How to design a tracking setup that works without consent.

The GDPR does not say you cannot track website visitors. It says you need a legal basis for processing personal data. If you design a system that never processes personal data, consent is not required. This guide walks through exactly how to architect such a system, decision by decision.

The legal framework: when consent is (and isn’t) required

Under the GDPR, consent (Art. 6(1)(a)) is required when you process personal data without another legal basis. But there are two scenarios where analytics can operate without consent:

1. No personal data is processed: If your analytics system collects only non-personal data, the GDPR does not apply to that processing.
2. Legitimate interest applies: Under Art. 6(1)(f), processing is lawful if it serves a legitimate interest and does not override the data subject’s rights.

Step 1: Eliminate IP address storage

The wrong approach: “anonymize and store”

GA4 truncates the last octet (e.g., 192.168.1.42 becomes 192.168.1.0). But EU regulators have consistently held that a truncated IP can still be personal data, especially combined with other signals.

The right approach: extract, use, discard

1. Extract the IP from the incoming request
2. Anonymize it (zero the last octet)
3. Use the anonymized IP for a single city-level geolocation lookup against a locally bundled database
4. Store only the geolocation result (e.g., “Berlin, Germany”)
5. Discard the IP immediately — never written to disk, never logged, never sent to a third party

Step 2: Replace cookies with session-scoped storage

Session continuity without cookies

• Generate a random session ID client-side using crypto.getRandomValues()
• Store in sessionStorage (clears when the tab closes)
• Send with each event as a request parameter

Returning visitor identification: the hard part

• With localStorage: A visitor ID persists across sessions within a single browser. Enables returning-visitor metrics.
• Without persistent storage: Every visit is a “new” visitor. Accurate page view and event data but no returning-visitor metric.

Step 3: Use first-party endpoints

Send analytics data to a first-party endpoint on your own domain. collect.yourdomain.com is not on any ad-blocker blocklist. The request looks identical to any other API call your website makes.

Step 4: Collect only non-identifiable data

Audit every field your tracker collects against the singling-out test: could this field, alone or combined with others, identify a specific individual?

Step 5: Process everything in the EU

EU-only hosting eliminates Schrems II concerns, SCCs, and Transfer Impact Assessments. EU cloud providers like Hetzner, OVH, and Scaleway offer competitive pricing with full GDPR compliance.

Step 6: Document your legal basis

1. DPIA: Document what data you collect, confirm no personal data is processed
2. Privacy policy: Disclose analytics use, explain no personal data is collected
3. Legitimate interest assessment: Document the balancing test under Art. 6(1)(f)
4. Art. 30 record: Maintain processing activities record

Putting it all together

A consent-free tracking setup is a privacy-by-design architecture (Art. 25 GDPR). The checklist:

• IP addresses: extracted, used for geo lookup, discarded — never stored
• Cookies: none — session continuity via sessionStorage or localStorage
• Data endpoint: first-party domain
• Data fields: audited against singling-out test, PII stripped
• Data residency: EU-only processing and storage
• Third-party sharing: none
• Legal documentation: DPIA, privacy policy, legitimate interest assessment