How Cookieless Analytics Counts Visitors

Privacy-first analytics tools count visitors without setting cookies. This sounds impossible — how can you tell if two pageviews came from the same person if you cannot identify them? Here is the mechanism.

What "unique visitor" means without cookies

In cookie-based analytics, a unique visitor is an individual identified by a persistent cookie. Return tomorrow, and the tool recognises the same cookie and counts you as a returning visitor.

Without cookies, "unique visitor" means something different: a unique visitor for a given day, estimated by a hash.

The definition shifts from "this specific person, across all their sessions" to "this browser in this approximate context, today." It is a different definition — not a worse one.

The daily hash method

Most privacy-first analytics tools estimate unique visitors using a daily-rotating hash. Here is how it works conceptually:

1. When a pageview arrives, the analytics server derives a hash from signals available in the request — typically involving non-personally-identifiable information combined with a salt value that changes every day.

2. The salt changes daily. So the hash produced for a given visitor changes each day. Yesterday's hash and today's hash for the same visitor are different and unrelated.

3. Each day, the analytics tool counts how many unique hashes it has seen. That is the daily unique visitor count.

4. Because the hash changes daily, the same visitor counts as a new unique visitor on each new day. Cross-day re-identification is not possible.

What this means for your data:

• Daily unique visitor counts are a reasonable approximation
• Week and month unique visitor counts are estimates (the same person on Monday and Friday are counted twice)
• This is a deliberate privacy trade-off: no persistent tracking in exchange for approximate counts

Why counts differ from Google Analytics

If you run Antlytics and Google Analytics side by side, the visitor counts will differ. This is expected and does not indicate an error.

GA uses persistent cookies, so it can de-duplicate returning visitors across days. Antlytics does not. A visitor who comes back three times in a week is counted once in GA (as a returning visitor), but may appear as three unique visitors in Antlytics's weekly count.

Additionally, GA loses data from visitors who declined the consent banner. Antlytics sees all visitors, including those who would have declined. Antlytics often shows more visitors for this reason.

Neither count is "right" — they measure different things with different methodologies.

sessionStorage for sessions

Within a single tab, Antlytics uses sessionStorage to maintain session continuity. A UUID is stored in sessionStorage when a visitor first arrives. This UUID:

• Links pageviews within the same tab into a single session
• Is used to calculate bounce rate
• Is cleared when the tab closes
• Is not shared between tabs

This is not a cookie. sessionStorage is a browser API that is local to a single tab and automatically cleared at the end of the browsing session.

FAQ

Is cookieless visitor counting less accurate? It is different. You lose cross-session return-visitor accuracy. You gain seeing all visitors, including those who would have rejected a consent banner.

Why do my numbers look higher than GA? Antlytics sees visitors who would have declined GA's consent request. This is more complete data, not inflated data.

Can the hash be reversed to identify a visitor? No. The hash is one-way and changes daily. There is no way to reverse it to an individual identity.

Does every privacy-first tool use this method? Variations exist. The core principle — daily salt, no persistent identifier — is common. Exact implementations differ between tools.