Best cookieless analytics
15 min read
Run cookieless tracking globally on US, UK, and APAC traffic where consent was never legally required, and every returning customer from those markets gets counted as a stranger.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated
May 28, 2026
You went cookieless to solve a compliance problem. You accidentally broke attribution for every market where compliance was never required.
That is the part nobody writing "best cookieless analytics" will tell you. Cookieless is an EU rule. The GDPR requires consent before you track. Run cookieless tracking globally on US, UK, and APAC traffic where consent was never legally required, and every returning customer from those markets gets counted as a stranger. No funnel continuity. No retention signal. No attribution across visits. You solved Brussels. You broke California.
Plausible is on that list. Fathom is on that list. Cloudflare Web Analytics is on that list. They are genuinely good tools for specific problems. The problem is most guides sell them as universal answers when they are geography-specific answers that create a new problem if you deploy them without thinking about where your traffic comes from.
The second thing most guides miss: cookieless for web analytics (counting traffic) and cookieless for ad attribution (recovering paid media ROAS) are completely different jobs requiring completely different tools. Switching Plausible on solves the cookie consent problem for your analytics dashboard. It does nothing for the 55.6% of sessions GA4 was already missing when consent banners appeared, nothing for the conversion signals your Meta and Google campaigns need to optimize, and nothing for the bot traffic inflating every number before it reaches any dashboard.
I tested 25 tools across SaaS, ecommerce, and EU-strict stacks. Below is the honest version: which tool solves which problem, when cookieless creates more problems than it fixes, and where DataCops sits in this stack.
The question to answer before picking any tool
Do you run paid ads?
If no: you need cookieless aggregate analytics. Plausible, Fathom, Matomo, Umami. Pick one. Done.
If yes: you need cookieless aggregate analytics AND cookieless ad-side attribution. They are different layers. A cookieless aggregate tool tells you how much traffic came. A cookieless attribution tool tells you which paid ad drove a conversion that Meta or Google can optimize on. You cannot replace the second with the first.
The specific failure mode: a paid media team switches to Plausible, feels good about GDPR compliance, and watches ROAS slowly degrade because the conversion signal reaching Meta is now 40-60% incomplete. Meta's algorithm is optimizing on a partial and increasingly biased sample. The dashboard looks clean. The algorithm is learning wrong.
Quick answers
What is cookieless tracking?
Analytics that operates without third-party tracking cookies. For aggregate web analytics: scripts use server-side salted hashes combining IP, user agent, and a daily rotating salt to identify unique visitors without storing PII. For ad-side attribution: server-side scripts capture conversion events, hash customer email and phone with SHA-256, and forward that signal to Meta CAPI or Google Enhanced Conversions. The ad platform matches the hash to its own user graph. No cookie required. No browser permission required.
How does cookieless analytics work without identifying users?
Aggregate tools never identify individual users. They count sessions using hashes that reset daily or per-session, making cross-site fingerprinting impossible. Plausible, Fathom, Simple Analytics, and Umami all work this way. For paid media attribution, DataCops uses first-party server-side identity: when a user submits a form or completes a purchase, your server captures their email and phone, hashes them, and forwards that hashed signal via CAPI. The hash identifies the conversion without storing any PII on your side.
Is cookieless tracking accurate?
More accurate than cookie-based tracking for most use cases in 2026. GA4 misses 55.6% of traffic on sites with consent banners per independent testing (Plausible Analytics, 2024). Ad blockers suppress GA4 for 58% of tech-heavy audiences. Cookieless aggregate tools recover the blocked traffic. Cookieless CAPI attribution recovers 20-40% of conversion signals lost to iOS ATT, ad blockers, and browser restrictions. Where it falls short: offline conversions, multi-device journeys without explicit identity signals, and any market where your cookieless implementation is geography-blind.
What is the best cookieless analytics tool?
Wrong question. The right question is: what problem are you solving? For GDPR-compliant traffic measurement without consent overhead: Matomo self-hosted (free, CNIL-approved) or Plausible ($9/month). For cookieless paid-media attribution on Meta, Google, TikTok, and LinkedIn: DataCops Business at $49/month, which bundles first-party CNAME analytics, four-platform CAPI, bot filtering, and a TCF 2.2 CMP. No single tool does both jobs.
Is cookieless tracking GDPR compliant?
