SealMetrics

GDPR-Compliant Analytics Without Consent Banners: How It Works


The assumption that web analytics always requires a consent banner is widespread — and wrong. Under specific conditions, both GDPR and the ePrivacy Directive allow audience measurement without asking for consent. This is not a loophole. It is a deliberate carve-out that European regulators have clarified repeatedly since 2020.

Understanding how this works requires separating two distinct legal frameworks that are often conflated: GDPR (which governs personal data processing) and the ePrivacy Directive (which governs access to user devices).

The legal basis for consent-free analytics

GDPR analytics compliance is typically discussed in terms of consent (Article 6(1)(a)). But GDPR provides six legal bases for processing data, and consent is only one of them. Article 6(1)(f) — legitimate interest — allows processing when the controller pursues a legitimate interest that is not overridden by the data subject’s rights and freedoms.

For analytics, the legitimate interest argument is straightforward: understanding how visitors use a website is a necessary business function. European Data Protection Authorities have generally accepted this reasoning, provided the analytics tool does not collect personal data or create individual profiles.

However, GDPR alone does not determine whether consent is required. The ePrivacy Directive (often called the “cookie law”) adds a separate layer of regulation specifically about accessing or storing information on user devices.

What the ePrivacy Directive actually says

Article 5(3) of the ePrivacy Directive states that storing or accessing information on a user’s device requires prior consent. This is why cookie banners exist — cookies are information stored on the user’s device, so placing them requires consent regardless of whether the data collected is personal.

The critical distinction is this: Article 5(3) applies to storage on and access to the user’s device. If an analytics tool does not place cookies, does not use localStorage, does not use browser fingerprinting, and does not access any information stored on the device, then Article 5(3) is not triggered. No storage, no access, no consent requirement.

This is the architectural foundation of consent-free analytics. It is not about finding an exemption to the consent requirement. It is about building analytics in a way that the consent requirement never applies in the first place.

CNIL exemption criteria for audience measurement

The French Data Protection Authority (CNIL) has gone further than any other EU regulator in defining exactly what analytics tools can do without consent. In its guidance on audience measurement exemptions, CNIL published specific criteria that an analytics tool must meet to qualify.

The key criteria include:

  • The tool must be used solely for producing anonymous statistical data
  • Data must be limited to what is strictly necessary for audience measurement
  • Data must not be combined with other processing operations or shared with third parties
  • Any visitor identifier must be limited to a single site or application and not used to track browsing across different sites
  • IP addresses must be anonymized or not stored beyond what is necessary for geolocation at the city level
  • Users must be informed about the tracking and offered a mechanism to opt out

CNIL has published a self-assessment process that analytics vendors can use to verify their compliance with these criteria. We covered the details when the process was published. While CNIL’s guidance is specific to France, it has become the de facto benchmark across the EU — other DPAs reference it, and the European Data Protection Board (EDPB) has indicated alignment with its principles.

Technical requirements for consent-free analytics

Meeting the legal criteria requires specific technical choices. An analytics platform that operates without consent must satisfy all of the following:

  • No cookies — no first-party or third-party cookies of any kind
  • No localStorage or sessionStorage — no client-side data persistence
  • No fingerprinting — no combining device characteristics (screen size, fonts, plugins) to create a unique identifier
  • No personal data — no IP addresses stored, no user-level profiles created
  • First-party only — data collected by the website owner, not shared with third-party platforms
  • EU data residency — all processing and storage within the European Union

The combination of these requirements is what makes consent-free analytics technically challenging. Any single failure — a cookie set by a tag manager, a fingerprinting technique for session stitching, an IP address logged for fraud prevention — invalidates the entire approach. Cookieless analytics must be cookieless by architecture, not by configuration.
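Because a single cookie, storage call or fingerprinting routine breaks the whole approach, the checklist above is worth enforcing mechanically. The following is an added example, not SealMetrics code: a small audit that takes a tracker's collector endpoint, the site host, the collector's response headers and the tracker's client-side script, and reports anything that would trigger Article 5(3) or the third-party rule. The regex heuristics and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns in a tracker's client-side JavaScript that indicate storage on, or access
# to, the user's device. Hypothetical heuristics for illustration, not an exhaustive detector.
CLIENT_SIDE_RED_FLAGS = {
    "cookie access": re.compile(r"document\.cookie"),
    "localStorage": re.compile(r"\blocalStorage\b"),
    "sessionStorage": re.compile(r"\bsessionStorage\b"),
    # Combining canvas, plugin or audio characteristics is classic fingerprinting.
    "fingerprinting": re.compile(r"toDataURL\(|navigator\.plugins|AudioContext"),
}


def is_first_party(endpoint_url: str, site_host: str) -> bool:
    """True when the collector host is the site itself or one of its subdomains."""
    host = (urlsplit(endpoint_url).hostname or "").lower()
    return host == site_host or host.endswith("." + site_host)


def audit_tracker(endpoint_url, site_host, response_headers, script_body):
    """Return a list of findings; an empty list means nothing on the checklist was
    detected. response_headers is a list of (name, value) tuples from the collector."""
    findings = []
    if not is_first_party(endpoint_url, site_host):
        findings.append(f"third-party endpoint: {urlsplit(endpoint_url).hostname}")
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            findings.append(f"cookie set by collector: {value.split('=', 1)[0]}")
        elif name.lower() == "etag":
            # A per-visitor ETag persists in the browser cache and can stand in for a cookie.
            findings.append("ETag on collector response (cache-based identifier)")
    for label, pattern in CLIENT_SIDE_RED_FLAGS.items():
        if pattern.search(script_body):
            findings.append(f"client-side {label} in tracker script")
    return findings


# Constructed samples for the check above; neither is a real vendor's script.
COMPLIANT = {
    "endpoint_url": "https://analytics.example.com/hit",
    "site_host": "example.com",
    "response_headers": [("Content-Type", "text/javascript"), ("Cache-Control", "no-store")],
    "script_body": 'navigator.sendBeacon("/hit", JSON.stringify({p: location.pathname, r: document.referrer}));',
}
NON_COMPLIANT = {
    "endpoint_url": "https://cdn.tracker-vendor.example/collect",
    "site_host": "example.com",
    "response_headers": [("Content-Type", "text/javascript"), ("Set-Cookie", "_vid=abc123; Max-Age=63072000")],
    "script_body": 'var id = localStorage.getItem("vid") || document.cookie; var c = document.createElement("canvas").toDataURL();',
}
```

Running `audit_tracker(**COMPLIANT)` returns an empty list, while the non-compliant sample is flagged for its third-party host, the cookie it sets, and its localStorage, cookie and canvas usage.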

What about the EU Digital Omnibus?

The proposed EU Digital Omnibus Directive would strengthen the legal foundation for consent-free analytics significantly. The draft regulation explicitly authorizes first-party analytics without consent under GDPR, provided the analytics are limited to audience measurement and do not involve cross-site tracking.

If adopted as proposed, the Omnibus would create a harmonized EU-wide framework replacing the current patchwork of national DPA interpretations. Analytics tools that meet the technical criteria outlined above would have explicit legal authorization rather than relying on the legitimate interest argument and CNIL-style exemption guidance.

Our detailed guide covers what the Omnibus means for marketing teams. The key takeaway: the regulatory direction in Europe is toward explicitly permitting privacy-respecting analytics, not restricting it further.

How SealMetrics achieves consent-free compliance

SealMetrics was built from the ground up to operate without consent. This is not a feature added to an existing cookie-based platform — it is the architectural foundation.

The approach uses server-side tracking through a first-party subdomain (e.g., analytics.yourdomain.com). When a visitor loads a page, the request is processed server-side without setting any cookies, accessing localStorage, or fingerprinting the browser. Session recognition uses ephemeral server-side signals that do not persist on the user’s device.

All data is processed and stored in EU-based infrastructure. No personal data is collected. No individual profiles are created. The output is aggregate audience measurement — page views, sessions, traffic sources, conversion events — with 100% of traffic captured because no consent barrier exists.

This architecture satisfies the CNIL exemption criteria, the ePrivacy Article 5(3) requirements, and the GDPR legitimate interest basis simultaneously. SealMetrics has completed the CNIL self-assessment process and maintains compliance documentation for all EU member states.

The result: enterprise analytics with 100% data capture, zero consent management complexity, and full regulatory compliance. You can review the full security and compliance architecture or learn how the technology works.