Analytics without consent banners. Lawful by architecture, not by paperwork.
The legal route to web measurement without a cookie dialog is not a workaround — it is the carve-out GDPR and ePrivacy contemplated from day one. Six European data-protection authorities have described what the carve-out requires. This is what it looks like in practice, and where the limits are.
Why cookie banners stopped working
Consent banners were never a measurement strategy — they were a compliance instrument bolted onto a measurement strategy that assumed everyone said yes. Three things broke that assumption, and one regulation in 2026 broke it further.
Rejection rates climbed past the break-even line
When the average European visitor said yes 80% of the time, cookie analytics could absorb the 20% loss. Today the consumer brand average sits between 40% and 60% rejection. Decisions made on the remaining 40–60% are decisions made on a self-selected sample — typically older, less mobile, less privacy-aware. The bias is silent and structural.
Dark-pattern enforcement closed the gaming loophole
The CNIL fined Google and Amazon in December 2020 for setting cookies without consent, then Google and Facebook in January 2022 for making refusal harder than acceptance. The Italian Garante followed. The 2026 Digital Omnibus formalised reject-all parity at the EU level: the “reject” button must be as prominent as “accept”, no pre-ticked boxes, no nudging copy. The brief window in which clever banner design lifted consent rates is closed.
Banner fatigue is now a documented user-experience cost
A 2025 University of Amsterdam study measured a 14% drop in first-page engagement when a consent banner was the first interaction. For an eCommerce site running paid acquisition at €5–30 CPC, the abandonment cost on the banner alone now exceeds the value of the analytics data it gates.
The Digital Omnibus 2026 sharpened authority enforcement
The Omnibus harmonised national approaches under one enforcement framework and gave authorities clearer power over Art. 5(3) breaches. Read the practical implications in the marketer's guide. Net effect: the legal cost of running cookie-based analytics rose; consentless analytics carries no consent-related cost at all, because there is no consent to obtain, record or prove.
The architectural route to lawfulness
The exemption is not a clever interpretation; it is the original wording. Three regulatory anchors define the path, and a measurement system either sits inside them by design or it does not.
Anchor 1
GDPR Article 2 — material scope
GDPR applies to “the processing of personal data.” Personal data is any information that relates to an identified or identifiable natural person. If a measurement system processes only aggregate counts — never an identifier, never a fingerprint, never a behavioural profile — the system does not process personal data, and the Regulation does not apply to its measurement output. The EDPB confirmed this reasoning in Opinion 5/2019. One caveat a reviewer should press on: every HTTP request arrives with a client IP address, which the GDPR treats as personal data, so the collection step itself must discard or truncate it before anything is written. The exemption attaches to what is retained, not to what momentarily crosses the wire.
Anchor 2
ePrivacy Article 5(3) — terminal-device storage
ePrivacy requires consent before storing information on, or gaining access to information already stored in, the user's terminal device. The classic example is a cookie, but the rule is not limited to cookies and it covers reading as well as writing: a script that merely checks for an existing cookie or localStorage key is already accessing the terminal device. If the measurement system writes no cookie, reads no localStorage, and uses no device fingerprint, there is nothing on the terminal device to trigger Art. 5(3). No consent dialog is required for that processing path.
Anchor 3
The CNIL analytics exemption criteria
The CNIL published five concrete criteria that an analytics system must meet to qualify for the exemption: a strictly limited purpose, no cross-site tracking, anonymised IP addresses or none stored, no merging with personal data from other sources, and aggregate reporting only. SealMetrics meets each criterion by design — not by configuration. Other authorities have aligned around the same five points. A DPO need not take this on trust: the absence of a cookie, of storage access and of a visitor identifier is observable in the browser's developer tools (Application and Network tabs) on any page running the tag.
The technical implementation — first-party server-side collection without identifiers — is documented at cookieless analytics. The architecture diagram and pipeline detail live at How it works.
Authority guidance, by country
Six European data-protection authorities have published explicit exemption guidance for analytics meeting the architectural criteria. The wording differs; the conclusion converges.
France
CNIL: Issued explicit analytics exemption criteria in 2020, reaffirmed 2024: no per-user identifier, no cross-session tracking, aggregate reporting, EU-only processing. SealMetrics meets every criterion.
Germany
DSK / BfDI: Datenschutzkonferenz guidance: analytics tools that neither set cookies nor fingerprint the device do not require consent under §25 TTDSG (renamed TDDDG in May 2024). Aligned with the CNIL position.
Spain
AEPD: Guía sobre el uso de cookies (2024): explicitly carves out anonymous aggregate measurement from the consent obligation. Aligns with EDPB Opinion 5/2019.
Italy
Garante: Post-Google-Analytics 2022 ruling: tools that anonymise at collection and host in the EU do not trigger the same restrictions. SealMetrics' Dublin processing and zero-identifier design fit the exemption shape.
United Kingdom
ICO (PECR): PECR Regulation 6 applies only when information is stored on, or accessed from, the user's device. Its 6(4) exemption covers cookies that are "strictly necessary" for a service the user has requested, and the ICO has been explicit that analytics cookies do not qualify. The route for a consentless tool is different: because it stores and reads nothing on the device, Regulation 6 is not engaged at all and no 6(4) argument is needed. Post-Brexit the ICO's reasoning remains aligned with the EDPB's.
Netherlands
Autoriteit Persoonsgegevens: AP guidance follows the EDPB position: privacy-friendly analytics — no cookies, no identifiers, EU processing — are exempt from the consent requirement.
Country-specific deep-dives — including the CNIL self-assessment, the UK PECR exemption walkthrough, and the Digital Omnibus marketer guide — live on the blog. Dedicated country pages (/gdpr-analytics/france, /germany, /spain) are part of the Q3 2026 content roadmap.
