The hidden cost of consent banners
Consent banners are not just a UX problem. They are a data problem. In EU markets with active consent management platforms, 30 to 50% of visitors decline or ignore the banner. That traffic disappears from your analytics entirely. The data you make decisions from is not a representative sample of your actual audience.
High-value pages often have the worst consent rates. Visitors on mobile, first-time visitors, and visitors from certain regions tend to decline more frequently. The segment of your audience you understand least is often the one you most need to reach.
Some teams accept this as the cost of compliance. It is not. Whether you need a consent banner depends entirely on what your analytics tool does technically, not on the fact that you are running analytics.
What actually triggers the consent requirement
The legal requirement for consent banners in Europe comes from two separate texts that are often confused:
- The ePrivacy Directive (2002/58/EC), Article 5(3): Requires consent before storing any information on a user's device or accessing information already stored there. This covers cookies, localStorage, and any form of client-side persistence.
- The GDPR: Requires a legal basis for processing personal data, of which consent is one option but not the only one.
The consent banner for analytics is primarily an ePrivacy requirement, not a GDPR requirement. If your analytics tool places a cookie on the visitor's browser, Article 5(3) applies and consent is required before that cookie is set.
If your analytics tool stores nothing on the visitor's device, Article 5(3) does not apply. The consent banner requirement disappears at its legal root.
How cookieless analytics avoids the requirement
Cookieless analytics tools work differently at a technical level. Instead of placing an identifier on the visitor's device and reading it on each subsequent visit, they process signals available server-side: the IP address, the user agent string, the referrer header, and the page path.
From these signals, the tool derives traffic source, device type, country, and session data without storing anything on the visitor's browser. No cookie is set. No localStorage key is written. Article 5(3) of the ePrivacy Directive simply does not apply.
This is not a regulatory loophole. It is the direct consequence of how the law is written. The consent requirement is tied to terminal equipment storage, not to analytics as a category.
GDPR still applies: here is why it is not a problem
Even without cookies, IP addresses are personal data under GDPR. A cookieless analytics tool still processes personal data when it receives a request from a browser. The question is which legal basis applies.
For analytics tools that:
- anonymize or hash IP addresses immediately on receipt
- do not create individual user profiles
- do not share data with third parties
- store data exclusively within the EU
- use the data only for aggregate audience measurement
Legitimate interest (Article 6(1)(f) of GDPR) is a valid legal basis. The processing is proportionate, the impact on the individual is minimal, and the purpose is a legitimate one. Consent is not required.
This is the legal basis used by Plausible Analytics, Fathom, Simple Analytics, and Sublim, among others. Each has published documentation explaining how their processing qualifies under legitimate interest.
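The server-side processing described above (visits derived from IP address, user agent, referrer and page path, with the IP hashed on receipt and nothing stored in the browser) looks like this in code. This is an added example, not code from this page or from any of the vendors named; the daily in-memory salt, HMAC-SHA256 and all function names are assumptions, and country lookup is left out because it needs a GeoIP database.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import date
from urllib.parse import urlparse

_salts = {}  # at most one entry: {day: random salt}, kept in memory only

def daily_salt(day):
    """Salt for `day`; older salts are destroyed so past IDs cannot be recomputed."""
    if day not in _salts:
        _salts.clear()
        _salts[day] = secrets.token_bytes(32)
    return _salts[day]

def visitor_id(site, ip, user_agent, day):
    """Keyed hash of the request signals; the raw IP is never written anywhere."""
    msg = "\x00".join((site, ip, user_agent)).encode()
    return hmac.new(daily_salt(day), msg, hashlib.sha256).hexdigest()[:16]

def device_type(user_agent):
    """Coarse device class from the User-Agent header (simplified heuristic)."""
    ua = user_agent.lower()
    if "ipad" in ua or "tablet" in ua:
        return "tablet"
    return "mobile" if "mobi" in ua else "desktop"

def aggregate(site, requests, day):
    """Reduce raw requests to aggregate counts; only hashed IDs are held, in memory."""
    visitors, devices, sources, pages = set(), Counter(), Counter(), Counter()
    for r in requests:
        vid = visitor_id(site, r["ip"], r["ua"], day)
        if vid not in visitors:  # count each visitor's device once per day
            visitors.add(vid)
            devices[device_type(r["ua"])] += 1
        sources[urlparse(r["referer"]).hostname or "direct"] += 1
        pages[r["path"]] += 1
    return {"visitors": len(visitors), "devices": dict(devices),
            "sources": dict(sources), "pages": dict(pages)}

# Constructed sample requests (documentation IP ranges, shortened user agents).
SAMPLE = [
    {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (iPhone) Mobile Safari",
     "referer": "https://news.example/a", "path": "/pricing"},
    {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (iPhone) Mobile Safari",
     "referer": "", "path": "/signup"},
    {"ip": "198.51.100.4", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox",
     "referer": "", "path": "/pricing"},
]

if __name__ == "__main__":
    print(aggregate("example.com", SAMPLE, date(2024, 5, 1)))
```

Because the salt is replaced each day and never persisted, the same visitor gets an unrelated identifier the next day, so the stored data supports daily unique counts but not a long-lived profile.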
The CNIL criteria: the most detailed EU guidance available
The CNIL (France's data protection authority) published specific criteria for analytics tools that can operate without consent. While this is French regulatory guidance, it reflects the approach taken by several European DPAs and is the most operationally specific guidance available.
To qualify, an analytics tool must:
A tool that meets all five criteria can operate under legitimate interest in France without a consent banner. The key question to ask any analytics vendor is: do you meet these criteria, and can you document it?
What Google Analytics fails on
GA4 does not qualify under these criteria for several reasons:
- Cookies: GA4 sets first-party cookies that persist across sessions: _ga (a unique browser identifier, kept for 2 years), _gid (a session identifier, kept for 24 hours), and a measurement ID variant per GA4 property (also 2 years). This immediately triggers the Article 5(3) consent requirement.
- Google's own use of data: Google's terms allow Google to use analytics data for its own product improvement. The data is shared with a third party that has independent processing purposes — which disqualifies the tool from the CNIL exemption criteria regardless of where it is hosted.
The CNIL ruling did not say "analytics requires consent." It said "Google Analytics requires consent because of how Google Analytics works." The requirement is tool-specific, not category-wide.
GA4 also introduces separate data accuracy issues that compound the consent problem: exploration reports are sampled above 10 million events, small segments are silently removed by thresholding, and ML modeling fills gaps without any visible indicator.
| | Google Analytics 4 | Sublim Analytics |
|---|---|---|
| Consent banner required | Yes | No |
| Data completeness | ~60% | 100% |
| Data hosted in EU | No | Yes |
| Third-party data sharing | | None |
Practical implications for your analytics setup
Switching to a cookieless, EU-hosted analytics tool has two direct consequences:
You see 100% of your traffic. There is no consent funnel to lose visitors through. The visitor who arrives, reads one page, and leaves is counted. The mobile visitor who abandons a consent modal is counted. Your data matches your actual audience.
Your site has no consent banner for analytics. You may still need a banner for other purposes (advertising cookies, marketing pixels, third-party embeds). But if analytics is the primary reason you show a banner, that reason disappears.
For teams running A/B tests or conversion optimization, this matters significantly. You are comparing variants using complete data, not a self-selected subset of visitors who consented.
For a comparison of tools that qualify, see our web analytics tools comparison.
How to verify if your current tool qualifies
Ask these five questions about any analytics tool you are evaluating:
If any answer is yes, you need a consent banner. If all answers are no, you likely do not. Check your specific jurisdiction and your national DPA's guidance, as national implementations of the ePrivacy Directive vary.
Tools like Sublim, Plausible, Fathom, and Simple Analytics are designed to answer no to all five. Their technical architecture makes consent banners unnecessary by default.
One thing to get right in your privacy policy
Operating without a consent banner does not mean operating without transparency. Even under legitimate interest, GDPR requires informing users about data processing. Your privacy policy should describe:
- What data is collected (page path, referrer, country, device type)
- The legal basis (legitimate interest for audience measurement)
- The retention period
- How users can opt out
Most cookieless analytics providers publish data processing documentation you can reference directly. The compliance surface is real, but it is a privacy policy update, not a consent management platform.

