Best cookieless analytics

“

TL;DR

• "Cookieless analytics" is two completely different products wearing the same word.
• One is aggregate web analytics (Plausible, Fathom). The other is ad-side measurement that still connects converter to ad.
• "Cookieless" is sold globally but is really a narrow EU legal hack.
• DataCops is the architectural answer for the ad-side measurement job - see conversion API.

"Cookieless analytics" is two completely different products wearing the same word, and the confusion costs people real money.

I have watched a DTC founder rip out Google Analytics, install a cookieless tool because a blog told her it was "GDPR-safe," and then discover three months later that she could no longer tell which ad campaign drove a single sale. The tool did exactly what it promised. It just promised the wrong thing for her problem.

Here is the distinction nobody draws cleanly. There is cookieless web analytics, which counts traffic in aggregate and never identifies anyone (Plausible, Fathom, Umami, that category). And there is cookieless ad-side measurement, which still has to connect a specific converter back to a specific ad. Those are not two flavours of the same thing. They are different jobs.

This is not a "here are 18 privacy tools, pick one" post. It is a post about which job you actually have, and the fact that for one of those jobs, "cookieless" is being sold as a global solution when it is really a narrow EU legal hack. See also best cookieless analytics tools in 2026.

DataCops is named once here as the architectural answer for the second job, ad-side measurement after Chrome's third-party cookie changes, and I will be specific about where it fits and where it does not.

Quick stuff people keep asking

What is cookieless tracking? Measuring website activity without storing identifiers in the visitor's browser. No cookies, often no localStorage, no fingerprinting. The tool counts events instead of following people.

How does cookieless analytics work? It records anonymous, aggregate signals: a pageview happened, from this referrer, on this page, roughly this device type. No persistent ID means no way to know that today's visitor is yesterday's visitor. You get traffic counts, not journeys.

Is cookieless tracking accurate? For aggregate traffic, yes, it is honest and clean. For attribution and retention, no, because without an identifier you structurally cannot stitch sessions or credit a conversion to a source.

What is the best cookieless analytics tool? Wrong question until you answer this one: do you need to count traffic, or do you need to know which ad made money? Different tools. Different list. Cloudflare Web Analytics, Umami and Simple Analytics are excellent at the first. None of them does the second.

Is cookieless tracking GDPR compliant? Genuinely cookieless tools that collect no personal data do not need a consent banner in most EU jurisdictions. That is real. But it is a legal-minimum approach. It buys compliance by collecting less, which is fine for traffic counting and a problem for paid-media measurement.

Can you track conversions without cookies? Conversions, in aggregate, yes. Conversions attributed to a specific ad click and a specific person, that needs first-party server-side identity plus hashed identifiers sent through a conversions API. That is the harder job.

Will Google Analytics work without cookies? GA4 has a cookieless and consent-mode behaviour, but it degrades to modelled, single-session data. You lose the cross-session stitching that is GA4's whole point.

The gap: cookieless solves Layer 1, and only Layer 1

Here is the structural problem, and it runs deeper than most cookieless articles ever go.

Going cookieless is a real fix for one specific thing: Layer 1, the EU legal requirement around storing identifiers without consent. A genuinely cookieless tool collects no personal data, so it does not need a consent banner, and it sidesteps the whole problem cleanly. That is a legitimate win. But it is a legal hack, not a global data solution. It buys compliance by collecting less.

Now watch what it does not fix.

Layer 2. "Reject All" does not mean "no data." Anonymous session analytics are always legal to collect, with or without consent, because there is no personal data involved. A lot of cookie-based analytics tools get this wrong: a visitor rejects consent, and the tool collects nothing, treating rejection as a total blackout. It is not. The anonymous tier should keep flowing. Most tools throw it away.

Layer 3. Your consent banner, the CMP, is itself a third-party script. uBlock Origin and Brave block it for 30 to 40 percent of privacy-conscious visitors. On single-page apps, it races the page transition and loses. When the CMP fails to load, your cookie-based analytics either fires with no consent, which is a violation, or does not fire at all. Going cookieless for your own analytics script does not fix this for every other script on your site, your ads, your retargeting, your chat widget. They all still depend on that fragile CMP.

