Trying to track "return visits" often requires installing identifying tokens (cookies, localStorage, etc.). Even if no human ever looks at an individual person's data, you are processing it, so GDPR applies.
But that's where the last legal basis comes in:
> processing is necessary [for] the legitimate interests pursued by the [website], except where such interests are overridden by the interests [of] the data subject
So:
(1) on the one hand, the site owner has a legitimate interest in making the website better. This really can even solely benefit the user, e.g. if you're a non-profit like Wikipedia, but it might also just benefit you and that's okay.
(2) on the other, everyone has the right to privacy. Is privacy violated if you analyse this in an automated fashion? Is there any potential negative consequence for "private and family life, his home and his correspondence"[1]?
If the answer to (2) is a very clear "no" then here's your legal basis for data processing. Since it is not consent-based, you can do it without consent and without 'cookie wall'.
I'm no lawyer, I don't know if this is a clear "no" or if it's a "maybe somehow" or how a judge would rule that or what judges previously ruled on that. I don't have all the answers, but it should be clear not all tracking has to be consent-based, especially when you have the user's privacy at heart. Hence my phrasing of 'invasive tracking' earlier in the thread.
Also, if you're a small company or startup that really tries to do good but misinterpreted the law, the data protection agency is not going to give you a large fine. If there is neither an intention of violating privacy (in an ethical way, not a letter-of-the-law way) nor clear negligence, then the DPA will probably send you a warning. It's also a fundamental right to get a reasonable punishment, so they can't give you a fine that creates major issues if you didn't do anything majorly wrong (people often look at GDPR's vague clauses and €20 million fines and think "how could your mom and pop store ever pay that for small violations" while in practice that's not how this works).
But that's where the last legal basis comes in:
> processing is necessary [for] the legitimate interests pursued by the [website], except where such interests are overridden by the interests [of] the data subject
So:
(1) on the one hand, the site owner has a legitimate interest in making the website better. This really can even solely benefit the user, e.g. if you're a non-profit like Wikipedia, but it might also just benefit you and that's okay.
(2) on the other, everyone has the right to privacy. Is privacy violated if you analyse this in an automated fashion? Is there any potential negative consequence for "private and family life, his home and his correspondence"[1]?
If the answer to (2) is a very clear "no" then here's your legal basis for data processing. Since it is not consent-based, you can do it without consent and without 'cookie wall'.
I'm no lawyer, I don't know if this is a clear "no" or if it's a "maybe somehow" or how a judge would rule that or what judges previously ruled on that. I don't have all the answers, but it should be clear not all tracking has to be consent-based, especially when you have the user's privacy at heart. Hence my phrasing of 'invasive tracking' earlier in the thread.
Also, if you're a small company or startup that really tries to do good but misinterpreted the law, the data protection agency is not going to give you a large fine. If there is neither an intention of violating privacy (in an ethical way, not a letter-of-the-law way) nor clear negligence, then the DPA will probably send you a warning. It's also a fundamental right to get a reasonable punishment, so they can't give you a fine that creates major issues if you didn't do anything majorly wrong (people often look at GDPR's vague clauses and €20 million fines and think "how could your mom and pop store ever pay that for small violations" while in practice that's not how this works).
[1] Article 8 "Privacy" from the European Convention on Human Rights: https://en.wikipedia.org/wiki/European_Convention_on_Human_R...