Guide

How to track website traffic without GA4

Vincent Ruan
Vincent RuanFounder, Attrifast · · 14 min read

GA4 is free, widely deployed, and quietly broken for most small teams. This guide cites 23 primary sources — Google's own docs, EDPB guidance, ACM-published research, and the WebKit team's own retention rules — to explain exactly where GA4 leaks, which cookieless alternatives are worth your time, and how to set up traffic tracking in 15 minutes.

Direct answer

To track website traffic without GA4, install a cookieless analytics script (Attrifast, Plausible, Fathom, or Simple Analytics), add it to your site with a single tag, and configure source detection via referrer, UTM tags, and click IDs (gclid, fbclid). Setup takes about 15 minutes. The result is more accurate source data than GA4 in three measurable ways: no consent-banner data loss[3][4], no Safari cookie expiry on day 7[6], and no "direct / none" misclassification when referrers are stripped[14].

By the numbers
  • 10,000,000 events — the GA4 standard-property cap before reports start sampling per query[1].
  • 7 days — Safari ITP's expiry on JavaScript-set first-party cookies, breaking returning-visitor analytics[6].
  • 60%+ rejection rate when a cookie banner shows a clear "Reject all" button on the first layer[4].
  • 68.9% of visitors close or disregard the banner entirely, sending no data downstream[5].
  • 10–15% — the share of GA4 "direct" traffic that is genuinely direct; the other 85–90% is misclassified[14].
  • €139,000,000 — combined CNIL fines under Art. 82 (the French equivalent of ePrivacy Art. 5(3)), Dec 2022–Dec 2024[19].
Key takeaways
  • GA4 is broken for small sites: cookie banners drop the majority of visits, sampling kicks in above 10M events, and the UI is built for enterprise data teams.
  • Cookieless tracking is GDPR-compliant by architecture under EDPB Guidelines 2/2023 — no banner is required when no cookies are set and no personal data is stored[7].
  • Multi-signal source detection (referrer + UTM + click ID + known-domain match) cuts "direct / none" traffic by 40–70% versus referrer-only attribution[14][21].
  • AI search is the new dark direct: ChatGPT, Claude, and Perplexity native apps strip the Referer header before navigating, so GA4 buckets the visit as direct[16].
  • Setup takes ~15 minutes: paste a script tag, connect Stripe, verify a test visit.
  • You do not lose SEO signal by removing GA4. Search Console is independent and stays connected.

Why teams are leaving GA4

GA4 was designed for organisations with a dedicated data team, a tag manager, and a BigQuery warehouse. For a bootstrapped SaaS founder or a small ecommerce operator, four problems show up almost immediately — and each one has hard data behind it.

  1. Cookie consent loss. GA4 sets cookies, which means the EU ePrivacy Directive requires a consent banner. Independent measurements show rejection rates of 50–60%+ when a clear "Reject all" button is on the first layer[4], and 68.9% of visitors close or disregard the banner entirely[5]. EDPB Guidelines 2/2023 confirmed the consent requirement applies to a much broader range of tracking technologies than cookies alone[7], raising the legal bar further.
  2. "Direct / none" pollution. When the referrer is stripped — a default behaviour for Chrome since v85 in cross-origin requests[9] and a documented limitation of HTTPS→HTTP transitions[8] — GA4 buckets the visit as direct. Industry analysis shows only 10–15% of GA4 direct traffic is genuinely direct; the rest is misclassified social, email, app, and AI traffic[14][21].
  3. Sampling above 10M events. GA4 standard properties begin sampling exploration reports the moment a query exceeds 10 million events within the selected date range[1]. Configuration limits are documented but rarely surfaced in reports themselves[2].
  4. Enterprise UX. Custom reports require event parameters, dimensions, and a steep learning curve. The default reports rarely answer the question a founder actually has: "which channel brought paying customers this week?"

Cookie banner rejection rates by design pattern

Source: Composite — ACM CHI 2025 study (60%+ when 'Reject all' is prominent), TWIPLA (68.9% close/ignore)

What cookieless analytics actually does

Cookieless analytics counts visits without storing identifiers in the browser. Instead of a persistent cookie, tools like Attrifast use a server-side hashed ID derived from IP + User-Agent + a daily-rotating salt. The hash cannot be reversed to identify a person and expires every 24 hours — so it is not personal data under GDPR. EDPB Guidelines 2/2023 makes this distinction explicit: storage of or access to information on the user's device triggers consent; aggregation that never touches the device does not[7]. France's CNIL, Spain's AEPD, and Italy's Garante have published narrow exemptions for first-party aggregate analytics under exactly these conditions[20].