Layer 4. Of the traffic that does get collected, 24 to 31 percent is bots. A cookieless analytics tool counts those bots as visitors. Headless browsers, scrapers, residential proxies. They inflate your pageviews, your funnel rates, your session durations. Cookieless does nothing about this. Most cookieless tools, by their own admission, have only basic user-agent bot filtering and no scoring.

Layer 5. This is the one that turns a data problem into a money problem. If you run paid ads, your conversion data trains Meta and Google. Feed those platforms bot-contaminated, human-missing data and they optimise toward the wrong people. They go find more bots. ROAS degrades, slowly, while your dashboards look fine.

One concrete moment, because the numbers above are abstract until they are not. PillarlabAI ran a honeypot. 3,000 signups came in. They pulled the device fingerprints apart and 77 percent were fraud. 650 of those accounts traced to one single device fingerprint. One physical machine, presenting as 650 customers. A cookieless analytics tool would have counted those 650 as 650 anonymous sessions and reported healthy traffic. An ad platform fed those as conversions would have spent the next month hunting for more machines just like it.

So here is the root cause, stated plainly. The problem was never cookies. The problem is third-party scripts collecting mixed data, bot and human, consented and anonymous, with no isolation, before it leaves your infrastructure. Cookieless fixes the cookie. It leaves the architecture untouched.

The architectural fix is first-party, filtered, and split into two data tiers at the source. Anonymous session analytics flow unconditionally, because they are always legal. Identifiable conversion data is handled with consent, separately. Bot traffic gets filtered at ingestion before either tier is built. That is DataCops: a first-party layer on your own subdomain, bot filtering against a 361.8-billion-plus IP database, and clean conversion signal forwarded to Meta, Google, TikTok and LinkedIn via CAPI. Cookieless analytics tools answer the question "how much traffic." DataCops answers "which of that traffic was real, and which ad earned the revenue."

Tool rankings

Tiered honestly. Some of these tools are genuinely excellent at the cookieless aggregate job and get a clean assessment with no DataCops pivot, because forcing one would be dishonest. DataCops sits at the top of the attribution tier, and its real limitations are stated plainly.

Tier 1: Cookieless attribution: keeping paid-media ROAS visible

1. DataCops.

What it is: a first-party tracking and conversion architecture on your own subdomain, built for the second job, ad-side measurement without third-party cookies.

What it does well: it keeps two data tiers separate at the source. Anonymous session analytics flow unconditionally, so a "Reject All" visitor still appears in your aggregate traffic, which is legal and which most tools throw away. Identifiable conversion data is handled with consent and forwarded to Meta, Google, TikTok and LinkedIn via CAPI with hashed identifiers. Bot traffic is filtered at ingestion against a 361.8-billion-plus IP database, classified as residential, datacenter, VPN, proxy or Tor, before either tier is built. So your paid-media measurement survives Chrome's third-party cookie changes, and it survives the bot contamination the aggregate tools ignore.

Where it breaks: DataCops is not a heatmap or session-replay tool. If you want to watch users click and scroll, this is not that. It is the newer brand on this list, without a decade-old logo wall. SOC 2 Type II is in progress, not finished, so a regulated buyer with a hard procurement gate may need to wait. Shared CAPI across all platforms is in verification rather than fully live, so confirm your specific platform. And it surfaces fraud context, it does not promise to "block" every bot or claim 100 percent detection.

Value for money: 9/10. Free tier covers 2,000 signup verifications a month, enough to see the contamination in your own data before paying. The honest read: if you run paid ads, this is the only tool here that addresses Layers 2 through 5, not just Layer 1.

Tier 2: Cookieless aggregate analytics, done right

These tools genuinely solve the cookieless job. If all you need is honest, EU-legal traffic counting and you do not run paid ads, several of them are excellent and need no further layer. Assessed straight.

2. Cloudflare Web Analytics.

What it is: genuinely free, genuinely cookieless traffic analytics running from Cloudflare's edge.

What it does well: no cookies, no localStorage, no fingerprinting by design, so it is the EU legal-minimum approach for sites on Cloudflare. Because it collects no personal data, the "Reject All" problem is structurally bypassed. And its script runs from Cloudflare's own CDN, the same network already serving your site, so it is far more resilient to ad-blocker blocking than a third-party analytics script.

