by cooljacob204 2026 days ago
So under GDPR are you not allowed to log who visits your site? For say... abuse protection? Assuming you do not share this data with any 3rd party.
3 comments

You can, but you need to explicitly state in your data policy that this is what the data is used for and you can never use this data for any other purpose.
IANAL: If you were allowed to use GDPR under an exemption, perhaps abuse protection, is that the only purpose the data will be used for by yourself and GA?

If you, or a data processor you use, use the data for secondary purposes not covered by any exemption to opt-in consent, I believe you would have to get opt-in consent for those secondary purposes beforehand.

Note: the cookie law is the ePrivacy directive (and national interpretations like PECR) and it goes beyond GDPR in some ways, as the ICO states "Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies." ( https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a... )

No, GDPR explicitly carves out an exception if it is for reasonable purposes. DDoS and abuse protection would fall under that. Marketing, however, won't.