Website Analytics Without Cookie Consent: What Irish Business Owners Need to Know

The cookie banner sitting on the front page of your business website is not a legal requirement. Neither is the analytics platform that made it necessary. Understanding the difference between those two statements will save you the compliance anxiety, the plugin subscriptions, and the user-experience damage of a consent popup that blocks a significant proportion of your visitors from being tracked before they have read a word of your content.

This guide covers the actual legal position for Irish businesses, how privacy-first analytics works at a technical level, what data you can gather without a consent banner, and where the honest limitations are. I have been building and operating Irish hosting infrastructure for more than 20 years. This is something I had to revisit thoroughly when the European enforcement landscape shifted in 2022, and it changed how we built the analytics layer into Web60.

What Cookie Consent Actually Requires

The legal framework in Ireland draws from two pieces of legislation. The GDPR governs how personal data is collected and processed across the EU. Separately, Ireland's ePrivacy Regulations (Statutory Instrument No. 336 of 2011) govern what can be placed on or accessed from a user's device without their consent.

The Data Protection Commission's guidance is unambiguous: consent is required before placing any cookie or similar tracking technology on a user's device, unless that technology is strictly necessary to provide a service the user has explicitly requested. A session cookie that keeps a logged-in user authenticated is strictly necessary. An analytics tracking cookie that records which pages someone visits, what browser they use, and what referring website sent them is not strictly necessary, and it requires prior consent.

The trigger is not analytics as a category. It is device access. The moment your analytics tool writes something to a visitor's device in order to identify or track them across pages or sessions, you need consent. Remove the device access and you remove the consent requirement.

For most Irish businesses running a standard analytics installation that uses cookies, that means they currently require a consent banner. Most of those banners are non-compliant in one way or another: the reject option is buried, pre-ticked boxes are used, or consent is not genuinely free and informed. The DPC's guidance is explicit that banners must have equally prominent accept and reject controls. Getting that right is harder than it looks, and the downstream cost is real: etracker, a European analytics platform, reports that with a properly compliant banner design, around 60% of visits result in analytics cookies being rejected in their customer base, though the figure varies considerably by sector and banner implementation. You either have a compliant consent mechanism or you have accurate analytics data. Both at once requires a setup most business websites do not have.

Why Google Analytics Is Complicated for Irish Businesses

In January 2022, Austria's data protection authority ruled that using Google Analytics violates the GDPR. France's CNIL followed in February of the same year, calling the data transfers "illegal." Similar rulings came in Italy, Finland, and Sweden. As the International Association of Privacy Professionals (IAPP) reported at the time, the central issue is the US CLOUD Act, which gives American federal authorities the power to compel Google to hand over European user data regardless of where it is stored. Running Google Analytics on a European site means EU visitor data is potentially accessible to US law enforcement under that framework, which conflicts with the GDPR's restrictions on international data transfers.

The Irish DPC has not issued a specific ruling against small Irish businesses using Google Analytics, and I want to be honest about that. What the DPC has done is become the most active data enforcement authority in Europe. As RTÉ reported in January 2026, Ireland's total GDPR fine issuance since 2018 stands at around €4 billion, nearly four times the equivalent figure for second-placed France. European fines across all EU authorities totalled approximately €1.2 billion in 2025 alone, according to TechCentral.ie.

I am not suggesting that a small Irish business using Google Analytics is about to receive a DPC notice. That is not how enforcement has worked in practice. What I am saying is that the direction is established, the legal reasoning is documented, and the alternative (analytics that involves neither US data transfers nor device access) is no longer difficult or expensive to implement. The question is not whether to accept the risk. It is why accept a risk that is straightforward to remove.

When I wrote the original Web60 onboarding materials, I included a recommendation to connect Google Analytics as one of the first setup steps. We removed that recommendation after the 2022 rulings. I should have anticipated the direction earlier. The Schrems II decision in 2020 had already raised the question. The platform now ships with privacy-first analytics built in, rather than pointing customers at a tool with a growing compliance exposure.

