Cookie banners annoy your customers and cost you data: In Germany, 50–60% (SealMetrics/Advance Metrics) of visitors reject cookies or ignore the banner entirely. The result is a massive blind spot in your web analytics. Yet there is a way to operate your online shop completely without a consent banner – legally compliant, GDPR-conformant, and with near-complete visitor tracking. In this guide, we show you step by step how to eliminate the need for consent.

[Infographic: with cookie banner – 50–60% data loss, only 40% consent rate; without cookie banner (Matomo cookieless, self-hosted fonts) – 100% of visitors tracked, 0 third-party cookies, GDPR-compliant and user-friendly]

Cookie banners are more than just an annoyance for visitors – they have measurable impacts on your business. The numbers are clear: 68.9% (Advance Metrics) of users close or ignore cookie banners without making a selection. In Germany, the so-called “ghosting rate” – visitors who simply dismiss the banner without interaction – reaches 50–60% (SealMetrics). Only 8–12% of German users actually accept all cookies.

The consequence: If you use Google Analytics or other consent-dependent tools, you typically lose 60% of your visitor data (etracker). On top of that comes consent bias – your remaining data is not just incomplete but systematically skewed. Marketing decisions based on this data amount to flying blind. Proper conversion optimization becomes impossible when most of your data foundation is missing.

Metric                    | With Cookie Banner          | Without Cookie Banner
Visitors Tracked          | 40–50%                      | Nearly 100%
Bounce Rate from Banner   | +10% (cookie-script.com)    | No Distraction
Data Quality              | Consent Bias                | Complete Sample
User Experience           | Interruption on Entry       | Seamless Page Load

The legal foundation is Section 25 TDDDG (formerly TTDSG), which transposes Article 5(3) of the ePrivacy Directive into German law. The principle: Any access to information on the user's device – such as setting cookies or using local storage – requires prior consent. But there is a crucial exception.

Section 25(2) TDDDG – The Exception

No consent is required if the storage of or access to information is “strictly necessary in order for the provider of a digital service to deliver a service explicitly requested by the user.” German supervisory authorities (DSK) even recommend NOT displaying a consent banner for technically necessary cookies, as this would be misleading.

This means: If your online shop exclusively uses technically necessary cookies and does not employ any tracking cookies or third-party services that access the user's device, the consent requirement does not apply. The North Rhine-Westphalia supervisory authority explicitly confirms that “strictly functional cookies such as shopping cart cookies or fraud prevention systems” are exempt from the consent requirement.

Technically Necessary Cookies: What's Allowed

German data protection authorities interpret “technically necessary” strictly – Hamburg's supervisory authority emphasizes it refers to technical, not economic necessity. Nevertheless, there is a clear list of cookies that may be set without consent:

  • Session cookies for shopping cart and checkout process
  • Authentication cookies for login areas and customer accounts
  • Language preference cookies for multilingual shops
  • Payment cookies for payment processing (e.g., PayPal, Stripe)
  • CSRF token cookies for form security
  • Load balancing cookies for server distribution

What still requires consent

Google Analytics (including GA4), Facebook Pixel, advertising cookies, A/B testing tools, heatmap services, and social media plugins typically require consent. Even cookieless tracking via Google Analytics remains consent-dependent, as it still accesses the user's device (Dr. DSGVO). Server-Side Tracking is a different matter: that approach manages consent differently rather than removing it, whereas the goal here is to eliminate the consent requirement entirely.

Step 1: Cookieless Analytics with Matomo or Plausible

The most important step toward a banner-free shop is switching to a privacy-friendly analytics solution. Two options have established themselves: Matomo (self-hosted) and Plausible (EU cloud or self-hosted). Both can be configured to operate without cookies, and under certain conditions, may not require consent.

Configuring Matomo Cookieless

In cookieless mode, Matomo uses a so-called config_id – a time-limited, pseudonymized hash derived from browser settings and an anonymized IP address. This hash resets daily, preventing long-term tracking of individual users. At XICTRON, we use Matomo cookieless ourselves – based on our experience, we capture nearly all page views without a consent banner.

matomo-cookieless.js
var _paq = window._paq = window._paq || [];
// Disable tracking cookies entirely; Matomo then identifies visits via the daily config_id
_paq.push(['disableCookies']);
// IP anonymization is not a JavaScript call: enable it server-side under Privacy > Anonymize Data (at least 2 bytes)
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function () {
  var u = 'https://matomo.example.com/'; // placeholder: your self-hosted Matomo instance
  _paq.push(['setTrackerUrl', u + 'matomo.php']);
  _paq.push(['setSiteId', '1']);
  var d = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
  g.async = true; g.src = u + 'matomo.js'; s.parentNode.insertBefore(g, s);
})();

In addition to disabling cookies, you need to ensure the following for consent-free operation:

  1. IP anonymization – Anonymize at least 2 bytes (under Privacy > Anonymize Data)
  2. Disable User ID – No cross-session identification
  3. Exclude e-commerce order IDs – Order numbers can be linked to personal data
  4. Self-hosting on EU servers – No data transfers to third countries (e.g., via XICTRON Hosting)
  5. Provide opt-out option – Link it in your privacy policy

Plausible as an Alternative

Plausible Analytics is built from the ground up without cookies. Unique visitor identification uses a daily-reset cryptographic hash. Plausible stores no personal data and does not access the user's device – a key advantage over cookie-based tracking. Servers are located in Falkenstein, Germany (Hetzner), ensuring all data remains within EU jurisdiction.
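To make the mechanism behind Matomo's config_id and Plausible's daily hash concrete, here is an added, simplified illustration written for this article; it is not the code of either project. It assumes a SHA-256 hash over a salt that changes every calendar day, the site name, the IP address with its last two bytes zeroed (the "at least 2 bytes" anonymization setting from Step 1) and the User-Agent string. The secret, site name, IP addresses and browser string are constructed sample values. The demo checks the two properties the approach rests on (same id within a day, unrelated id the next day) and the price of 2-byte masking: two different visitors in the same /16 range with identical browsers get the same id.

```python
"""Illustration of the daily-rotating visitor hash used by cookieless analytics
(Matomo's config_id, Plausible's daily salted hash). Simplified and constructed
for this article; it is not the code of either project."""
import hashlib
import ipaddress
from datetime import date


def anonymize_ip(ip: str, masked_bytes: int = 2) -> str:
    """Zero the last `masked_bytes` bytes of an IPv4 address, like Matomo's
    'Anonymize at least 2 bytes' setting. Returns the masked address as text."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    keep = 4 - masked_bytes
    return str(ipaddress.IPv4Address(addr.packed[:keep] + b"\x00" * masked_bytes))


def daily_salt(day: str, secret: bytes) -> bytes:
    """Salt that changes every calendar day (day given as ISO date string).
    Real implementations draw a fresh random salt per day and discard the old
    one; deriving it from a secret here keeps the example deterministic."""
    return hashlib.sha256(secret + day.encode()).digest()


def visitor_id(day: str, secret: bytes, site: str, ip: str, user_agent: str) -> str:
    """Pseudonymous visitor id = SHA-256(daily salt || site || anonymized IP || UA).
    The same visitor gets the same id within a day and an unrelated id the next
    day, so returning visitors cannot be linked across day boundaries."""
    material = b"|".join([
        daily_salt(day, secret),
        site.encode(),
        anonymize_ip(ip).encode(),
        user_agent.encode(),
    ])
    return hashlib.sha256(material).hexdigest()[:16]


def demo() -> dict[str, bool]:
    """Checks the properties the article relies on, using constructed sample visits."""
    secret = b"example-instance-secret"          # constructed; per-instance secret
    site = "shop.example"                         # constructed site name
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    today, tomorrow = "2025-01-15", "2025-01-16"
    a = visitor_id(today, secret, site, "203.0.113.7", ua)
    return {
        "same_visit_same_day": a == visitor_id(today, secret, site, "203.0.113.7", ua),
        "unlinkable_next_day": a != visitor_id(tomorrow, secret, site, "203.0.113.7", ua),
        # Cost of 2-byte masking: two visitors in the same /16 with identical browsers collide.
        "collides_within_masked_range": a == visitor_id(today, secret, site, "203.0.200.99", ua),
        "distinct_browser_distinct_id": a != visitor_id(today, secret, site, "203.0.113.7", ua + " Mobile"),
    }


if __name__ == "__main__":
    print("today:", date.today().isoformat())
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The collision case is the point of the design: the hash is deliberately too coarse to single out a person, which is what keeps it out of the cookie-style identifier category, and it is also why unique-visitor counts from such tools are slightly lower than cookie-based ones.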

Important Note on German Legal Interpretation

German supervisory authorities interpret the TDDDG strictly: Typically, consent is required for any form of analytics. However, using cookieless tools like Matomo or Plausible provides a significantly stronger legal position. France's CNIL has explicitly classified Matomo as consent-exempt. For maximum legal certainty, we recommend individual consultation with a data protection lawyer.

Step 2: Self-Hosted Fonts Instead of Google Fonts

A frequently overlooked consent trigger: Google Fonts. When your shop loads fonts directly from Google servers, your visitor's IP address is transmitted to Google – which violates the GDPR according to a ruling by the Munich Regional Court (Case 3 O 17493/20). The court awarded the plaintiff €100 in damages. In practice, law firms have leveraged this widely, and fines of up to €250,000 per violation are possible.

The solution is simple: Host fonts locally. At XICTRON, we use the variable font technique with Inter – a single WOFF2 file served from our own server. No access to Google servers, no data transfer, no consent required. Your Shopware or WordPress shop can be configured the same way.

font-embedding.html
<!-- WRONG: Load Google Fonts externally -->
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">

<!-- RIGHT: Host font locally -->
<link rel="preload" href="/fonts/Inter.var.woff2" as="font" type="font/woff2" crossorigin>
<style>
  @font-face {
    font-family: 'Inter';
    src: url('/fonts/Inter.var.woff2') format('woff2');
    font-weight: 100 900; /* variable font: declare the weight range, or browsers synthesize bold */
    font-display: swap;
  }
</style>

Beyond the privacy benefit, self-hosted fonts typically improve your load times as well, since the additional DNS lookup and connection to Google servers is eliminated – a plus for your Core Web Vitals and SEO.

Step 3: Eliminate Third-Party Services

Every external service loaded in your visitor's browser is a potential consent trigger. A systematic review of all embedded third-party services is therefore essential. Typical problem areas in e-commerce shops:

Problematic Service        | Consent-Free Alternative
Google Analytics / GA4     | Matomo cookieless (self-hosted)
Google Fonts (CDN)         | Host fonts locally (WOFF2)
Google Maps Embed          | Static map image + link
YouTube Embed              | Thumbnail + click-to-play
Facebook Pixel             | Remove or use server-side
External Chat Widgets      | Self-hosted solution or contact form
Social Media Buttons       | Simple links (no tracking)

Check your shop's network requests in the browser (DevTools > Network tab). Every request to an external domain is a potential privacy issue. The goal is for your shop to only make requests to your own domain and possibly your self-hosted analytics. Our hosting team can assist you with this analysis.
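The DevTools check above works page by page; for a repeatable audit (the "network analysis completed" item of the checklist and the final testing step) a small script can do the same from a saved copy of the page and its response headers. The following is an added example written for this article, not a tool from the page or from any of the projects it names. It parses the markup for every attribute the browser fetches automatically (script src, link href, img/iframe/video src, url() and @import inside inline CSS), reports the hosts that are neither your own domain nor a subdomain of it, and compares the cookies in Set-Cookie headers against an allow-list of technically necessary names. The sample HTML, the cookie headers, the domain shop.example and the allow-list are constructed; _ga and _fbp are the well-known Google Analytics and Facebook Pixel cookie names.

```python
"""Static audit of a shop page: which hosts would the browser contact, and which
cookies are set beyond the allow-list of technically necessary ones? The sample
input below is constructed for this example."""
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Tag/attribute pairs whose URL the browser fetches automatically on page load.
URL_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects every resource URL referenced by markup or inline CSS."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in URL_ATTRS.get(tag, ()):
            if a.get(attr):
                self.urls.append(a[attr])
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) and @import in inline CSS also trigger fetches
            self.urls += re.findall(r"url\(\s*['\"]?([^'\")\s]+)", data)
            self.urls += re.findall(r"@import\s+['\"]([^'\"]+)", data)


def is_first_party(host: str, first_party: set[str]) -> bool:
    """True for the allow-listed domains themselves and their subdomains only."""
    return any(host == fp or host.endswith("." + fp) for fp in first_party)


def third_party_hosts(html: str, first_party: set[str]) -> dict[str, list[str]]:
    """Map every host outside the allow-list to the URLs loaded from it.
    Relative URLs and data: URIs have no host and are first-party by definition."""
    collector = ResourceCollector()
    collector.feed(html)
    findings: dict[str, list[str]] = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # also resolves protocol-relative //host/path
        if host and not is_first_party(host, first_party):
            findings.setdefault(host, []).append(url)
    return findings


def unexpected_cookies(set_cookie_headers: list[str], allowed: set[str]) -> list[str]:
    """Names of cookies in the given Set-Cookie header values that are not on the
    allow-list of technically necessary cookies."""
    names: set[str] = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names.update(jar.keys())
    return sorted(names - allowed)


# Constructed sample page: a mix of self-hosted and third-party resources.
SAMPLE_HTML = """<html><head>
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<link rel="preload" href="/fonts/Inter.var.woff2" as="font" type="font/woff2" crossorigin>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://analytics.shop.example/matomo.js"></script>
<style>@font-face { font-family: Inter; src: url(/fonts/Inter.var.woff2) format('woff2'); }</style>
</head><body>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<img src="/img/hero.webp">
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView">
</body></html>"""

# Constructed Set-Cookie headers as a shop might return them on the first response.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=c0ns7ruc73d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1700000000.123456789; Path=/; Max-Age=7776000",
]
FIRST_PARTY = {"shop.example"}                             # own domain incl. subdomains
NECESSARY_COOKIES = {"PHPSESSID", "cart", "csrf_token"}    # constructed shop allow-list

if __name__ == "__main__":
    for host, urls in sorted(third_party_hosts(SAMPLE_HTML, FIRST_PARTY).items()):
        print(f"third-party host {host}: {len(urls)} request(s)")
    print("unexpected cookies:", unexpected_cookies(SAMPLE_SET_COOKIE, NECESSARY_COOKIES))
```

Run against the constructed sample, the audit flags fonts.googleapis.com, www.googletagmanager.com, www.youtube.com and www.facebook.com, while the self-hosted Matomo on analytics.shop.example passes, and it lists _fbp and _ga as cookies outside the allow-list. A static parse only sees what is in the initial markup; scripts that inject further requests at runtime still need the DevTools network view or an exported HAR file, which the same host allow-list can be applied to.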

Step 4: Update Your Privacy Policy

Even without a cookie banner, you must inform visitors transparently. Your privacy policy should clearly state which technically necessary cookies your shop sets and why, which analytics tool you use (including its cookieless configuration), where data is stored (EU hosting), and how visitors can opt out of tracking.

The DSK guidelines (Version 1.2, November 2024) clarify: When you exclusively use technically necessary cookies, you should not display a consent banner – because the user has no real choice in this case, and a banner would be misleading. Instead, information is provided through the privacy policy.

Use this checklist to make your online shop consent-free step by step:

  • Analytics switched to Matomo cookieless or Plausible
  • IP anonymization enabled in web analytics (at least 2 bytes)
  • Fonts hosted locally (no Google Fonts CDN embedding)
  • Google Maps replaced with static image + link
  • YouTube embeds replaced with thumbnail + click-to-play
  • Social media buttons replaced with simple links
  • Chat widget removed or replaced with self-hosted solution
  • Facebook Pixel and advertising trackers removed
  • Privacy policy updated (opt-out, listing of technical cookies)
  • Network analysis completed: No unexpected third-party requests
  • IT security verified: HTTPS, security headers configured

This is what your shop without a cookie banner could look like:

Demo: D2C Manufaktur – organic farm shop with subscription model (Shopware 6, GDPR, cookieless, Matomo)

This design example shows how a privacy-friendly online shop with cookieless analytics, local fonts and exclusively technically necessary cookies can look. No consent banner required, complete visitor tracking, clean privacy policy. This is exactly how we set up your shop too.

Performance Comparison: Banner vs. No Banner

The impact of a consent-free setup on your business metrics is typically substantial. A complete data foundation enables informed decisions in marketing and shop optimization.

Full Data Capture

Instead of a 40–50% consent rate, you track nearly all visitors – without consent bias.

Better Load Times

No banner JavaScript, no Google Fonts requests – typically fewer requests and faster LCP.

Reduced Fine Risk

67% (Usercentrics) of all Consent Mode v2 implementations have technical errors. Without a banner, this risk disappears.

Limitations: When You Still Need a Banner

The consent-free approach has clear limitations. It is important to be transparent about these, as violations of the TDDDG carry fines of up to €300,000, and under the GDPR up to €20 million or 4% of annual revenue:

  • Google Ads / Meta Ads tracking – If you need conversion tracking for advertising campaigns, consent-dependent tools are unavoidable. In this case, Server-Side Tracking is the better solution.
  • Personalization – Cross-session profiles and personalized product recommendations typically require consent.
  • Affiliate tracking – Affiliate cookies are not technically necessary and require consent.
  • Third-party payment providers – Some payment providers set their own tracking cookies beyond what is technically necessary.
  • Cloud-based chat tools – Live chat widgets like Intercom or Zendesk set their own cookies.

In these cases, we recommend a hybrid approach: cookieless analytics for baseline tracking of all visitors, combined with a lean consent banner for marketing tools only. This minimizes data loss while maintaining compliance. Contact us for individual advice.

How We Set Up Your Consent-Free Shop

As an e-commerce agency with years of experience in privacy compliance, we implement the consent-free approach for your shop:

  1. Audit – We analyze all cookies and third-party requests in your shop
  2. Concept – Individual plan to eliminate all consent-dependent services
  3. Analytics setup – Matomo cookieless on EU infrastructure (or Plausible)
  4. Font migration – Self-hosting of all fonts, removal of external font services
  5. Third-party cleanup – Replacement or removal of all consent-dependent services
  6. Privacy policy – Update and implementation of opt-out functionality
  7. Testing – Final verification: No unexpected cookies or third-party requests

Sources and Studies

This article is based on data from: SealMetrics (Cookie Banner Ghosting, 2025), Advance Metrics (Cookie Behaviour Study, 2023/2025), etracker (Cookie Consent Benchmarks), Munich Regional Court (Case 3 O 17493/20, Google Fonts), DSK Guidelines Version 1.2 (November 2024), Usercentrics (Consent Mode v2 Error Rate), Dr. DSGVO (Device Access in Cookieless Tracking), Matomo (Cookieless Tracking FAQ), Plausible Analytics (Data Policy and Legal Assessment), German DPAs Hamburg, NRW and Lower Saxony (Section 25 TDDDG Interpretation). The figures mentioned may vary depending on the time and industry.

Frequently Asked Questions

Can an online shop run without a cookie banner at all?

Yes, provided you exclusively use technically necessary cookies and do not embed any third-party services that access the user's device. The DSK even recommends not displaying a consent banner in this case. For a legally secure implementation, we additionally recommend consultation with a data protection lawyer.

What data do I lose with Matomo cookieless?

Compared to a fully configured Matomo with cookies, you typically lose returning visitor data across day boundaries, since the hash resets daily. Page views, traffic sources, device types, and conversions are reliably tracked in our experience – and for nearly all visitors rather than just the 40–50% who consented to tracking.

Is Matomo cookieless really consent-free in Germany?

The legal situation is not entirely clear-cut. France's CNIL classifies Matomo cookieless as consent-exempt. German supervisory authorities tend to interpret Section 25 TDDDG more strictly. In practice, many data protection lawyers consider the risk to be low with proper cookieless configuration including IP anonymization and self-hosting. We recommend discussing this individually with a data protection advisor.

What does the switch to a consent-free shop cost?

Costs depend on the scope: Font migration and analytics switch can typically be done within a few days. Cleaning up third-party services depends on how many services are embedded. We are happy to provide you with an individual quote.

Can I use Google Ads conversion tracking without a consent banner?

Typically not without consent. Google Ads tracking sets cookies and accesses the user's device. For shops with advertising budgets, we recommend a hybrid approach: cookieless analytics for the baseline, Server-Side Tracking for conversion tracking – with a minimalist consent banner only for marketing tools.