
Cookieless web analytics compared: Simple Analytics, Plausible and Govanalytics

How Simple Analytics, Plausible and Govanalytics each measure visitor data, and why 'no cookies, no fingerprint, no personal data' is a built-in product promise for two of them and a configuration choice for the third.

“Cookieless analytics” has become a crowded space. The marketing copy of most tools reads almost identically: no cookies, no fingerprint, no personal data, no consent banner. It is tempting to line them up side by side and pick the dashboard interface you like best.

That comparison breaks down the moment you look at what each tool is actually designed for. Some products are built so that they physically cannot collect personal data. Others are built to give you all the data. Both can be the right choice, but they answer a different question, and the privacy claims mean something quite different depending on which type of instrument you are holding.

This article walks through three of them: Simple Analytics, Plausible and Govanalytics. It explains how each tool measures, where the privacy claims come from, and why you cannot project Simple Analytics’ promises one-to-one onto Govanalytics.

A note on who is writing this: Govanalytics is one of the three tools compared here. We have described Simple Analytics and Plausible as their own documentation does, and we are honest about where our product is a different kind of instrument, not a better version of the same thing.

The short version

These three tools split into two fundamentally different categories, and that distinction explains the difference in claims.

Simple Analytics and Plausible are privacy-minimalist tools. They are designed to measure as little as possible, just enough for aggregated statistics, and deliberately built so that personal data is never created in the first place.

Govanalytics is a data ownership instrument. It is designed to capture the full clickstream and route it to your own data warehouse. In essence it is a fully manageable replacement for GA4, built on the open-source core of d8a.tech.

The claims “no cookies / no fingerprint / no personal data” are, for Simple Analytics and Plausible, core product promises: properties anchored in the design. For Govanalytics these are not built-in guarantees. They are things you configure and remain responsible for yourself.

That word “configure” does a lot of work, though, and it is worth being more precise. In practice, virtually all of these properties, including a fully cookieless mode, are a few clicks away in Govanalytics, and some of them apply by default if your organisation already has a consent management platform on the website. The point is not that Govanalytics makes privacy difficult. The point is that Govanalytics lets you choose, while the other two make that choice for you.

Keep this distinction in mind, because everything below follows from it.

How Simple Analytics measures

Simple Analytics works without storing anything in the visitor’s browser: no cookies, no localStorage. IP addresses are not stored to track visitors, nothing is written to the device, visitors are not tracked across sessions, and there is no cross-device tracking.

The crucial consequence: because no persistent per-visitor identifier exists, Simple Analytics simply cannot recognise an individual across time or across pages. The tool measures at an aggregated level (page views, referrers, top pages, bounce rate) without ever building an individual profile. User-level tracking across sessions is not a feature that has been switched off; it is a capability the design never included.

This is what each of the three claims means technically:

  • No cookies: literally nothing is written to the browser that is read out on a subsequent visit. This is why no consent banner is needed.
  • No fingerprint: no stable “fingerprint” of a visitor is reconstructed from signals like IP address + user agent + screen resolution. This is relevant because some other “cookieless” tools do use that technique.
  • No personal data: because IP addresses are not stored and no per-person identifier exists, no data point is ever created that can be traced back to an individual.

Under the GDPR and the ePrivacy Directive, consent is generally required when personal data is processed or when tracking technologies such as cookies are used. By collecting no personal data and using no cookies, Simple Analytics eliminates the grounds for consent in most cases. The company states that this approach has been reviewed by multiple regulators and confirmed to require no consent. The three claims are therefore not just marketing; they are the legal basis on which the product rests.

How Plausible measures

Plausible is in the same category as Simple Analytics and works in a comparable way, but there is one technical detail worth knowing because it nuances the “no fingerprint” question.

Plausible’s starting point: no cookies, no persistent identifiers, and no collection or storage of personal data that can identify individuals. All data is aggregated. As with Simple Analytics, individuals are not tracked across devices or websites; data is isolated to one day, one website and one device.

The interesting part lies in how Plausible counts unique visitors without a cookie. The tool generates a random string that resets every 24 hours, making a visitor’s activity impossible to link across sessions, days or devices.

Under the hood, that daily string is derived from a rotating salt combined with request data. Each HTTP request carries the IP address and user agent, but Plausible does not attempt to generate a device-persistent identifier and uses no cookies, browser cache or local storage. Instead, the IP address and user agent are hashed with an anonymised, daily rotating salt, and the resulting hash is not reversible.

Where the two claims differ in practice
Plausible currently processes the IP address and user agent server-side to compute a daily, non-reversible hash. Because the salt rotates every 24 hours and nothing persistent is stored, the result is not classified as personal data and is not a persistent fingerprint. Both tools can credibly claim “no cookies / no fingerprint / no personal data,” but the route differs: Simple Analytics avoids the IP address entirely, while Plausible’s claim rests on salt rotation and irreversibility.
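
The daily rotating-salt scheme described above, sketched as an added example; this is not Plausible's own code. HMAC-SHA256 as the hash, the inclusion of the site name in the input, and the names DailySaltStore, visitor_id and count_uniques are assumptions made for illustration, and the requests are constructed samples.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Holds exactly one random salt; the previous day's salt is overwritten."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: the old salt is discarded, so IDs from an earlier
            # day can no longer be recomputed from IP + user agent.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(store, day, site, ip, user_agent) -> str:
    """Daily visitor ID; the raw IP and user agent are never stored."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                   for f in (site, ip, user_agent))
    digest = hmac.new(store.salt_for(day), msg, hashlib.sha256).hexdigest()
    return digest[:16]


def count_uniques(store, day, site, requests):
    """Unique visitors for one site on one day from (ip, user_agent) pairs."""
    return len({visitor_id(store, day, site, ip, ua) for ip, ua in requests})


def demo():
    store = DailySaltStore()
    d1, d2 = date(2024, 5, 1), date(2024, 5, 2)
    ua = "Mozilla/5.0 (constructed sample)"
    # Constructed requests using documentation-range IPs (RFC 5737).
    reqs = [("192.0.2.10", ua), ("192.0.2.10", ua), ("198.51.100.7", ua)]
    same_day = visitor_id(store, d1, "example.org", *reqs[0])
    other_site = visitor_id(store, d1, "example.net", *reqs[0])
    uniques = count_uniques(store, d1, "example.org", reqs)
    next_day = visitor_id(store, d2, "example.org", *reqs[0])
    return {"uniques": uniques, "cross_site": same_day == other_site,
            "cross_day": same_day == next_day}


if __name__ == "__main__":
    print(demo())
```

While a salt is live, anyone holding it can test a candidate IP address and user agent against the stored IDs, so the non-reversibility claim depends on the salt staying secret and being discarded at rotation.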

Plausible stores all visitor data exclusively on European-owned infrastructure that never leaves the EEA, and the product is open source and self-hostable.

How Govanalytics measures

Govanalytics is a fundamentally different type of instrument. It is warehouse-native analytics, compatible with the tracking protocols of Google Analytics and Matomo, ingesting data into ClickHouse, BigQuery or CSV/Parquet while your organisation retains full control over the data.

The core idea: Govanalytics decouples data collection from visualisation, so data architects can build their own pipelines without depending on a proprietary platform. Two configurations are available. The cloud version comes with a visualisation layer and an AI agent interface; you have dashboards and answers immediately. The open-source version is deliberately “headless,” built for organisations that want to use Govanalytics purely to collect data into their own data stack, fully under their own management, writing their own SQL and connecting their own visualisation tools.

And here is the difference you are looking for. Because Govanalytics speaks the GA4 protocol, it receives by default the identifiers built into that protocol. Most importantly: the client_id. That is a browser-scoped identifier stored in a cookie, and it is anything but anonymous: it drives user counts, session stitching and attribution.

Furthermore, the European Data Protection Board has classified online identifiers, including cookie-based IDs such as client_id, as personal data when combined with other data points (IP address, behaviour, device) that can re-identify a person.

In other words: a standard Govanalytics implementation in principle processes personal data and uses a cookie. That is not a shortcoming of Govanalytics; it is the design goal. You get the full clickstream, and the data needs to be rich enough to be worth keeping in-house. Cookies can also be fully disabled, putting Govanalytics into a cookieless mode that closely resembles Plausible’s. The difference is that this is a setting, not a hard boundary of the product.

This is also where Govanalytics quietly fixes the problems GA4 handles poorly. Sessions are scoped and assembled on the backend rather than reconstructed from fragile client-side signals, which is more robust where browser-side counting fails. And when consent has not been given, Govanalytics can fall back to a truly anonymous tracking mode, similar in spirit to what Plausible does, measuring the session without ever creating a persistent identifier.

Where the real difference lies

The difference is not “one is privacy-friendly and the other is not.” It is about who is responsible for the privacy properties, and at what level measurement takes place.

Simple Analytics and Plausible: privacy as a product guarantee. The tool cannot collect personal data, because the identifiers simply do not exist (Simple Analytics) or are deliberately non-persistent and non-reversible (Plausible). The three claims are properties anchored in the design that cannot be switched off. The price you pay is that you only get aggregates: no individual visitor journeys, no cross-session or cross-device insight.

Govanalytics: privacy as a configuration and infrastructure question you manage yourself. Govanalytics’ claim is not “no personal data”; it is data sovereignty. You decide where the data ends up and who has access to it. In the on-premise model, Govanalytics has no access to your data and is neither processor nor controller under the GDPR. In the cloud model, it acts as a stateless relay that forwards your data to your own storage without persisting raw clickstream data. In both cases, you are the controller.

With Govanalytics, responsibility lies with your organisation
If the data contains personal data (and with a persistent identifier in use, that is the default), it is your responsibility to obtain consent, set a retention period and handle data subject requests. Because Govanalytics does not store the data, access and deletion requests must be handled by your organisation itself. That is the trade-off that comes with ownership.

Summary table

| | Simple Analytics | Plausible | Govanalytics |
|---|---|---|---|
| Purpose | Minimal aggregated statistics | Minimal aggregated statistics | Full clickstream in your own warehouse |
| Measurement level | Aggregated (no identifiable individual) | Aggregated (no identifiable individual) | Event/session level per identifier |
| Cookies | None, by design | None, by design | client_id cookie by default; can be disabled |
| Per-visitor identifier | None | Rotating 24h hash (non-persistent) | client_id, or a session hash that is not persisted |
| Personal data | Not collected, by design | Not collected, by design | Potentially yes; your organisation manages this |
| Consent required | Generally not | Generally not | Depends on your configuration |
| Hosting | SaaS; data in EU only | SaaS or self-hosted; data in EU only | SaaS or self-hosted; data in EU only |
| Open source | No | Yes (AGPL) | Yes (MIT) |

The simplest way to remember it

Simple Analytics and Plausible promise that they can never collect certain data. Govanalytics promises that all the data is yours. Those are two different kinds of promise, and that is precisely why you cannot project the three claims of Simple Analytics one-to-one onto Govanalytics. Govanalytics does not make those claims, because it is a different type of product.

There is one more point worth closing with, because it tends to be decisive for which direction a public sector organisation should go.

You do not outgrow Govanalytics. Because it captures the full clickstream in a schema you own, the scope grows with your organisation. There is no ceiling above which you suddenly need to stand up a “real” analytics stack alongside it. That ceiling arrives quickly with Plausible and Simple Analytics, however: the moment you need a custom report, or a join against your own registration data, the aggregate-only model has nothing more to offer, by design.

And the reverse reasoning is not symmetric. The two things Plausible and Simple Analytics do excellently, compliance and simplicity, are also achievable with Govanalytics. It is a matter of a few settings in the interface: disable the persistent identifier, run in anonymous mode, keep everything EU-only or on-premise. You can start strict and minimal and loosen later, or start with rich data and tighten later, but only the data ownership model gives you the freedom to change your mind without switching tools.

The honest summary is this. If you would rather not think about any of this and are willing to pay for that simplicity, Simple Analytics or Plausible are excellent at precisely that: aggregated statistics with zero responsibility. But it is good to know that Govanalytics offers the same simplicity and compliance when you want it, on top of a generous free tier and considerably richer data, plus room to grow further, without ever switching instruments.