Where it breaks: the free product has no bot-score integration, so bot traffic flows into the pageview counts unless you also buy Cloudflare's separate Bot Management product, which starts around $200/mo. The dashboard is intentionally minimal: pageviews and referrers, no funnels, no events. Any team needing product analytics has to layer a second tool on top.

Value for money: 9/10 for free EU-safe traffic measurement on Cloudflare infrastructure; 2/10 as a standalone strategy for a brand running paid ads or needing session-level insight.

Pricing 2026: free on all Cloudflare plans; Bot Management from roughly $200/mo.

3. Umami.

What it is: open-source, self-hostable, cookieless web analytics under an MIT licence.

What it does well: cookieless by default with in-memory session data, so no consent banner is required for its own script, and "Reject All" does not apply to it. Clean UI, free forever self-hosted, generous cloud free tier.

Where it breaks: bot filtering is basic user-agent matching with no scoring, so a self-hosted database quietly accumulates bot-contaminated sessions indefinitely. Self-hosting needs a Node.js app plus a database, and teams without DevOps regularly break upgrades. Its script is in EasyPrivacy and uBlock lists, so developer-heavy audiences see 30-plus percent block rates with no way for Umami to flag the gap.

Value for money: 7/10. Best zero-cost EU-compliant analytics for technical teams; deducted for self-hosting overhead and silent data-quality gaps.

Pricing 2026: Cloud Hobby free (100k events/mo, 3 sites); Cloud Pro $20/mo; self-hosted free.

4. Simple Analytics.

What it is: cookieless, consent-free web analytics from a privacy-first Dutch indie team.

What it does well: cookieless by architecture, exempt from consent requirements, the simplest possible dashboard with zero personal data collection.

Where it breaks: no attribution. With no cross-session identity, it cannot tell you which channel drove a conversion, which makes it useless for paid-ads or SEO ROI work. Its script is still in common ad-blocker filter lists, so 20 to 30 percent of tech-heavy audiences block it and the tool cannot detect or correct for that. No funnels, cohorts or event tracking, so most growth teams outgrow it within a few months.

Value for money: 6/10. Best EU-legal simplicity for content sites; useless for paid-ads teams or anyone needing attribution.

Pricing 2026: Simple $15/mo; Team $40/mo (20 sites).

5. Rybbit.

What it is: a genuinely cookieless, AGPL-3 open-source analytics platform with visitors, events, funnels and session replays, no persistent identifiers.

What it does well: architecturally cookieless, so EU legal minimums are met by default, and it can legally keep recording after "Reject All" because it only collects anonymous data, the correct behaviour. Cloud pricing is well below Plausible or Fathom.

Where it breaks: no bot filtering at all, so the 24 to 31 percent bot share lands in every session count and funnel metric uncorrected. Fully cookieless also means zero cross-session identity, so a returning visitor counts as new and retention or LTV analysis is structurally impossible. Self-hosting needs a PostgreSQL plus ClickHouse stack.

Value for money: 7/10. Excellent privacy-first analytics at the lowest price in the market, but zero bot filtering makes the numbers untrustworthy without an external scrubbing layer.

Pricing 2026: free tier 3,000 pageviews/mo; Standard $13/mo; Pro $26/mo; self-hosted free.

Tier 3: Behavioural and product analytics, cookie-dependent

These tools are not cookieless. They are person-level or session-level analytics that depend on identifiers, and that is where they break for EU and bot-affected traffic.

6. Microsoft Clarity.

What it is: 100 percent free heatmaps and session recording, with native GA4 integration and an AI Copilot that summarises sessions.

What it does well: unbeatable price, solid feature set, and a genuinely useful tool for US-primary sites.

Where it breaks: from October 31, 2025, Microsoft enforces consent signal requirements for EEA, UK and Switzerland visitors. On "Reject All," Clarity stops all recording, with no anonymous fallback, so for EU traffic the heatmaps are legally-required-but-data-absent for the entire reject-all population. Bot filtering uses Microsoft's signature intelligence, which is credibly large, but sophisticated residential-proxy and headless bots still record as real sessions.

Value for money: 9/10 for US-primary sites; 6/10 for EU-primary sites where consent enforcement creates a structural data gap.

Pricing 2026: 100 percent free, no tiers, no limits.

7. Hotjar.

What it is: the most accessible entry point for qualitative UX analytics, heatmaps and session recordings for CRO teams.

