DEV Community

Michael Mathews

Do You Need A Cookie Notice If You Don't Use Cookies?

Ever wondered, “If my website doesn't use cookies, do I need a cookie notice?” It's a myth that websites can skip the annoyance of a privacy banner simply by avoiding cookies—and one that could land you in legal trouble.

It’s About Tracking, Not Cookies

The EU’s ePrivacy Directive, commonly known as the "cookie law," and related provisions of the EU GDPR (General Data Protection Regulation) are not just about cookies.

While cookies are the most well-known target of these laws, the ePrivacy Directive applies to any technology that stores or accesses information on a user’s device (such as cookies, local storage, or pixels). This includes:

  • Tracking Pixels: Using invisible images whose requests carry information that tracks page views or open rates.
  • Local/Web Storage: Storing tracking data in the browser's localStorage via JavaScript.
  • Device Fingerprinting: Compiling browser characteristics such as screen resolution, color depth, installed fonts, and plugins to create and track a unique ID.

Not All Tracking Is The Same

If your site uses any tracking tools for analytics, marketing, or personalization, you need a banner and explicit prior consent, even if you never drop a single cookie.

But the law recognizes different categories of tracking based on their purpose.

The Non-Essential Tracking

Data Type       | Purpose                | Example
Analytics       | Track website usage    | Recording how often you visit the site, possibly with device and location characteristics.
Marketing       | Show relevant ads      | Displaying an ad for a product you recently viewed on a different site.
Personalization | Remember your settings | The site remembers and uses your language or currency settings each time you visit.

The Exceptions

If your website engages in zero non-essential tracking, you do not need a consent banner. You are allowed to use storage for "strictly necessary" features required to deliver the core service the user requested.

You generally do NOT need consent for:

  • Session management (e.g., keeping a user logged in as they move around your website).
  • Security tokens (e.g., protecting the user from fraud during checkout).
  • Remembering what is in a shopping cart.
  • Saving the user’s preference regarding their consent to the privacy notice itself.

However, if you use products such as Google Analytics (even in cookieless mode), Facebook Pixels, or YouTube embeds, you are processing data beyond "necessity." In these cases, the user's consent is required.

Quick Compliance Checklist for 2025

To ensure your site is compliant with applicable data tracking requirements, follow these steps:

  1. Audit your stack: Identify every script running on your site, including third-party plugins.
  2. Block by default: Ensure all non-essential tracking (Analytics, Ads) is paused until the user clicks "Accept."
  3. Categorize consent: Offer granular options (Analytics vs. Marketing, for example) rather than a single "Accept All" button.
  4. Avoid "Dark Patterns": Do not use pre-ticked boxes. Acceptance by default does not constitute consent.
  5. Enable easy withdrawal: Ensure users can revoke consent (a "Reject" or "Manage Settings" button) as easily as they gave it.
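
Steps 2 through 5 of the checklist as a small consent gate, added here as an example (not code from the article). The storage and script hooks are injected so it also runs outside a browser; `createConsentGate`, the `consent-v1` key and the hook names are assumptions of this example.

```javascript
// Added example (not from the article). Category names follow the article's table.
const NON_ESSENTIAL = ["analytics", "marketing", "personalization"];

// storage, loadScript and unloadScript are injected (hypothetical hooks): in a
// browser they would wrap localStorage, <script> insertion, and tag/data cleanup.
function createConsentGate({ storage, loadScript, unloadScript }) {
  const KEY = "consent-v1"; // remembering the choice itself needs no consent
  const pending = [];       // registered but blocked scripts
  const loaded = new Map(); // src -> category, needed for withdrawal

  // Step 4: nothing pre-ticked. Only an explicit stored `true` counts.
  let saved = {};
  try { saved = JSON.parse(storage.getItem(KEY) || "{}") || {}; } catch { saved = {}; }
  const consent = {};
  for (const c of NON_ESSENTIAL) consent[c] = saved[c] === true;

  // Step 2: a script runs only once its category has been accepted.
  function flush() {
    for (const s of pending.filter((p) => consent[p.category] === true)) {
      pending.splice(pending.indexOf(s), 1);
      loaded.set(s.src, s.category);
      loadScript(s.src);
    }
  }

  return {
    // Unknown categories are treated as non-essential and stay blocked.
    register(src, category) {
      if (category === "necessary") return loadScript(src);
      pending.push({ src, category });
      flush();
    },
    // Step 3: granular. Only categories named in `choice` change.
    // Step 5: setting one back to false unloads what it had enabled.
    update(choice) {
      for (const c of NON_ESSENTIAL) if (c in choice) consent[c] = choice[c] === true;
      storage.setItem(KEY, JSON.stringify(consent));
      for (const [src, category] of loaded) {
        if (consent[category]) continue;
        loaded.delete(src);
        unloadScript(src);
        pending.push({ src, category });
      }
      flush();
    },
    state: () => ({ ...consent }),
  };
}
```

Removing a script tag does not undo what the script already stored, so the `unloadScript` hook is also where the tracker's own storage would be cleared.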

Why This Matters Now

Failing to comply damages user trust and invites liability. In 2025, the use of automated scanning tools by privacy activists and regulators has made it easier to identify non-compliant sites of all sizes—not just Big Tech.

In Short

"Cookieless" is not a legal loophole. If you access the user's device to track their behavior, you need their permission.


photo credit: Jill Wellington
