Spot on. The author acknowledges that cookies are actually more privacy friendly, but then concludes with “it is what it is”. Kind of disappointing.
This is my major gripe with all the privacy friendly analytics (disclaimer: I authored two, namely Fathom when it was still open-source and Koko Analytics) tools that submerged over the past few years. Elaborate work went into bypassing cookies, only to make things worse from a privacy perspective in the end.
I don't know how bypassing cookies does literally anything, at least not since the GDPR came into effect (let alone ePrivacy). It doesn't matter if the data is collected via cookie, header, HTTP request or carrier pigeon. If you're processing, storing or transferring PII for non-functional (read: immediately necessary to provide the service the user specifically requested) purposes, you need revokable consent via opt-in and you need to be able to provide information to the user about what data you collected and what you did with it.
Now that the GDPR and ePrivacy are in effect, PII is radioactive. You need containment, handling and disposal procedures, you need to allow users to inspect it at any time and if you accidentally expose anyone to it that's a major emergency incident.