What it does well: genuinely useful for teams without data engineering, and the free tier is functional for small sites.

Where it breaks: Hotjar relies on its own cookie and stops all collection on "Reject All," which is GDPR-correct but means every EU rejecter produces zero data. Its script is also blocked by Brave and uBlock. The combined result: the EU heatmap population is opt-in survivors who were not on an ad-blocking browser, roughly 30 to 40 percent of actual visitors, and CRO teams are optimising for that biased minority. The Contentsquare acquisition migrated billing from site-level to account-level and deprecated some legacy plans without grandfathering.

Value for money: 6/10. Genuinely useful for CRO, but EU representativeness is structurally compromised.

Pricing 2026: Observe free (35 daily sessions), Plus around $39/mo, Business around $99/mo, Scale around $213/mo.

8. Amplitude.

What it is: the category leader for product analytics, best-in-class funnels, retention cohorts and pathfinding on user-level event streams.

What it does well: the 2026 experimentation and AI causal-insight work makes it the strongest tool for understanding why users churn.

Where it breaks: Amplitude depends on client-side device and user ID stitching; its cookieless mode degrades to single-session only, losing the cross-session retention analysis that is its core differentiator. Its SDK stops firing on "Reject All" with no anonymous fallback, so EU rejecters vanish from funnels. It has zero bot detection, so every bot event becomes a "user action" in retention curves and experiment variants. And audiences synced to ad platforms via Cohort Sync carry bot-contaminated membership, training ad algorithms on bad data.

Value for money: 6/10. Best-in-class product analytics UX, but the mid-market pricing inflection is steep and there is no data-quality gate.

Pricing 2026: Starter free; Plus $49/mo; Growth custom, typically $30k-70k/year; Enterprise $70k-250k-plus/year.

9. Amplitude Product.

What it is: the same Amplitude platform, viewed through its product analytics surface, funnels, retention, paths and session replay.

What it does well: the depth of behavioural cohort analysis and AI insight summaries is genuinely class-leading for product managers building growth loops.

Where it breaks: same engine, same gaps. Cross-session stitching collapses without persistent identifiers, so cookieless EU cohorts get systematically understated, a user who visited three times shows as three new users. The SDK stops on "Reject All." And there is no bot detection in the product analytics surface, so session replays capture bot sessions alongside real ones and product managers make roadmap calls on behaviour that includes non-human actors.

Value for money: 6/10. Excellent product analytics surface, but insights rest on uncleaned event streams.

Pricing 2026: same tiered plan as Amplitude core; session replay included in Plus with capped retention.

10. Heap.

What it is: auto-capture product analytics. It records every click, input and pageview with no pre-instrumentation.

What it does well: retroactive analysis of historical sessions against newly defined events is a genuine superpower competitors cannot match.

Where it breaks: Heap's session stitching relies on its own persistent identifier cookie, so without it every session is anonymous and disconnected and funnels become meaningless. It stops collecting on "Reject All" with no anonymous fallback. And its script is blocked by uBlock and Brave at the network level, so 25 to 35 percent of real human sessions are simply absent, which makes "auto-capture" a promise of completeness it cannot deliver.

Value for money: 6/10. Retroactive event analysis is a real differentiator, but the script-blocking gap and post-acquisition quality complaints make it hard to recommend without a structured trial.

Pricing 2026: free up to 10,000 sessions/mo; Growth/Pro/Premier custom via sales, from roughly $3,600/year.

11. FullStory.

What it is: a digital-experience platform that captures every DOM event, scroll and interaction at pixel level, with a 2026 StoryAI layer that surfaces friction signals automatically.

What it does well: retroactive query of behaviour with no pre-defined event schema, genuinely powerful.

Where it breaks: session replay depends on persistent identifiers, so cookieless mode breaks cross-page continuity. FullStory halts recording on "Reject All," so EU rejecters generate no replay and no funnel events, exactly the privacy-sensitive segment most likely to abandon checkout. Bot filtering is basic UA exclusion, so bots that mimic human signatures generate full replays and StoryAI can fire friction signals on bot rage-clicks. Session-volume pricing escalates fast.

Value for money: 6/10. The retroactive query capability is powerful, but pricing escalates and the EU consent blind spot makes it incomplete for European traffic.

Pricing 2026: free tier 30k sessions/mo; Business from roughly $499/mo; mid-market $30k-70k/year.

