by aqui_c 2424 days ago
You have to take into account two different things. The ePrivacy directive and the GDPR. The ePrivacy directive is what generated the cookie popup you mentioned, while GDPR is tackling what happens with personal data once it is on someone's server.

You can check this article: https://gdpr.eu/cookies/

But it basically states that you should give your users the possibility of opting-out from tracking cookies, like the ones used by Google, and this is not GDPR, this is ePrivacy. To comply with GDPR, you should give your users the possibility to see their data, delete the data, etc. Since this is done by Google, it is their responsibility to comply with GDPR, and not yours (more or less... Let's say, it is YOUR responsibility, but you offloaded it to Google, which is compliant with GDPR apparently).

In any case, you should ask yourself why you are giving Google your users' data. Aren't your server logs enough to see who visits you?


Have you used Google Analytics / Tag Manager? There's a lot more than who came here from where that logs could provide. And that's without rebuilding the connecting of different requests to the same session.
I know it is powerful; the question is whether the OP is actually using them, or whether just server logs are enough. For a personal website, sometimes there's no need for too much info.
It is completely not true that you can "offload" responsibility as described. If you run a website, then you are a "controller" and are responsible for ensuring that processors are also abiding by the GDPR, for example by securing Data Protection Agreements and vetting the processors.

There is definitely risk associated with running third party analytics and not having opt-in associated with that. It is very much not established whether GA's solution is good enough. Having said that, while there is a risk, at this point it seems to be a small risk of getting into GDPR trouble unless you are a very large operation.

That's what I tell my clients. YMMV.

What I meant by 'offloading' the responsibility is that building a GDPR-compliant system can be cumbersome. For example, imagine you run a WordPress blog (I am a bit outdated here, this may have changed in recent releases): there is no path for me to get all the information you have about me (for instance, all the comments made with my e-mail). If you keep server logs with IP addresses, building a system that gives me that information is also cumbersome. However, if you outsource those needs (for instance, to GA), and they do have GDPR-compliant systems in place, then you have offloaded the responsibility of keeping these services in place. Being GDPR-compliant is an added value for SOME solutions; it is up to the user to check whether GA is compliant or not.

Regarding the risk, I think the debate should go over what you are doing with your clients' users' data: giving it away to Google? Is it truly necessary? It is not only about risking a fine; it is about being aware of what privacy means and why it is important.

Well, I don’t know what to say other than you are totally wrong. It is not up to the user to check whether GA is compliant or not. The party accepting the personal data has responsibility to make sure that it is used responsibly by their processors.