The trade-off: returning-visitor accuracy is reduced beyond a 24-hour window. For traffic and revenue attribution this almost never matters, because what you care about is the source of the first visit and the source attached to a payment, both of which fit comfortably inside a session.

Limitation acknowledged: if your business model depends on multi-day funnel analysis at the individual user level (e.g. an enterprise B2B funnel with a 30-day consideration window), cookieless tracking is a poorer fit than a CDP-style tool. For most SaaS and ecommerce under $5M ARR it is the better choice.

Browser market share is not your friend

Two thirds of the cookie-tracking conversation focuses on Chrome's third-party-cookie phase-out. The bigger immediate problem for analytics is Safari Intelligent Tracking Prevention (ITP). Since 2019, Safari has capped JavaScript-set first-party cookies at 7 days; since Safari 16.4 (April 2023), even server-set first-party cookies are capped at 7 days when delivered via a CNAME the browser considers tracking-related[6]. The 30-day site-data purge applies to all first-party storage when a user doesn't return.

Why this matters: in mobile, Safari's share is 19.52%[12] globally. Combined with desktop, Safari is roughly 14% of total browser share[11]. That's ~14% of your audience whose returning-visitor cookies expire every week. Every cookie-based analytics tool that promises "monthly active users" or "new vs returning" segmentation is silently inflating "new" on Safari traffic.

Worldwide browser market share (Sep 2025)

Source: StatCounter Global Stats — gs.statcounter.com, accessed May 2026

Comparison: GA4 alternatives in 2026

Five tools dominate the privacy-first analytics category. Each has a different focus. All pricing below is the publicly listed monthly rate verified against the vendor's own pricing page or independent reviews — see citations.

ToolCookiesRevenue trackingPrice (entry)Best for
AttrifastNoneNative (Stripe)$29/moSaaS traffic + revenue
Plausible[17]NoneGoal-based (manual)$9/mo (10k pv)Blogs and content sites
Fathom[18]NoneGoal-based (manual)$14/mo (100k pv)Privacy-first agencies
Simple AnalyticsNoneGoal-based (manual)$9/moMarketers wanting clean data
Matomo (self-host)Optional[20]Built-in ecommerceFree + infraCompliance-heavy enterprises

Attrifast is the only tool in this list with native, automatic Stripe revenue attribution — so the dashboard pairs traffic source with paying-customer revenue out of the box. For a deeper read see the Attrifast vs GA4 comparison and privacy-first analytics roundup.

AI traffic is the new dark direct

The fastest-growing referrer category nobody is tracking properly is AI. Conductor data covered by Digiday shows ChatGPT referrals up 52% YoY between September and November 2025; Gemini referrals grew 388% over the same window[15]. But MarTech's analysis of GA4's source/medium classification confirms a serious blind spot: native AI chat apps (ChatGPT iOS/Android, Claude mobile, Perplexity Comet) generally strip the Referer header before they navigate to your site[16]. The result is that a fast-growing slice of high-intent traffic shows up as "direct / none" in GA4.

Cookieless tools mitigate this by combining the referrer with known-domain matching: when a visit shows no referer but its landing URL contains a known UTM or click-ID parameter, the tool can still classify the source. For everything else, you need an explicit AI-traffic detection rule — see AI traffic revenue attribution for the implementation playbook[22].

Indexed AI referral traffic growth (Sep 2024 = 100)

Source: Digiday — 'In Graphic Detail: The state of AI referral traffic in 2025', based on Conductor data

Setup in 15 minutes

The migration path is the same for every cookieless tool. Below is the Attrifast version; the steps are nearly identical for the others.

