Zum Inhalt springen
Website, shop & visibility from one source
Online-Marketing

Website Analytics Without a Cookie Banner, Legally

How to measure your website in 2026 compliantly without a cookie banner: legal framework from TDDDG, DSK and EDPB, complete data instead of rejection.

12 min read AnalyticsDSGVOTDDDGDatenschutzTracking

Almost every website today greets its visitors with a cookie banner, and almost everyone clicks it away in annoyance. For businesses this is a double problem: the banner disrupts the decisive first seconds on the site, and it means a large share of visitors no longer appears in the statistics at all. Anyone who declines or simply ignores the dialog is not counted by classic analytics tools. The result is patchy numbers on which no one can base good decisions. Yet in many cases the consent dialog is not even necessary. Anyone who understands what the law requires consent for and what it does not can measure their website in 2026 in a data-protection-compliant way, without bothering visitors with a banner and without losing half the data. This article soberly explains the legal framework from the German TDDDG, the guidance of the Data Protection Conference and the guidelines of the European Data Protection Board, shows when a banner is mandatory and when not, and describes how banner-free, aggregated measurement works in technical terms. It does not replace legal advice but describes the implementation from a web agency's perspective.

Website Analytics Without a Cookie Banner: Complete Data, LegallyClassic Tracking with a BannerMeasured only after active consentMay we set cookies?DeclineAcceptVisits actually captured30%70% not capturedIncomplete data basisGaps from rejection and banner fatigueBanner-free and aggregatedMeasured without device accessNo consent dialog neededaggregated, cookieless, no profilesVisits actually capturedaround 100% of visitsComplete data basisreliable numbers without legal riskThe legal framework for banner-free measurementSec. 25 TDDDG: deviceDSK: aggregated measurementEDPB: free consentBanner-free is possible when there is no device access and no personal profiles

Why the Cookie Banner Costs You Data

Cookie banners have long become a symbol of frustration on the web. Three quarters of internet users, more precisely 76 percent (Bitkom), feel annoyed by cookie banners and tracking settings, and 68 percent (Bitkom) would rather not deal with them at all. This rejection feeds straight through to data quality. Current figures show that 43 percent (Statista) of users in Germany reject as many cookies as possible, while only around 30 percent (Statista) accept everything with one click. For a classic, consent-based measurement, every declined or ignored banner means a visitor who does not appear in the numbers.

For a business this is more than a cosmetic flaw. Anyone who only sees the minority who consented is not measuring their website but a distorted excerpt of it. Which page brings enquiries, which channel pays off, where do visitors drop off: these questions are hard to answer with half the numbers. On top of that, 58 percent (Bitkom) of users regularly delete their cookies in the browser, which wrongly counts returning visitors as new ones. At the same time many banners are legally open to challenge: a widely cited study found that only 11.8 percent (Nouwens et al., CHI 2020) of banners met the minimal requirements and that removing the decline button from the first layer alone increased consent by 22 to 23 percentage points (Nouwens et al., CHI 2020). How to measure success by the right metrics instead is shown in our article on measuring website success.

The double price of the banner

A consent banner costs twice: it worsens the user experience in the decisive first seconds, and it often shrinks the data basis considerably because a large share of visitors declines or clicks away. A modern website that does not slow visitors down in the very first second fits current web design trends 2026. Data-minimising, banner-free methods reverse the equation, because a measurement no one has to object to delivers more complete numbers.

When a Banner Is Mandatory and When Not

Whether a website needs a banner does not depend on whether it collects data at all, but on two questions: does the measurement access information on the visitor's device, for example by setting or reading cookies, and are personal data processed in the process. Both questions decide the consent requirement, and with the right technical implementation both can often be answered with no. The first step is therefore always an honest inventory of the services in use, as our GDPR checklist for websites also describes.

The first point is governed by Section 25 of the TDDDG, the German Telecommunications Digital Services Data Protection Act (TDDDG, Section 25). It requires consent as soon as information in the terminal device is accessed, that is, for example, a cookie is set or read. Only what is strictly necessary for the service the user has expressly requested is exempt. Analytics and reach measurement generally do not count as strictly necessary, which is why a cookie-based statistics tool almost always needs consent in practice. The decisive lever is therefore to measure entirely without accessing the device.