“Consentless” vs “consent-light” — the distinction that matters for DPOs
A common confusion: lightweight analytics tools that claim “no cookie banner needed” while still setting a first-party cookie or a randomised visitor ID. From a CMP-integration perspective the experience is similar. From a regulatory perspective the two are not in the same category.
Consent-light
- Sets a first-party cookie or visitor ID (often randomised).
- Justifies the identifier under GDPR “legitimate interest”, which does not answer the ePrivacy question: Art. 5(3) requires consent regardless of the GDPR lawful basis, and several authorities have rejected legitimate interest for cross-session tracking in any case.
- Stores the identifier on the terminal device → ePrivacy Art. 5(3) still triggers.
- Argument depends on banner-free interpretation that authorities can challenge case-by-case.
Consentless (SealMetrics)
- Sets no cookie, writes no localStorage, no visitor ID generated.
- GDPR material scope not engaged — no personal data processed.
- ePrivacy Art. 5(3) not triggered — nothing stored on the terminal device.
- Aligns with the CNIL exemption criteria, the AEPD guidance, the DSK position, the AP and ICO statements.
For a DPO reviewing vendor risk, the practical question is: does the tool's defence rely on regulatory interpretation, or on the absence of triggering conditions? Consentless architecture is the second answer.
What ships with the platform
The architectural exemption removes the consent burden. The following documentation supports the rest of a vendor review:
Data Processing Agreement, GDPR Art. 28 compliant, signed by SealMetrics S.L. as processor. Pre-filled, ready to counter-sign.
Transfer, Privacy and Security Review document. Covers data flows, sub-processors (zero outside the EU), retention, encryption at rest and in transit, access controls, breach procedure.
Full list of sub-processors with their roles, jurisdictions and DPAs ships inside the TPSR package. All EU-only by policy.
All processing in Dublin, Ireland, on EU-owned infrastructure. No US sub-processors in the analytics data path. Schrems II transfer assessment unnecessary — no transfer occurs.
Retention is configurable per customer. Default: aggregate counts retained 25 months. No raw individual-level data is stored beyond the millisecond-level aggregation window.
Full security and architecture documentation lives at Security. We are not currently certified to ISO 27001 or SOC 2 — the roadmap and the controls we already operate are documented in full.
Deep-dives by jurisdiction and scenario
The legal pattern is portable. The friction points are local.
GDPR analytics without consent
The full Art. 6 / Art. 5(3) reasoning, with worked examples from CNIL, DSK, AEPD enforcement files.
Read →
France · CNIL: The CNIL self-assessment, published
Walk through the five exemption criteria with SealMetrics' actual answers, side by side.
Read →
UK · PECR: UK PECR analytics exemption
Post-Brexit position. ICO guidance. Reg. 6(4) walkthrough for a UK-only deployment.
Read →
Digital Omnibus 2026: The marketer's guide to the Digital Omnibus
What changed for banners, what changed for analytics, and what to action this quarter.
Read →
Measurement loss: How banners destroy 40–60% of your data
Industry-by-industry rejection rates and the cost of decisions made on the survivor sample.
Read →
Compliance roadmap: Digital Omnibus marketer roadmap
Quarter-by-quarter actions for marketing leaders in EU-regulated markets.
Read →
Common DPO questions
- Is consentless analytics actually legal under GDPR?
- Yes, when the architecture meets the exemption criteria. GDPR applies to processing of personal data. ePrivacy Art. 5(3) governs storage of, and access to, information on the terminal device. If a measurement system stores no cookie, reads nothing from the device, sets no identifier and processes no personal data, neither rule is engaged, so no consent dialog is required. The CNIL has published explicit exemption criteria for analytics; the German DSK, Italian Garante, UK ICO and Dutch AP have all issued aligned guidance. This is not a workaround — it is the original carve-out the regulations contemplated.
- What changed with the EU Digital Omnibus 2026?
- The Omnibus tightened banner-design rules (dark-pattern enforcement), formalised reject-all parity, and gave national authorities sharper teeth on Art. 5(3) violations. The net effect: consent rejection rates rose another 5–10 points in the markets where it has landed, and the cost of running cookie-based analytics legally went up. Consentless architecture is unaffected — there is no banner to design and no consent to record.
- Do I still need a cookie banner for other reasons?
- Possibly — for Google Ads pixels, Meta pixels, A/B testing tools or any third-party script that does set cookies. SealMetrics removes the analytics-specific reason for the banner, not every reason. Many teams reduce the banner's scope (or eliminate it on pages without ad pixels) once analytics moves to a consentless layer.
- How does this differ from "consent-light" or "privacy-friendly" tools?
- Most lightweight analytics tools still set a first-party cookie or a randomised visitor ID — they are consent-light, not consentless. The CNIL exemption is specific: no identifier, no cross-session linkage, no profiling. SealMetrics is built to that bar. The trade-off is honest — no returning-visitor identification — and it is the deliberate design choice that produces the legal exemption.
- What about Schrems II and US transfers?
- Processing is exclusively in Dublin, Ireland, on EU-owned infrastructure. There are no US sub-processors in the data path. A Schrems II transfer impact assessment is not required because no transfer occurs. The DPA, SCCs (where needed for ancillary services), and TPSR package are available for legal review.
- Can the legal basis change if I add CRM or marketing tools later?
- The legal basis for the analytics layer does not change. What changes is the overall surface: if you add a tool that stores cookies or processes personal data, that tool brings its own consent requirement. SealMetrics' status is determined by its own architecture, not by the other tools running alongside it.
One compliance review. Done.
Book a 30-minute walkthrough with the founder. Bring your DPO. We answer the architecture questions and hand over the DPA + TPSR package on the call.
Built by a founder · supported by a founder · EU-hosted by design