Usually yes for aggregate tools, with conditions. Plausible, Fathom, Simple Analytics, Umami, and Rybbit collect no PII and set no cookies, making consent banners unnecessary for the analytics layer in most EU jurisdictions. Matomo's CNIL-certified cookieless mode received official consent exemption in 2025 and shipped 1-click CNIL configuration in April 2026. However: if you run Meta Pixel, Google Ads tags, or any third-party marketing script alongside these tools, you still need a CMP for those. The analytics tool being cookieless does not make your entire stack consent-exempt.
Can you track conversions without cookies?
Yes. Server-side CAPI is the standard. Your server captures the conversion event, hashes the customer's email and phone using SHA-256, and posts that hashed signal directly to Meta or Google's API endpoint. The ad platform matches the hash to its user graph. Cookie irrelevant. Browser irrelevant. This is how DataCops handles cookieless conversion tracking, filtering bot events through a 361B+ IP database before forwarding. The conversion reaches Meta. The bot does not.
What about the Piwik PRO shutdown?
Piwik PRO ended its free Core plan on March 31, 2026, forcing 28,000+ organizations onto paid tiers starting at €35/month or off the platform entirely. If you are migrating from Piwik PRO Core: Matomo self-hosted is the closest free equivalent with the same data-sovereignty model. Umami is simpler and also free. If your use case includes paid media attribution, add DataCops Business at $49/month alongside your new aggregate analytics tool.
The geography problem nobody warns you about
Cookieless analytics tools are built for one problem: GDPR consent in the EU. They solve it well. The problem is most teams deploy them globally without thinking about what cookieless tracking does to traffic from markets where consent was never legally required.
In the EU, running cookieless is the maximum you are legally allowed to do without consent. Correct.
In the US, UK, Australia, and most of APAC, consent for analytics was never required. Running cookieless there means every returning visitor is counted as new. Your 30-day retention cohort disappears. Your funnel visibility across sessions disappears. Your repeat buyer attribution disappears. Not because of a legal requirement. Because the tool designed for EU compliance is now running on traffic where that limitation was never necessary.
The DataCops fix is geography-aware consent. Anonymous analytics flow unconditionally for US/UK/APAC traffic. Identifiable conversion data waits for valid EU consent. The same pipeline handles both correctly without requiring you to configure separate tracking stacks per region.
For a broader look at how this layer failure compounds with the others, the best cookieless analytics tools deep-dive covers the full consent layer architecture.
Cookieless aggregate analytics tools
DataCops
DataCops sits at the intersection of both categories: aggregate first-party analytics and cookieless paid-media attribution, from one architecture that is geography-aware by design.
JavaScript loads from datacops.yourbrand.com, your own subdomain, not a third-party CDN. uBlock Origin and Brave do not block it. Safari ITP does not partition it. Anonymous analytics flow unconditionally regardless of consent state, because anonymous session data requires no consent in any jurisdiction. Identifiable conversion parameters wait for valid TCF 2.2 consent before firing to CAPI.
Bot filtering runs before any event is counted. IP intelligence against 361B+ network ranges, browser fingerprinting across 50+ signals, email intelligence at the form layer. Up to 98% of automated traffic filtered before it reaches Meta CAPI, Google Ads, TikTok Events API, or LinkedIn Insight CAPI.
What does not work: DataCops is not a standalone analytics dashboard replacement. It has no session recording, no heatmaps, no product analytics depth. Teams wanting that layer need Plausible or PostHog alongside it.
Right for: paid-media teams running multi-platform ads who want cookieless attribution that actually closes the loop, plus geography-aware consent that does not break US/UK/APAC attribution.
Value for money: 9/10
Pricing: Free (2,000 sessions/mo, bot detection, analytics, CMP, no CAPI). Growth $7.99/mo. Business $49/mo: CAPI starts here, all four platforms, HubSpot integration. Organization $299/mo. Enterprise custom.
Plausible Analytics
The cleanest cookieless web analytics SaaS. Script under 1KB. No cookie banner needed. Cookieless by design using server-side salted hashes. EU-hosted option. Self-hostable on AGPL. Used by Hugging Face, 37signals, Ghost.
What does not work: Starter plan caps at 10,000 pageviews/month for one site, then forces upgrade fast. Trustpilot and Reddit document dashboard lockouts when annual plan customers exceed their cap. No paid media attribution. No CAPI. No bot filtering. Geography-blind: applies the same cookieless methodology to US traffic where it creates attribution gaps.
Right for: content sites, indie SaaS, and EU-first teams wanting clean traffic data without consent overhead.
