I make use of a thing in GA that anonymises the IP address by masking the last three digits.
I do use that already.
Apparently that may not be entirely sufficient. I spoke to someone who attended a seminar this week about CCPA (California Consumer Protection Act) and various data protection laws in the world, including GDPR. I had them ask a lawyer in attendance about this. (This is 3rd-hand lawyer advice given at a seminar, so don't take this as gospel.) What I heard was that the Google anonymization happens after the data is collected, so technically you are sending PII to Google even with this IP anonymization setting.
I had to take a look, and that does appear to be the case. [support.google.com...] Google collects the full IP, anonymizes it, and then processes it. Outside the EU this might be sufficient, but it may not be in the stricter countries, like Germany, where they take a much stronger stance on this.
If this super strict interpretation of the GDPR regulations is used, then you need a pop-up explaining that you're using cookies for GA, why you're using these cookies, how long the data will be stored, and then give the visitor the option to opt in to your Analytics cookies (by default the opt-out option must be selected).
The lawyer pointed out this UK site as a good example of how Analytics tracking cookie permissions were being handled: [ico.org.uk