For most of the web's history, "analytics" meant "cookies." You dropped a script on your site, it set a cookie, and that cookie followed the visitor around so you could tell a returning user from a new one. That model is quietly falling apart, and if you maintain a website in 2026 you've probably already felt it.
This is a practical look at what cookieless visitor tracking actually involves today — the techniques, what they're good at, and the trade-offs that don't usually make it into the marketing copy.
Why cookies stopped working
Three things happened at roughly the same time.
Browsers got aggressive. Safari's Intelligent Tracking Prevention caps script-set cookies at seven days, often 24 hours. Firefox isolates third-party storage. Third-party cookies are effectively gone across the board. The result: a returning visitor frequently looks brand new because their cookie expired or got partitioned away.
Users delete and block. Ad blockers and privacy extensions are mainstream now, not a niche concern.
Consent fatigue is real. Even when cookies technically work, you need a banner — and a large share of users dismiss or reject it, so you never get the data anyway.
The net effect is that cookie-based "unique visitor" counts have drifted from "roughly accurate" toward "roughly fiction."
The cookieless options
There is no single drop-in replacement. A few approaches, roughly from least to most precise:
Server-side / aggregate counting. Count requests and hash IP + User-Agent into a daily rotating identifier, then report aggregate numbers. This is what privacy-focused tools like Plausible do. It's genuinely low-risk, and in some jurisdictions it can run without a consent banner. The downside: you lose cross-session identity. A visitor who comes back tomorrow is just a new row.
First-party storage tricks. localStorage, IndexedDB, ETag caching. These can survive a little longer than cookies in some browsers, but they're subject to the same privacy clampdowns — and the same consent rules. Storage is storage.
Browser fingerprinting. Instead of storing an ID on the device, you derive one from the device: screen dimensions, installed fonts, canvas and WebGL rendering quirks, the audio stack, timezone, language. Combine enough signals and you get an identifier stable enough to recognize the same browser across sessions — with nothing stored on the device at all.
Fingerprinting is the only cookieless approach that genuinely recovers cross-session identity. That's why it's having a moment. It's also the option with the biggest asterisk, so let's be honest about it.
The honest part: cookieless is not consent-free
It's tempting to read "no cookies" as "no consent banner." It isn't that simple.
In the EU, the legal trigger isn't the cookie itself — it's accessing or storing information on the user's device. The ePrivacy rules, and regulators including the EDPB and the UK's ICO, have been explicit that fingerprinting falls under the same requirement as cookies. The identifier you derive is also personal data under GDPR. So fingerprinting-based analytics that recognizes returning visitors generally still needs prior consent for EU traffic.
There is a narrow audience-measurement exemption that some regulators (France's CNIL, the ICO) allow — but it's meant for aggregate, non-cross-site statistics, and a persistent fingerprint identity doesn't fit it cleanly.
So here's the realistic picture: going cookieless can simplify your stack and survive browser clampdowns, but it does not automatically free you from a consent banner or a privacy policy. Treat any tool that promises otherwise with suspicion. For EU traffic, the right setup is still a banner that gates the script until the user agrees, plus a clear privacy policy describing what you collect.
What you genuinely do get from going cookieless: data that doesn't silently degrade as browsers tighten storage, no third-party cookie dependency, and a smaller, simpler client footprint.
Where identity-js fits
identity-js is the tool I've been using for this. It's a fingerprint-based analytics script — one tag, no cookies, no dependencies — with a real-time dashboard. Beyond visitor counts it also does bot detection, rage-click and frustration tracking, SEO auditing, and reading-behavior analysis. That's the kind of data that actually helps you understand a site, not just count heads.
I like it because the fingerprinting solves the returning-visitor problem that cookie-based tools fumble. I'd still pair it with a consent banner for EU visitors: the tool handles the tracking, but compliance is still on you. Used honestly, it's a solid cookieless option — just don't let "no cookies" lull you into skipping the legal groundwork.
Getting started
Installation is a single script tag:
<script src="https://www.identity-js.com/tracker/dist/identity.min.js" data-api-key="YOUR_API_KEY"></script>
Drop that into your <head> and — assuming you've got consent handling sorted — the dashboard starts populating. There's a free tier, so you can try it without committing anything.
If you'd rather see what the data looks like before installing, there's a live demo: https://www.identity-js.com/demo
Cookieless tracking in 2026 isn't a magic "no rules" button. But done with eyes open, it's a more durable foundation than the cookie model it's replacing.
Top comments (0)