One of the most common misconceptions in web analytics is that GDPR requires a consent banner for all tracking. It doesn't. The regulation is specific about what requires consent and what doesn't. Understanding this distinction can save you from unnecessary complexity while improving your analytics accuracy.

What GDPR actually says about analytics

GDPR (General Data Protection Regulation) applies to the processing of personal data. The key question for analytics is: does your analytics tool process personal data?

Personal data under GDPR includes:

  • IP addresses
  • Cookie identifiers
  • Device fingerprints
  • Any unique identifier that can distinguish one visitor from another
  • Location data at a granular level
  • Any data that, combined with other data, could identify an individual

If your analytics tool processes any of these, you need a lawful basis for processing. The two most commonly used bases for analytics are:

  1. Consent (Article 6(1)(a)) - The visitor explicitly agrees to be tracked. This is what cookie banners implement.
  2. Legitimate interest (Article 6(1)(f)) - You have a legitimate business interest in processing the data, balanced against the individual's rights.

But there's a third path that's often overlooked: if your analytics tool doesn't process personal data at all, GDPR's consent requirements simply don't apply.

The ePrivacy Directive matters too

GDPR isn't the only regulation at play. The ePrivacy Directive (often called the "Cookie Law") specifically governs the storage of information on a user's device. This is what makes cookies a separate legal trigger.

Under the ePrivacy Directive, storing or accessing information on a user's device (like setting a cookie) requires consent, regardless of whether the data is personal. The only exception is for cookies that are "strictly necessary" for the service the user has requested.

Analytics cookies are not considered strictly necessary. This is why Google Analytics requires a consent banner even in jurisdictions that might otherwise allow legitimate interest as a basis for analytics processing.

The path to consent-free analytics is straightforward in principle:

  1. Don't use cookies - No cookies means the ePrivacy Directive's consent requirement doesn't apply.
  2. Don't process personal data - No personal data means GDPR's consent requirements don't apply.
  3. Don't fingerprint - Hashing IP addresses, user agents, or other data to create unique identifiers still constitutes processing personal data under GDPR.
  4. Store data in the EU - While not strictly required for consent exemption, processing data within the EU avoids complications around international data transfers.

This is exactly how Cabin works.

How Cabin achieves compliance

Cabin was designed from day one to operate without any personal data processing:

No cookies

Cabin doesn't set any cookies. Not first-party, not third-party, not session cookies, not persistent cookies. Zero.

No unique identifiers

Cabin doesn't generate, store, or process any unique identifier for visitors. There's no UID in a database, no hash of IP + user agent, no fingerprint of any kind.

No IP address processing

Cabin doesn't log, store, or process IP addresses. They're not used for geolocation (country data comes from the server's edge location), and they're not used for visitor identification.

The Last-Modified method

Instead of cookies or fingerprinting, Cabin uses the browser's built-in HTTP caching mechanism to count visits. The server sends a Last-Modified header that encodes the visit count within a timestamp. This data lives entirely in the browser's cache - never in a database - and is automatically cleared when the user clears their cache.

This method is privacy-preserving because:

  • The data never identifies an individual
  • It can't be cross-referenced with other data to identify someone
  • It's stored in the browser, not on Cabin's servers
  • It's cleared automatically by standard browser behaviour
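To make the mechanism concrete, here is an added illustrative Python model of a Last-Modified visit counter. It is not Cabin's code: the base date, the count cap, the `Cache-Control` value and the status codes are assumptions, since the page does not specify them. The point it demonstrates is that the only state involved is a small, non-unique integer carried in a standard HTTP date.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed base date for this illustrative scheme (assumption, not Cabin's value).
BASE = datetime(2000, 1, 1, tzinfo=timezone.utc)
# Cap the count so the encoded value stays small and shared by many visitors,
# i.e. it can never act as a unique identifier.
MAX_COUNT = 100


def encode_visit_count(count: int) -> str:
    """Encode a visit count as an HTTP-date: BASE plus `count` seconds."""
    count = max(0, min(count, MAX_COUNT))
    return format_datetime(BASE + timedelta(seconds=count), usegmt=True)


def decode_visit_count(if_modified_since: Optional[str]) -> int:
    """Read the count back from a revalidation request; anything unparseable is a new visitor."""
    if not if_modified_since:
        return 0
    try:
        dt = parsedate_to_datetime(if_modified_since)
    except (TypeError, ValueError, IndexError):
        return 0
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    secs = int((dt - BASE).total_seconds())
    # Dates outside our window were not produced by this scheme; treat as new.
    if secs < 0 or secs > MAX_COUNT:
        return 0
    return secs


def handle_request(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Count one visit and return (status, response headers, 'new' or 'returning')."""
    previous = decode_visit_count(request_headers.get("If-Modified-Since"))
    classification = "new" if previous == 0 else "returning"
    headers = {
        "Last-Modified": encode_visit_count(previous + 1),
        # Make the browser revalidate on every visit so it sends If-Modified-Since each time.
        "Cache-Control": "no-cache",
    }
    # A 304 lets the cache update its stored Last-Modified without a new body (assumed choice).
    status = 304 if previous > 0 else 200
    return status, headers, classification
```

Nothing is logged per visitor: the server only needs the incoming header to tell a first visit from a repeat one, and the same encoded date is sent to every visitor with the same count.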

EU data processing

All Cabin data is processed and stored exclusively in the EU (AWS Ireland, with backup in London). This eliminates any concerns about international data transfers.

What privacy authorities have said

Several European Data Protection Authorities (DPAs) have provided guidance that supports cookieless, non-personal analytics without consent:

  • CNIL (France) has explicitly stated that audience measurement tools that don't use cookies and don't collect personal data can operate without consent.
  • The Dutch DPA has indicated that analytics that are limited to measuring audience statistics, don't track across sites, and don't combine data with other sources may not require consent.
  • The EDPB (European Data Protection Board) has acknowledged that not all analytics processing requires consent, provided certain conditions are met.

The pattern is clear: if your analytics tool genuinely doesn't process personal data and doesn't use cookies, you're on solid legal ground operating without consent.

Common mistakes to avoid

"We anonymise IP addresses"

Truncating or hashing IP addresses before storage is better than storing them in full, but the processing itself (before anonymisation) still constitutes personal data processing under GDPR. Several DPAs have ruled that this isn't sufficient to avoid consent requirements.

"We delete data after 24 hours"

Temporary processing is still processing. Even if you hash visitor data and delete the hash daily, you've still processed personal data during that window. Duration doesn't change the nature of the processing.

"We use server-side analytics"

Moving tracking from cookies to server-side fingerprinting doesn't change the legal analysis. If you're creating unique identifiers from request data (IP, user agent, headers), you're processing personal data regardless of where the processing happens.

"Our privacy policy covers it"

A privacy policy informs users about your data practices. It doesn't replace the need for a lawful basis for processing. If your analytics require consent, a privacy policy alone isn't sufficient.

A practical checklist

Before claiming your analytics are GDPR compliant without consent, verify:

  • No cookies are set by your analytics tool (check with browser dev tools)
  • No unique identifiers are generated or stored for visitors
  • IP addresses are not logged, stored, or used for identification
  • No fingerprinting techniques are used (IP + UA hashing counts as fingerprinting)
  • Data is not combined with data from other sources
  • No cross-site tracking occurs
  • Data is processed within the EU (recommended but not strictly required for consent exemption)

Cabin passes all of these checks by design, not by configuration.

The business case

Beyond legal compliance, consent-free analytics simply work better:

  • 100% of visitors are measured instead of only those who consent
  • No consent management overhead - no CMP scripts, no banner design, no A/B testing consent flows
  • Better page performance without heavy consent management JavaScript
  • Simpler architecture with fewer third-party dependencies
  • Consistent data across all regions and visitor types

Getting started

If you're ready to simplify your analytics compliance, try Cabin free. Add a single line of code to your site and start collecting accurate, privacy-compliant analytics data immediately - no consent banner required.

For more detail on how Cabin measures unique visitors without cookies, read our technical deep-dive on the Last-Modified method.