Glinto Blog

No Cookies, No Problem: GDPR-Compliant Analytics

A deep dive into how Glinto delivers accurate visitor insights without ever setting a cookie or fingerprinting a browser.

Glinto Privacy Team

The analytics industry has a cookie problem. For two decades, the default approach to tracking unique visitors has been to drop a first-party or third-party cookie on the user’s browser and read it back on every subsequent visit. It is simple, reliable, and — in the European Union — increasingly illegal without explicit consent. The ePrivacy Directive, GDPR, and the recent Digital Services Act have all tightened the screws on cookie-based tracking. Yet most analytics platforms still require them for basic metrics like unique visitors and returning-user ratios.

Glinto was built on the premise that this trade-off is false. You do not need cookies to understand how people use your website. You need better signal processing, smarter aggregation, and a willingness to accept that perfect precision is less valuable than perfect privacy.

How Cookies Work (and Why They Are a Liability)

A cookie is a small text file stored by the browser and sent back to the server with every request. In analytics, it typically contains a random identifier that lets the platform recognise the same browser across sessions. The problem is that storing any identifier on a user’s device requires consent under EU law. It does not matter if the cookie is first-party, encrypted, or "anonymised." If it can be used to single out a user, it is personal data, and you need a legal basis to process it.

The penalties for getting this wrong are not theoretical. In 2024 alone, European data protection authorities issued over €2 billion in fines, a significant portion of which involved unlawful tracking. For small and medium businesses, a single complaint can trigger an audit that consumes months of management attention and legal fees.

The Glinto Approach: Signal, Not Identity

Instead of identifying browsers, Glinto measures sessions. A session is defined by a combination of coarse-grained signals: the ASN and country of the incoming IP address, the User-Agent family, the time of day, and a rough referrer category. None of these signals, taken individually or together, can identify a specific person. But in aggregate, they produce highly accurate traffic metrics.

For example, if a request comes from a residential ISP in Lisbon, using Chrome on Android, at 14:03 UTC, with a referrer from a Hacker News thread, we classify it as a distinct session. If another request arrives ten minutes later from the same ASN and country with the same User-Agent family, we count it as a continuation of the same session. If it arrives six hours later, we count it as a new session. The margin of error for this heuristic, measured against ground-truth cookie data, is under 4% for daily unique sessions and under 2% for page-view counts.

No Fingerprinting Either

Some privacy-focused analytics tools replace cookies with browser fingerprinting — hashing screen resolution, installed fonts, WebGL parameters, and other device characteristics into a pseudo-identifier. This is arguably worse than cookies from a regulatory perspective. The European Data Protection Board has explicitly stated that fingerprinting is subject to the same consent requirements as cookies, because it achieves the same outcome: singling out a user without their knowledge.

Glinto does not fingerprint. We do not read canvas data, enumerate fonts, or probe WebGL. The signals we use are either already present in the HTTP request or derived from public IP geolocation databases. There is no client-side code that gathers extra information beyond what is necessary to render the pixel.

Consent Banners Are Optional

Because Glinto does not store identifiers, set cookies, or fingerprint devices, it falls outside the scope of the ePrivacy Directive’s consent requirements in most EU jurisdictions. That means our customers can drop the Glinto pixel on their site without triggering a cookie banner. The page loads faster, the user experience is cleaner, and the site owner avoids the legal risk of an improperly configured consent management platform.

We still recommend that customers disclose their use of analytics in their privacy policy — transparency is a core value for us — but the disclosure can be informational rather than transactional. No opt-in, no opt-out, no dark patterns.

Accuracy Without Surveillance

The hardest objection to overcome is the fear that cookieless analytics must be inaccurate. In our experience, the opposite is often true. Cookie-based tracking is brittle: users clear cookies, use private browsing modes, or block third-party storage entirely. Ad blockers and browser privacy features increasingly interfere with cookie-based analytics, leading to undercounting that can reach 30% or more on technical audiences. Glinto’s signal-based approach is resilient against all of these interventions because it does not depend on persistent browser storage.

We are not claiming perfection. There are edge cases — shared office networks, VPN exit nodes with thousands of concurrent users — where session heuristics blur together. But for the vast majority of websites, the accuracy is more than sufficient for decision-making, and the privacy guarantee is absolute.
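The session heuristic from "The Glinto Approach" and the shared-network edge case mentioned above can be sketched as follows. This is an added example, not Glinto's code: the function names, the sample requests and the 30-minute inactivity cutoff are assumptions, since the post only states that ten minutes continues a session and six hours starts a new one.

```python
from datetime import datetime, timedelta

# Assumption: the post gives only two data points (10 minutes continues a
# session, 6 hours starts a new one); this 30-minute cutoff is hypothetical.
INACTIVITY_TIMEOUT = timedelta(minutes=30)

# Constructed sample requests: (UTC time, ASN, country, User-Agent family, visitor).
# ASNs are from the range reserved for documentation. "visitor" is ground truth
# for the comparison only; the heuristic never reads it.
REQUESTS = [
    ("2025-01-10T14:03", 64500, "PT", "Chrome/Android", "a"),
    ("2025-01-10T14:13", 64500, "PT", "Chrome/Android", "a"),   # +10 min: continuation
    ("2025-01-10T20:13", 64500, "PT", "Chrome/Android", "a"),   # +6 h: new session
    ("2025-01-10T09:00", 64501, "DE", "Firefox/Windows", "b"),
    ("2025-01-10T09:05", 64501, "DE", "Firefox/Windows", "c"),  # same office network
    ("2025-01-10T09:07", 64501, "DE", "Firefox/Windows", "d"),  # same office network
]


def count_sessions(requests, timeout=INACTIVITY_TIMEOUT):
    """Count sessions per coarse key (ASN, country, UA family)."""
    last_seen = {}  # key -> time of the most recent request for that key
    sessions = {}   # key -> number of sessions counted for that key
    for ts, asn, country, ua_family, _visitor in sorted(requests):
        when = datetime.fromisoformat(ts)
        key = (asn, country, ua_family)
        previous = last_seen.get(key)
        # A gap longer than the timeout (or a first sighting) opens a new session.
        if previous is None or when - previous > timeout:
            sessions[key] = sessions.get(key, 0) + 1
        last_seen[key] = when
    return sessions


def true_sessions(requests, timeout=INACTIVITY_TIMEOUT):
    """Apply the same timeout rule, keyed on the ground-truth visitor label."""
    relabelled = [(ts, visitor, "", "", visitor) for ts, _a, _c, _u, visitor in requests]
    return count_sessions(relabelled, timeout)


if __name__ == "__main__":
    estimated = count_sessions(REQUESTS)
    for key, n in estimated.items():
        print(key, "->", n, "session(s)")
    print("estimated:", sum(estimated.values()),
          "ground truth:", sum(true_sessions(REQUESTS).values()))
```

On this constructed input the Lisbon-style visitor is counted correctly as two sessions, while the three office users sharing one ASN and User-Agent family collapse into a single session.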

Privacy and analytics are not mutually exclusive. They just require a different starting point. We started from the principle that user data should be treated as a liability, not an asset. Everything else followed from there.