Forum Moderators: DixonJones


GDPR - Request consent before tracking?

         

bill

2:32 am on Oct 18, 2019 (gmt 0)




I know that there was an earlier post about Analytics and GDPR back in May [webmasterworld.com...] but in October we had the CJEU ruling that seems to change things.

The Court of Justice of the European Union (CJEU) this morning ruled that storing cookies requires internet users’ active consent. It's not good enough, says the CJEU, to present users with a pre-checked box and require them to click it to opt out.

[webmasterworld.com...]

Do we need to inform visitors of the GA tracking cookies and have them actively choose to accept GA cookies even if we're using Google's suggested settings to anonymize the data [support.google.com] collected?

Wouldn't this cripple Analytics? Who's going to actually opt in when the default has to be set to opt-out?

[edited by: phranque at 6:45 am (utc) on Oct 18, 2019]
[edit reason] enable link to thread [/edit]

IanTurner

6:39 am on Oct 18, 2019 (gmt 0)




It is a bit of a mess at the moment. There are some GDPR compliance scripts available which separate cookies into different categories (e.g. Civic and OneTrust).

Having a look at those will help you to see how things are being implemented by some large EU based organisations.

If you are completely outside of the EU I think you can get away with blocking access to the site unless cookies are accepted. Though I think there was a case recently where a Dutch organisation inside the EU was prosecuted for this type of blocking.

On the analytics front, yes, it will potentially cripple cookie-based analytics. Though I think server-side analytics will still be fine and might make a comeback due to this law. Anyone fancy writing a REST API based analytics package?

DixonJones

6:57 am on Oct 18, 2019 (gmt 0)




I make use of a thing in GA that anonymises the IP address by masking the last three digits. In doing so, the IP address is no longer “PII” (personally identifiable information). It works fine for me. If they sign up to something, or chat, then they opt in at that point, but I do not track them on arrival to the site, only the IP RANGE. This is NOT on by default in GA, but I recommend doing it.

bill

8:40 am on Oct 18, 2019 (gmt 0)




> I make use of a thing in GA that anonymises the IP address by masking the last three digits.

I do use that already.

Apparently that may not be entirely sufficient. I spoke to someone who attended a seminar this week about CCPA (California Consumer Protection Act) and various data protection laws in the world, including GDPR. I had them ask a lawyer in attendance about this. (This is 3rd hand lawyer advice given at a seminar so don't take this as gospel). What I heard was that the Google anonymization happens after the data is collected, so technically you are sending PII to Google even with this IP anonymization setting.

I had to take a look, and that does appear to be the case. [support.google.com...] Google collects the full IP, anonymizes it, and then processes it. Outside the EU this might be sufficient, but it may not be in the stricter countries, like Germany, where they take a much stronger stance on this.

If this super strict interpretation of the GDPR regulations is used, then you need a pop-up explaining that you're using cookies for GA, why you're using these cookies, how long the data will be stored, and then give the visitor the option to opt in to your Analytics cookies (by default the opt-out option must be selected).

The lawyer pointed out this UK site as a good example of how Analytics tracking cookie permissions were being handled: [ico.org.uk...]

bhukkel

9:20 pm on Oct 19, 2019 (gmt 0)




The Dutch Data Protection Authority (government agency for GDPR) has published a Google Analytics guide with 6 steps. If you follow these steps you don't have to ask permission. One of the steps is to anonymise the IP.

It is in the Dutch language:

[autoriteitpersoonsgegevens.nl...]

lucy24

11:23 pm on Oct 19, 2019 (gmt 0)




Let us cross our fingers and hope that nobody in a law-making position ever learns of the existence of server access logs.

bill

2:50 am on Oct 20, 2019 (gmt 0)




Thanks bhukkel. I've been looking for documents like that, but my Dutch searching skills are pretty poor ;)
I'm going to ask some people in the EU to look at this and see if the CJEU decision changes this advice from the Dutch government.

> server access logs
My backup plan is to use server logs for stats and pull GA from all EU sites.
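
The thread raises two points that combine naturally: masking the IP before anything is stored, and falling back to server access logs for stats. The sketch below is an added example, not part of the original thread or any poster's code; the log format (Apache/nginx "combined"), the truncation widths (last octet for IPv4, last 80 bits for IPv6) and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.57 - - [18/Oct/2019:02:32:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.99 - - [18/Oct/2019:02:40:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2019:06:39:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [19/Oct/2019:21:20:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

# client IP, then the date part of the timestamp, then method and path
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(\S+) (\S+)')


def truncate_ip(raw):
    """Zero the host part: last octet for IPv4, last 80 bits for IPv6 (assumed widths)."""
    ip = ipaddress.ip_address(raw)  # raises ValueError for hostnames or garbage
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def daily_stats(log_text):
    """Return {day: {"hits": n, "ranges": set}}; only truncated IPs are ever kept."""
    stats = defaultdict(lambda: {"hits": 0, "ranges": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        try:
            ip_range = truncate_ip(m.group(1))
        except ValueError:
            continue  # first field was not an IP address
        day = stats[m.group(2)]
        day["hits"] += 1
        day["ranges"].add(ip_range)  # the full address is discarded here
    return dict(stats)


if __name__ == "__main__":
    for day, s in daily_stats(SAMPLE_LOG).items():
        print(day, s["hits"], sorted(s["ranges"]))
```

Truncation at this stage only covers the derived stats; the raw access log still holds full addresses unless the web server's log format or a rotation job masks them as well.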