Most web analytics works by planting a cookie in a visitor's browser, assigning them an ID, and following them across sessions and sites. That model built the modern analytics industry and powers everything from Google Analytics to Facebook Pixel. It also creates a data trail that most visitors never consent to and can't meaningfully opt out of.
Privacy-first analytics takes the opposite approach: measure what you need to know about traffic without building visitor profiles, without cookies, and without data that needs to be disclosed under GDPR, CCPA, or the Indian DPDP Act 2023.
This guide covers how cookieless analytics works, what you can and can't measure without cookies, and why it's the right default for link tracking specifically.
What cookies actually do in analytics
A persistent analytics cookie does two things:
- Identifies returning visitors — by reading the same cookie value on subsequent visits, the analytics platform knows "this is the same person who visited three days ago"
- Enables cross-session attribution — it connects a user's first click on an ad to their eventual purchase two weeks later
Both of these require storing an identifier on the visitor's device — which is why cookie consent banners exist. Under ePrivacy (the EU directive), storing anything on a user's device without consent is prohibited. GDPR amplifies this by requiring that any personal data processing (and a cookie-based ID is personal data, since it can identify an individual) has a lawful basis.
Cookieless analytics sidesteps this entirely by not storing anything on the visitor's device. There's nothing to consent to, because there's no processing of personal data at the client level.
How cookieless analytics actually works
Without a cookie, how do you count visitors? The answer is server-side aggregation with statistical counting rather than individual tracking.
IP-based session approximation
The server receives a request. It knows the IP address, user agent, and timestamp. By combining these signals (without storing them), it can estimate whether two requests are probably from the same session — and count sessions rather than individual page loads — without creating a persistent identifier.
The key difference from cookie-based analytics: nothing persists after the session. There's no ID stored in the browser, no profile built across visits, and no way to link today's visit to next week's visit at the individual level.
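One way to implement this kind of session approximation, as an added example rather than code from any particular product. The `SessionCounter` class, the 30-minute inactivity window and the keyed-digest scheme are assumptions chosen for illustration, and the sample requests are constructed.

```python
import hashlib
import hmac
import secrets

SESSION_GAP = 30 * 60  # assumed inactivity window, in seconds


class SessionCounter:
    """Counts sessions from (IP, user agent, time) without a persistent ID."""

    def __init__(self) -> None:
        # Random per-process key, never written to disk: digests cannot be
        # recomputed or joined with other data outside this process.
        self._key = secrets.token_bytes(32)
        self._last_seen: dict[bytes, float] = {}  # digest -> last request time
        self.requests = 0
        self.sessions = 0

    def observe(self, ip: str, user_agent: str, ts: float) -> bool:
        """Record one request; return True if it starts a new session."""
        self._expire(ts)
        msg = f"{ip}\x00{user_agent}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        is_new = digest not in self._last_seen
        self._last_seen[digest] = ts
        self.requests += 1
        self.sessions += is_new
        return is_new

    def _expire(self, now: float) -> None:
        # Drop digests idle longer than the window, so nothing links a
        # visitor's next session to this one.
        stale = [d for d, t in self._last_seen.items() if now - t > SESSION_GAP]
        for d in stale:
            del self._last_seen[d]


def demo() -> tuple[int, int]:
    # Constructed requests: (ip, user agent, seconds since start).
    sample = [
        ("203.0.113.7", "UA-A", 0),
        ("203.0.113.7", "UA-A", 600),     # same session
        ("203.0.113.7", "UA-B", 700),     # different browser: new session
        ("203.0.113.7", "UA-A", 2401),    # idle > 30 min: counted as new
    ]
    counter = SessionCounter()
    for ip, ua, ts in sample:
        counter.observe(ip, ua, ts)
    return counter.requests, counter.sessions
```

Two visitors behind the same NAT with identical user agents collapse into one session here, which is why the result is an estimate and not an exact count.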
IP anonymisation
Even if you're not storing cookies, IP addresses are personal data under GDPR (they can identify an individual or household). Proper privacy-first analytics anonymises IPs before any processing or storage:
- IPv4 — the last octet is zeroed (e.g., 192.168.1.42 → 192.168.1.0), preserving subnet-level geography while removing the individual host
- IPv6 — the last 80 bits are zeroed (e.g., retain only the first /48 prefix), which preserves enough for fraud detection while making individual device identification impossible
This is the approach used in Truthylink's link analytics. IP addresses are anonymised at collection time and the raw IP is never written to the database. You get geography (country and city-level) and bot detection without storing data that could identify an individual.
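The truncation described above, written out as an added example; it is not Truthylink's code. The function names and the sample addresses are constructed for illustration, and the example also handles IPv4-mapped IPv6 addresses, a case the list above does not mention.

```python
import ipaddress
from collections import Counter

V4_PREFIX = 24  # IPv4: zero the last octet
V6_PREFIX = 48  # IPv6: keep the first 48 bits, zero the last 80


def anonymise_ip(raw: str) -> str:
    """Return the raw address truncated to its /24 (IPv4) or /48 (IPv6)."""
    addr = ipaddress.ip_address(raw.strip())
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d. Masking
    # that to /48 would give "::" for every client, so unwrap it first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def collect(raw_ips) -> Counter:
    """Aggregate clicks per truncated prefix; raw IPs are never stored."""
    clicks = Counter()
    for raw in raw_ips:
        try:
            clicks[anonymise_ip(raw)] += 1
        except ValueError:
            clicks["invalid"] += 1  # malformed value: count it, keep nothing
    return clicks


# Constructed sample input (private and documentation address ranges).
SAMPLE = [
    "192.168.1.42",
    "192.168.1.77",
    "2001:db8:abcd:12:34:56:78:9a",
    "::ffff:192.168.1.42",
    "not-an-ip",
]
```

Calling `collect(SAMPLE)` yields three counters only: one per truncated prefix and one for the malformed value, with no per-host rows.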
Aggregate reporting only
Cookieless analytics produces aggregate reports: 847 clicks, 62% from mobile, top countries: India 34%, US 22%, Germany 9%. There are no individual-level rows, no session histories, no user timelines.
This is the fundamental trade-off: you gain privacy compliance by default, you lose the ability to analyse individual user journeys.
What you can measure without cookies
Cookieless analytics covers a lot of ground:
- Click volume — total requests and human-verified clicks
- Geography — country, city (from anonymised IP)
- Device type — mobile, desktop, tablet (from user agent)
- Browser — Chrome, Safari, Firefox, etc. (from user agent)
- Operating system — from user agent
- Referrer — which page or app sent the click (where available)
- Click timing — when during the day/week clicks occur
- Bot vs. human breakdown — filtered from known crawler patterns and fraud signals
What you can't measure without cookies
There are genuine limitations to cookieless analytics. Being honest about them matters:
- Returning visitor identification — you can't reliably know whether a visitor has been to your site before without a persistent identifier
- Cross-session attribution — you can't link a first-touch ad click to a purchase that happened two weeks later at the individual level
- User-level segmentation — you can't separate "power users who visit daily" from "one-time visitors" without tracking individual sessions over time
- Funnel analysis at the individual level — without linking sessions, you can see step-level conversion rates but not individual user paths through a funnel
For link analytics specifically, these limitations matter less than they do for full website analytics. The primary questions link analytics answers — how many people followed this link, from where, and when — don't require individual tracking. The privacy costs of cookie-based tracking are high; the marginal value over cookieless analytics, for link-specific use cases, is low.
The regulatory landscape in 2026
The legal pressure on cookie-based analytics has increased significantly over the past three years:
GDPR (EU, 2018)
The original framework. Analytics cookies require informed, freely given, specific, unambiguous consent before they're set. Pre-ticked consent boxes are invalid. Consent bundled with terms of service is invalid. Many EU data protection authorities have confirmed that standard Google Analytics deployments (without server-side anonymisation and data processing agreements) violate GDPR.
ePrivacy Directive
Requires explicit consent before storing or accessing anything on a user's device. Applies to cookies, local storage, and any other client-side storage. Under this directive, even "necessary" analytics cookies require consent if they involve personal data processing.
CCPA / CPRA (California)
Gives California residents the right to opt out of the "sale" of their personal data, which has been interpreted to include sharing with analytics vendors. Businesses subject to CCPA need to honour opt-outs and disclose what data is shared and with whom.
India DPDP Act 2023
India's Digital Personal Data Protection Act 2023 came into force with significant implications for any business with Indian users. Key points: personal data processing requires a specific, informed, unconditional consent; data fiduciaries must publish a privacy notice; and data principals have the right to withdraw consent and request data erasure.
For analytics specifically: if your tool is collecting IP addresses, device fingerprints, or other personal data about Indian residents without a clear consent mechanism, you may be non-compliant with the DPDP Act.
Cookieless analytics with IP anonymisation sidesteps DPDP compliance requirements for analytics by removing personal data from the equation before it's stored. No personal data → no data fiduciary obligations for analytics → no consent banner required for analytics.
Why link analytics is a natural fit for privacy-first measurement
Full website analytics often has legitimate use cases for individual user tracking: understanding user journeys, debugging conversion funnel dropoffs, segmenting by acquisition source. The argument for cookies in that context is at least arguable.
Link analytics is different. You're measuring: did people click this link, and which people (in aggregate). You're not trying to follow individuals through a multi-page journey. You don't need to know that the same person who clicked your link on Tuesday also returned on Friday. You need to know that 1,200 people clicked, 60% were mobile, and traffic peaked at 11 AM EST.
This makes link analytics a clean use case for cookieless measurement. The privacy cost of cookies is real; the analytical value of cookies, for this specific use case, is minimal.
Server-side analytics vs. client-side analytics
Traditional analytics (Google Analytics, Mixpanel, Heap) loads JavaScript in the visitor's browser, which then sends tracking data to a third-party server. This is "client-side" analytics.
Privacy-first link analytics is "server-side": when a visitor follows a shortened link, the redirect server receives the request and records the analytics before sending the redirect. The visitor's browser never loads an analytics script, never sends data to a third party, and never has a cookie set by an analytics vendor.
The practical benefits:
- No JavaScript required — analytics work even if the visitor has JavaScript disabled or uses a browser extension that blocks trackers
- No ad blocker interference — server-side analytics isn't blocked by uBlock Origin, Privacy Badger, or similar tools
- No third-party data sharing — click data goes to your link shortener's server, not to Google, Meta, or any advertising ecosystem
- Accurate counts — because bots can be filtered server-side before the redirect, human click counts are cleaner than client-side analytics (which only fires the tracking pixel if JavaScript executes)
Does cookieless analytics require a consent banner?
For most implementations, no — with caveats.
If your analytics processes no personal data (IP addresses anonymised at collection, no client-side storage, no cross-session tracking, no data sold or shared with third parties for advertising), there is nothing to consent to. ePrivacy requires consent for device storage; if you're not storing anything on the device, it doesn't apply. GDPR requires a lawful basis for personal data processing; if there's no personal data, it doesn't apply.
The caveats:
- Your anonymisation must be genuine. "Anonymised" in data protection law means data that cannot be re-identified. If you're storing a full IP address in a log file and calling it "anonymised" because you hash it, a regulator may not agree.
- If you use any third-party sub-processors (for geolocation, IP reputation, etc.), you need to disclose them in your privacy policy even if personal data isn't stored long-term.
- Some jurisdictions have stricter interpretations. Legal advice for your specific situation is always advisable.
Truthylink's approach: IP addresses are anonymised at collection time (/24 for IPv4, /48 for IPv6), no client-side cookies are set, and no data is shared with advertising networks. ip-api.com is used for geolocation and fraud detection (a sub-processor disclosed in the privacy policy).
Making the switch
If you're currently using a link shortener that relies on cookie-based analytics and you want to move to privacy-first measurement, the practical steps are:
- Audit what you're currently measuring — are you actually using individual-level data, or are you only looking at aggregate reports? Most marketers use aggregates.
- Identify what you'd lose — returning visitor rate, individual session histories, cross-session attribution. If these aren't driving decisions, you won't miss them.
- Choose a tool that's genuinely cookieless — not just "we offer a cookie-free mode." Look for IP anonymisation documentation, no client-side JavaScript, and explicit confirmation that raw IPs are not stored.
- Update your privacy policy — remove references to analytics cookies, update your sub-processor list, and reflect the new data practices.
- Remove the consent banner for analytics — if analytics was the only reason for the consent banner (and you're not running advertising trackers separately), you can remove it. Fewer banners means better UX and slightly better conversion rates on your landing pages.
Summary
Privacy-first analytics for link tracking works by measuring aggregate behaviour server-side, anonymising IP addresses at collection, and storing no persistent identifiers. You get geography, device type, click volume, referrer, and fraud detection — everything that drives link performance decisions — without cookies, without consent banners, and without the regulatory exposure of personal data processing.
The trade-off is individual-level tracking and cross-session attribution. For link analytics, those capabilities are rarely what drives decisions. The privacy gain is real; the analytical cost is minimal.