Imagine a new visitor opens your shop - and the first thing they see is ... nothing. No annoying cookie banner, no click hurdle. Instead, the page loads at lightning speed and you receive valuable analytics data - completely without cookies or personalised storage. This is possible with hash-based tracking!
Cookie banners can impair the user experience and reduce conversions. With cookie-free hash tracking, consent-free measurements can be carried out under certain conditions - without personal reference, with automatic 24-hour deletion. This guide shows you how Trackboxx works in compliance with data protection regulations.
1 | Why cookie banners impair the user experience ?
Studies show clear effects of cookie banners:
- Average conversion loss: 8-15 % according to various A/B tests
- 30-60 % of all visitors reject tracking - the available database is shrinking considerably
- Mobile users leave pages with overlays up to 22 % faster
(Sources: Various industry studies and internal tests 2024-2025)
2 | Legal framework - The basics ⚖️
Important note: This article does not replace individual legal advice. Data protection law is complex and highly dependent on individual cases.
Relevant laws:
- DSGVO Art. 6: Regulates the legal basis for data processing
- TDDDG § 25: Controls access to end device information
- § Section 25 (2) TDDDG: Provides for exceptions to the consent requirement
Basic principle:
Hash-based tracking can take place under certain circumstances without consent if no cookies are set, no personal data is stored and hash values are regularly deleted.
Attention: Anyone who invokes exceptions must be able to explain and prove their prerequisites.
3 | How does hash-based tracking work? ?
Trackboxx technology in detail:
Step 1: Hash generation
- A unique hash is created from IP + user agent + other parameters (no personal data)
- Two separate hashes: user hash and page hash
- Daily changing signature hash prevents subsequent decryption
Step 2: Temporary storage
- Hash is stored for a maximum of 24 hours
- Automatic deletion after expiry
- No permanent recognition possible
Step 3: Anonymous data collection
- Aggregated metrics only: Visitor numbers, page views, origin, bounce rate
- No IP storage, no conclusions about individuals possible
- No cookies, no local storage, no fingerprinting
4 | Hash algorithm in detail ?
User Hash = Hash(Signature Hash + IP + User Agent + SiteID + Current Tag)
Page Hash = Hash(Signature Hash + IP + User Agent + SiteID + Hostname + Path + Current Tag)Security features:
- Signature hash renews itself daily
- Hash is not reversible (one-way encryption)
- Automatic deletion of all data after 24 hours
- No history creation possible
5 | Requirements for consent-free hash tracking ✅
| # | Requirement | Trackboxx realisation |
|---|---|---|
| 1 | No cookies/end device storage | ✅ 100% cookieless, no local storage |
| 2 | No personal data | ✅ Only anonymous hashes, IP is not saved |
| 3 | Temporary processing | ✅ 24h automatic deletion |
| 4 | EU data processing | ✅ EU hosting, no third country transfer |
| 5 | Transparency & documentation | ✅ Clear privacy policy, processing directory |
Important: A case-by-case review by data protection experts is strongly recommended.
6 | Setup instructions with Trackboxx ?️
Implementation time: approx. 5-10 minutes
Step 1: Account and domain
- Create an account with Trackboxx
- Configure tracking domain
Step 2: Script integration
Example script
<script>
(function(d, s, id, w, f){
w[f] = w[f] || function() {
(w[f].q = w[f].q || []).push(arguments)
};
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)){ return; }
js = d.createElement(s); js.id = id;
js.onload = function(){
// remote script has loaded
};
js.async = true;
js.src = "https://cdn.trackboxx.info/p/tracker.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', trackboxx-script', window, trackboxx'));
trackboxx('set', siteId', 'TB-XXXXXXX');
trackboxx(trackPageview');
</script>Code language: HTML, XML (xml)
Basically, the script must be integrated into the header of your page so that all individual pages contain the tracking script and can therefore be monitored.
This means the code must be inserted between the opening and the closing .
In general, the possibilities of integration are very different depending on the type of website or the use of an appropriate CMS system, such as WordPress.
7 | Field report from practice ?
"Trackboxx's hash tracking has solved our analytics challenge perfectly. We receive all the important data for our optimisation, but without any personal reference. The automatic 24-hour deletion gives us legal security, and our users appreciate the banner-free experience."
- E-commerce manager of an online shop (anonymised, April 2025)
8 | Hash tracking vs. other methods ?
| Method | Cookies | Personal reference | Long-term tracking | Banner required |
|---|---|---|---|---|
| Trackboxx Hash | ❌ None | ❌ No | ❌ Max. 24h | ❌ No |
| Google Analytics | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Server-Side GTM | ❌ None | ⚠️ Possible | ✅ Yes | ⚠️ Mostly |
| Fingerprinting | ❌ None | ✅ Yes | ✅ Yes | ⚠️ Controversial |
9 | Performance and SEO benefits ?
Technical improvements:
- No cookie banners = better core web vitals
- Lightweight JavaScript code
- No layout shifts due to overlays
- Faster page loading times
SEO aspects:
- Improved user experience signals
- Lower bounce rate due to smoother navigation
- Better mobile performance without banner interruptions
10 | Legal classification of the hash method ?
GDPR aspects:
- Hash without personal reference = no personal data within the meaning of the GDPR
- 24h deletion = minimum storage period
- Purpose limitation = only web analysis, no profiles
TDDDG aspects:
- No cookies = no access to end device memory
- Hash calculation takes place on the server side = no client-side storage
- § Section 25 (2) TDDDG may apply if properly implemented
Documentation obligations:
- Describe the hash algorithm in the processing directory
- Document technical cancellation procedures
- Clearly define the intended purpose
11 | FAQ - Important questions answered ?
Is hash tracking really consent-free?
If properly implemented (no cookies, no personal reference, 24-hour deletion), Section 25 (2) TDDDG may apply. A legal case-by-case examination is nevertheless recommended.
Can the IP be reconstructed from the hash?
No, the hash is a one-way encryption. In addition, the signature hash is renewed daily, which makes decryption impossible.
What specific data is stored?
Only the anonymous hash (max. 24h) and aggregated metrics such as page views, domains of origin, device categories - no IPs, no personal information.
Is the tracking as accurate as Google Analytics?
For most web analytics purposes, yes. You receive visitor numbers, page views, dwell time, origin and device types and many other values. - Without data protection issues.
12 | Next steps ?
Interested in cookie-free, data protection-compliant analytics?
Try Trackboxx 30 days for free - Click here to register
Note: This article is for information purposes only and does not replace individual legal advice. The legal assessment of hash tracking may vary depending on the implementation and context.