12. Contentsquare.

What it is: the dominant enterprise UX analytics platform, heatmaps, zone-based click analysis, scroll maps, session replay and frustration-signal detection.

What it does well: a level of UI fidelity GA4 and Amplitude cannot match, with a 2026 expansion into AI and LLM conversation analytics.

Where it breaks: Contentsquare stops recording on "Reject All" via standard CMP integration, with no anonymous post-rejection layer, so heatmaps and funnels for EU properties systematically exclude 20 to 40 percent of real journeys. Bot filtering is UA-list-based, so headless browsers with real UA strings generate replays indistinguishable from humans. Enterprise pricing is opaque and steep, with mid-market contracts running $50k-150k/year.

Value for money: 5/10. Best-in-class heatmaps, but the premium price buys insight into the consenting minority, not your full audience.

Pricing 2026: quote-only; mid-market typically $50k-150k/year.

13. Adobe Analytics.

What it is: the deepest enterprise clickstream platform, custom eVars, sophisticated attribution modelling and native Experience Cloud integration.

What it does well: nothing else matches its attribution-model depth or real-time streaming at enterprise scale.

Where it breaks: Adobe defaults to first-party cookie-based identification, and its standard implementation stops collecting on "Reject All" via the Adobe Privacy library, so every EU rejecter vanishes from the dataset entirely with no anonymous fallback. Bot filtering is a static IAB list updated periodically, so novel headless bots contaminate the data in the gap windows. Total cost is opaque: a $50k-200k/year license typically carries $100k-500k in implementation services on top.

Value for money: 5/10. Powerful for teams living in Adobe Experience Cloud, but the EU data gaps and opaque high cost make it poor value relative to what a clean-data strategy needs.

Pricing 2026: quote-only; Select roughly $50k-100k/year, Prime $100k-200k, Ultimate $200k-plus.

14. Mouseflow.

What it is: session recordings, heatmaps, funnels, form analytics and friction detection with a useful free tier.

What it does well: the cleanest UX in the behavioural analytics category, with a friction-score that surfaces rage-clicks and JavaScript errors automatically.

Where it breaks: Mouseflow uses session cookies and device fingerprinting and must stop recording after "Reject All," so all EU rejecters lose their session from the dataset entirely. If the CMP fails to load, blocked by uBlock in 30 to 40 percent of browsers, Mouseflow either records without consent, a violation, or misses the session. No bot filtering, so heatmaps and funnels are contaminated by scripted clicks and instant scroll-to-bottom behaviour.

Value for money: 6/10. Strong toolset at accessible pricing, but the EU consent-blocking problem and absent bot filtering make it unreliable for EU or bot-heavy traffic.

Pricing 2026: free 500 recordings/mo; paid from around $27/mo; higher tiers to $399/mo.

15. Woopra.

What it is: real-time customer-journey analytics with cross-channel stitching across web, mobile, email and CRM.

What it does well: the journey concept is compelling, and the Appier acquisition brought ML-based behavioural segmentation.

Where it breaks: Woopra's whole value, cross-session journey stitching, is built on persistent cookies. There is no cookieless mode, so a GDPR-compliant EU deployment that honours "Reject All" breaks the core feature and turns the $99.95/mo Pro plan into a pageview counter. Consent-state integration is undocumented and must be custom-built, which is a live compliance risk. No bot filtration, and the action-volume billing means bots inflate both the bill and the journey analytics.

Value for money: 4/10. The concept is compelling but cookie-dependency makes it structurally incompatible with its own best use case in the EU.

Pricing 2026: Startup free (limited); Pro $99.95/mo; Enterprise custom.

16. Kissmetrics.

What it is: person-level event tracking with persistent cross-session identity and nine report types built for SaaS and e-commerce, plus built-in behavioural email automation.

What it does well: it pre-dated most CDPs in person-level identity, and the email automation lets marketers act without a separate ESP.

Where it breaks: the entire value proposition is person-level identity, which depends on its own persistent cookie, so cookieless mode reduces it to anonymous page-view counting. It stops tracking on "Reject All" with no anonymous fallback. Its client-side script is blocked by uBlock and Brave, exactly the technically literate SaaS audience it most wants to see. And with no bot validation, any cookie-holder or user-ID-bearing bot is tracked as a person, inflating funnel and cohort revenue figures. Pricing is opaque, with a published $99/mo that conflicts with independently reported $299-850/mo plans.

