How to Add Analytics to Your Site Without a Cookie Banner

Most analytics tools trigger GDPR's consent requirement — but they don't have to. Here's what causes the banner, and how to track your site without one.

Why most analytics tools need a cookie banner

The GDPR cookie banner requirement isn't about analytics in general. It's about persistent identifiers and personal data. When a tool sets a cookie that follows a user across sessions — or uses fingerprinting techniques that can re-identify someone — that's personal data processing, and it requires explicit consent under GDPR and the UK PECR.

Google Analytics sets a cookie (_ga) that persists for two years and identifies the same browser across visits. That's why it needs a banner. Hotjar, Mixpanel, and most tracking tools do the same in different ways.

The banner isn't a legal formality. It's a direct consequence of the data the tool collects.

What "personal data" means for analytics

GDPR defines personal data as any information that can identify a natural person — directly or indirectly. An IP address alone can qualify. A user ID definitely does. A persistent cookie that tracks the same browser over time does too.

But here's the key distinction the regulation makes: aggregate, anonymised data is not personal data. Knowing that 347 people visited your pricing page on Tuesday is not personal data. Knowing that this specific browser visited your pricing page on Tuesday, and on 12 other occasions over the past month, is.

The difference is persistence and linkability. If you can connect a data point to a specific individual, even probabilistically, you're in personal data territory.

How privacy-first analytics works

Privacy-first analytics tools are built around a simple principle: collect what you need to understand traffic patterns, discard everything that could identify a person.

In practice, that means:

• No cookies — no persistent identifier stored on the user's device
• No IP storage — the IP is used only to derive country, then discarded immediately
• No cross-session tracking — each visit is independent; there's no "returning visitor" that links to a real person
• No fingerprinting — no browser fingerprint hash stored or processed beyond the current request

What you keep: the page visited, the referrer, the country, the device type, the time spent. Aggregate counts that answer real questions — how many people visited, where they came from, what they looked at — without any of the data that creates a consent obligation.

How to install Logly (two minutes)

Logly is built on this model. No cookies, no IP storage, no cross-session identifiers. One script tag, no configuration required.

Add this before the closing </body> tag on every page:

<script src="https://logly.uk/p.js?s=YOUR-SITE-ID"
        data-site="YOUR-SITE-ID" async></script>

Replace YOUR-SITE-ID with the ID shown in Settings after adding your site. That's the entire installation. No consent banner, no privacy policy update required for the analytics itself, no cookie declaration.

The script is under 1 KB. It loads asynchronously and has zero impact on your Core Web Vitals or Lighthouse score.

What you can still track

Without cookies or personal identifiers, you can still answer every question that matters for running a content site or product:

• How many people visited today, this week, this month
• Which pages get the most traffic
• Where visitors come from (referrers, search, direct)
• Which countries your audience is in
• What devices and browsers they use
• How long they actually spend on a page (active time, not tab-open time)
• Custom events: button clicks, form submissions, conversions

What you lose: the ability to track the same individual across multiple sessions. If "returning vs new visitor" is a core metric for your use case, you'll need to make a choice about consent. For most content sites and SaaS products, session-level data is more than enough.

Does this work in the UK post-Brexit?

Yes. The UK retained GDPR through the UK GDPR and the Data Protection Act 2018. The rules for consent and personal data are essentially identical to EU GDPR. Privacy-first analytics that don't require consent under EU GDPR don't require it under UK GDPR either.

The UK ICO's guidance on cookies and similar technologies aligns with this — the consent requirement is triggered by persistent tracking, not by analytics as a category.