Briefly explained: the TTDSG became the TDDDG

The former TTDSG has carried the name TDDDG (Telecommunications Digital Services Data Protection Act) since May 2024. In substance, Section 25 on the protection of the terminal device has stayed the same; older texts still use the label TTDSG. Together with the General Data Protection Regulation it forms the framework for the question of when a website may measure without asking first.

The second point concerns the General Data Protection Regulation. Even when no device access takes place, it must be clarified whether personal data are processed, such as an unshortened IP address that makes an individual visitor identifiable. A measurement that counts at an aggregated level, shortens IP addresses and builds no profiles across pages or devices does not aim at any personal reference. Where no personal reference arises and no device access is needed, the consent requirement often does not apply. The precise assessment in the individual case remains a legal question, but the technical switch is set when the measurement is built.

Three sources set the framework a data-protection-compliant measurement follows. The TDDDG governs access to the device, the Data Protection Conference, DSK for short, classifies in its guidance when reach measurement is permissible, and the European Data Protection Board, EDPB for short, defines what makes consent valid in the first place. Together they yield a clear picture.

In its guidance for telemedia providers, the DSK explicitly distinguishes between tracking and reach measurement (DSK). It speaks of reach measurement when the aim of the processing is an aggregated statistic not related to individual persons. As soon as individual users are recognised over a longer period, the line to consent-requiring processing is crossed. A banner-free measurement aligns exactly with this line: it counts what happens on the site without making the people behind it identifiable.

Reach measurement exists when the aim of the processing is an aggregated statistic with no reference to individual persons; recognising individual users over a longer period is no longer reach measurement.

paraphrased from the guidance for telemedia providers (DSK)

Where consent remains necessary, it must meet the EDPB's requirements. According to its guidelines on consent (EDPB, Guidelines 05/2020), consent must be freely given, granted for the specific purpose, informed and unambiguous. The EDPB also makes clear that so-called cookie walls, which make access to the site conditional on consent, do not allow freely given consent, and that mere scrolling is not valid consent (EDPB, Guidelines 05/2020). These high requirements are another reason to keep the number of consent-requiring services as small as possible. What a fair dialog looks like when it is unavoidable is covered in our article on the cookie banner that respects law and users.

Not a free pass, but a framework

Measuring banner-free does not mean no rules apply. It means designing the measurement so that it lies outside the consent requirement from the start: no device access, no personal reference, no profiles across pages or devices. Whether a specific method stays on this line depends on the details and should be checked legally in case of doubt. This article is a technical orientation, not legal advice.

The good news for businesses: most business-relevant questions can be answered without a single consent-requiring cookie. Instead of marking individual visitors and following them over time, a data-minimising measurement evaluates the requests in aggregate. The following building blocks ensure the measurement stays outside the consent requirement and still delivers usable numbers.

Server-side analysis

Derive reach from the server requests that occur anyway, without letting a script in the browser set cookies. The request is counted, not the person.

No recognition

No profiles across devices or pages. A visit is counted as an event, not assigned to an identifiable user.

Shorten IP addresses

The IP address is shortened or discarded immediately, so that no individual visitor stays identifiable and no personal reference is intended.

Metrics instead of raw profiles

Page views, sources, device classes and enquiries are captured as sums. That is enough to recognise trends and strong channels.

Host external locally

Serve fonts, scripts and maps from your own server instead of third parties. No data outflow on page load, faster load time.

Full data basis

Because no banner is needed, nearly all requests flow into the analysis instead of only the minority who consented.

The effect is paradoxical and pleasing at once: because no one has to object to the measurement, the data basis becomes more complete, not thinner. Instead of the minority left over from a consent-based measurement after rejection and ignored banners, nearly all requests flow in. We set up these methods as part of online marketing and ongoing website care, so the numbers are not only cleanly captured but also regularly analysed and turned into improvements.

Aggregated Measurement Compared to Classic Tracking

The difference between classic tracking and aggregated measurement can be pinned down to a few characteristics. The following comparison shows where the two approaches diverge and why the banner-free variant is the more reliable basis for the everyday work of many businesses.