How Privacy-First Analytics Works

The technical approach is different at a foundational level. Standard analytics tools work by injecting a JavaScript snippet into your web pages. When a visitor arrives, that script executes in their browser, writes a cookie or similar identifier to their device, and transmits tracking data to an external server. Privacy-first analytics removes that entire layer.

Every request a browser makes to your web server carries information along with it: the page being requested, the website the visitor came from, the browser name and version, and a partial network address from which approximate country or region can be inferred without storing the full address. No script runs on the visitor's device. Nothing is written to their browser. No individual identifier is stored anywhere.

The DPC's guidance, along with published determinations from France's CNIL and Germany's Federal Data Protection Commissioner, confirms that analytics which avoids device access entirely can operate without the ePrivacy consent requirement. The legal basis is the absence of the trigger. You are not placing anything on a visitor's device, so there is nothing requiring consent.

What this means for your business: visitors land on your site and see your content, not a consent popup demanding they make a legal decision before they can read your pricing. The analytics data is collected from server-side request logs, processed into aggregated traffic reports, and made available in your dashboard. No consent mechanism required. No plugin configuration. No ongoing compliance overhead.

The Data You Get, and What You Give Up

What You Actually See

Privacy-first analytics gives you the traffic data that answers the questions a business website owner genuinely needs to answer: how many visitors reached which pages, where those visitors came from, what countries and regions they are in, what devices and browsers they use, and how those numbers trend week over week.

That is enough to know whether a new service page is generating traffic. Whether your Google Business Profile listing is sending people to your site. Whether mobile visitors are reaching your contact page or dropping off before they get there. Understanding where visitors stop reading is precisely the kind of insight that helps address the issues explored in our home page three-second test, and you get that data without a consent banner interrupting the experience.

If you change your analytics configuration at any point (switching platforms, adjusting what you track, testing a new setup), Web60's staging environment lets you verify the changes behave correctly before they affect your production site. Testing an analytics configuration in staging follows the same discipline as testing a plugin update: verify first, then deploy.

What You Cannot Track

Privacy-first analytics has a meaningful limitation, and any honest guide to this topic has to state it clearly.

Cross-session tracking (building a picture of what the same visitor does across multiple visits over days or weeks) is not available without a persistent identifier. Individual conversion paths at the user level are not recorded. You cannot see that a specific visitor came back four times before making an enquiry, or that a particular referring campaign generated ten return visits before a single conversion. Remarketing audiences built from individual behavioural data are not possible.

If you are running an e-commerce operation with significant paid advertising spend and your marketing depends on attributing specific revenue to specific ad campaigns at the individual user level, privacy-first analytics alone will not give you that attribution depth. I come back to this below.

For the majority of Irish business websites (service businesses, professional practices, local retailers, hospitality), the data you give up is data you were rarely doing anything useful with. The aggregate picture is what actually drives decisions.

Capability	Traditional GA4	Privacy-First Analytics
Cookie consent required	Yes	No
Page views and referrers	Yes	Yes
Country and device type	Yes	Yes
Individual user tracking	Yes	No
Cross-session journeys	Yes	No
Data stored in EU/Ireland	Configurable	Yes
US data transfer concerns	Multiple DPA rulings	None

How This Is Built Into Web60

Web60 includes privacy-first analytics as standard. There is nothing to install, no plugin to activate, no third-party account to connect, and no additional subscription required. When you set up your site, the analytics capability is already running at the infrastructure level.

The analytics data stays in Ireland. There is no external platform processing your visitor requests in the United States. Because the tracking does not access visitor devices, the ePrivacy consent requirement for analytics does not apply.

In practice, a business owner using Web60 does not need to configure a consent management platform, navigate cookie law plugin options, or check DPC guidance updates to know whether their analytics setup remains compliant. The platform handles that as part of what managed infrastructure means. Infrastructure decisions made at the server level should not require ongoing legal review by the people using the platform.

Web60's €60/year all-inclusive hosting includes this alongside the full managed stack: Nginx, Redis object caching, FastCGI page caching, nightly backups, automatic SSL, and Irish-sovereign infrastructure. No analytics subscription added on top.

