Cookie-Less Analytics Explained: How HitKeep Tracks Without Consent Banners

Every EU website displays a cookie consent banner because of one legal requirement: setting cookies that track visitors requires explicit consent under GDPR. Remove the tracking cookies, remove the need for the banner. HitKeep is cookie-less by default — this guide explains what that actually means technically and legally.

Cookie-less does not mean “no tracking.” It means tracking that doesn’t rely on cookies stored in the visitor’s browser.

Traditional analytics (Google Analytics, Matomo with cookies) works like this:

  1. Visitor lands on your site.
  2. Analytics sets a cookie with a unique ID (e.g., _ga=GA1.1.123456789.1700000000).
  3. This cookie persists in the browser for 2 years.
  4. On every subsequent visit, the same cookie is sent back, identifying the returning visitor.

HitKeep doesn’t set any cookies. Instead, it identifies sessions using a combination of signals available in the HTTP request:

  • IP address (hashed, not stored)
  • User agent string
  • Accept-Language header
  • Screen resolution (from the tracking snippet)

These signals are combined and hashed to create a session fingerprint. The raw values are discarded — only the hash is used to count unique sessions within a 24-hour window.

The key GDPR provisions for analytics are:

  • Article 5(1)(b): Data must be collected for specified, explicit, and legitimate purposes.
  • Article 6: Processing requires a lawful basis. For analytics, this is typically “legitimate interest” or “consent.”
  • ePrivacy Directive (Cookie Law): Storing or accessing information on a user’s device requires consent, unless it is strictly necessary.

The ePrivacy Directive is what triggers the cookie banner requirement. Cookies for analytics are not strictly necessary, so they require consent.

If you don’t set cookies, the ePrivacy Directive doesn’t apply to your analytics. The data processing (HTTP logs, aggregated analytics) may still fall under GDPR’s “legitimate interest” basis, but the specific consent-before-cookies requirement does not.

HitKeep respects the DNT: 1 header sent by browsers when users opt out of tracking. Enable it with the tracking snippet attribute:

<script async src="https://analytics.example.com/hk.js"
data-collect-dnt="true"></script>

With data-collect-dnt="true", visits from browsers with DNT enabled are not recorded. This is the privacy-first default we recommend.

HitKeep processes the following data per pageview:

Data               How it’s used                               Stored?
IP address         GeoIP lookup (country) + session hashing    No — hashed only
User agent         Browser/OS detection + session hashing      Parsed only
Referrer URL       Traffic source attribution                  Yes
Page URL           Path analytics                              Yes
UTM parameters     Campaign attribution                        Yes
Screen resolution  Session hashing                             No — hashed only

No names, no emails, no persistent identifiers, no advertising profiles.

Beyond consent banners, there’s a deeper GDPR issue with cloud analytics: international data transfers. When you send analytics data to Google, Amplitude, or Mixpanel, that data flows to US servers. EU data protection authorities have ruled this violates GDPR’s Chapter V restrictions on international transfers (Schrems II).

With HitKeep:

  • Data lives on your server (or in an EU-region cloud like cloud.hitkeep.eu).
  • No third party has access.
  • No international transfer occurs.

This is data sovereignty at the infrastructure level, not just a privacy policy claim.

One common question: if HitKeep doesn’t use cookies, how does it know when a pageview is part of the same session?

The session fingerprint (hashed from IP + User-Agent + Accept-Language + day) is consistent within a 24-hour window for the same browser. This means:

  • A visitor browsing your site today counts as one session.
  • The same visitor returning tomorrow counts as a new session.
  • Two different visitors on the same corporate NAT IP but different browsers count as separate sessions (different user agents).

This approach is less precise than cookie-based tracking for identifying “returning users” over time, but it’s accurate for the metrics that matter most: unique daily visitors, page popularity, and conversion rates.
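The session-window behaviour described above (signals hashed into a fingerprint, valid for one day, raw values discarded), as an added Go example that is not HitKeep's own code, whose implementation this page does not show. The daily random salt is an assumption of this example, not something the page describes: without it, stored hashes could be reversed by enumerating IP and User-Agent pairs.

```go
package main

import "crypto/sha256"
import "encoding/hex"
import "fmt"
import "time"

// Signals are the request-side values the page lists; they are hashed once and never stored.
type Signals struct {
	IP, UserAgent, AcceptLang, Screen string
}

// SessionHash derives the daily session fingerprint. The UTC date is part of the
// input, so the same browser yields a different hash once the 24-hour window has
// passed. dailySalt is an assumption of this example: a random value regenerated
// each day and never persisted, so that whoever holds the stored hashes cannot
// recover visitors by enumerating IP/User-Agent pairs (a small, guessable space).
func SessionHash(s Signals, at time.Time, dailySalt []byte) string {
	h := sha256.New()
	h.Write(dailySalt)
	for _, part := range []string{at.UTC().Format("2006-01-02"), s.IP, s.UserAgent, s.AcceptLang, s.Screen} {
		h.Write([]byte(part))
		h.Write([]byte{0}) // NUL separator: cannot occur in header values, so joins are unambiguous
	}
	return hex.EncodeToString(h.Sum(nil))
}

// DailyUniques counts distinct fingerprints, which is how "unique sessions within
// a 24-hour window" is produced without any cookie.
func DailyUniques(reqs []Signals, at time.Time, dailySalt []byte) int {
	seen := make(map[string]struct{})
	for _, r := range reqs {
		seen[SessionHash(r, at, dailySalt)] = struct{}{}
	}
	return len(seen)
}

func main() {
	salt := []byte("constructed-daily-salt") // production: crypto/rand, rotated daily
	today := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
	alice := Signals{"203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "de-DE", "1920x1080"}
	bob := alice // same corporate NAT address, different browser
	bob.UserAgent = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
	fmt.Println("unique sessions today:", DailyUniques([]Signals{alice, alice, bob}, today, salt))
	fmt.Println("same visitor linkable tomorrow?",
		SessionHash(alice, today, salt) == SessionHash(alice, today.AddDate(0, 0, 1), salt))
}
```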

Google’s Consent Mode v2 attempts to model behavior for users who decline cookies by using statistical inference. This approach:

  • Still sets cookies for consenting users
  • Uses Google’s ML models to fill in gaps
  • Requires a consent management platform (CMP)
  • Adds complexity and ongoing maintenance

Cookie-less analytics sidesteps all of this by not requiring consent in the first place.

On the server, a privacy-first configuration looks like this:

# Trusted proxies are needed for accurate IP resolution; the default
# retention is 365 days and can be lowered per site.
hitkeep \
  -public-url="https://analytics.example.com" \
  -jwt-secret="..." \
  -trusted-proxies="127.0.0.1/32" \
  -retention-days=365

And in the tracking snippet, enable DNT respect:

<script async src="https://analytics.example.com/hk.js"
data-collect-dnt="true"
data-disable-beacon="true">
</script>

  • data-collect-dnt="true": Skips tracking for DNT-enabled browsers
  • data-disable-beacon="true": Disables the sendBeacon API (uses fetch instead, which some privacy tools block — this ensures HitKeep behaves consistently)
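How a -trusted-proxies list such as the one above should be applied when attributing a pageview to a client address, as an added Go example that is not HitKeep's code (the flag name is from the page; the resolver type and its behaviour are assumptions): X-Forwarded-For is honoured only when the TCP peer is a listed proxy, and the chain is read from the right so a visitor cannot pick their own address.

```go
package main

import "net"
import "strings"

// ClientIPResolver applies the -trusted-proxies rule: X-Forwarded-For is believed only from a listed proxy.
type ClientIPResolver struct{ trusted []*net.IPNet }
// NewClientIPResolver parses a comma-separated CIDR list, e.g. "127.0.0.1/32,10.0.0.0/8".
func NewClientIPResolver(cidrs string) (*ClientIPResolver, error) {
	r := &ClientIPResolver{}
	for _, c := range strings.Split(cidrs, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, err
		}
		r.trusted = append(r.trusted, n)
	}
	return r, nil
}

func (r *ClientIPResolver) isTrusted(ip net.IP) bool {
	for _, n := range r.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolve picks the client IP for a request from TCP peer remoteAddr ("host:port").
// An untrusted peer's X-Forwarded-For is ignored, since any client can set it; for a
// trusted peer the hops are read from the right and the first non-proxy address wins.
func (r *ClientIPResolver) Resolve(remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // peer given without a port
	}
	if peer := net.ParseIP(host); peer == nil || !r.isTrusted(peer) {
		return host
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(hops[i])); ip == nil {
			return host // malformed hop: trust nothing to its left, fall back to the peer
		} else if !r.isTrusted(ip) {
			return ip.String()
		}
	}
	return host // every hop was one of our proxies; the peer itself is the client
}
```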

Further reading: EDPB Guidelines on targeted advertising, NOYB.eu complaints on GA4.

Ready to go cookie-less? Get started with HitKeep →