How Analytics Works Without Cookies
Understanding the technology behind privacy-first analytics and how modern tools provide insights without tracking individual users.
Traditional analytics tools like Google Analytics rely on cookies to identify visitors. They set a unique identifier that persists across sessions, allowing them to track returning visitors and build user profiles.
This creates problems: cookies require consent, enable cross-site tracking, and turn every visitor into a surveillance target.
How Cookieless Analytics Works
Privacy-first analytics tools use different approaches to provide useful insights without tracking individual users:
1. Aggregate-First Data Collection
Instead of tracking individual users and then aggregating, cookieless analytics starts with aggregation. When a pageview occurs:
- The page URL is recorded (what was visited)
- The referrer is recorded (where they came from)
- Basic device info is recorded (browser, OS, screen size)
- Geographic location is derived from IP (country/region level)
- The IP is then discarded or anonymized
No persistent identifier links these events to a specific person.
2. Session Estimation
Without cookies, how do we know if someone is a "unique visitor" or a "returning visitor"? We use statistical estimation:
- Hash together: date + site ID + IP address + user agent
- This creates a daily identifier that can't be reversed
- Multiple pageviews with the same hash = same session
- The hash changes daily, preventing long-term tracking
This provides reasonable unique visitor counts without persistent tracking.
3. No Cross-Site Tracking
Each website's analytics is completely isolated. The same visitor on two different sites using the same analytics tool cannot be connected. This is fundamentally different from Google Analytics, where visitor data feeds into Google's advertising ecosystem.
Cookie vs Cookieless Comparison
| Capability | Cookie-Based | Cookieless |
|---|---|---|
| Track pageviews | ||
| Track referrer sources | ||
| Geographic location | ||
| Device/browser info | ||
| UTM campaign tracking | ||
| Custom event tracking | ||
| Daily unique visitors | ||
| Identify returning visitors (weeks later) | ||
| Build user profiles | ||
| Cross-site tracking | ||
| Individual user journeys | ||
| No consent required | ||
| Works with ad blockers | ||
| No privacy liability |
Technical Implementation
What Data is Collected
When a visitor loads a page with the Invoker script, we collect:
- Page URL: The current page path
- Referrer: Where the visitor came from (if available)
- User Agent: Browser and OS information
- Screen Size: Viewport dimensions
- Language: Browser language setting
- UTM Parameters: Campaign tracking data (if present)
What Happens to IP Addresses
IP addresses are used briefly for:
- Deriving geographic location (country/region)
- Creating a daily session hash (combined with other non-personal data)
After this processing, the raw IP address is never stored. There's no way to reconstruct it from our data.
The Session Hash
To estimate unique visitors without tracking, we create a hash:
hash = SHA256(
date + // Changes daily
site_id + // Per-site isolation
ip_address + // Network identifier
user_agent // Browser identifier
)This hash:
- Cannot be reversed to get the original data
- Changes every day (no long-term tracking)
- Is unique per site (no cross-site tracking)
- Provides reasonable session/visitor estimation
Limitations and Trade-offs
Cookieless analytics has real limitations:
- Returning visitor accuracy: We can identify same-day returns but not someone who visited last month
- User journeys: We can't track an individual's path through your site over multiple sessions
- Cohort analysis: Limited to session-based cohorts, not user-based
- Attribution: Can't do multi-touch attribution across sessions
For most websites, these limitations don't matter. You can still answer the important questions: What content is popular? Where does traffic come from? Are my campaigns working?
Why Not Fingerprinting?
Some "cookieless" analytics tools use fingerprinting—combining browser characteristics to create a unique identifier. This is problematic:
- It's still tracking individual users
- Users can't easily opt out (unlike deleting cookies)
- Many consider it worse than cookies for privacy
- May still require consent under GDPR
True privacy-first analytics avoid fingerprinting entirely.
Benefits of Cookieless Analytics
Without cookies or personal data, you don't need cookie consent banners for analytics.
No data lost to consent opt-outs or cookie blockers. See more of your actual traffic.
Works within GDPR, CCPA, and other privacy regulations without complex compliance measures.