In this article, we will discuss why businesses are moving away from cookie-based user tracking and how so-called privacy-friendly cookieless tracking software may still cause compliance and privacy concerns, regardless of their claims.
Lastly, we will take a look at privacy-first cookieless tracking solutions that will give you valuable tracking insights without compromising personal data of your website visitors.
Before we dig deeper into cookieless tracking and privacy, we will first explain why businesses are shifting away from cookie-based analytics in the first place:
Since the internet’s early days, businesses have understood the importance of analyzing website traffic. Getting more of the right kind of exposure to your website means more leads and, eventually, clients and customers.
Because of this, website analytics tools that allow user tracking have become vital parts of businesses’ digital marketing arsenals worldwide.
The default way of tracking users was through third-party cookies, small pieces of data stored in users’ web browsers that let tracking services collect data in the background.
While cookie-based tools such as Google Analytics used to be an effective solution to track user behavior, the level of precision they allowed had significant implications on user privacy.
Third-party cookies store data that allows external services to track users across websites. At first glance, this doesn’t seem all that important, as most of the data is technical—IP addresses, device information, precise location information, basic demographic information, and purchasing habits.
However, when combined, this information can be used to create detailed user profiles, which are incredibly valuable for website owners in their marketing efforts.
That’s why you often see ads “following” you around the web and displaying products you recently viewed—a cookie stored on your browser remembers your preferences, allowing ad targeting and much more.
The importance of privacy as a concept is nothing new; it is a part of the Universal Declaration of Human Rights and the United States Constitution. However, the modern digital era required a new approach as the older legal framework wasn’t specific enough.
The EU recognized this need, and its ePrivacy Directive was a step in the right direction. It established rules for the interception, storage, scanning, and surveillance of users.
However, the General Data Protection Regulation (GDPR) revolutionized internet privacy and website tracking by introducing strict rules around the use of cookies and personal data.
After the GDPR became fully effective, websites could process user data only with explicit user consent. Website owners are now required to display complex cookie consent banners that interfere with website design and user experience.
Even though the GDPR is an EU regulation, it applies based on the location of the user, not the business. If your organization processes personal data of individuals located in the EU, you are required to comply with GDPR—regardless of where your company is based. This extraterritorial scope triggered a wave of global compliance, as the EU represents a highly valuable market with over 450 million people.
After the GDPR, other legislators followed:
Legislators aren’t the only ones raising concerns about cookie use—users themselves are taking active measures to prevent cookie tracking.
They can refuse cookies manually, but many ad blockers and similar tools also have built-in privacy features that block cookies or clean browsing data automatically.
Plus, many users rely on VPNs to cloak their traffic, on Do Not Track settings and incognito windows, and on private browsers and search engines that prevent tracking.
The reason behind this change is simple: people are becoming increasingly aware of their privacy and how major companies monetize their personal information.
According to a 2024 study by Bitkom, 76% of internet users feel annoyed by cookie banners, and 68% say they don’t want to deal with them at all. More than half (51%) even avoid certain websites altogether because of excessive cookie prompts.
When this type of privacy-aware user notices third-party cookie consent screens on your website, they may raise questions regarding your company’s ethical standards, which can negatively affect your brand reputation.
However, those privacy-focused tools also interfere with cookie-based tracking results. Where cookie-based data used to be accurate and granular, it is now far less reliable simply because a growing portion of visitors are doing what they can to prevent tracking.
As you can see, both legislators and users have recognized cookie tracking as problematic, primarily from a privacy perspective. Because of this, cookieless tracking is booming in popularity.
Instead of relying on third-party cookies for tracking, privacy-friendly cookieless solutions gather first-party data directly from your website. That means there is no tracking across websites, and data brokers, advertisers, and tech giants won’t have access to your users’ data.
While server-side tracking sounds great and is definitely a step in the right direction, these privacy-friendly tools miss the core issue. The problem isn’t cookies alone—unnecessary personal data processing is what legislators and users are trying to prevent.
Even if third parties don’t monetize users’ personal data and no cookies are used for tracking, you might still be required to display a consent banner—depending on the type of data being processed.
Under regulations such as the GDPR, ePrivacy Directive, and PECR, IP addresses are considered personal data. Any information that can be used to identify a person—either directly or when combined with other data—falls under the definition of personal data and may trigger consent requirements.
Privacy-friendly tools often avoid cookies but still generate unique identifiers based on hashed IP addresses, precise geolocation, device characteristics, and fingerprinting techniques. While this data may not contain raw personally identifiable information (PII), it is still processed on servers and can potentially be used for re-identification—especially when linked with other data points. This introduces two issues:
Consent obligations: If personal data is processed, even without cookies, explicit user consent might be necessary.
Compliance risks: Hosting or transferring such data—especially outside the EU—can create GDPR vulnerabilities. In case of a data breach, personal data on your servers could be exposed, which is exactly what privacy laws are designed to prevent.
In short, even if tools are labeled “privacy-friendly,” they may still process enough data to require consent banners. For privacy-conscious organizations, this legal uncertainty itself is a strong argument to choose truly privacy-first tools that avoid personal data processing altogether—and remove the ambiguity from the equation.
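The following added example (not code from this article or from any analytics vendor) shows why an identifier derived from a hashed IP address is still pseudonymous personal data: it links visits into a profile, and whoever holds the hashing inputs can map it back to an address. The scheme (truncated SHA-256 over salt, IP and user agent), the function names and the sample events are assumptions constructed for illustration, using documentation IP ranges.

```python
import hashlib
import ipaddress

# Constructed sample data: documentation address ranges, made-up user agents.
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
SAMPLE_EVENTS = [
    {"day": 1, "ip": "203.0.113.42", "ua": UA, "path": "/pricing"},
    {"day": 1, "ip": "198.51.100.7", "ua": "ExampleMobile/2.0", "path": "/blog"},
    {"day": 2, "ip": "203.0.113.42", "ua": UA, "path": "/checkout"},
]


def visitor_id(ip, user_agent, site_salt=""):
    """Hypothetical cookieless identifier: hash of salt, IP and user agent."""
    material = f"{site_salt}|{ip}|{user_agent}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def link_visits(events, site_salt=""):
    """Group page views by identifier. No cookie and no raw IP is stored,
    yet visits on different days end up in the same profile."""
    profiles = {}
    for ev in events:
        vid = visitor_id(ev["ip"], ev["ua"], site_salt)
        profiles.setdefault(vid, []).append(ev["path"])
    return profiles


def recover_ip(target_id, user_agent, network, site_salt=""):
    """Audit check: the operator knows the salt and the hashing scheme, so a
    stored identifier can be matched against every address in a network."""
    for host in ipaddress.ip_network(network).hosts():
        if visitor_id(str(host), user_agent, site_salt) == target_id:
            return str(host)
    return None


if __name__ == "__main__":
    for vid, paths in link_visits(SAMPLE_EVENTS).items():
        print(vid, paths)
    stored = visitor_id("203.0.113.42", UA)
    print("re-identified:", recover_ip(stored, UA, "203.0.113.0/24"))
```

The IPv4 address space is small enough that hashing alone does not anonymize an address; only removing the IP from the identifier, or discarding the identifier before it can be linked, changes the outcome.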
mandera is a privacy-first cookieless tracking solution that processes no personal data whatsoever. Here’s what sets us apart:
We don’t use techniques such as cookies, IP hashing, fingerprinting, or profiling—mandera is private-by-design and we eliminate the IP address from every request. As a result, no IP addresses come into contact with mandera servers or your website, which means there is no personal data processing or storage.
Without relying on cookies and personal data, we provide accurate website traffic data by combining unintrusive tracking methods that allow us to distinguish and count individual visits. We rely on time zones, referrer domains, time stamps, UTM parameters, and broad device information, none of which is considered personal data.
As a result of no personal data processing, you are not required to display consent banners.
Additionally, since there are no cookies, ad blockers, VPNs, and private web browsers won’t interfere with analytics.
Because there is no personal data collection or processing, mandera is GDPR and CCPA compliant and in line with many other leading privacy regulations.
Additionally, mandera is a German company with servers located in Germany, ensuring that all data remains within the EU at all times.
mandera’s sleek dashboard shows metrics you can understand. User flow predictions will indicate where users go next after they end up on your site.
You’ll be able to track several websites from a single dashboard and also share viewing access with your team or clients.
mandera analytics won’t slow down your website—our script is lightweight, and the installation is straightforward. Everything will be ready and running in just a couple of minutes.
With mandera, you don’t have to worry about sudden traffic spikes causing your invoices to skyrocket. You pay per domain, so there will be no surprises or confusion.
If your traffic exceeds 500k monthly visitors, we will kindly notify you and ask you to upgrade to our Enterprise plan. But, until then, traffic spikes will be something you look forward to. As every marketer knows, more visitors on your website will mean more leads and, eventually, conversions.
As you can see, privacy-friendly cookieless tracking is still a step away from full compliance. Yes, you won’t use cookies, but personal data is still being processed sometimes, posing compliance risks and requiring consent banners.
mandera is a privacy-first analytics platform that provides accurate website analytics without personal data processing. It offers true privacy and requires no consent screens or data processing notifications, keeping your UI clean and UX impeccable.
Try mandera now, completely free – a 100% privacy-first & fully GDPR-compliant cookieless tracking solution.