The cookie consent banner is the web’s most dishonest dialog box. It presents a choice — “Accept All” or “Manage Preferences” — but the architecture underneath has nothing to do with consent. It’s legal theatre, and everyone knows it.

At Glinto, we built an analytics platform that doesn’t need consent banners. Not because we found a clever legal loophole, but because we don’t collect or store any personal data. Here’s how it works, and why it matters for European teams running compliance-heavy analytics.

What the GDPR Actually Requires

Let’s start with what the regulation says, not what compliance vendors want you to believe. The GDPR requires a lawful basis for processing personal data. “Personal data” means any information relating to an identified or identifiable natural person.

The key word is identifiable. If your analytics tool can distinguish one visitor from another — through cookies, fingerprinting, IP address storage, or user IDs — you need consent. Period.

Most analytics tools collect:

  • Full IP addresses
  • Persistent user identifiers (client IDs, cookies)
  • Browser fingerprints (screen resolution, installed fonts, WebGL renderer)
  • Cross-site tracking data
  • Cross-session behavioral profiles

That’s the surveillance economy model. GA4 was built for it. Most alternatives just repackage it with a green coat of paint.

Glinto was designed from the ground up to avoid creating personal data at any layer of the stack:

Daily-salted visitor hashing. When a visitor loads your site, we generate a unique identifier by hashing a combination of their IP address, user agent string, and a server-side secret that rotates every day at midnight UTC. The hash is SHA-256, one-way, and irreversible. We cannot reconstruct the original values or correlate visits across days. Even if someone compromised the server at 18:00 UTC and extracted the salt, they’d only have 6 hours of correlatable data — and the salt alone is useless without the hashing algorithm, the exact combination logic, and the ephemeral container state.

IP addresses are never persisted. We process IP addresses in memory for geo-location (country-level only, using a local MaxMind database) and for the daily hashing operation. The raw IP is then discarded before the request completes. IP addresses never touch disk, never enter a database, and never leave the EU region.

No cookies. Zero. We don’t set any cookies — first-party or third-party. Not for session tracking, not for preferences, not for A/B testing. The entire analytics pipeline works statelessly. Our tracking script is approximately 6 KB and loads in under 5 milliseconds.

No fingerprinting. We don’t collect screen resolution, installed fonts, canvas hashes, audio context fingerprints, or WebGL attributes. The only technical information we capture is the user agent (simplified to browser family + OS) and the referring domain — none of it is sufficient to re-identify a visitor.
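A minimal sketch of the daily-salted hashing and in-memory IP handling described above, added here as an illustration and not Glinto's own code. The class name, the 32-byte random salt and the length-prefixed field encoding are assumptions; the page states only that the IP address, user agent and a daily-rotating server-side secret are hashed with SHA-256.

```python
import hashlib
import secrets
from datetime import datetime, timezone


class DailySaltHasher:
    """Visitor ID that is stable within one UTC day only.

    Assumed encoding (not specified on the page):
    SHA-256(salt || len(ip) || ip || len(ua) || ua)
    """

    def __init__(self):
        self._day = None    # UTC date the current salt belongs to
        self._salt = None   # held in memory only, never written to disk

    def _salt_for(self, now):
        day = now.astimezone(timezone.utc).date()
        if day != self._day:
            # Rotation at midnight UTC: overwrite the old salt so earlier
            # days' IDs can no longer be recomputed or linked to today's.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def visitor_id(self, ip, user_agent, now):
        h = hashlib.sha256(self._salt_for(now))
        for field in (ip, user_agent):
            raw = field.encode("utf-8")
            # Length prefix keeps ("1.2.3.4", "5x") distinct from ("1.2.3.45", "x").
            h.update(len(raw).to_bytes(4, "big") + raw)
        # Only the digest leaves this function; the raw IP is never stored.
        return h.hexdigest()


def demo():
    hasher = DailySaltHasher()
    ip = "203.0.113.7"                       # constructed sample (documentation range)
    ua = "Mozilla/5.0 (constructed sample)"  # constructed sample
    morning = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    evening = datetime(2024, 5, 1, 23, 59, tzinfo=timezone.utc)
    next_day = datetime(2024, 5, 2, 0, 0, tzinfo=timezone.utc)
    return tuple(hasher.visitor_id(ip, ua, t) for t in (morning, evening, next_day))


if __name__ == "__main__":
    a, b, c = demo()
    print("same day, same ID:     ", a == b)
    print("next day, different ID:", a != c)
```

Because an IP address and a user agent are low-entropy inputs, the unlinkability shown here rests on the salt staying secret and being destroyed at rotation, not on SHA-256 alone.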

Why “Anonymised” Isn’t Enough

Here’s a common pattern in the privacy analytics space: a tool collects full telemetry data, including IP addresses and browser fingerprints, then “anonymises” them after ingestion. The vendor claims this satisfies GDPR because they “don’t store personal data.”

This is a misunderstanding of the law. The GDPR applies to processing, not just storage. If your analytics pipeline processes personal data at any stage — even temporarily, even in RAM — you need a legal basis for doing so. Most “privacy-first” analytics tools process personal data; they just don’t persist it in identifiable form. That’s better than GA4, but it’s not truly consent-free under a strict GDPR interpretation.

Glinto’s architecture avoids processing personal data entirely. We never have it, so we never need to justify having it.

The French CNIL Decision That Changed Everything

In 2021, the French data protection authority (CNIL) published updated guidance that explicitly exempted certain analytics tools from cookie consent requirements — notably Matomo (properly configured) and Plausible. The CNIL’s reasoning: if the tool doesn’t use cookies, doesn’t cross-reference data across sites, doesn’t identify individuals, and the data doesn’t leave the EU, it can operate under the GDPR’s “legitimate interest” basis.

This decision was a watershed moment for European analytics. It demonstrated what we’d been arguing: the problem isn’t analytics per se, it’s the architecture of surveillance that most tools inherited from Google Analytics.

Glinto meets every criterion in the CNIL decision and goes further: IP addresses are never stored at all.

The Cost of Doing It Wrong

Fines for GDPR non-compliance have climbed sharply. Meta’s €1.2 billion fine in May 2023 for illegal data transfers to the US set a new precedent. The EDPB is increasingly focused on the analytics and ad-tech pipeline specifically.

But the real cost isn’t regulatory. It’s the slow erosion of trust. Every cookie banner tells your visitors: “We’d like to track you, but the law says we have to ask first.” That’s not a great onboarding experience. Removing the banner entirely — and meaning it — is one of the simplest trust signals you can deploy.

What This Means for Your Stack

If you’re running a European website and care about compliance, here’s a practical checklist:

  1. Can you answer “what data do we process about visitors?” If your answer includes IP addresses, client IDs, or browser fingerprints, you need a consent mechanism. If your answer is “none of the above,” you don’t.

  2. Does your analytics provider publish their data processing architecture publicly? Glinto publishes its hashing scheme, its IP handling process, and its sub-processor list. If your vendor can’t show you how they avoid creating personal data, assume they don’t.

  3. Where is the data processed? Under the GDPR, data transfers outside the EU require safeguards (Standard Contractual Clauses, an adequacy decision, etc.). Glinto hosts everything within the EU — Germany and the Netherlands, specifically — and will never move your data elsewhere.

  4. What happens when you stop using the tool? At Glinto, your account data is exportable in standard CSV format. If you delete your account, all associated data is purged from our systems within 30 days. No hanging references, no anonymous “benchmarking” datasets built from your traffic.

The Bottom Line

Privacy-first analytics is possible, but it requires architectural choices that most vendors — even the ones with “privacy” in their tagline — are unwilling to make. It means sacrificing some features (cross-domain tracking, individual visitor profiles, heatmaps built from cursor movement telemetry). It means taking a hard line on what data enters the pipeline at all.

We think that’s a good trade. You get honest analytics — pageviews, referrers, geographic distribution, top pages — without the moral and legal overhead of surveillance. Your visitors get a faster page load and no consent banner. The advertising industry gets none of your data.

That last part is the one they really don’t like. And that’s how you know you’re doing it right.