GDPR-Compliant Analytics Without Consent Banners: A Complete Guide

If you run a website in Europe (or serve European visitors), you've probably spent time wrestling with cookie consent banners. The good news: they're not always necessary.

What GDPR actually requires

GDPR doesn't ban analytics. It regulates the processing of personal data — information that can identify a specific individual. The key question is: does your analytics tool collect personal data?

Traditional tools like Google Analytics collect:

• Full IP addresses
• Persistent cookie identifiers
• Cross-site browsing history
• Detailed device fingerprints
• Google account data (if signed in)

All of these qualify as personal data under GDPR, which is why Google Analytics requires a consent banner.

When you don't need consent

Under GDPR, you don't need consent if you're not processing personal data. The European Data Protection Board has confirmed that truly anonymous data — data that cannot identify an individual even when combined with other data — falls outside GDPR's scope.

For analytics to be truly anonymous, it must:

1. Not store IP addresses — not even temporarily in logs
2. Not use cookies — including "session" cookies
3. Not create persistent identifiers — no fingerprinting
4. Not enable cross-site tracking — no shared user IDs
5. Not store raw User-Agent strings — these can be fingerprint components

How Fairlytics stays compliant

Fairlytics processes data through a privacy pipeline:

• IP → Country code → IP discarded (in-memory, never hits the database)
• User-Agent → Browser/OS/Device category → raw string discarded
• Full URL → Path only (query parameters stripped)
• Full referrer → Domain only

The result is aggregate data that cannot identify any individual. No cookies are ever set. The Do Not Track header is respected.

What about ePrivacy / the Cookie Directive?

The ePrivacy Directive (often called the "Cookie Law") requires consent for storing or accessing information on a user's device. Since Fairlytics doesn't set cookies or use localStorage for tracking, the ePrivacy Directive doesn't apply.

We do use sessionStorage for a temporary session ID, but sessionStorage is cleared when the browser tab closes and is not transmitted to third parties — the French data protection authority (CNIL) has indicated this type of ephemeral, first-party storage does not require consent.

Switching from Google Analytics

If you're currently using Google Analytics and want to drop the consent banner:

1. Install the Fairlytics snippet — one line of code, 510 bytes gzipped
2. Run both tools in parallel for a week to compare data
3. Remove Google Analytics and the consent banner
4. Update your privacy policy to reflect the change

Your visitors will thank you — and your page load times will improve.

Get started

Fairlytics offers a free plan with 10,000 page views per month. No credit card required, no consent banner needed.