Value for money: 4/10. The person-level concept is sound but the platform is underfunded and bot-blind relative to competitors at similar prices.

Pricing 2026: $1 trial, then plans from roughly $299/mo; standard $299-850/mo.

Tier 4: Product and experimentation tools, not analytics-first

17. Userpilot.

What it is: product analytics, funnels and retention cohorts combined with in-app onboarding flows and NPS.

What it does well: genuinely strong for SaaS onboarding optimisation, letting product teams act on behavioural data without switching tools.

Where it breaks: Userpilot is built on persistent user IDs and session cookies with no cookieless mode. It requires a user-identified session to function, so a visitor who rejects all cookies cannot be tracked and anonymous analytics are not a supported use case. Its script can be blocked with no fallback. And it ingests all identified sessions with no invalid-traffic filter, so automated testing tools and scrapers inflate funnel-entry counts and make activation-rate metrics unreliable.

Value for money: 5/10. Excellent onboarding-plus-analytics UX, but the MAU cliff, EU data blind spot and bot-contaminated funnels erode the core product's reliability.

Pricing 2026: Starter $299/mo (2,000 MAU); Growth $799/mo; Enterprise custom.

18. Statsig.

What it is: feature flags, A/B experimentation and product analytics in one platform, with built-in statistical rigour like CUPED variance reduction and sequential testing.

What it does well: best-value experimentation for product engineering teams at scale, no dedicated data science team required.

Where it breaks: Statsig has no native consent management. Its SDK fires on page load and collects exposure and event data by default regardless of consent state, so EU-serving teams must build their own consent-conditional initialisation, a non-trivial task that is easy to get wrong and creates audit exposure. Bot filtering matches user-agent strings against a list of self-identifying bots, so sophisticated crawlers pass through, and users have reported up to 12 percent of DAU in some experiments being non-human, which quietly skews "statistically significant" results.

Value for money: 7/10. Best-value experimentation platform for product engineering teams; the GDPR compliance gap is a real liability most competitors do not impose.

Pricing 2026: free up to 1M MTUs; Pro $150/mo base; Enterprise custom.

Decision guide

• Content site, no paid ads, just want honest EU-legal traffic counts? Cloudflare Web Analytics if you are on Cloudflare, otherwise Umami or Simple Analytics. Clean, cookieless, done.
• Technical team that wants to self-host and own its data? Umami or Rybbit.
• Running paid ads and need ROAS to stay visible after Chrome's cookie changes? Cookieless aggregate tools cannot do this. You need first-party server-side identity feeding CAPI. That is DataCops.
• Want to watch users click and scroll for CRO? Microsoft Clarity for US-primary sites, Hotjar or Mouseflow otherwise, knowing EU heatmaps are a biased sample.
• Deep product analytics, funnels and retention for a SaaS? Amplitude or Heap, with a clear-eyed view that bot events are uncleaned.
• Running experiments? Statsig, but build the consent gate yourself.
• EU traffic is a real share of your funnel? Almost everything in Tiers 3 and 4 discards the "Reject All" session entirely. The anonymous tier is always legal. Use a tool that keeps it.

You picked a tool for a problem you do not have

Here is the mistake, and it is everywhere. People hear "cookieless," map it to "privacy-safe," map that to "this is the modern correct choice," and install an aggregate traffic counter to solve an ad-attribution problem. The tool works perfectly. It just answers a question they were not asking.

Cookieless analytics is an EU legal hack for Layer 1. A good one. It is not a global solution, and it does nothing for Layers 2 through 5. It does not recover the anonymous data you are legally allowed to keep after a rejection. It does not survive a blocked CMP. It does not filter the quarter of your traffic that is bots. And it does not keep your paid-media measurement honest, which means it cannot stop a contaminated signal from training Meta and Google to find you more of the wrong people.

Cookies were never the disease. They were one symptom. The disease is third-party scripts collecting mixed, unfiltered, unisolated data before it ever leaves your infrastructure.

So before you install anything: pull last month's analytics and ask two questions. How much of that traffic can you prove was a human? And if a campaign drove a sale, can you still see which one? If both answers are no, then "best cookieless analytics" was never the search you should have run.