datibase
try free

GDPR Compliance Without a Cookie Banner: A Practical Guide

The banner is not the law — the cookie is. Remove the cookie and the banner usually goes with it.

8 min read

Every European visitor to your SaaS lands on a cookie banner before they see your product. You suspect most of them are clicking "reject all" out of habit, and you're right — recent studies put the rejection rate above 60% on plain SaaS sites. So you're paying a UX tax to collect data from a shrinking minority.

The good news: in most cases, the banner is not legally required. It is a consequence of the analytics tool you happen to use, not a consequence of GDPR itself. This article explains what actually triggers the consent requirement, and how to drop the banner without dropping your analytics.

What GDPR actually requires

GDPR is a regulation about personal data — information that can identify a person, directly or indirectly. The cookie banner you see everywhere is not a GDPR requirement on its own. It is the practical consequence of two overlapping rules:

  • ePrivacy Directive, Article 5(3): storing or accessing information on a user's device requires informed consent — unless it is strictly necessary for a service the user explicitly requested.
  • GDPR, Article 6: processing personal data requires a lawful basis. For analytics, that basis is usually consent or legitimate interest, and consent is the safer default most lawyers recommend.

The cookie banner exists because traditional analytics tools trigger both rules at once: they store an identifier on the device (ePrivacy) and use it to build a personal profile (GDPR). Skip the storage and the personal profile, and the legal trigger usually disappears with them.

The two questions that decide it

For any analytics tool you run, two questions determine whether you need a banner. Both must be answered "no" for the banner to be optional.

Does it write to the visitor's device?

Cookies, localStorage, IndexedDB, and any persistent device storage count. sessionStorage is a grey area but is generally treated as exempt because it is cleared the moment the tab closes.

Does it store personal data on the server?

Raw IP addresses, full User-Agent strings tied to other identifiers, account-level user IDs, and anything that lets you single out an individual visitor over time all count as personal data under GDPR.

Google Analytics, Mixpanel, and most session-replay tools answer "yes" to both. Cookie-free tools like Plausible, Fathom, and Datibase answer "no" to both — that is the entire design goal.

What "strictly necessary" actually covers

A common misconception is that any analytics can be defended as "legitimate interest." That argument is fragile. The European Data Protection Board has been explicit that audience measurement is generally not strictly necessary, and most DPAs treat tracking cookies as opt-in by default.

What is genuinely strictly necessary is a much shorter list:

  • Authentication session cookies — keep the user logged in
  • CSRF tokens — protect against forgery
  • Shopping cart contents on a checkout page
  • Load-balancer routing cookies
  • Cookie consent state itself (the banner has to remember its own answer)

Note what is missing: analytics, A/B testing, marketing pixels, retargeting, heatmaps, and session replay. None of these are strictly necessary, and each one alone is enough to require a banner.

The realistic banner-free stack

Removing the banner is not about finding a clever interpretation of the rules. It is about choosing tools that do not trigger them in the first place. A typical banner-free SaaS setup looks like this:

// keep

  • Cookieless analytics (Datibase, Plausible, Fathom)
  • Session cookies for login (strictly necessary)
  • CSRF token cookies (strictly necessary)
  • Server-side error monitoring without IPs (Sentry with IP scrubbing)
  • Stripe checkout (its own cookies are checkout-essential)

// drop or gate

  • Google Analytics, Mixpanel, Amplitude (require consent)
  • Hotjar, FullStory, LogRocket session replay
  • Facebook / TikTok / LinkedIn marketing pixels
  • Google Ads conversion tracking with cookies
  • Intercom / Drift chat with persistent identifiers

For the tools in the right column, you have two options: gate them behind a consent prompt that only appears when needed, or replace them with cookie-free alternatives that work without consent.

What a cookieless analytics tool stores

The reason cookie-free analytics avoids both the ePrivacy and GDPR triggers is that it is engineered around two principles: nothing persists on the device, and nothing on the server can be tied back to an individual.

  • On the device: Nothing. No cookies, no localStorage, no IndexedDB. A short-lived sessionStorage entry may exist within a single tab to group page views into a session, and is gone when the tab closes.
  • On the server: An anonymous daily hash combining IP, User-Agent, domain, and a salt that rotates every 24 hours. The raw IP is hashed and discarded immediately. The hash itself expires the next day, so the same visitor next week looks like a new visitor.
  • Aggregate data: Page view counts, referrer counts, country (derived from IP before discard), browser, OS, device type. Stored in aggregate and not joined to any persistent identifier.

A practical migration checklist

If you want to drop the banner this quarter, here is the order most teams follow:

  1. 1Audit every third-party script on the site. Browser DevTools → Application → Cookies and Storage shows the truth, not your tag manager.
  2. 2For each script, decide: is it strictly necessary, replaceable with a cookie-free alternative, or worth the consent friction?
  3. 3Replace analytics first — it is the single biggest banner trigger and the easiest to swap.
  4. 4Remove or replace marketing pixels next. If retargeting matters, gate them behind a consent prompt that only shows for ad-driven traffic.
  5. 5Verify in DevTools that the only cookies left are strictly necessary.
  6. 6Remove the banner. Update your privacy policy to describe the new minimal setup.

What you give up — and what you don't

Going banner-free does cost you something. Long-term cross-device tracking, multi-touch attribution across weeks, and individual user journeys all rely on persistent identifiers, and those are the things you have to let go of.

What you keep is the data that actually drives most product decisions: traffic trends, top pages, referrer sources, country breakdowns, device mix, and — if you connect a payment processor — revenue attribution by source. For most SaaS founders that is the set of metrics they were checking in Google Analytics anyway, just without the legal overhead.

The bottom line

The cookie banner is a workaround, not a requirement. It exists because legacy analytics tools store identifiers on visitor devices and build profiles on the server. Choose tools that do neither and the banner becomes optional — usually unnecessary.

For an indie SaaS team, dropping the banner is one of the cheapest UX wins available: a faster first impression, a cleaner privacy policy, and a smaller compliance surface, all from a single tooling decision.

ready when you are

Ship a banner-free analytics setup

Datibase tracks visitors and revenue without cookies, persistent identifiers, or consent prompts — by design.

Try Datibase free