The honest answer is: it depends on where your visitors are. Here is the actual legal picture, country by country, without the marketing gloss.
In several EU countries - including the Netherlands and France - low-impact first-party analytics like Corbacount can run without a consent banner, provided specific conditions are met. In others, most notably Germany, the letter of the law still requires consent for any cookie that is not strictly necessary. Corbacount sets one first-party cookie, builds no cross-site profiles and stores no IP addresses, which puts it in the most defensible category. This page is general information, not legal advice.
Cookie banners do not come from the GDPR. They come from article 5(3) of the ePrivacy Directive (2002, amended 2009), which says you need the user's consent before storing or reading anything on their device - unless that storage is strictly necessary to deliver a service the user explicitly asked for. The GDPR then separately governs what you do with any personal data you collect.
Here is the part most analytics vendors skip: an analytics cookie is not strictly necessary. Your website works fine without it. So under the directive's plain text, even a harmless visitor-counting cookie falls under the consent rule. The reason the answer is still often "no banner needed" is that the directive is implemented by each member state in its own national law, and several countries have written explicit exemptions for low-impact, first-party audience measurement. That makes this a per-country question, not an EU-wide one.
The three big examples, plus how the rest of the EU tends to fall.
Article 11.7a(3) of the Telecommunicatiewet explicitly exempts cookies used to measure the quality or effectiveness of a service, provided they have "no or only minor consequences" for the visitor's privacy. First-party analytics with no profiling is exactly the case this exemption was written for. No banner needed for Corbacount alone.
The CNIL exempts audience-measurement cookies under article 82 of the French Data Protection Act if they are first-party, used only for the publisher's own statistics, never cross-referenced or shared, with a cookie life of at most 13 months. The conditions are listed in CNIL sheet 16. Corbacount's design matches them, but the CNIL expects you to verify your own setup.
Section 25 of the TDDDG (formerly TTDSG) copies the directive almost word for word: consent for everything except the strictly necessary. German law has no carve-out for low-impact analytics, so the strict reading is that even our single cookie needs consent there. Many German sites accept that reading; talk to a lawyer if Germany is a major market for you.
Italy and Spain have published guidance that exempts first-party, non-profiling analytics under conditions similar to France's. Other member states have not. A November 2025 EU "digital omnibus" proposal would move the cookie rules into the GDPR and could harmonise this, but it is a draft, not law. When in doubt, design for the strictest market you serve.
The whole question turns on what the tracker actually does, so here it is in full.
A single cookie, _cc_vid, containing a random UUID. It lives on your domain only, expires after 365 days and is used solely to recognise returning visitors. No third-party cookies, ever.
The IP address is used once to derive the visitor's country, then discarded. We never build cross-site profiles, never share data with ad networks, and never combine visitors across customers.
Everything is hosted on servers in Germany and never leaves the EU. Read the privacy policy and security page for the full picture of what we collect and how we protect it.
The script is 2.2 KB gzipped (7.3 KB raw), loads async and reports via sendBeacon, so it never blocks your page. See how that compares to other trackers.
This combination - first-party only, no IP retention, no profiling, EU hosting - is precisely what the Dutch "minor consequences" test and the CNIL's exemption conditions describe as low privacy impact.
GA4 sits on the other side of every line above. Its _ga cookies feed data to Google, a third party, and can be linked with Google's advertising ecosystem - so no EU exemption applies to it anywhere. Running GA4 lawfully in the EU means a real consent banner, and since March 2024 Google itself requires Consent Mode v2 for any advertising features, which means wiring your banner into Google's consent signals and accepting modelled (estimated) data for visitors who decline. In practice, sites that decline-by-default lose 30-50% of their GA4 data to that gap.
With Corbacount there is no consent plumbing to maintain and no modelled gap - every visitor is counted the same way. We wrote up the full comparison on the Corbacount vs Google Analytics page. If you are leaving GA4 partly to drop the banner, just remember the per-country nuance above: dropping GA4 removes the clearest reason you needed one, but whether you can remove it entirely depends on your audience's jurisdictions and what else your site loads (embedded videos, ad pixels and chat widgets all set their own cookies).
In the Netherlands and France, generally no - both have explicit exemptions for low-impact first-party analytics, and Corbacount is built to fit them. In Germany the law has no analytics exemption, so the strict reading is that consent is required. Always check the rules for the countries your visitors come from; this is general information, not legal advice.
No, and we will not pretend it is. Your website works without it - it exists to count returning visitors. That makes it an analytics cookie under the ePrivacy rules, which is exactly why the per-country exemptions for low-impact audience measurement matter.
Yes. Skipping the banner does not mean skipping transparency. The GDPR still requires you to tell visitors what you collect and why, so list Corbacount and the _cc_vid cookie in your privacy policy. That is a paragraph of text, not a popup.
Yes. The EU withdrew the long-stalled ePrivacy Regulation in early 2025, and a November 2025 digital omnibus proposal would fold the cookie rules into the GDPR - likely making room for an EU-wide analytics exemption. Until that passes, the country-by-country picture on this page is what applies, and we will update it as the law moves.
One cookie, no profiles, no consent plumbing. Join the waitlist and we will let you know when it is your turn.
