I am not confident that the "anonymize IP" option is GDPR compliant.
This asks Google not to store the IP in full, however the IP is still transmitted to them (as an unavoidable side-effect of loading the library and sending the analytics events).
I am not sure if the other options they recommend disabling actually disable the initial collection of the data, or whether they only instruct Google to not process that data when they receive it.
Even if we assume that Google is acting in good faith (which at this point is a very big "if"), transmitting the data to Google still opens up a theoretical risk of that data being intercepted by a malicious attacker with access to Google's infrastructure, and no matter how small this risk is I can see someone potentially making an argument about it with the regulator.
This asks Google not to store the IP in full, however the IP is still transmitted to them (as an unavoidable side-effect of loading the library and sending the analytics events).
I am not sure if the other options they recommend disabling actually disable the initial collection of the data, or whether they only instruct Google to not process that data when they receive it.
Even if we assume that Google is acting in good faith (which at this point is a very big "if"), transmitting the data to Google still opens up a theoretical risk of that data being intercepted by a malicious attacker with access to Google's infrastructure, and no matter how small this risk is I can see someone potentially making an argument about it with the regulator.