by lmkg 2727 days ago
IF the legal basis for processing is Consent, then that consent needs to be opt-in and freely given.

If. If if if if IF IF IF.

Consent is not the only legal basis for processing. This website in particular claims Legitimate Interest as their legal basis for Google Analytics. If you can support a claim of Legitimate Interest, then none of the restrictions specific to Consent apply. Starting with opt-in vs opt-out.

2 comments

You’re not allowed to store personal data in GA by their own terms of service, so the argument is moot: neither consent nor legitimate interest is needed.
True - however wouldn't "legitimate interest" be subject to precedents and also depend on what exactly you're tracking?

As a layman I'd assume that if one site gets to claim Google Analytics as "legitimate interest", this would imply GA being fair game for any site, provided they don't do anything special with it.

Which is fair; I shouldn't have to ask for consent from the user to have analytics on my site. Having analytics is a necessary part of running a web app successfully.
This doesn't imply GA, sending data to a third party (and one of the worst offenders with respect to privacy at that). The same can be achieved solely by first party means. It's just not that convenient.
I don't think the EU would agree with that, but IANAL.
I don't care what the EU agrees to, there's this thing called national sovereignty; I'm not subject to the laws of every country that simply asserts I am. The world cannot function if we're subject to every law every country decides to claim we're subject to.