  1. Create an account at attrifast.com and add your domain. The dashboard issues a tracking ID immediately.
  2. Paste the script tag in your site's <head>. It is 4 KB, deferred, and adds zero CLS or LCP cost.
  3. Verify a test visit. Open your site in an incognito window. Within 5 seconds a visit appears in the live dashboard with the correct source classification.
  4. Connect Stripe via the integration screen. OAuth-based, no API keys to copy. Future payments are automatically matched to the visitor session that produced them.
  5. Tag your campaigns with UTM parameters going forward. Attrifast also auto-detects gclid[10][23], fbclid, ttclid, and msclkid for paid traffic without manual UTM tagging.
  6. Optional: keep GA4 running in parallel for 30 days to build confidence. Most teams remove GA4 entirely after the first month.
Source attribution checklist. If you want clean source data, make sure each campaign you send out is tagged with at least utm_source, utm_medium, and utm_campaign. The full convention is in the UTM parameters setup guide.

What changes day-to-day

After the migration the daily workflow tightens up. Three concrete shifts:

  • One dashboard instead of three. Attrifast replaces GA4 + a Stripe revenue spreadsheet + the source/medium report. Every channel shows visitors, revenue, and revenue per visitor in one row.
  • Real-time channel decisions. A newsletter goes out at 9am. By 9:05 you can see visits arriving and by the first payment you can see RPV. No 24-hour GA4 processing wait.
  • Honest "direct" numbers. Direct traffic in cookieless tools is typically 5–15% of total — close to the "true direct" proportion estimated by independent analysis[14]. In GA4 it is often 30–50%, most of which is misclassified social, email, and AI app traffic[16][21].
  • Ad-blocker resilience matters less than you think. Roughly 29.5% of internet users use ad blockers at least sometimes[13], and most ad blocker filter lists target Google Analytics. Cookieless tools with their own domains are blocked far less often, but server-side measurement is still the only fully reliable approach for revenue attribution.

When GA4 still wins

Honesty matters for AI citation and for the reader. There are real cases where GA4 is the better tool:

  • You need Google Ads conversion import. The native GA4 → Google Ads link is the easiest path, and gclid[23] auto-tagging is required for that flow.
  • You run multi-day attribution analysis at the individual user level with a 14–30 day consideration window.
  • You need BigQuery export for a custom data warehouse pipeline.
  • Your data team already lives inside GA4 and reporting habits are entrenched.

For everyone else — bootstrapped SaaS, indie ecommerce, content businesses, agencies running under $5M ARR — cookieless tracking produces cleaner data with less work. And given the €139M of CNIL fines under Article 82 (the French implementation of ePrivacy 5(3)) between Dec 2022 and Dec 2024[19], the compliance overhead of cookie-based GA4 is rising quickly.

Frequently asked questions

How do I track website traffic without Google Analytics?

Install a privacy-first analytics script that does not rely on cookies — Attrifast, Plausible, Fathom, or Simple Analytics are common choices. Add the script tag to your site, configure traffic source detection (referrer + UTM + click ID), and the dashboard populates within minutes. No tag manager and no cookie banner are required.

Is it legal to track website traffic without a cookie banner?

Yes, when the analytics tool does not set cookies and does not collect personal identifiers. The EU ePrivacy Directive Article 5(3) only requires consent for storage of or access to information on the user's device. Cookieless tools that classify visits using server-side hashed IDs do not store or access data on the device, so they fall outside the consent requirement. France's CNIL, Spain's AEPD, and Italy's Garante have published narrow exemptions for first-party aggregate analytics.

Will I lose data accuracy if I stop using GA4?

Most teams gain accuracy. GA4 standard properties begin sampling reports above 10 million events per query, drops a measurable share of visits to consent banners (independent studies report 40-60% rejection rates when a clearly visible "Reject all" button is present), and misclassifies traffic as "direct / none" whenever the referrer is stripped — a common outcome of HTTPS-to-HTTP transitions, mobile-app referer stripping, and AI-chat referrals. Cookieless tools that combine multiple signals typically cut "direct" traffic by 40-70%.

Can I run GA4 and a privacy-first tracker side by side?

Yes. Both tools use independent client-side scripts and do not interfere. Many teams run GA4 for historical continuity and Search Console integration while using a cookieless tool as the source of truth for traffic and revenue numbers. Comparing the two side by side is the fastest way to surface where GA4 is dropping data.

Does tracking website traffic without GA4 affect SEO?

No. Google Search Console is the only Google product that influences search ranking signals. Removing GA4 has no SEO impact. You can keep Search Console connected and remove GA4 entirely.

