Ever wondered, "If my website doesn't use cookies, do I actually need a cookie notice?" The answer is: maybe.
It's a myth that the EU Privacy and Electronic Communications Directive, also known as the ePrivacy Directive (ePD), applies only to cookies. It's much more comprehensive than that.
It’s not (only) about cookies
Firstly, don't call it the "cookie law." The ePD is a directive, not a directly applicable law, and its original 2002 text did not even mention cookies.
As a directive, the ePD is not enforceable against you on its own. It sets goals that EU Member States must meet without dictating how they do so; it is up to each EU country to pass its own law implementing the ePD's requirements, and that national law is what you are actually held to.
Storing or accessing information in the user's terminal equipment
The relevant section of the directive, Article 5(3), does not mention cookies; it states only that…
"… the storing of information, or the gaining of access to information already stored, in the terminal equipment [such as web browsers or mobile devices] of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information…"
In 2009, the ePD was amended to require prior consent and to mention cookies and "similar tracking technologies" explicitly, but the rule still was not only about cookies.
The ePD works alongside the General Data Protection Regulation (GDPR), which governs the processing of personal data (the GDPR's term for what is often called personally identifiable information). Storing an identifier on a device falls under the ePD; if that identifier, or anything linked to it, is personal data, the GDPR applies to the same processing as well.
While the use of cookies is the most well-known target of ePD-related regulations, they apply to any technology that stores or accesses information on a user’s device.
This includes:
- Tracking Pixels: Using invisible images to include information that instructs the user's device (browser or email client) to send data (e.g., an email open, page view, or IP address) to a remote server.
- Local/Web Storage: Storing and/or accessing data in the user's browser, such as with localStorage via JavaScript.
- Device Fingerprinting: Compiling a unique(ish) identifier by reading the user's device characteristics (like browser plugins, hardware specs, screen resolution, installed fonts, etc.), typically used to track that ID across web pages or sites.
Not all data is the same
If your site accesses or stores user data for analytics, marketing, or personalization, you need explicit prior consent from the user, even if you never drop a single cookie.
The ePD itself draws a single line: storage or access that is strictly necessary to deliver the service the user asked for, versus everything else. Consent tools conventionally split the "everything else" by purpose:
| Data Type | Purpose | Example |
|---|---|---|
| Strictly Necessary | Required for core website functionality | Keeping you logged in as you move between web pages or remembering items in your shopping basket. |
| Analytics | Track website usage | Recording how often you visit the site, possibly with device and location characteristics. |
| Marketing | Show relevant ads | Displaying an ad for a product you recently viewed on a different site. |
| Personalization | Remember your settings | The site remembers and uses your language or currency settings each time you visit. |
If your website only stores and accesses data on the user's machine for strictly necessary reasons—meaning to deliver the core service the user requested—you do not need a cookie consent banner.
Examples of data access and storage that generally do not need consent:
- Session management (e.g., keeping a user logged in as they move around your website).
- Security tokens (e.g., a CSRF token, or a check that protects the user from fraud during checkout).
- Remembering what is in a shopping cart.
- Saving the user’s preference regarding their consent to the privacy notice itself.
However, if you use products such as Google Analytics (even in cookieless mode), Facebook Pixels, or YouTube embeds, you are processing data beyond "strictly necessary." In these cases, you must first alert the user and obtain their consent.
What if my website is not in the EU?
The ePD applies based on the user's location, not the website. If you offer any services, process data, or allow sign-ups within the EU, you must comply, regardless of where your servers or your company are based.
Quick compliance checklist for 2025
To ensure your site is compliant with applicable data tracking requirements, follow these steps:
- Audit your stack: Identify every script running on your site, including third-party plugins.
- Block by default: Ensure all non-essential tracking (Analytics, Ads) is paused until the user clicks "Accept."
- Categorize consent: Offer granular options (Analytics vs. Marketing, for example) rather than a single "Accept All" button.
- Avoid "Dark Patterns": Do not use pre-ticked boxes. Acceptance by default does not constitute consent.
- Enable easy withdrawal: Ensure users can revoke consent (a "Reject" or "Manage Settings" button) as easily as they gave it.
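The checklist above, and the list of non-cookie techniques earlier on the page, as working code. This is an example added here, not code from the original post: a small consent gate in JavaScript in which non-essential trackers stay paused until the user opts in to their category, consent is granular, nothing is pre-ticked, and withdrawal is a single call that undoes what the tracker stored. The category names, the storage key consent-v1, the ads.example pixel URL and the device traits are assumptions; the storage object mimics the Web Storage API so the same code runs against window.localStorage in a browser or the in-memory stand-in in Node.

```javascript
// Added example, not code from the original post: a consent gate for a
// "cookieless" site. Non-essential code that stores or reads information on
// the user's device is registered under a consent category and stays paused
// until the user opts in. `storage` is any Web Storage-like object
// (localStorage in a browser); the in-memory stand-in lets this run in Node.

const CATEGORIES = Object.freeze(['analytics', 'marketing', 'personalization']);
// Assumed key name. Recording the user's own choice is strictly necessary,
// so this is the one key written before any consent exists.
const CONSENT_KEY = 'consent-v1';

function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    keys: () => [...m.keys()],
  };
}

// Device fingerprint: FNV-1a over device characteristics (a constructed
// `traits` object stands in for navigator/screen). No cookie, no storage,
// but still "gaining access to information" on the device, so it is gated.
function fingerprint(traits) {
  const canonical = JSON.stringify(traits, Object.keys(traits).sort());
  let h = 0x811c9dc5;
  for (let i = 0; i < canonical.length; i++) {
    h = Math.imul(h ^ canonical.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

class ConsentGate {
  constructor(storage) {
    this.storage = storage;
    this.trackers = new Map(CATEGORIES.map((c) => [c, []]));
    this.choices = this.readChoices();
  }
  // No record, or a malformed one, means "not consented": nothing is pre-ticked.
  readChoices() {
    let saved = {};
    try { saved = JSON.parse(this.storage.getItem(CONSENT_KEY)) || {}; } catch { saved = {}; }
    return Object.fromEntries(CATEGORIES.map((c) => [c, saved[c] === true]));
  }
  writeChoices() { this.storage.setItem(CONSENT_KEY, JSON.stringify(this.choices)); }
  list(category) {
    if (!this.trackers.has(category)) throw new Error(`unknown category: ${category}`);
    return this.trackers.get(category);
  }
  // `start` runs only once the category is consented; `stop` undoes what
  // `start` stored, so withdrawal is effective rather than a flag flip.
  register(category, { start, stop = () => {} }) {
    const t = { start, stop, running: false };
    this.list(category).push(t);
    if (this.choices[category]) this.run(t); // consent recorded on an earlier visit
    return t;
  }
  run(t) { if (!t.running) { t.running = true; t.start(this.storage); } }
  halt(t) { if (t.running) { t.running = false; t.stop(this.storage); } }
  // Granular: the user can accept analytics and still refuse marketing.
  grant(categories) {
    for (const c of categories) { const ts = this.list(c); this.choices[c] = true; ts.forEach((t) => this.run(t)); }
    this.writeChoices();
  }
  // Withdrawal is one call of the same shape as granting.
  revoke(categories) {
    for (const c of categories) { const ts = this.list(c); this.choices[c] = false; ts.forEach((t) => this.halt(t)); }
    this.writeChoices();
  }
  status() { return { ...this.choices }; }
}

// Walk-through on constructed input; returns what a checker can inspect.
function demo() {
  const storage = memoryStorage();
  const pixelRequests = []; // URLs a marketing pixel would have fetched
  const traits = { ua: 'Mozilla/5.0 (X11; Linux x86_64)', screen: '2560x1440', tz: 'Europe/Berlin' };
  const gate = new ConsentGate(storage);
  // "Cookieless" analytics: a visitor id in localStorage derived from a fingerprint.
  gate.register('analytics', {
    start: (s) => { if (!s.getItem('visitor-id')) s.setItem('visitor-id', fingerprint(traits)); },
    stop: (s) => s.removeItem('visitor-id'),
  });
  // Marketing pixel: in a browser this would be `new Image().src = url`.
  gate.register('marketing', { start: () => pixelRequests.push('https://ads.example/pixel?page=%2Fcheckout') });
  const snapshot = () => ({ visitorId: storage.getItem('visitor-id'), pixels: pixelRequests.length });
  const beforeConsent = snapshot(); // nothing stored, nothing sent
  gate.grant(['analytics']);        // user ticks analytics only
  const analyticsOnly = snapshot();
  gate.revoke(['analytics']);       // user changes their mind
  const afterRevoke = snapshot();
  const nextVisit = new ConsentGate(storage).status(); // the choice survives reloads
  return { beforeConsent, analyticsOnly, afterRevoke, nextVisit, stored: storage.keys() };
}
```

What demo() shows: before any consent, neither the visitor id nor the pixel request exists; after accepting analytics only, the id appears but no pixel is sent; after withdrawal the id is gone again, and the only key left in storage is the consent record itself, which is the one thing the page lists as needing no consent. In a real deployment the `start` callbacks are where the analytics snippet, pixel or embed would be injected, and the audit step of the checklist amounts to making sure no such code runs outside a `start`.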
This might all change
As of November 2025, some insiders are reporting that the rules governing how websites confirm user consent may change.
"The European Union is on a route to simplify the notorious rule that is annoying every EU citizen, namely the ever-present "consent popups". You know them for sure, as most people need to go through lots of clicks that are simply a waste of time."
The idea is that the web browser records the user's consent (or rejection) once and makes that information available to each website, in the same spirit as the existing Global Privacy Control signal (the Sec-GPC request header), through which a browser can already send an opt-out preference on every request.
In short
"Cookieless" is not a loophole. If the user is in the EU and you store or access data on their device for purposes that are not strictly necessary, you must get their consent, whether you use cookies or not.
photo credit: Jill Wellington