by ratww
1837 days ago
The most important concept of GDPR is "Personal Identifiable Information", or PII: https://en.wikipedia.org/wiki/Personal_data

You can collect statistics all you want if you anonymize data such as IP addresses. But you can't collect and store PII (or even aggregate data that can be used to identify a certain user, aka fingerprinting) without consent, or without having a legitimate reason.

By legitimate reason I mean that you can freely collect information that is strictly necessary for performing tasks expected by customers. For example, you don't need explicit consent to collect a customer's address for delivering a package via Post. You can also have a cookie for login without requiring a "cookie banner". However, you can't repurpose data you collected legitimately for other purposes, such as sending spam.

(Please notice that legitimate reasons don't include anything marketing-related, spam, or selling to third parties. "Legitimate interest" in GDPR means the legitimate interest of the customer, not of the business.)

About fingerprinting, if it can be used to identify single users, it becomes PII. This means fingerprinting also falls under GDPR.