Hacker News
by russley 2727 days ago
Ironic that a site about GDPR compliance has 6 potential trackers according to Privacy Badger.
2 comments

Which might be fine, depending on their privacy policy. Let's take a look...

Their privacy policy indicates they are claiming Legitimate Interest as the legal basis for using Google Analytics. My network tab also sees hits from ShareThis and Facebook, which are not mentioned in the Privacy Policy. There's a section on Embedded Content, but I don't see any content embedded in the privacy policy itself.

https://gdpr.eu/privacy-policy/

I will say this does a good job of being straightforward and readable, and covering what a privacy policy needs to cover. But it's still incomplete with regards to what data is being sent where.
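As an added example, not part of the thread: a small Python audit that does what the comment above did by hand, comparing the third-party hosts a page contacts against the processors its privacy policy names. The request URLs and the vendor map are constructed samples, not data captured from gdpr.eu, and the domain matching is deliberately naive.

```python
from urllib.parse import urlsplit

# Constructed sample: request URLs of the kind a browser network tab shows
# while loading a privacy-policy page (not captured from the real site).
OBSERVED_REQUESTS = [
    "https://gdpr.eu/privacy-policy/",
    "https://gdpr.eu/wp-content/themes/site/style.css",
    "https://www.google-analytics.com/analytics.js",
    "https://www.google-analytics.com/collect?v=1",
    "https://ws.sharethis.com/button/buttons.js",
    "https://connect.facebook.net/en_US/fbevents.js",
]

# Hypothetical vendor map: registrable domain -> processor name. A real audit
# would take this from a maintained tracker list rather than hard-coding it.
VENDOR_BY_DOMAIN = {
    "google-analytics.com": "Google Analytics",
    "sharethis.com": "ShareThis",
    "facebook.net": "Facebook",
}

def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Enough for the .com/.net hosts in
    the sample; production code should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def third_party_vendors(requests, first_party):
    """Return {vendor: sorted hosts} for every request whose registrable
    domain is not the site's own (unknown vendors are keyed by domain)."""
    found = {}
    for url in requests:
        host = urlsplit(url).hostname or ""
        dom = registrable_domain(host)
        if dom == first_party:
            continue
        vendor = VENDOR_BY_DOMAIN.get(dom, dom)
        found.setdefault(vendor, set()).add(host)
    return {v: sorted(h) for v, h in found.items()}

def undisclosed_vendors(requests, first_party, disclosed):
    """Vendors that receive requests but are absent from the policy's list."""
    seen = third_party_vendors(requests, first_party)
    return sorted(v for v in seen if v not in disclosed)

if __name__ == "__main__":
    disclosed = {"Google Analytics"}  # recipients the policy actually names
    print(undisclosed_vendors(OBSERVED_REQUESTS, "gdpr.eu", disclosed))
```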

Except Google Analytics cannot be a "legitimate interest".

A legitimate interest is one that prevents the service from operating. E.g. if you're a pizza delivery service, you need to use the customer's address, since it's implicit in what the service does and the customer expects you to use their address for the purpose of home delivery.

If you block Google Analytics however, in what way will the service be impacted from the perspective of the user experience? There is no impact, even if this costs the business optimization opportunities or money. You can argue that the inability to use Google Analytics can have a long term impact on user experience, but that's not how legitimate interests work.

In general, "making more money" or "becoming more popular" are invalid reasons for stating a legitimate interest.

GDPR compliance doesn't imply that tracking is disallowed, right? The GDPR specifies the allowed, legal protocols for tracking users and consumer behavior on sites.
Which includes a firm opt-in, which none of these does.
IF the legal basis for processing is Consent, then that consent needs to be opt-in and freely given.

If. If if if if IF IF IF.

Consent is not the only legal basis for processing. This website in particular claims Legitimate Interest as their legal basis for Google Analytics. If you can support a claim of Legitimate Interest, then none of the restrictions specific to Consent apply. Starting with opt-in vs opt-out.

You’re not allowed to store personal data in GA by their own terms of service, so the argument is moot: neither consent nor legitimate interest is needed.
True - however wouldn't "legitimate interest" be subject to precedents and also depend on what exactly you're tracking?

As a layman I'd assume that if one site gets to claim Google Analytics as "legitimate interest", this would imply GA being fair game for any site, provided they don't do anything special with it.

Which is fair; I shouldn't have to ask for consent from the user to have analytics on my site. Having analytics is a necessary part of running a web app successfully.
This doesn't imply GA, sending data to a third party (and one of the worst offenders with respect to privacy at that). The same can be achieved solely by first party means. It's just not that convenient.
I don't think the EU would agree with that, but IANAL.
IIF they are processing personally identifying information.
Personal data, not personally identifying information.

The former is a lot broader than the latter (and the latter is a US legal term and means precisely nothing in the EU).