The Legal Caveat Worth Reading

Cookie-free analytics eliminates the consent requirement for analytics tracking specifically. That is the accurate picture. But I want to be precise about what it does and does not resolve.

If your website uses embedded social media widgets, third-party live chat tools, advertising pixels, or certain payment integrations, those components may still write cookies or access devices independently of your analytics platform. Privacy-first analytics removes analytics tracking from the consent conversation. It does not remove every other potential source of non-essential cookies.

For full GDPR transparency, you should mention server-side analytics in your privacy policy, noting what data is collected, how it is processed, and the legal basis for doing so. The legal overhead is considerably lower than running a consent-based analytics platform, but it is not zero. For sector-specific obligations (medical practices, legal firms, financial services), check with a solicitor on any disclosure requirements that go beyond standard GDPR compliance. The legal burden drops significantly, but "no cookie consent required for analytics" is not the same as "no privacy obligations".

When Consent-Based Analytics Still Makes Sense

If you are running a large e-commerce business with substantial paid advertising spend across multiple channels, and your marketing operation depends on attributing individual conversions to specific campaigns, keywords, and ad groups, then a properly-configured consent-based analytics stack will give you individual-level attribution that privacy-first analytics cannot match.

GA4 with Google Consent Mode v2 correctly implemented, alongside a compliant consent management platform, is a legitimate technical choice for businesses that need that depth. It requires ongoing compliance management and a consent platform subscription, but the conversion data is more granular.

That setup is appropriate for businesses with dedicated marketing teams and significant advertising budgets. For most Irish business websites (where the owner is also the sales team and the content editor), the consent overhead is disproportionate to what the data needs to do. Track your traffic, understand your sources, know your busiest pages. Privacy-first analytics handles all of that without the compliance overhead.

Frequently Asked Questions

Do I still need a cookie banner if I use privacy-first analytics?

Not for analytics tracking. If your website includes other non-essential cookies from embedded social widgets, advertising tools, live chat platforms, or certain payment integrations, those components may still require consent independently of your analytics setup. Privacy-first analytics removes analytics tracking from the consent requirement. It does not automatically clear every other source of non-essential cookies on your site.

Is Google Analytics illegal in Ireland?

The Irish DPC has not issued a specific ruling against small businesses using Google Analytics. Data protection authorities in Austria, France, Italy, Finland, and Sweden have ruled that Google Analytics violates GDPR due to US data transfer obligations under the CLOUD Act. The Irish enforcement position has not yet matched those rulings explicitly, though Ireland's DPC is Europe's most active enforcement authority by fine volume. The direction of travel is clear.

What does privacy-first analytics actually measure?

Privacy-first analytics measures aggregated, non-personal traffic data: page views, session counts, referring websites and channels, approximate country or region derived from a partial network address rather than a full IP address, browser type, and device category. It does not store cookies, write persistent identifiers, or track individual users across multiple visits.

Can I see individual visitor journeys with privacy-first analytics?

No. You get aggregated data about groups of visitors: how many people visited a given page, what proportion arrived from Google, what percentage were on mobile. You cannot identify individual users or reconstruct what a specific person did across multiple sessions. That is both the privacy advantage and the tracking limitation.

Does removing Google Analytics affect my Google Search rankings?

No. Google's search ranking signals come from your site's content, performance, backlinks, and user engagement data collected through its own crawling and indexing infrastructure. Your choice of analytics platform has no bearing on your search rankings. Google does not reward or penalise sites for using its own analytics product.

Sources

• DPC Guidance on Cookies and Other Tracking Technologies (Data Protection Commission, Ireland)
• Ireland retains top spot in data enforcement (RTÉ News, January 2026)
• CNIL is latest authority to rule Google Analytics violates GDPR (International Association of Privacy Professionals)
• European GDPR fines totalled approximately €1.2bn in 2025 (TechCentral.ie)
• Cookies, the GDPR, and the ePrivacy Directive (GDPR.eu)
• Cookie Consent Benchmarks (etracker; single-vendor benchmark based on their own customer base; rejection rates vary by sector and implementation)