Value for money: 8/10
Pricing: $9/mo Starter (10K pageviews). $19/mo Growth (3 sites, funnels). $39/mo Business (BI export).
Matomo
The EU compliance gold standard. Self-hosted version is free with full data ownership and no sampling. April 2026 5.9.0 release shipped 1-click CNIL compliance configuration, officially approved for consent-exempt analytics in France. Listed on CNIL's exempt tools registry.
What does not work: self-hosted requires server management. Cloud at €29/month scales quickly with traffic. Premium plugins (heatmaps, funnels, A/B testing) are sold separately. No paid media attribution. No CAPI.
Right for: EU organizations, healthcare, government, and regulated industries needing CNIL-documented compliance with full data sovereignty.
Value for money: 9/10 self-hosted.
Pricing: Self-hosted free. Cloud from €29/month.
Fathom Analytics
Single-founder, closed-source, fast. 100K pageviews unlimited sites at $15/month. EU isolation option for data residency. No cookie banner required. Simpler than Plausible for agencies managing many client sites.
What does not work: no self-hosting option. Closed source means no auditability. No paid media attribution. No CAPI.
Right for: agencies running analytics across many client sites who want flat-rate simplicity.
Value for money: 8/10
Pricing: $15/mo (100K pageviews, unlimited sites).
Simple Analytics
Aggressively priced. $10/month for under 100K pageviews. No PII, no cookies, no consent banner. EU-hosted.
What does not work: minimal feature depth intentionally. No funnels, no retention, no events beyond basics. No paid media attribution.
Right for: small sites and blogs wanting the cheapest GDPR-safe traffic overview.
Value for money: 8/10
Pricing: $10/mo (100K pageviews). $29/mo (100K-1M).
Umami
Open-source cookieless analytics. Self-hosted free, cloud from $9/month. Simpler than Matomo but more featured than Simple Analytics. Growing community. No PII collected.
What does not work: self-hosted requires infrastructure. Cloud is newer and less battle-tested than Matomo. No paid media attribution.
Right for: developers wanting open-source cookieless analytics without Matomo's complexity.
Value for money: 9/10 self-hosted.
Pricing: Self-hosted free. Cloud from $9/month.
Rybbit
Open-source GA alternative launched 2025. Positioned between Plausible's simplicity and PostHog's depth. Free self-hosted tier. Community describing it as "best balance of GA4 depth plus Plausible simplicity."
What does not work: very new, smaller community, less documentation. No paid media attribution.
Right for: developers comfortable with early-stage tools wanting something between Plausible and PostHog.
Pricing: Self-hosted free. Cloud free tier (3K pageviews/month).
Cloudflare Web Analytics
Free for any domain on Cloudflare. No cookies, no PII, no consent banner. Basic traffic overview only.
What does not work: minimal depth. No funnels, no events, no paid media attribution. Geography-blind cookieless: the same attribution gap problem as Plausible for US/UK/APAC returning visitors.
Right for: any site on Cloudflare wanting a free zero-setup privacy baseline alongside a more capable tool.
Pricing: Free.
Piwik PRO
Enterprise-focused with bundled consent manager. GDPR and HIPAA compliant. EU and US data centers. Strong in regulated industries. Free Core plan ended March 31, 2026.
What does not work: no free tier anymore. Business from €35/month, Enterprise from €366/month. The forced migration from free Core alienated 28,000+ users. No paid media attribution or CAPI.
Right for: regulated enterprise organizations needing HIPAA compliance alongside analytics. Government and healthcare.
Value for money: 7/10 post-sunset.
Pricing: Business from €35/month. Enterprise from €366/month.
Google Analytics 4
Still free. Still the default. GA4 captures 55.6% less traffic than Plausible under consent banners. Blocked by ad blockers for 58% of tech-heavy audiences. Seven EU DPAs have ruled previous GA versions non-compliant. Strongest for Google Ads attribution and BigQuery export.
What does not work: consent banner kills accuracy. Ad blockers kill reach. EU legal posture uncertain. Not cookieless by default.
Right for: teams staying on Google ecosystem who need BigQuery export and Google Ads conversion matching. Run alongside a cookieless tool for accurate traffic counts.
Pricing: Free.
Microsoft Clarity
Free heatmaps and session recordings from Microsoft. No session caps, no data limits. GA4 integration available.
What does not work: not a replacement for cookieless analytics. No cookieless mode. GDPR handling in EU contexts requires review. No paid media attribution.
