Hacker News
by ratherbefuddled 2027 days ago
You don't need consent to share personally identifiable data like IP addresses with Google. For GDPR purposes you need a legal basis and "your legitimate interest" is one. You need to honestly assess - ideally write down - your determination of how your need to analyse website performance is balanced against the user's right to privacy. One thing you might consider here is the impact on the user. Then you need to fulfil your duties as a data controller with respect to accuracy, security and so on.

What you do need is consent for cookies (or local storage or similar). That is required by the ePrivacy Directive (aka cookie law). If you want to persist an identifier on a user's device you need to get consent before you put it there.

GDPR and ePrivacy are related but not the same. You can use GA without cookies (or with only "strictly necessary" cookies which are an exception to the consent rule) and therefore not fall foul of ePrivacy.

1 comments

> For GDPR purposes you need a legal basis and "your legitimate interest" is one. You need to honestly assess - ideally write down - your determination of how your need to analyse website performance is balanced against the user's right to privacy

Come on, analytics, especially 3rd party analytics, is never considered a "legitimate interest". As if it was needed, this is spelled out explicitly in the ePrivacy directive and official EU opinion documents.

Legitimate interest is a GDPR thing and you can indeed choose to share personal information under legitimate interest and you can do so for analytics. There are countless examples of privacy policies all over the web doing exactly that.

The ePrivacy directive is much more proscriptive about consent but applies only very narrowly - to cookies and similar technology.

Conflating GDPR and ePrivacy leads to much confusion; they are to all intents and purposes separate.