This is a really good write-up! I wish more companies and SaaS put this cookie-less directive on top of their priorities.
We do the same, except we have a JWT cookie, which is strictly bound to our domain. Additionally we avoid third-party scripts and apps, fonts or things like the Facebook commenting system; basically all stuff sending user traces to foreign parties. We did a write-up about this here, if you are interested in how we did it:
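As an added illustration of what "strictly bound to our domain" means for a JWT cookie (this is example code, not the commenter's or the linked write-up's), the block below implements the RFC 6265 cookie scoping rules a browser applies: a cookie set without a `Domain` attribute is host-only and is only sent back to the exact host that set it, while `Domain=example.com` also leaks it to every subdomain; `HttpOnly` is what keeps it out of reach of any third-party script running in the page. The hostnames, header strings and the JWT value are constructed placeholders.

```javascript
// Added example, not code from the commenter or the page. All hostnames,
// Set-Cookie headers and the token value below are constructed placeholders.

// RFC 6265 section 5.1.3 domain matching: a request host matches a cookie
// domain if they are equal, or the host ends with "." + domain and is not an IP.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return host.endsWith('.' + domain) && !isIpv4;
}

// Parse a Set-Cookie header into name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Would a cookie set by a response from `setHost` be attached to a request
// to `reqHost`? Without a Domain attribute the cookie is host-only (exact host
// match); with Domain=... it is sent to that domain and all its subdomains.
function cookieSentTo(cookie, setHost, reqHost, https) {
  if (cookie.attrs.secure && !https) return false;
  if (cookie.attrs.domain) {
    const domain = String(cookie.attrs.domain).replace(/^\./, '');
    return domainMatches(reqHost, domain);
  }
  return reqHost.toLowerCase() === setHost.toLowerCase();
}

// Can page scripts (including any embedded third-party script) read the
// cookie via document.cookie? HttpOnly is the attribute that prevents this.
function readableByScript(cookie) {
  return !cookie.attrs.httponly;
}

// Audit a Set-Cookie header against the "first-party only" properties:
// host-only, HttpOnly, Secure and SameSite=Lax or Strict.
function auditJwtCookie(header) {
  const c = parseSetCookie(header);
  const sameSite = c.attrs.samesite ? String(c.attrs.samesite).toLowerCase() : null;
  const hostOnly = !c.attrs.domain;
  const httpOnly = !!c.attrs.httponly;
  const secure = !!c.attrs.secure;
  return {
    hostOnly, httpOnly, secure, sameSite,
    ok: hostOnly && httpOnly && secure && (sameSite === 'lax' || sameSite === 'strict'),
  };
}

// Constructed headers: a host-only cookie as the comment describes, and a
// loosely scoped one that is shared with all subdomains and readable by scripts.
const STRICT_COOKIE =
  'session=eyJhbGciOiJIUzI1NiJ9.e30.placeholder; Path=/; Secure; HttpOnly; SameSite=Strict';
const LOOSE_COOKIE =
  'session=eyJhbGciOiJIUzI1NiJ9.e30.placeholder; Path=/; Domain=example.com; Secure; SameSite=None';

// Demonstration: the strict cookie only travels to app.example.com, the loose
// one also reaches any other subdomain of example.com.
function demo() {
  return {
    strictToSelf: cookieSentTo(parseSetCookie(STRICT_COOKIE), 'app.example.com', 'app.example.com', true),
    strictToSibling: cookieSentTo(parseSetCookie(STRICT_COOKIE), 'app.example.com', 'other.example.com', true),
    looseToSibling: cookieSentTo(parseSetCookie(LOOSE_COOKIE), 'app.example.com', 'other.example.com', true),
    strictReadable: readableByScript(parseSetCookie(STRICT_COOKIE)),
    looseReadable: readableByScript(parseSetCookie(LOOSE_COOKIE)),
  };
}
```

Omitting `Domain` is the important part: `Domain=example.com` would hand the token to every subdomain, including any that hosts third-party or user-controlled content, whereas a host-only cookie never leaves the host that issued it.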