According to the French data protection authority, "out-of-the-box" GA requires consent because they aren't anonymised: https://www.cnil.fr/en/google-analytics-and-data-transfers-h...

Well, I'm glad I don't use GA on my personal site, then, even if it means I have no idea what traffic levels it gets. GA is incredibly popular though - I would guess the vast majority of blogs etc. use it and have no consent to do so.

Even with consent and configuration, GA might be illegal in the EU. It's currently in a grey area after some latest rulings.

Don't confuse cookie laws with data laws

Anonymization (if you actually believe Google despite their conflict of interest and previous GDPR breaches) still happens on their server, so the IP address (which counts as personal data) is still transmitted there.

I guess you may actually make it truly anonymous from a GDPR point of view if you proxy all calls through your own server and strip out anything that can be used to reidentify a user - so no IP addresses, session IDs, etc.

GA collects insane amounts of data. And you might have to disable a lot of that collection manually https://support.google.com/analytics/answer/9019185?hl=en#zi...

And even then it might not be strictly compliant due to Schrems II ruling