Does your website really need a cookie banner?
The short answer: only if it uses technologies that store or read information on the visitor's device without an exemption (Art 5(3) ePrivacy Directive, in Austria § 165(3) TKG 2021). Shopping carts, logins and language preferences need no consent. Google Analytics, YouTube embeds and advertising pixels do. And for practically every consent-requiring technology there is a banner-free replacement.
This check asks the ten questions that matter and tells you at the end: banner required or not, and if yes, how to get rid of it. Everything runs in your browser, nothing is stored or transmitted. This website itself is the proof that it works: 0 cookies, no banner, full statistics.
The check: 10 questions about your website
01
How do you measure your visitor numbers?
02
Do you use advertising or marketing pixels (Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag)?
03
Are videos embedded?
04
Are maps embedded?
05
Where do your fonts come from?
06
Is there a web shop, shopping cart or online booking?
07
Is there a login area?
08
Does the website remember user preferences (language, dark mode)?
09
Are third-party widgets running on the site (live chat, reCAPTCHA, social media feeds)?
10
Is A/B testing or personalisation running in the visitor's browser (Optimizely & co.)?
Technology by technology: what forces the banner and what doesn't
The yardstick is Art 5(3) of the ePrivacy Directive, in Austria § 165(3) TKG 2021: consent for any storing or reading on the device, unless strictly necessary for a service the user explicitly requested. The classifications follow the Austrian data protection authority's FAQ, the EDPB Guidelines 2/2023 and the Article 29 Working Party's exemption catalogue (WP 194). Status: 15 July 2026.
| Technology | Consent | Why | Banner-free replacement |
|---|---|---|---|
| Shopping cart cookie | No | Strictly necessary for the session (DPA FAQ) | None needed |
| Login / session cookie | No | Authentication is an explicitly requested service (WP 194) | None needed |
| Storing the cookie decision | No | Consent-free per DPA FAQ, provided it carries no unique identifier | None needed |
| Security, CSRF, load balancing | No | Security and load balancing exemption (WP 194) | None needed |
| Language preference cookie | No | UI personalisation, as long as short-lived and without tracking (WP 194) | Limit its lifetime |
| Server-side log file statistics | No | No access to the device, the ePrivacy rule does not apply; GDPR side rests on legitimate interest | Is itself the replacement |
| Matomo / Plausible cookieless, self-hosted | No | No device access; configure cleanly (IP truncation, no fingerprinting) | Is itself the replacement |
| Google Analytics / GA4 | Yes | Cookies to recognise visitors, not technically necessary per the DPA; Austria has no analytics exemption | Cookieless self-hosted Matomo or server statistics |
| YouTube / Vimeo embed (standard) | Yes | Loads the provider's cookies and scripts on page load | Two-click solution with preview image, or self-host |
| Google Maps embed | Yes | Cookies plus data transfer to Google | Static map image with a link, or self-hosted OpenStreetMap |
| Advertising pixels (Meta, Google Ads, LinkedIn) | Yes | Cross-site tracking, never strictly necessary | Click-based conversion measurement; or deliberately drop retargeting |
| Client-side A/B testing | Yes | Stores the variant assignment on the device, not user-requested | Test server-side |
| Live chat, reCAPTCHA, social feeds | Yes | Third-party scripts with device access and their own tracking | Contact form, honeypot fields, statically embedded content |
| Google Fonts from Google's servers | No cookie, but GDPR | Transmits the IP address to Google; the Regional Court of Munich awarded 100 euros in damages for it | Host the fonts locally, minutes of work |
| Google Consent Mode (advanced) | Grey area | Sends cookieless pings even after rejection, legally contested | Leave it out |
Frequently asked questions
When is a cookie banner required?
Only if the website stores or reads information on the visitor's device that is not strictly necessary (Art 5(3) ePrivacy Directive, in Austria § 165(3) TKG 2021). The rule is technology-neutral, so it also covers localStorage, pixels and fingerprinting. A website that avoids consent-requiring technologies needs no banner. Consent must be active, pre-ticked boxes have been invalid since the ECJ's Planet49 ruling, and rejecting must be possible on the first banner layer on equal terms.
Is Google Analytics allowed without a cookie banner?
No. Google Analytics sets cookies to recognise visitors and is not technically necessary according to the Austrian data protection authority. Unlike France, Austria has no exemption for audience measurement. If all you want to know is how many visitors read which pages, cookieless self-hosted Matomo or server-side log statistics do the job without consent.
Does a website without cookies need a privacy policy?
Yes, always. The information duties under Art 13 GDPR apply regardless of cookies, if only because the web server processes IP addresses. The reverse also holds: no cookie does not mean no data protection issue. Google Fonts loaded from Google's servers sets no cookie at all, yet transmits the visitor's IP address on every page load, which the Regional Court of Munich valued at 100 euros in damages. The fix is trivial: host the fonts locally.
Isn't the EU abolishing cookie banners anyway?
Not for now. The EU Commission's Digital Omnibus proposal (November 2025) would move the cookie rules into the GDPR and exempt audience measurement from consent. But the element that would have made banners truly obsolete, browser-level consent signals under Art 88b, was deleted in the Council. Nothing changes before 2027, and cross-site tracking stays consent-bound even after. If you want to lose the banner, you have to rebuild the site, and that is usually easier than expected.
What does a website without a cookie banner gain?
Fewer bounces, more trust, better data. Globally, fewer than half of all visitors click accept; the rest are simply invisible to consent-gated analytics. A banner-free website measures every visitor, lawfully. You also drop the consent tool subscription, its maintenance, and the risk of a misconfigured banner, which has already produced complaints and rulings in Austria.
Legal basis and sources
- § 165(3) TKG 2021 (Austrian legal information system): consent requirement for storing and reading on the device
- Austrian data protection authority's cookie FAQ: consent-free and consent-requiring cases
- EDPB Guidelines 2/2023: technical scope of Art 5(3) ePrivacy Directive (including pixels, localStorage, fingerprinting)
- Article 29 Working Party, Opinion 04/2012 (WP 194): exemption catalogue for strictly necessary cookies (PDF)
- ECJ C-673/17 (Planet49): active consent, no pre-ticked boxes
- Austrian Federal Administrative Court, 31 July 2024, W108 2284491-1: rejecting must be possible on the first banner layer on equal terms; confirmed for ORF.at in 2026
- Regional Court of Munich I, 3 O 17493/20: 100 euros in damages for Google Fonts loaded from Google's servers
Carefully researched, but not legal advice: this check does not replace a lawyer's review of your individual case. Legal status as of 15 July 2026.