← All articles

Privacy · July 2026

The attribution tool that doesn't need a cookie banner

A session that arrives with no referrer and no UTM parameters has still been classified. The question is whether that classification required you to first ask for consent.

Here is a situation most marketing teams have quietly accepted as normal.

A visitor arrives on your site. Before your analytics script has loaded, they dismiss your cookie banner and decline consent. Your attribution tool records nothing. The session is invisible.

For compliant client-side analytics, this is the correct behaviour. You asked, they declined, you stopped tracking. That is exactly how consent-based tools are supposed to work.

But here is the part most analytics vendors do not explain clearly: the attribution information you lost was not personal data.

What server-side attribution actually records

A server-side attribution tool reads the referrer header and any UTM parameters at the moment the HTTP request arrives. It classifies the session - Organic Search, AI Referrer, Email, Paid Search - and writes that classification to a database.

What does it write? A channel name, a source domain, a timestamp, and a session token. The session token is a hash, derived from an anonymised version of the IP address (last octet zeroed) and the current date. It rotates daily. It cannot be reversed to identify a person.

No personal data is stored. No cross-site identifier. No device fingerprint. No persistent user ID.

Under UK PECR - and under most reasonable interpretations of equivalent EU and US privacy frameworks - a cookie that contains no personal data and is used to provide a service the user is actively requesting can be classified as strictly necessary. Strictly necessary cookies do not require consent.

The session token in this attribution approach is used to group page views from the same visit into a session. It is first-party (set by your own domain), it contains no personal data, and it does not enable advertising targeting or cross-site tracking.

This does not apply to everything

GA4, in its default configuration, stores device identifiers and user IDs. It sends data to Google's servers. It enables Google to build cross-site profiles. It requires consent in most European jurisdictions, and increasingly in others.

The distinction is not between "tracking" and "not tracking." It is between tools that process personal data and tools that do not.

A server-side tool that stores only a channel classification and a daily-rotating anonymous token is a fundamentally different thing from a behavioural analytics platform. They can coexist. They serve different purposes. The consent requirement for one does not automatically transfer to the other.

What this means in practice

If your attribution relies entirely on consent-gated client-side scripts, you are currently measuring a subset of your actual traffic. Visitors who decline consent are invisible to you, even though they arrived via a channel you spent money on or content you worked to create.

A server-side tool that does not process personal data can operate independently of your consent management platform. You do not need to wait for consent. You do not lose attribution when consent is declined. You measure all traffic, including the visitors who said no to your cookie banner.

This does not replace a consent-gated analytics tool for behavioural data. It provides a complete picture of where traffic comes from, regardless of consent state, without requiring it.

*We are not lawyers and this is not legal advice. If you are uncertain about the consent requirements for any specific tool in your jurisdiction, take professional legal advice. The technical architecture described here was specifically designed to minimise the personal data processed.*

*CQI Referrer Attribution stores no personal data in its standard deployment. No cross-site identifiers, no device fingerprints, no raw IP addresses. Attribution data stays in your own database, on your own server.*

Share Copied