How long does it take to migrate away from GA4?

Roughly 15 minutes for setup: paste a single script tag, connect Stripe if you want revenue tracking, and verify a test visit appears in the dashboard. Historical GA4 data can be exported via the GA4 BigQuery integration if you want to keep it.

Further reading

Track website traffic — pillar

Live dashboard view of every traffic source.

Track revenue by source

Match every Stripe payment to its original traffic source.

Attrifast vs Google Analytics 4

Side-by-side: features, privacy posture, pricing, accuracy.

Privacy-first analytics tools 2026

Roundup of every cookieless tracker worth considering.

Sources

Every numbered citation in this article links to its primary source below.

  1. [1][GA4] About data sampling — Standard properties begin sampling above 10 million events per queryGoogle Analytics Help (2025).
  2. [2][GA4] Configuration limits and quotasGoogle Analytics Help (2025).
  3. [3]Consent Conversion Rate Optimization: Complete GuideSecure Privacy (2024).
  4. [4]A Cross-Country Analysis of GDPR Cookie Banners (CHI 2025) — 60%+ rejection when "Reject all" is on the first layerACM CHI Conference 2025 (2025).
  5. [5]A Study of GDPR Consent Notices and Their Impact on Data Acquisition (68.9% close or ignore the banner)TWIPLA (2024).
  6. [6]Safari ITP — JavaScript-set first-party cookies capped at 7 days; server-set first-party cookies via CNAME at 7 days since Safari 16.4WebKit / Apple (2024).
  7. [7]EDPB Guidelines 2/2023 on the Technical Scope of Article 5(3) of ePrivacy Directive (Final, October 2024)European Data Protection Board (2024).
  8. [8]Referrer-Policy: HTTP — strict-origin-when-cross-origin behaviour and HTTPS→HTTP downgrade rulesMDN Web Docs (Mozilla) (2025).
  9. [9]A new default Referrer-Policy for Chrome — strict-origin-when-cross-origin since v85Chrome for Developers blog (2020).
  10. [10]Auto-tagging and the gclid parameter: Google Ads conversion tracking documentationGoogle Ads Help (2025).
  11. [11]Browser Market Share Worldwide — September 2025: Chrome 71.22%, Safari 14%, Firefox 2.25%StatCounter Global Stats (2025).
  12. [12]Mobile browser market share worldwide — Chrome 70.98%, Safari 19.52%Statista (2025).
  13. [13]Ad Blocker Usage Statistics 2025 — 29.5% of internet users use ad blockers at least sometimes (~1.77B people)Backlinko (2025).
  14. [14]Why "Direct Traffic" in GA4 Is More Confusing Than You Think — only 10–15% of "direct" is genuinely directAdFixus (2024).
  15. [15]In Graphic Detail: The state of AI referral traffic in 2025 — ChatGPT referrals +52% YoY (Sep–Nov 2025)Digiday (2025).
  16. [16]How GA4 records traffic from Perplexity Comet and ChatGPT Atlas — referer is stripped from native AI appsMarTech (2025).
  17. [17]Plausible Pricing 2025 — $9/mo (10k pageviews), $19/mo (100k), $69/mo (1M)Simple Analytics (2025).
  18. [18]Fathom Analytics Pricing 2025 — $14/mo for unlimited sites (100k pageviews)Simple Analytics (2025).
  19. [19]CNIL continues to crumble cookies: combined fines exceeding €139M between Dec 2022 and Dec 2024 under Art. 82 of the French Data Protection ActBird & Bird (legal commentary) (2025).
  20. [20]ePrivacy Directive National Implementations and Website Analytics — overview of audience-measurement exemptionMatomo Analytics (2024).
  21. [21]A Guide to GA4 Direct Traffic and How to Reduce It — common HTTPS→HTTP and tagging gapsOWOX (2024).
  22. [22]How to Track AI Referral Traffic from ChatGPT, Perplexity & Gemini — practical attribution playbookAI Advantage Agency (2025).
  23. [23]Google Click Identifier (GCLID) — required for Google Ads conversion tracking when auto-tagging is enabledGoogle Ads Help (2025).

Find revenue hiding in your traffic

Discover which marketing channels bring customers so you can grow your business, fast.

Start free trial →

Loved by 500+ users