
Do Plausible & Fathom Need Consent? Cookieless, Explained

Cookieless analytics like Plausible and Fathom store nothing on the device, so the ePrivacy cookie rule generally doesn't apply and you can usually skip the banner. But GDPR still does, and no EU regulator has formally certified them. Here's the honest picture.

The Short Answer, Then the Honest One

For a standard install, Plausible and Fathom generally don't require a cookie consent banner, because the thing that triggers the banner requirement isn't there. That's the short answer, and it's mostly right. The honest answer has two more parts: the GDPR still applies to these tools even when the cookie rule doesn't, and no EU regulator has formally blessed them the way France's CNIL blessed Matomo. So "cookieless" buys you real relief from one rule, not immunity from all of them. Let's separate the rules so you know exactly what you're getting.

Why the Cookie Banner Requirement Falls Away

The banner requirement comes from ePrivacy, specifically Article 5(3), which regulates storing information on a user's device or reading information back from it. That's the trigger. A cookie stores an ID on the device, so it needs consent. localStorage does the same, so it needs consent. Fingerprinting reads properties off the device, so it needs consent too. The EDPB spelled this scope out in its Guidelines 2/2023, adopted in final form in October 2024.

Plausible and Fathom sidestep the trigger by not storing or reading anything. Plausible states plainly that it uses no cookies, no browser cache, and no localStorage. It counts unique visitors with a daily rotating hash: it takes a salt plus the domain plus the IP plus the user agent, hashes them, and throws the raw IP and user agent away. The salt is deleted every 24 hours, so the identifier can't even follow someone across days. Fathom describes the same shape, a cookie-free method it built specifically to avoid the storage that would drag it under ePrivacy. No storage on the device, no Article 5(3) trigger, no cookie banner needed for the analytics.
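The rotating-hash scheme described above, as an added sketch that is not Plausible's or Fathom's code. SHA-256, the field separator, the 16-byte salt and all class and function names are assumptions made for the illustration.

```javascript
// Added illustration, not Plausible's or Fathom's code. SHA-256, the field
// separator and every name below are assumptions made for this example.
const { createHash, randomBytes } = require("node:crypto");

class DailyUniqueCounter {
  constructor(domain) {
    this.domain = domain;
    this.dailyTotals = [];          // aggregates that outlive each salt
    this.salt = randomBytes(16);
    this.seen = new Set();          // today's hashes only, never IPs or UAs
  }

  // Identifier = hash(salt + domain + IP + user agent), as the text describes.
  visitorId(ip, userAgent) {
    return createHash("sha256")
      .update(this.salt)
      .update([this.domain, ip, userAgent].join("\0"))
      .digest("hex");
  }

  // Count a pageview. The raw IP and user agent are not kept past this call.
  record(ip, userAgent) {
    this.seen.add(this.visitorId(ip, userAgent));
    return this.seen.size;
  }

  // Run every 24 hours: keep the total, destroy the salt and the hashes.
  // Without the old salt, yesterday's identifiers cannot be recomputed.
  rotate() {
    this.dailyTotals.push(this.seen.size);
    this.salt = randomBytes(16);
    this.seen = new Set();
  }
}

// Constructed traffic: documentation-range IPs and a made-up user agent.
function counterDemo() {
  const counter = new DailyUniqueCounter("example.com");
  const ua = "Mozilla/5.0 (constructed sample)";
  counter.record("203.0.113.7", ua);
  counter.record("203.0.113.7", ua);                 // repeat visit, same day
  const uniquesToday = counter.record("198.51.100.22", ua);
  const idDayOne = counter.visitorId("203.0.113.7", ua);
  counter.rotate();                                  // 24 hours pass
  const idDayTwo = counter.visitorId("203.0.113.7", ua);
  return { uniquesToday, dailyTotals: counter.dailyTotals,
           sameIdNextDay: idDayOne === idDayTwo };
}
```

The IP and user agent still pass through `record` on every request, even though only the hash is kept and only until the next rotation.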

ePrivacy and GDPR Are Two Different Rules

This is the distinction the whole question turns on. ePrivacy governs what you put on or take off the device (the banner rule). The GDPR governs how you process personal data, wherever it lives. A tool can clear the ePrivacy bar and still have GDPR obligations, because processing an IP address, even for a moment to compute a hash, is processing personal data. Clearing one rule is not clearing both.

The GDPR Doesn't Disappear

Here's what cookieless does not exempt you from. When Plausible or Fathom processes a visitor's IP to derive a country or to count a unique, that's a brief brush with personal data, and the GDPR wants a lawful basis and transparency for it. The tools' argument is that they retain nothing identifiable: the IP is discarded, the output is aggregate, and there's no persistent identifier to tie back to a person, which puts the retained data close to anonymous. That's a reasonable position, and it's why they lean on legitimate interest or on the data being effectively anonymized rather than on consent. But two obligations survive regardless. You still have to disclose the analytics in your privacy policy, because transparency isn't waived by going cookieless. And you should be able to explain your basis if asked. See do I need a cookie banner for the general test.

Their Claim Is Well-Argued, Not Regulator-Certified

Be precise about the difference in standing. The CNIL formally recognized Matomo, in an exempt configuration, as eligible to run without consent. Plausible and Fathom make strong, well-reasoned cases and Plausible commissioned an independent legal assessment, but neither has received that kind of formal recognition from an EU supervisory authority. A minority of legal commentators also read ePrivacy more broadly, arguing that using data transmitted from a device for non-essential purposes could itself require consent. That reading isn't mainstream, but it exists. So treat "no banner needed" as a defensible position you've adopted, documented in your records, not as a settled fact you can wave at a regulator.

Cookieless analytics vs the two rules

| Question | Plausible / Fathom (default) | Google Analytics 4 |
| --- | --- | --- |
| Stores an identifier on the device? | No cookies, no localStorage | Yes, cookies and IDs |
| ePrivacy consent banner needed? | Generally no, nothing is stored or read | Yes, before the cookies are set |
| GDPR obligations apply? | Yes, disclose in privacy policy; basis for IP processing | Yes, plus international transfer handling |
| Formally certified for exemption? | No formal EU regulator recognition | Not exempt; requires consent |

When Cookieless Stops Being Cookieless

The exemption holds only as long as the install stays clean. Two things break it. First, adding a feature or an integration that does store something on the device, at which point Article 5(3) is back in play for that feature. Second, combining the analytics data with another identifier you hold, like a logged-in user ID or a marketing cookie, because now you can single out a person and the "effectively anonymous" argument collapses. If you keep the tool doing plain, aggregate, cookieless measurement and don't join it to identity, you stay in the clear. Cross either line and you're back to needing consent for the part that crossed it. For the broader strategy, see first-party cookieless tracking.

Cookieless Analytics Compliance Checklist

  • Confirm the tool sets no cookie, localStorage, or cache entry

    Verify it in your own install rather than trusting the marketing page.

  • Disclose the analytics in your privacy policy

    Transparency is a GDPR duty that cookieless does not waive.

  • Document your legal basis for the IP processing

    Usually legitimate interest or reliance on the data being anonymized. Write it down.

  • Don't join the analytics to a logged-in ID or marketing cookie

    Combining identifiers ends the anonymity argument and reopens consent.

  • Re-check after any new feature or integration

    The moment something stores on the device, ePrivacy applies to it again.
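One way to run the first and last checks on this list yourself, as an added example that is not CookieBeam's, Plausible's or Fathom's code: take a storage snapshot before the analytics script loads, take another afterwards (or after a new integration ships), and compare. The function names and the sample cookie and key are hypothetical.

```javascript
// Added illustration, not CookieBeam's, Plausible's or Fathom's code.
// All function names and the sample key below are assumptions.

// "a=1; b=2" (the document.cookie format) -> ["a", "b"]
function cookieNames(cookieString) {
  return cookieString.split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter(Boolean)
    .sort();
}

// In a browser pass `window`. HttpOnly cookies are invisible to script, and
// IndexedDB and the Cache API are asynchronous, so check Set-Cookie response
// headers and the devtools storage panel for those separately.
function snapshotStorage(env) {
  return {
    cookies: cookieNames(env.document.cookie),
    localStorage: Object.keys(env.localStorage).sort(),
    sessionStorage: Object.keys(env.sessionStorage).sort(),
  };
}

// Names present in `after` but not in `before`, grouped by storage area.
function newEntries(before, after) {
  const added = {};
  for (const area of Object.keys(after)) {
    const fresh = after[area].filter((name) => !before[area].includes(name));
    if (fresh.length > 0) added[area] = fresh;
  }
  return added;
}

// Constructed stand-ins for `window`: a clean install, then the same page
// after a hypothetical integration started writing a visitor key.
function auditDemo() {
  const page = (cookie, local) =>
    ({ document: { cookie }, localStorage: local, sessionStorage: {} });
  const baseline = snapshotStorage(page("theme=dark", {}));
  const clean = snapshotStorage(page("theme=dark", {}));
  const drifted = snapshotStorage(page("theme=dark; _example_vid=abc123",
                                       { example_visitor: "abc123" }));
  return { clean: newEntries(baseline, clean),
           drifted: newEntries(baseline, drifted) };
}
```

An empty result from `newEntries` is the evidence for the "no banner needed" record; any non-empty result names the storage area that needs a second look.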

Doing It With CookieBeam

Here's the honest role for a consent tool when your analytics is genuinely cookieless: you mostly don't need to block anything, so the value is verification, not gating. CookieBeam's scanner audits your pages and confirms that Plausible or Fathom really is setting no cookies and no storage in your specific setup, which is the evidence behind your "no banner needed" decision. It also catches drift: if a plugin update, a self-hosted misconfiguration, or a new feature quietly starts writing something to the device, the scan flags it, so the day your cookieless tool stops being cookieless doesn't pass unnoticed. If you also run cookie-based tools alongside it, CookieBeam gates those while leaving the cookieless ones alone.

Related Guides and Sources

Continue with Matomo cookie consent, Is Google Analytics GDPR compliant, and the CNIL cookie guidelines. Primary sources: Plausible's data policy and its independent legal assessment, the community discussion on the limits of the no-banner claim, Fathom's compliance page, and the EDPB's Guidelines 2/2023 on ePrivacy Article 5(3).
