires off a single request to the analytics server. It includes the page URL, where the visitor came from (referrer), what browser they’re using, and their screen size. The server logs this as an anonymous data point. No cookie gets set. No unique ID gets assigned.

The visitor leaves. Nothing persists on their device. If they come back tomorrow, the analytics tool has no way to connect the two visits — because it never identified them in the first place.

”But how do you count unique visitors then?”

Fair question. Different tools handle this differently.

Plausible and Fathom create a hash from the visitor’s IP address, User-Agent string, and a daily salt. Everyone from the same browser on the same day produces the same hash, so they count as one visitor. The salt changes every day, so you can’t track anyone across days. The raw IP is never stored anywhere.

We (HushStats) use a different technique based on the If-Modified-Since HTTP header — essentially using the browser’s built-in caching mechanism to distinguish new visits from repeat visits within a session. No data stored on the device, no identifiers persisted.

Neither method is as precise as cookies. You’ll get an estimate of unique visitors rather than an exact count. In practice, the numbers are close enough to be useful, and the trade-off — privacy for precision — is one most site owners are happy to make.

What you still get

The data gap is smaller than people expect. Cookieless analytics still gives you pageview counts, estimated unique visitors, your most popular pages, where traffic is coming from, what countries your visitors are in, browser and device breakdowns, and bounce rate.

That covers about 90% of what most website owners ever look at in Google Analytics.

What you lose

No sugarcoating: there are real trade-offs.

You can’t track the same person across multiple sessions. You can’t attribute a signup to a specific ad campaign three days later. You can’t build user journey maps that span visits. And you can’t retarget visitors with ads (though honestly, if you’re reading this, you probably don’t want to).

For e-commerce sites doing serious conversion optimization, these gaps matter. For blogs, docs sites, portfolios, SaaS landing pages, and most indie projects, they really don’t.

Why people are switching

Three reasons keep coming up.

Privacy is the obvious one. People are increasingly uncomfortable knowing their site is feeding Google’s surveillance apparatus. Removing GA is one of the easiest privacy wins you can make.

Accuracy is the sneaky one. If 30% of your technical audience uses ad blockers that block GA, your numbers have been wrong this whole time. Cookieless tools aren’t blocked by most ad blockers because they’re not doing anything worth blocking.

And simplicity rounds it out. One script tag, one dashboard page, no consent banners to maintain. It’s analytics the way it should have been from the start.