CharacteristicClassic trackingAggregated, banner-free measurement
Device accessCookies are set and readNo cookie, no device access
RecognitionIndividual users over time and devicesOnly aggregated events, no profiles
ConsentUsually requiredOften not required
Cookie bannerNeeded, often with data lossUsually avoidable
Captured visitsOnly the consenting minorityNearly all requests
Level of detailVery granular, personalTrends, sources, metrics

The table makes the trade-off clear. Aggregated measurement delivers no minute individual profiles and no cross-device recognition. For the retargeting of large ad campaigns that may be a loss. For the questions that actually occupy small and medium-sized businesses, which pages bring enquiries, which channels pay off and where visitors drop off, complete, aggregated numbers are usually the better basis. For online shops the complete view is especially valuable, for example to systematically reduce cart abandonment instead of seeing only a consenting share of those who abandon a purchase.

Complete beats granular

A measurement that captures nearly all visits but knows less about each individual is often more valuable for business decisions than one that knows a lot about a few who consented. Data-minimising here does not mean poorer in insight but richer in a reliable basis.

The legislator has responded to banner fatigue. On the basis of Section 26 of the TDDDG, the Consent Management Regulation (Einwilligungsverwaltungsverordnung) came into force on 1 April 2025 (Einwilligungsverwaltungsverordnung). It creates the framework for recognised consent management services through which users can manage their decisions centrally instead of clicking anew on every site. Such services are only recognised by the competent supervisory authority if they are user-friendly and independent and have no economic self-interest in obtaining consent (Einwilligungsverwaltungsverordnung).

This development is welcome but changes nothing about the simplest route: anyone who measures without consent-requiring services from the start needs neither a banner nor a management service for it. Consent management eases handling of consents, banner-free measurement makes many of them unnecessary. For businesses planning in 2026, both are relevant: to meet the obligation cleanly where consent is needed, and to avoid it where a data-minimising approach works without it.

Fewer services, fewer obligations

Every external service that sets cookies or passes data to third parties increases the effort for consent, documentation and maintenance. Anyone who keeps the number of such services small not only simplifies data protection but also speeds up the site. A lean, banner-free measurement is therefore also a contribution to better load times and Core Web Vitals.

What Banner-Free Analytics Can Do and What Not

Honesty includes naming the limits. Banner-free, aggregated measurement is not a substitute for every conceivable analysis and no free pass. It is excellent for steering a website day to day but reaches its limits where cross-device individual journeys or personalised ad tracking are required. The following overview classifies what is realistically possible.

  • Recognise page views, popular pages and entry points as sums
  • Roughly distinguish sources and channels to separate strong from weak entry points
  • Count enquiries, calls and form completions as conversions
  • Device classes and rough regions for context, without personal reference
  • Track trends over time to check the effect of changes
  • Keep load time and technical metrics in view

What cannot be reflected is anything that requires a genuine personal reference: the seamless tracking of a single person over weeks, cross-device recognition or personalised retargeting in ad networks. Anyone who absolutely needs such functions cannot avoid consent and has to accept the price of patchy consent data. For the vast majority of regional businesses, service providers and practices, however, this is no loss, because their decisions hang on aggregated metrics and not on individual profiles. Which channels bring the best enquiries through search engine optimisation can be recognised cleanly even without personal tracking. How these numbers turn into more enquiries is explored in our article on conversion optimisation for more enquiries.

No blanket assurance

Whether a particular measurement is permissible without consent in an individual case depends on the specific method, the data processed and the respective interpretation of the supervisory authorities. We set up the measurement on the principle of data minimisation and keep it current, but that does not replace a legal review. Data protection is a moving field in which regulations and court decisions continually sharpen the details.

On balance, banner-free analytics is not a sacrifice for most businesses but a gain: more complete numbers, a calmer legal situation and a website that does not slow visitors down in the very first second. The path there runs through an honest inventory of the services in use and a measurement designed to be data-minimising from the start. Examples from practice can be found in our references, and if you want to take this path, we accompany you from setup to ongoing analysis, gladly with further articles in our blog.

This article is based on data from: Bitkom (survey on cookie banners 2024), Statista (dealing with cookie notices in Germany), Nouwens et al. (CHI 2020, cookie banner compliance), the Data Protection Conference (DSK, guidance for telemedia providers), the European Data Protection Board (EDPB, Guidelines 05/2020 on consent), the German TDDDG (Section 25 and Section 26) and the Consent Management Regulation. The article is a technical orientation and not legal advice; the assessment in an individual case remains reserved for a qualified legal review.