Right for: teams wanting free heatmaps alongside their primary cookieless analytics tool.
Pricing: Free.
Cookieless ad-side attribution tools
Stape (sGTM)
Managed server-side GTM hosting. Routes events to Meta, Google, TikTok, LinkedIn from one container. Cookieless by design: server-side events bypass the browser entirely. 80+ templates.
What does not work: requires GTM expertise. Smart Pause (April 2026) auto-pauses containers at 10% overage on lower tiers. No bot filtering in the box. No built-in consent management.
Right for: teams with GTM engineers who want full container control over cookieless server-side event routing.
Value for money: 7/10 for GTM-literate teams.
Pricing: $17/mo Pro. $83/mo Business. Cloud Run $50-300/mo additional.
Tracklution
No-code managed CAPI. Five-minute setup. Meta, Google, TikTok. SOC 2 and ISO 27001 certified. Built-in Consent Mode v2. Cookieless server-side delivery without GTM overhead.
What does not work: no bot filtering. No LinkedIn.
Right for: EU agencies wanting no-code cookieless CAPI with compliance certifications active today.
Value for money: 8/10 for agencies.
Pricing: €31/month Starter.
Elevar
Deepest Shopify-native server-side data layer. Session Enrichment 3.0 captures Shop Pay and Apple Pay ClickIDs. Cookieless server-side delivery to Meta, Google, TikTok, Pinterest.
What does not work: Shopify-only. No bot filtering. $200-950/month depending on order volume.
Right for: Shopify-only stores at $1M+ GMV needing order-level cookieless attribution fidelity.
Value for money: 7.5/10
Pricing: $200/month Essentials. $950/month Business.
Feature comparison
| Tool | Cookieless type | Geography-aware | Bot filter | CAPI delivery | Platforms | Entry price |
|---|---|---|---|---|---|---|
| DataCops | Aggregate + attribution | Yes | Yes 361B IPs | Yes | Meta, Google, TikTok, LinkedIn | $49/mo |
| Plausible | Aggregate only | No | No | No | Analytics only | $9/mo |
| Matomo | Aggregate only | No | No | No | Analytics only | Free self-hosted |
| Fathom | Aggregate only | No | No | No | Analytics only | $15/mo |
| Simple Analytics | Aggregate only | No | No | No | Analytics only | $10/mo |
| Umami | Aggregate only | No | No | No | Analytics only | Free self-hosted |
| Rybbit | Aggregate only | No | No | No | Analytics only | Free self-hosted |
| Cloudflare WA | Aggregate only | No | No | No | Analytics only | Free |
| Piwik PRO | Aggregate only | No | No | No | Analytics only | €35/mo |
| GA4 | Not cookieless | No | No | Via GTM | Google ecosystem | Free |
| Stape | Attribution only | No | Add-on | Yes | Multi via GTM | $17/mo+CR |
| Tracklution | Attribution only | No | No | Yes | Meta, Google, TikTok | €31/mo |
| Elevar | Attribution only | No | No | Yes | Shopify only | $200/mo |
DataCops is the only tool that handles both aggregate cookieless analytics and cookieless paid-media attribution, with geography-aware consent enforcement built in.
When DataCops is not the right cookieless tool
If you run no paid ads and only need traffic measurement, any aggregate tool above does the job for less money. DataCops without CAPI starts free but you are paying for infrastructure designed for ad attribution you are not using.
If you need session recording, heatmaps, or product funnel analytics, DataCops does not provide those. Hotjar, PostHog, or Microsoft Clarity alongside your cookieless tool covers that.
If your entire stack is Shopify-native and you need the deepest possible checkout-level cookieless attribution with Shop Pay ClickID recovery, Elevar's Checkout Extensibility integration reaches inside Shopify's checkout in ways a universal CNAME setup cannot.
If you need SOC 2 Type II and ISO 27001 both certified today, Tracklution has both active. DataCops is completing SOC 2 Type II.
Every team that switched to a cookieless analytics tool this year solved the EU consent problem. Most of them did not ask what they broke in the process.
Your returning US and UK customers, the ones who came back three times before converting: are they showing up in your funnels as return visitors or as three separate strangers? Your paid media campaigns optimizing on cookieless conversion signals: are those signals reaching your ad platforms with enough identity to actually match, or are you feeding the algorithm hashed anonymity that Meta cannot resolve?
Cookieless fixed the compliance tab. The attribution tab is still open.
