You also need a cookie banner in EU in case your website uses any cookies that are not necessary to serve the content. This includes analytics, telemetry, and so on. It's not only ads.

You can remove the cookie banner if your website uses cookies only for required functionality like log-on.

Not quite, for two reasons:

- The law doesn't care about cookies, it cares about personal data, which includes any data which can individually identify someone (like a cookie associating them with a user account). If you're collecting or processing any personal data, that requires consent; even if you have no cookies.

- The law doesn't care about serving-as-in-content; it cares about providing a service, which could be showing content on a Web site, or could be dispatching orders from a warehouse, or whatever. If someone's personal data is required to provide a service for them, then their consent is implied.

The reason analytics, tracking, ad networks, etc. do not have implied consent, is because the people receiving the service (e.g. those buying ad space) are not the people who the personal data is about (i.e. ad companies cannot consent on my behalf!)

It's this directive (which pre-dates the GDPR) that makes it illegal to store or access data on the end user's devices without consent unless it is strictly necessary for the provision of the service.

How is that different to what I said above? (Modulo "s/without consent/implicit consent/g")

And you will need consent, because it has nothing to do with cookies. You need a telemetry banner.

It has nothing to do with cookies.

Sadly, every marketing person and their dog insist on having analytics. Even more sadly, every product person is not capable on putting their foot down against an obviously bad cookie banner UX.

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, ... "

So even Fathom, and other analytics tools that use browser fingerprinting or similar methods require consent.

And also, the whole no cookie, no consent -mantra does not respect user privacy. In some ways, browser fingerprinting is even worse because that's much harder for an average user to block than cookies.

There is a fuzzy line somewhere between access-logs and user-tracking.

Personally I think that at that point, one should just stop loading analytic scripts and stick to server-side access-log analytic toolg like goaccess.io.

That's an oxymoron. If your "completely anonymized data" is unique enough to reidentify unique visitors with reasonable probability then it isn't "completely anonymized" - it's pseudonymous.

That's the problem with all these supposedly GDPR-compliant analytics things - the GDPR outlaws analytics without consent (there's no case law whether it would fall under legitimate interest, but I doubt it), there's no way around it. It doesn't matter what technical means you use (whether cookies, fingerprinting, or a crystal ball) - if your analytics "work" in the sense that you can tell unique users apart, then you are in breach because you are effectively collecting/computing and storing some sort of identifier that can reidentify a user with reasonable accuracy.